Authentication

Login Response JSON Example

A JSON example for a successful authentication response — access token, refresh token, expiry, and the authenticated user's basic profile. Copy-ready for REST and OAuth-style login endpoints.

{
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c3JfOWsybVhwUXI0dCJ9.4Q2yP3z8v9",
  "refreshToken": "rtok_8mNq2vXzKpL4wRfT9hYc",
  "tokenType": "Bearer",
  "expiresIn": 3600,
  "user": {
    "id": "usr_9k2mXpQr4t",
    "email": "ravi.mehta@example.com",
    "fullName": "Ravi Mehta",
    "role": "admin",
    "isVerified": true
  },
  "sessionId": "sess_4Lp9QzXvN2mK",
  "issuedAt": "2026-07-10T09:15:00Z"
}

Field Reference

accessTokenrequiredstringShort-lived JWT used to authenticate subsequent API requests, sent as Authorization: Bearer <token>
refreshTokenrequiredstringLong-lived opaque token used to obtain a new access token without re-entering credentials
tokenTyperequiredstringAlways 'Bearer' for token-based auth — indicates how the client should send accessToken
expiresInrequirednumberSeconds until accessToken expires, from issuedAt
userrequiredobjectMinimal authenticated-user payload — avoid including sensitive fields here
sessionIdoptionalstringServer-side session identifier, useful for session revocation and audit logs

Variants

MinimalThe smallest valid login response — just the token needed to authenticate.
{
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c3JfM2hGd0xtTno4cSJ9.9Kf1mQ",
  "tokenType": "Bearer",
  "expiresIn": 3600
}
MFA RequiredReturned instead of tokens when the account has two-factor authentication enabled — the client must complete a second step.
{
  "mfaRequired": true,
  "mfaToken": "mfa_6zXpQ9wNv2Lk",
  "mfaMethods": [
    "totp",
    "sms"
  ],
  "expiresIn": 300
}

Common Use Cases

  • Designing the response body for a POST /auth/login endpoint
  • Implementing token refresh logic on the client using accessToken + refreshToken
  • Building a mock authentication server for frontend development before the real backend exists
loginauthenticationaccess tokenrefresh tokensession

Validate or format this JSON

One click loads this exact example into the tool — no copy-paste needed. Format it, validate it, explore the tree, or generate TypeScript types instantly.

Frequently Asked Questions

Both patterns are common. Returning it in the body is simpler for mobile/native clients that manage their own storage; setting it as an HttpOnly, Secure cookie is safer for web clients since it's inaccessible to JavaScript and therefore immune to XSS token theft.

A relative duration avoids clock-skew issues between client and server — the client just adds it to the time the response was received, rather than trusting the server's absolute clock, which can drift.

Only what the client's UI needs immediately after login — id, name, role, avatar. Fetch the full profile separately via a dedicated endpoint rather than bloating every login response with data most sessions never use.

Related JSON Examples