# Authenticate password

Authenticates a user with their password. The user is identified either by a `username` (which may be the user's username, phone number, or email address, depending on which identifier was used to register the password credentials; see Register password) or by an `identifier` whose type is given explicitly. The request body takes one of the two forms listed below.

Endpoint: POST /v1/auth/password/authenticate
Security: ClientAccessToken

## Request fields (application/json):

  - `body` (object, required) — one of:
    - ApiPasswordTokenWithIdentifierRequestDto:
      - `resource` (string)
        Resource URI the authentication request is attempting to access, which is reflected in the audience (aud claim) of the access token. This must be configured as resource for the application.
      - `claims` (object)
        Used to request additional claims in the ID token, such as roles, permissions, and other user profile data. The structure is per the [OIDC Standard](https://openid.net/specs/openid-connect-core-1_0-final.html#ClaimsParameter). For supported claims and how to request custom claims, see the [ID Token Reference](https://developer.transmitsecurity.com/openapi/id_token_reference/).
        Example: {"id_token":{"roles":null}}
      - `claims.id_token` (object)
        Example: {"roles":null}
      - `claims.access_token` (object)
      - `org_id` (string)
        Organization ID, used for member login in B2B scenarios
      - `client_attributes` (object)
        Client attributes
      - `client_attributes.user_agent` (string)
      - `client_attributes.ip_address` (string)
      - `device_id` (string)
        Identifier of the device from which the authentication request originates
      - `session_id` (string)
        Used to associate the authentication with an existing session (such as for MFA). If unspecified, a new session is created and the session ID is returned.
      - `username_type` (string)
        Type of user identifier used to register the password
        Enum: "username", "email", "phone_number"
      - `password` (string, required)
        Password
      - `identifier` (string, required)
User identifier, which may be the user's email, phone number, username, or user ID. Its type must be given in `identifier_type`.
      - `identifier_type` (string, required)
        Type of user identifier used for login
    - ApiPasswordTokenWithUsernameRequestDto:
      - `resource` (string)
        Resource URI the authentication request is attempting to access, which is reflected in the audience (aud claim) of the access token. This must be configured as resource for the application.
      - `claims` (object)
        Used to request additional claims in the ID token, such as roles, permissions, and other user profile data. The structure is per the [OIDC Standard](https://openid.net/specs/openid-connect-core-1_0-final.html#ClaimsParameter). For supported claims and how to request custom claims, see the [ID Token Reference](https://developer.transmitsecurity.com/openapi/id_token_reference/).
        Example: {"id_token":{"roles":null}}
      - `claims.id_token` (object)
        Example: {"roles":null}
      - `claims.access_token` (object)
      - `org_id` (string)
        Organization ID, used for member login in B2B scenarios
      - `client_attributes` (object)
        Client attributes
      - `client_attributes.user_agent` (string)
      - `client_attributes.ip_address` (string)
      - `device_id` (string)
        Identifier of the device from which the authentication request originates
      - `session_id` (string)
        Used to associate the authentication with an existing session (such as for MFA). If unspecified, a new session is created and the session ID is returned.
      - `username_type` (string)
        Type of user identifier used to register the password
Enum: "username", "email", "phone_number"
      - `password` (string, required)
        Password
      - `username` (string, required)
        Identifier of the user, which may contain the user's username, email or phone number (depending on what was used to register password credentials). The username_type must match the type of identifier used.

## Response 200 fields (application/json):

  - `access_token` (string, required)
    User access token for accessing endpoints on behalf of the authenticated user.

  - `id_token` (string)
    ID token that identifies the user.

  - `refresh_token` (string)
    Refresh token used to refresh an expired access token.

  - `token_type` (string, required)
Token type; always `Bearer`.

  - `expires_in` (number, required)
    Expiration time of the access token in seconds.

  - `session_id` (string, required)
    ID of the session in which the authentication occurs.

## Response 400 fields (application/json):

  - `error_code` (string)
    Enum: "system_invalid_input"

  - `message` (string)

## Response 401 fields (application/json):

  - `error_code` (string)
    Enum: "auth_invalid_credentials"

  - `message` (string)

## Response 403 fields (application/json):

  - `error_code` (string)
    Enum: "auth_locked", "user_not_found", "user_not_active", "auth_invalid_credentials", "auth_password_expired", "auth_password_temporary", "auth_not_active"

  - `message` (string)

## Response 500 fields (application/json):

  - `error_code` (string)
    Enum: "system_unexpected_error"

  - `message` (string)
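The following is an added example of a backend client for this endpoint, covering both the request construction described under Request fields (the `ApiPasswordTokenWithUsernameRequestDto` variant) and the handling of the 200/400/401/403/500 responses listed above. It is not Transmit Security's SDK or any code from the reference; the base URL, the `client_access_token` value and the `send` transport hook are assumptions. The point a practitioner should take from it: the 401 and 403 bodies distinguish `user_not_found` and `auth_locked` from `auth_invalid_credentials`, which is useful for logging and rate limiting but must be collapsed into one generic message before anything reaches the login form, or the endpoint becomes a username enumeration oracle.

```python
"""Client for POST /v1/auth/password/authenticate (username variant).

Added example, not Transmit Security's own SDK. The base URL and the
client access token are caller-supplied assumptions.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

PATH = "/v1/auth/password/authenticate"
USERNAME_TYPES = ("username", "email", "phone_number")

# Error codes the reference lists for 401/403. All of these must surface to
# the end user as one generic message: letting "user_not_found" differ from
# "auth_invalid_credentials" turns the login form into a username oracle.
CREDENTIAL_FAILURES = frozenset({
    "auth_invalid_credentials", "user_not_found", "user_not_active",
    "auth_locked", "auth_not_active",
})
# 403 codes that need a different flow (forced change of an expired or
# temporary password) rather than a retry.
PASSWORD_CHANGE_REQUIRED = frozenset({"auth_password_expired", "auth_password_temporary"})


@dataclass
class AuthResult:
    outcome: str   # authenticated | invalid_credentials | password_change_required | bad_request | server_error
    error_code: Optional[str] = None
    access_token: Optional[str] = None
    id_token: Optional[str] = None
    refresh_token: Optional[str] = None
    expires_in: Optional[int] = None
    session_id: Optional[str] = None


def build_request(client_access_token, username, password, username_type, *,
                  session_id=None, ip_address=None, user_agent=None,
                  resource=None, claims=None):
    """Return (headers, body) for ApiPasswordTokenWithUsernameRequestDto."""
    if username_type not in USERNAME_TYPES:
        raise ValueError(f"username_type must be one of {USERNAME_TYPES}")
    body = {"username": username, "password": password, "username_type": username_type}
    if session_id:                       # second factor: continue the existing session
        body["session_id"] = session_id
    if ip_address or user_agent:         # the end user's values, not this backend's
        body["client_attributes"] = {k: v for k, v in
                                     (("ip_address", ip_address), ("user_agent", user_agent)) if v}
    if resource:
        body["resource"] = resource
    if claims:
        body["claims"] = claims
    headers = {"Authorization": f"Bearer {client_access_token}",  # ClientAccessToken security scheme
               "Content-Type": "application/json"}
    return headers, body


def redacted(body):
    """Copy of the request body that is safe to log: the password is never written out."""
    return {k: ("***" if k == "password" else v) for k, v in body.items()}


def classify_response(status, payload):
    """Map an HTTP status plus its JSON payload to an AuthResult."""
    if status == 200:
        return AuthResult("authenticated", None, payload["access_token"],
                          payload.get("id_token"), payload.get("refresh_token"),
                          payload["expires_in"], payload["session_id"])
    code = payload.get("error_code")
    if status in (401, 403) and code in CREDENTIAL_FAILURES:
        return AuthResult("invalid_credentials", code)
    if status == 403 and code in PASSWORD_CHANGE_REQUIRED:
        return AuthResult("password_change_required", code)
    if status == 400:
        return AuthResult("bad_request", code)
    return AuthResult("server_error", code)   # 500 system_unexpected_error, or anything unexpected


def user_message(result):
    """Text shown to the end user. Identical for every credential failure by design."""
    return {
        "authenticated": "Signed in.",
        "invalid_credentials": "Invalid username or password.",
        "password_change_required": "Your password must be changed before you can sign in.",
    }.get(result.outcome, "Sign-in is temporarily unavailable. Please try again later.")


def _http_send(url, headers, body):
    """Default transport: POST JSON, return (status, parsed body) for success and HTTP errors alike."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def authenticate(base_url, client_access_token, username, password, username_type,
                 *, send=_http_send, **opts):
    """Call the endpoint; `send(url, headers, body) -> (status, json)` is injectable for tests."""
    headers, body = build_request(client_access_token, username, password, username_type, **opts)
    status, payload = send(base_url + PATH, headers, body)
    return classify_response(status, payload)
```

Keep the specific `error_code` in server-side logs and lockout counters (`redacted(body)` is the shape to log, never the raw body), and show the user only `user_message(result)`. For an MFA step-up, pass the `session_id` returned by the first factor's 200 response as `session_id=` on the second call so the authentication is attached to the same session rather than opening a new one.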


