POST /login-admin

Enhanced authentication endpoint specifically for administrators. This endpoint performs standard user authentication and then verifies admin privileges with a REST API lookup against the user database.

Overview

The admin login endpoint authenticates in two steps and then assembles the combined response:
  1. Standard Authentication: Validates user credentials using the OAuth2 password grant
  2. Admin Verification: Queries the user database to verify admin privileges
  3. Combined Response: Returns authentication tokens plus admin-specific user details
This endpoint requires the user to have is_admin: true in the user database. Non-admin users receive a 403 Forbidden response even with valid credentials.

Request

curl -X POST "http://localhost:8080/login-admin" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "admin@example.com",
    "password": "securepassword123"
  }'

Request Body

email (string, required)
  Administrator's email address
password (string, required)
  Administrator's password

Response

access_token (string)
  JWT access token for authenticating API requests
token_type (string)
  Token type, always "bearer"
expires_in (integer)
  Token expiration time in seconds (typically 3600 for 1 hour)
expires_at (integer)
  Token expiration timestamp (Unix timestamp)
refresh_token (string)
  Refresh token for obtaining new access tokens
user (object)
  Standard user information object from authentication
admin_details (object)
  Additional admin-specific user details from database lookup
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhdXRoZW50aWNhdGVkIiwiZXhwIjoxNjQwOTk1MjAwLCJpYXQiOjE2NDA5MDg4MDAsImlzcyI6Imh0dHBzOi8veW91ci1wcm9qZWN0LnN1cGFiYXNlLmNvL2F1dGgvdjEiLCJzdWIiOiIyNmEyMGFmMC0xMDlkLTQzZTAtYWUzOC0yZTM1MTQ4ZmZmNjQiLCJlbWFpbCI6ImFkbWluQGV4YW1wbGUuY29tIiwicm9sZSI6ImF1dGhlbnRpY2F0ZWQifQ...",
  "token_type": "bearer",
  "expires_in": 3600,
  "expires_at": 1640995200,
  "refresh_token": "refresh_token_string_here",
  "user": {
    "id": "26a20af0-109d-43e0-ae38-2e35148fff64",
    "aud": "authenticated",
    "role": "authenticated",
    "email": "admin@example.com",
    "phone": null,
    "email_confirmed_at": "2023-01-01T00:00:00Z",
    "phone_confirmed_at": null,
    "last_sign_in_at": "2023-01-01T12:00:00Z",
    "app_metadata": {
      "provider": "email",
      "providers": ["email"]
    },
    "user_metadata": {
      "first_name": "Admin",
      "last_name": "User"
    },
    "created_at": "2023-01-01T00:00:00Z",
    "updated_at": "2023-01-01T12:00:00Z"
  },
  "admin_details": {
    "id": "26a20af0-109d-43e0-ae38-2e35148fff64",
    "email": "admin@example.com",
    "is_admin": true,
    "created_at": "2023-01-01T00:00:00Z"
  }
}

Error Responses

{
  "code": 400,
  "error_code": "invalid_credentials",
  "msg": "Invalid login credentials"
}

Authentication Flow

The admin login process involves multiple steps with comprehensive error handling:
  1. Initial Authentication: User credentials are validated using the standard OAuth2 password grant flow
  2. User ID Extraction: The user UUID is extracted from the successful authentication response
  3. Database Lookup: A REST API call is made to /rest/v1/users?id=eq.<UUID> with header Accept-Profile: users to fetch details from the users.users table (ensure the users schema is exposed in Supabase Settings → API)
  4. Admin Verification: The is_admin field is checked in the database response
  5. Response Assembly: Authentication tokens and admin details are combined into the final response
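The five steps above, written out as a server-side handler. This is an added example, not StrikeBet's own implementation: the HTTP layer is passed in as two callables (post and get) so the flow can run offline against the constructed fake auth server and fake users.users table at the bottom, and SUPABASE_URL, SUPABASE_ANON_KEY and every error_code other than invalid_credentials are assumed placeholders rather than values from the page.

```python
import hmac

# Assumed placeholders for the project URL and anon key the endpoint would read
# from its configuration.
SUPABASE_URL = "https://your-project.supabase.co"
SUPABASE_ANON_KEY = "anon-key-placeholder"


class AdminAuthError(Exception):
    """Carries the HTTP status and error body the endpoint should answer with."""

    def __init__(self, status, error_code, msg):
        super().__init__(msg)
        self.status = status
        self.error_code = error_code


def admin_login(email, password, post, get):
    """Run the flow; post/get return (status, parsed_json) so no network is needed."""
    # Step 1: standard OAuth2 password grant against the auth server.
    status, body = post(
        f"{SUPABASE_URL}/auth/v1/token?grant_type=password",
        {"apikey": SUPABASE_ANON_KEY, "Content-Type": "application/json"},
        {"email": email, "password": password},
    )
    if status != 200:
        # Keep the message generic: never say whether email or password was wrong.
        raise AdminAuthError(400, "invalid_credentials", "Invalid login credentials")

    # Step 2: the user UUID comes from the authentication response.
    user_id = body["user"]["id"]

    # Step 3: look the user up in users.users. Accept-Profile selects the schema;
    # the user's own access token is forwarded so RLS is evaluated as that user.
    status, rows = get(
        f"{SUPABASE_URL}/rest/v1/users?id=eq.{user_id}&select=id,email,is_admin,created_at",
        {"apikey": SUPABASE_ANON_KEY,
         "Authorization": f"Bearer {body['access_token']}",
         "Accept-Profile": "users"},
    )
    if status != 200:
        raise AdminAuthError(500, "lookup_failed", "User lookup failed")  # assumed code
    if not rows:
        raise AdminAuthError(404, "user_not_found", "User not found in database")  # assumed

    # Step 4: admin verification. Compare with `is True` so a NULL or a truthy
    # string in the column can never pass as admin.
    record = rows[0]
    if record.get("is_admin") is not True:
        raise AdminAuthError(403, "not_admin", "Admin privileges required")  # assumed code

    # Step 5: tokens plus admin details in one response.
    return {**body, "admin_details": record}


def login_status(email, password, post, get):
    """HTTP status the endpoint would answer with for these credentials."""
    try:
        admin_login(email, password, post, get)
        return 200
    except AdminAuthError as err:
        return err.status


# Constructed fake backend data. The admin UUID matches the page's sample response;
# orphan@example.com exists in auth but has no users.users row, which yields 404.
FAKE_ACCOUNTS = {
    "admin@example.com": ("26a20af0-109d-43e0-ae38-2e35148fff64", "securepassword123"),
    "user@example.com": ("11111111-1111-4111-8111-111111111111", "userpassword"),
    "orphan@example.com": ("22222222-2222-4222-8222-222222222222", "orphanpassword"),
}
FAKE_USERS_TABLE = {
    "26a20af0-109d-43e0-ae38-2e35148fff64": {
        "id": "26a20af0-109d-43e0-ae38-2e35148fff64", "email": "admin@example.com",
        "is_admin": True, "created_at": "2023-01-01T00:00:00Z"},
    "11111111-1111-4111-8111-111111111111": {
        "id": "11111111-1111-4111-8111-111111111111", "email": "user@example.com",
        "is_admin": False, "created_at": "2023-02-01T00:00:00Z"},
}


def fake_post(url, headers, payload):
    """Fake auth server: password grant only, constant-time password compare."""
    account = FAKE_ACCOUNTS.get(payload.get("email", ""))
    if account is None or not hmac.compare_digest(account[1], payload.get("password", "")):
        return 400, {"error_code": "invalid_credentials", "msg": "Invalid login credentials"}
    user_id = account[0]
    return 200, {
        "access_token": f"fake-jwt-for-{user_id}", "token_type": "bearer",
        "expires_in": 3600, "refresh_token": "fake-refresh-token",
        "user": {"id": user_id, "email": payload["email"], "role": "authenticated"},
    }


def fake_get(url, headers):
    """Fake PostgREST: honours only id=eq.<uuid> and requires the users profile."""
    if headers.get("Accept-Profile") != "users":
        return 404, []  # schema not selected, as when it is not exposed in the API settings
    user_id = url.split("id=eq.", 1)[1].split("&", 1)[0]
    row = FAKE_USERS_TABLE.get(user_id)
    return 200, [row] if row else []
```

The `is True` comparison in step 4 is the check that matters: a policy that only tests truthiness would accept a stray non-empty string or a mis-typed column, and a lookup that returns no rows is reported as 404 rather than silently treated as "not admin", which matches the error table further down this page.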

Use Cases

Admin Dashboard Access

Use this endpoint for admin-only applications like admin dashboards:
JavaScript
const adminLogin = async (email, password) => {
  try {
    const response = await fetch("/login-admin", {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ email, password }),
    });

    if (!response.ok) {
      if (response.status === 403) {
        throw new Error("Access denied: Admin privileges required");
      }
      throw new Error("Login failed");
    }

    const data = await response.json();

    // Store tokens for subsequent API calls.
    // Caveat: localStorage is readable by any script running on the origin, so an
    // XSS bug exposes both tokens; keeping the access token in memory and the
    // refresh token in an httpOnly cookie is the safer layout where the app allows it.
    localStorage.setItem("access_token", data.access_token);
    localStorage.setItem("refresh_token", data.refresh_token);

    // Access admin-specific data
    console.log("Admin since:", data.admin_details.created_at);

    return data;
  } catch (error) {
    console.error("Admin login failed:", error.message);
    throw error;
  }
};

API Integration

For backend services that need to verify admin status:
Python
import requests
from datetime import datetime

def authenticate_admin(email, password):
    """Authenticate an admin user and return enriched user data"""

    response = requests.post('http://localhost:8080/login-admin', json={
        'email': email,
        'password': password
    }, timeout=10)  # never block indefinitely on a hung auth backend

    if response.status_code == 400:
        raise ValueError('Invalid credentials')
    elif response.status_code == 403:
        raise PermissionError('User is not an admin')
    elif response.status_code != 200:
        raise RuntimeError(f'Authentication failed: {response.status_code}')

    data = response.json()

    # Process admin details
    admin_since = datetime.fromisoformat(
        data['admin_details']['created_at'].replace('Z', '+00:00')
    )

    return {
        'access_token': data['access_token'],
        'user_id': data['user']['id'],
        'email': data['user']['email'],
        'admin_since': admin_since,
        'is_verified_admin': data['admin_details']['is_admin']
    }

Security Considerations

This endpoint performs two separate API calls internally. Ensure your Supabase RLS (Row Level Security) policies properly protect the /rest/v1/users endpoint to prevent unauthorized access to user data. If your admin data lives in a non-public schema like users, expose the schema in Settings → API and set header Accept-Profile: users.

Best Practices

  • Rate Limiting: Implement aggressive rate limiting for admin login attempts
  • Audit Logging: Log all admin login attempts for security monitoring
  • Token Management: Use the same token security practices as regular authentication
  • Database Security: Ensure the users table has proper RLS policies
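The first two best practices, rate limiting and audit logging, as an added example that is not part of StrikeBet's code. It keeps a sliding window of failed attempts per client IP and email pair, locks the pair out after a threshold, and writes one JSON audit line per attempt, block and lockout; the threshold, window, lockout duration and the IP/email key are assumptions, and the in-memory dictionaries stand in for the shared store (Redis or similar) a multi-instance deployment would use. Note that `record` is never handed the password, so it cannot end up in the log.

```python
import json
import time
from collections import deque


class AdminLoginGuard:
    """Sliding-window lockout plus audit trail for /login-admin attempts."""

    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures      # assumed threshold
        self.window = window_seconds          # assumed failure window
        self.lockout = lockout_seconds        # assumed lockout length
        self.clock = clock                    # injectable for deterministic tests
        self._failures = {}                   # key -> deque of failure timestamps
        self._locked_until = {}               # key -> unix time the lockout ends
        self.audit_log = []                   # JSON lines; ship these to your SIEM

    @staticmethod
    def _key(client_ip, email):
        return f"{client_ip}|{email.strip().lower()}"

    def allow(self, client_ip, email):
        """True if the attempt may proceed, False while the pair is locked out."""
        now = self.clock()
        until = self._locked_until.get(self._key(client_ip, email), 0)
        if now < until:
            self._audit("admin_login_blocked", client_ip, email,
                        retry_after=int(until - now))
            return False
        return True

    def record(self, client_ip, email, status, user_id=None):
        """Log the outcome; every non-200 status (400, 403, 404, 500) counts as a failure."""
        now = self.clock()
        key = self._key(client_ip, email)
        self._audit("admin_login_attempt", client_ip, email, status=status, user_id=user_id)
        if status == 200:
            self._failures.pop(key, None)     # success resets the window
            return
        window = self._failures.setdefault(key, deque())
        window.append(now)
        while window and now - window[0] > self.window:
            window.popleft()                  # drop failures older than the window
        if len(window) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            self._audit("admin_login_lockout", client_ip, email, failures=len(window))

    def _audit(self, event, client_ip, email, **fields):
        entry = {"ts": self.clock(), "event": event,
                 "client_ip": client_ip, "email": email, **fields}
        self.audit_log.append(json.dumps(entry, sort_keys=True))


def demo():
    """Deterministic walkthrough with a fake clock; returns what was observed."""
    clock = [1_000.0]
    guard = AdminLoginGuard(clock=lambda: clock[0])
    ip, email = "203.0.113.5", "admin@example.com"     # constructed sample values
    allowed_before = []
    for _ in range(5):                                  # five bad passwords in a row
        allowed_before.append(guard.allow(ip, email))
        guard.record(ip, email, status=400)
    blocked = not guard.allow(ip, email)
    other_ip_allowed = guard.allow("203.0.113.9", email)
    clock[0] += 901                                     # lockout has expired
    allowed_after = guard.allow(ip, email)
    return {
        "allowed_before_lockout": all(allowed_before),
        "blocked_during_lockout": blocked,
        "other_ip_allowed": other_ip_allowed,
        "allowed_after_lockout": allowed_after,
        "lockout_logged": any('"event": "admin_login_lockout"' in line
                              for line in guard.audit_log),
        "audit_lines": len(guard.audit_log),
    }
```

Keying on the IP and email pair rather than the IP alone stops one noisy NAT from locking out every administrator behind it, while still throttling a single source that cycles through many accounts only once the per-email threshold is reached; a second, looser per-IP counter is the usual complement if that distribution of attempts is a concern.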

Error Handling

The endpoint provides detailed error responses to help with debugging:
  • 400: Invalid request body or credentials
  • 403: Valid user but not an admin
  • 404: User not found in database
  • 500: Internal server errors (database connectivity, parsing errors)
Each error includes relevant details for troubleshooting while maintaining security best practices.