POST /login
Sign in and issue a server-held token
Performs a real SRP login as the user against the kS, issues a per-user
TE token stored server-side, and returns an opaque sessionId. The
password is used only for the login and is then discarded; the token
never leaves the gateway.
Authentication
No authentication required.
Request
| Field | Type | Required | Description |
|---|---|---|---|
user | string | yes | kS username. |
password | string | yes | kS password (used only to SRP-login; discarded after the token is issued). |
Example
{
"user": "alice",
"password": "********"
}
Responses
200
Logged in; session created.
| Field | Type | Required | Description |
|---|---|---|---|
sessionId | string | yes | Opaque session id. Echo it back in X-Session on authenticated calls. |
user | string | yes | |
systemId | integer | yes | kS system identifier for the principal. (Judgment call: documented as a numeric engine system id; serialized verbatim by the gateway.) |
principalId | string | yes | Principal identifier, hex-encoded (16 hex chars). |
hasToken | boolean | yes | True when a TE token was issued and stored server-side for this session. |
Example
{
"sessionId": "9f3c1ab7d2e4...48hex",
"user": "alice",
"systemId": 1001,
"principalId": "a1b2c3d4e5f60718",
"hasToken": true
}
400
Validation error: missing fields, invalid JSON, or body > 1 MB.
401
Wrong credential (WRONG_CREDENTIAL / credential / empty data).
502
Login failed for a non-credential reason (kS unreachable).
Error handling
This endpoint can return the statuses below. For request bodies and the client action per status, see the full error contract.
| Status | Meaning |
|---|---|
400 | Validation error: missing fields, invalid JSON, or body > 1 MB. |
401 | Wrong credential (WRONG_CREDENTIAL / credential / empty data). |
502 | Login failed for a non-credential reason (kS unreachable). |