Login with password or impersonation token
Authenticate a user with email + password or with an impersonation token issued by /api/auth/impersonate/. On success returns an access token, a refresh token, the user payload, and the resolved session config.
Body
Provide either password or impersonationToken with email.
Login email; used to look up the user before credential check.
Plain-text password; verified via WorkOS when the user is migrated, otherwise via the local bcrypt hash. Mutually exclusive with impersonationToken.
Single-use JWT issued by /api/auth/impersonate/{userId}; must carry the isImpersonation flag and match email. Mutually exclusive with password.
Response
Login successful
Returned by /api/auth/login and POST /api/auth/workos/callback on success. Contains access + refresh tokens, session config, and the resolved user.
JWT access token.
Resolved session configuration returned alongside tokens. Mirrors the org-level idle-timeout / SSO renewal policy so the client can enforce it.
{
"enabled": true,
"idleTimeoutMinutes": 30,
"tokenExpiryHours": 8,
"warningTimeMinutes": 2,
"idleTrackingEnabled": true,
"ssoSilentRenewalEnabled": true,
"ssoFallbackBehavior": "redirect",
"passwordSilentRenewalEnabled": false,
"passwordFallbackBehavior": "logout"
}Compact User payload returned with auth tokens.
{
"id": "5f7b1c2e8a1d4e0012c3b4a5",
"email": "admin@acme.example",
"fullName": "Acme Admin",
"organizationId": "64a1b2c3d4e5f60012345678",
"accessRole": "ADMIN",
"conversationOpenPreference": "split"
}