Skip to main content
POST
/
login-admin
curl -X POST "http://localhost:8080/login-admin" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "admin@example.com",
    "password": "securepassword123"
  }'

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhdXRoZW50aWNhdGVkIiwiZXhwIjoxNjQwOTk1MjAwLCJpYXQiOjE2NDA5MDg4MDAsImlzcyI6Imh0dHBzOi8veW91ci1wcm9qZWN0LnN1cGFiYXNlLmNvL2F1dGgvdjEiLCJzdWIiOiIyNmEyMGFmMC0xMDlkLTQzZTAtYWUzOC0yZTM1MTQ4ZmZmNjQiLCJlbWFpbCI6ImFkbWluQGV4YW1wbGUuY29tIiwicm9sZSI6ImF1dGhlbnRpY2F0ZWQifQ...",
  "token_type": "bearer",
  "expires_in": 3600,
  "expires_at": 1640995200,
  "refresh_token": "refresh_token_string_here",
  "user": {
    "id": "26a20af0-109d-43e0-ae38-2e35148fff64",
    "aud": "authenticated",
    "role": "authenticated",
    "email": "admin@example.com",
    "phone": null,
    "email_confirmed_at": "2023-01-01T00:00:00Z",
    "phone_confirmed_at": null,
    "last_sign_in_at": "2023-01-01T12:00:00Z",
    "app_metadata": {
      "provider": "email",
      "providers": ["email"]
    },
    "user_metadata": {
      "first_name": "Admin",
      "last_name": "User"
    },
    "created_at": "2023-01-01T00:00:00Z",
    "updated_at": "2023-01-01T12:00:00Z"
  },
  "admin_details": {
    "id": "26a20af0-109d-43e0-ae38-2e35148fff64",
    "email": "admin@example.com",
    "is_admin": true,
    "created_at": "2023-01-01T00:00:00Z"
  }
}
Enhanced authentication endpoint specifically for administrators. This endpoint performs standard user authentication followed by admin privilege verification via REST API lookup.

Overview

The admin login endpoint performs a two-step authentication process:
  1. Standard Authentication: Validates user credentials using the OAuth2 password grant
  2. Admin Verification: Queries the user database to verify admin privileges
  3. Combined Response: Returns authentication tokens plus admin-specific user details
This endpoint requires the user to have is_admin: true in the user database. Non-admin users will receive a 403 Forbidden response even with valid credentials.

Request

curl -X POST "http://localhost:8080/login-admin" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "admin@example.com",
    "password": "securepassword123"
  }'

Request Body

email
string
required
Administrator’s email address
password
string
required
Administrator’s password

Response

access_token
string
JWT access token for authenticating API requests
token_type
string
Token type, always “bearer”
expires_in
integer
Token expiration time in seconds (typically 3600 for 1 hour)
expires_at
integer
Token expiration timestamp (Unix timestamp)
refresh_token
string
Refresh token for obtaining new access tokens
user
object
Standard user information object from authentication
admin_details
object
Additional admin-specific user details from database lookup
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhdXRoZW50aWNhdGVkIiwiZXhwIjoxNjQwOTk1MjAwLCJpYXQiOjE2NDA5MDg4MDAsImlzcyI6Imh0dHBzOi8veW91ci1wcm9qZWN0LnN1cGFiYXNlLmNvL2F1dGgvdjEiLCJzdWIiOiIyNmEyMGFmMC0xMDlkLTQzZTAtYWUzOC0yZTM1MTQ4ZmZmNjQiLCJlbWFpbCI6ImFkbWluQGV4YW1wbGUuY29tIiwicm9sZSI6ImF1dGhlbnRpY2F0ZWQifQ...",
  "token_type": "bearer",
  "expires_in": 3600,
  "expires_at": 1640995200,
  "refresh_token": "refresh_token_string_here",
  "user": {
    "id": "26a20af0-109d-43e0-ae38-2e35148fff64",
    "aud": "authenticated",
    "role": "authenticated",
    "email": "admin@example.com",
    "phone": null,
    "email_confirmed_at": "2023-01-01T00:00:00Z",
    "phone_confirmed_at": null,
    "last_sign_in_at": "2023-01-01T12:00:00Z",
    "app_metadata": {
      "provider": "email",
      "providers": ["email"]
    },
    "user_metadata": {
      "first_name": "Admin",
      "last_name": "User"
    },
    "created_at": "2023-01-01T00:00:00Z",
    "updated_at": "2023-01-01T12:00:00Z"
  },
  "admin_details": {
    "id": "26a20af0-109d-43e0-ae38-2e35148fff64",
    "email": "admin@example.com",
    "is_admin": true,
    "created_at": "2023-01-01T00:00:00Z"
  }
}

Error Responses

{
  "code": 400,
  "error_code": "invalid_credentials",
  "msg": "Invalid login credentials"
}

Authentication Flow

The admin login process involves multiple steps with comprehensive error handling:
1

Initial Authentication

User credentials are validated using the standard OAuth2 password grant flow
2

User ID Extraction

The user UUID is extracted from the successful authentication response
3

Database Lookup

A REST API call is made to /rest/v1/users?id=eq.<UUID> with header Accept-Profile: users to fetch details from the users.users table (ensure the users schema is exposed in Supabase Settings → API).
4

Admin Verification

The is_admin field is checked in the database response
5

Response Assembly

Authentication tokens and admin details are combined into the final response

Use Cases

Admin Dashboard Access

Use this endpoint for admin-only applications like admin dashboards:
JavaScript
const adminLogin = async (email, password) => {
  try {
    const response = await fetch("/login-admin", {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ email, password }),
    });

    if (!response.ok) {
      if (response.status === 403) {
        throw new Error("Access denied: Admin privileges required");
      }
      throw new Error("Login failed");
    }

    const data = await response.json();

    // Store tokens for subsequent API calls
    localStorage.setItem("access_token", data.access_token);
    localStorage.setItem("refresh_token", data.refresh_token);

    // Access admin-specific data
    console.log("Admin since:", data.admin_details.created_at);

    return data;
  } catch (error) {
    console.error("Admin login failed:", error.message);
    throw error;
  }
};

API Integration

For backend services that need to verify admin status:
Python
import requests
from datetime import datetime

def authenticate_admin(email, password):
    """Authenticate an admin user and return enriched user data"""

    response = requests.post('http://localhost:8080/login-admin', json={
        'email': email,
        'password': password
    })

    if response.status_code == 400:
        raise ValueError('Invalid credentials')
    elif response.status_code == 403:
        raise PermissionError('User is not an admin')
    elif response.status_code != 200:
        raise RuntimeError(f'Authentication failed: {response.status_code}')

    data = response.json()

    # Process admin details
    admin_since = datetime.fromisoformat(
        data['admin_details']['created_at'].replace('Z', '+00:00')
    )

    return {
        'access_token': data['access_token'],
        'user_id': data['user']['id'],
        'email': data['user']['email'],
        'admin_since': admin_since,
        'is_verified_admin': data['admin_details']['is_admin']
    }

Security Considerations

This endpoint performs two separate API calls internally. Ensure your Supabase RLS (Row Level Security) policies properly protect the /rest/v1/users endpoint to prevent unauthorized access to user data. If your admin data lives in a non-public schema like users, expose the schema in Settings → API and set header Accept-Profile: users.

Best Practices

  • Rate Limiting: Implement aggressive rate limiting for admin login attempts
  • Audit Logging: Log all admin login attempts for security monitoring
  • Token Management: Use the same token security practices as regular authentication
  • Database Security: Ensure the users table has proper RLS policies

Error Handling

The endpoint provides detailed error responses to help with debugging:
  • 400: Invalid request body or credentials
  • 403: Valid user but not an admin
  • 404: User not found in database
  • 500: Internal server errors (database connectivity, parsing errors)
Each error includes relevant details for troubleshooting while maintaining security best practices.