# login

Source: /openapi/thomas-federated.openapi.json

## Operation

| Method | URL |
|---|---|
| POST | https://api.thomas.co/v1/auth/session |

| Field | Value |
|---|---|
| operationId | login |
| method | POST |
| server | https://api.thomas.co/v1 |
| path | /auth/session |
| tags | `Authentication` |
| summary | Create session |
| badges | None |

## Request Parameters

None.

## Request Body

| Content type | Schema refs |
|---|---|
| application/json | #/components/schemas/CreateSessionRequestDto |

## Responses

| Status | Description | Schema refs |
|---|---|---|
| 200 | Session created successfully | #/components/schemas/SessionResponseDto |
| 400 | Invalid Keycloak token format | #/components/schemas/ApiErrorResponseDto |
| 401 | No organisation (IDENTITY_NO_ORGANISATION), account not found (IDENTITY_ACCOUNT_NOT_FOUND), or account disabled | #/components/schemas/ApiErrorResponseDto |
| 429 | Rate limit exceeded (per-IP public-route throttle) | #/components/schemas/ApiErrorResponseDto |

## Artifact Examples

### Response 400 example

```json
{
  "statusCode": 400,
  "message": "Invalid or unverifiable Keycloak token",
  "error": "HTTP_BAD_REQUEST"
}
```

### Response 401 example

```json
{
  "statusCode": 401,
  "message": "User does not belong to any organisation",
  "error": "IDENTITY_NO_ORGANISATION"
}
```

### Response 429 example

```json
{
  "statusCode": 429,
  "message": "ThrottlerException: Too Many Requests",
  "error": "HTTP_TOO_MANY_REQUESTS"
}
```
