Skip to main content
POST
Log in

Body

application/json
org
string
required

CBPay organization slug (cbpay).

email
string<email>
required
password
string
required

Response

Session issued — or, when the account's policy requires OTP on login, an intermediate response with otp_required true and a pending_token to exchange at POST /v1/auth/login/otp.

access_token
string
expires_at
string<date-time>
refresh_token
string

Single-use rotating refresh token (rt_…) to renew the session at POST /v1/auth/refresh without re-login.

refresh_expires_at
string<date-time>
account_id
string<uuid>
role
enum<string>
Available options:
owner,
operator,
viewer
otp_required
boolean

Present (true) when the login needs a second step.

pending_token
string

Intermediate token for POST /v1/auth/login/otp. It cannot authenticate API requests.

challenge_id
string<uuid>
channel
enum<string>

Effective channel of the login challenge. With the phone in binding cooldown the challenge automatically falls back to a stronger factor (authenticator app, then login email) — the code is never sent to a recently linked, unverified number.

Available options:
sms,
whatsapp,
email,
totp
phone
string

Masked phone the code was sent to.

Last modified on July 18, 2026