POST /auth/login — Authenticate your merchant account

This endpoint authenticates your merchant account and returns two tokens: a short-lived access token you attach to every API request, and a long-lived refresh token you store securely and use only to rotate the access token when it expires. Your account must have a verified email address before login succeeds. This endpoint applies a strict rate limit.

Endpoint

POST https://api.dubupay.com/api/v1/auth/login

No authentication is required.

Request body

string

required

The email address registered to your merchant account.

password

string

required

Your account password.

Response

HTTP 200 OK on success.

success

boolean

true on a successful login.

data

object

Show data

access_token

string

A signed JWT access token. Valid for 15 minutes. Include this in the Authorization: Bearer header on all authenticated requests.

refresh_token

string

A signed JWT refresh token. Valid for 7 days. Use this with POST /auth/refresh to get a new access token without re-entering your password. Store it securely — treat it like a password.

merchant

object

The authenticated merchant’s profile.

Show merchant

string

UUID of the merchant account.

business_name

string

Registered business name.

string

Email address on the account.

is_verified

boolean

Whether the email address has been verified.

is_active

boolean

Whether the account is active.

kyc_status

string

Business KYC verification status.

personal_kyc_status

string

Personal KYC verification status for the account owner.

country

string

The country associated with the merchant account.

Example

curl -X POST https://api.dubupay.com/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "owner@acmetrading.com",
    "password": "SuperSecret123"
  }'

Response

{
  "success": true,
  "data": {
    "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "merchant": {
      "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "business_name": "Acme Trading Ltd",
      "email": "owner@acmetrading.com",
      "is_verified": true,
      "is_active": true,
      "kyc_status": "PENDING",
      "personal_kyc_status": "PENDING",
      "country": null
    }
  }
}

Using the access token

Pass the access token in the Authorization header on every authenticated request:

curl https://api.dubupay.com/api/v1/auth/me \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

Access tokens expire after 15 minutes. When you receive a 401 UNAUTHORIZED response on a previously working token, call POST /auth/refresh with your refresh token to get a new access token.

Token lifetimes

Token	Lifetime	Where to store
Access token	15 minutes	In-memory only. Do not persist to disk or `localStorage`.
Refresh token	7 days	Secure, HTTP-only cookie or encrypted storage. Never expose it to client-side JavaScript.

Error responses

Status	Code	Description
`400`	Validation error	`email` or `password` is missing or malformed.
`401`	`INVALID_CREDENTIALS`	Email/password combination is incorrect, or the account is not active.
`429`	Rate limit	Too many login attempts. Wait before retrying.

Overview

Auth

Payments

Trading

Commerce

Webhooks

POST /auth/login — Authenticate your merchant account

Endpoint

Request body

Response

Example

Using the access token

Token lifetimes

Error responses

Overview

Auth

Payments

Trading

Commerce

Webhooks

Documentation Index

​Endpoint

​Request body

​Response

​Example

​Using the access token

​Token lifetimes

​Error responses

Endpoint

Request body

Response

Example

Using the access token

Token lifetimes

Error responses