POST /api/v1/partner/auth/login
User login
curl --request POST \
  --url https://api.qash.ai/api/v1/partner/auth/login \
  --header 'Content-Type: application/json' \
  --header 'X-Api-Key: <api-key>' \
  --header 'X-Api-Secret: <api-secret>' \
  --data '
{
  "privyToken": "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9..."
}
'

{
  "success": true,
  "user": {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "email": "user@example.com",
    "status": "active",
    "userType": "personal",
    "roles": [],
    "beta": false,
    "delegated": false
  },
  "accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refreshToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
  "isNewUser": false,
  "businessId": "bp-uuid-del-partner"
}
Deprecated — This endpoint requires partners to integrate the Privy SDK directly in their frontend or mobile app, which is not the recommended integration path. Use POST /api/v1/partner/auth/token instead. It exchanges a pre-registered userId for a Qash JWT entirely from your backend, with no Privy SDK dependency.
Requires X-Api-Key and X-Api-Secret headers. See Authentication for details.
Call this endpoint after the user authenticates in your app via Privy (email OTP, wallet, etc.). Pass the resulting privyToken to Qash to receive a Qash accessToken and refreshToken.
  • If the user was pre-registered with POST /users, their Privy account is automatically linked on first login.
  • The accessToken expires in ~1 hour. Use refreshToken (valid 30 days) to obtain a new one.
  • The businessId in the response is derived server-side from your API key — never send it from the client.
  • isNewUser: true indicates this is the user’s first login.
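
A backend-side sketch of the flow above, added here as an example and not taken from Qash's own code: it forwards only privyToken from the client payload, keeps the API secret on the server, and records the token lifetimes the page states. The function names, the QASH_API_KEY / QASH_API_SECRET environment variable names and the 120-second renewal margin are assumptions.

```python
import json
import os
import time
import urllib.request

LOGIN_URL = "https://api.qash.ai/api/v1/partner/auth/login"
ACCESS_TTL_S = 60 * 60             # page: accessToken expires in ~1 hour
REFRESH_TTL_S = 30 * 24 * 60 * 60  # page: refreshToken valid 30 days
RENEW_SKEW_S = 120                 # assumption: renew slightly before expiry


def build_login_request(client_payload, api_key, api_secret):
    """Build the login call on the backend from untrusted client input."""
    token = client_payload.get("privyToken")
    if not isinstance(token, str) or not token:
        raise ValueError("privyToken must be a non-empty string")
    # Forward only privyToken; a client-sent businessId or any other field is dropped.
    body = json.dumps({"privyToken": token}).encode()
    headers = {"Content-Type": "application/json",
               "X-Api-Key": api_key, "X-Api-Secret": api_secret}
    return urllib.request.Request(LOGIN_URL, data=body, headers=headers, method="POST")


def open_session(response, now=None):
    """Check the login response and record when each token must be renewed."""
    now = time.time() if now is None else now
    if response.get("success") is not True:
        raise ValueError("login was not successful")
    for field in ("accessToken", "refreshToken", "businessId"):
        if not isinstance(response.get(field), str) or not response[field]:
            raise ValueError(f"missing field: {field}")
    return {
        "userId": response["user"]["id"],
        "businessId": response["businessId"],  # server-derived, never client input
        "accessToken": response["accessToken"],
        "refreshToken": response["refreshToken"],
        "isNewUser": response.get("isNewUser") is True,
        "renewAccessAt": now + ACCESS_TTL_S - RENEW_SKEW_S,
        "refreshExpiresAt": now + REFRESH_TTL_S,
    }


def login(client_payload):
    """Send the request; QASH_API_KEY / QASH_API_SECRET are assumed env var names."""
    req = build_login_request(client_payload, os.environ["QASH_API_KEY"],
                              os.environ["QASH_API_SECRET"])
    with urllib.request.urlopen(req, timeout=10) as resp:
        return open_session(json.load(resp))
```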

Authorizations

X-Api-Key
string
header
required

Partner API key. Generated from Qash Dashboard → Settings → API Keys.

X-Api-Secret
string
header
required

Partner API secret. Shown once at creation — store it securely.

Body

application/json

Privy token from the user's authentication session.

privyToken
string
required

JWT issued by Privy after the user authenticates in your app.

Minimum string length: 1
Example:

"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9..."

Response

User authenticated successfully.

success
boolean
required
Example:

true

user
object
required

accessToken
string
required

Short-lived JWT (~1 hour) for authenticated user requests.

refreshToken
string
required

Long-lived JWT (30 days) to obtain new access tokens.

isNewUser
boolean
required

true if this is the user's first login.

businessId
string<uuid>
required

Business profile ID of the partner, derived server-side from the API key.