Login
Provides what existing API consumers need to sign in and reach their accounts, keys, and other information about their API consumption. A login lets any consumer of an API reach the resources they need to decide whether to integrate, expand, or deprecate their use of the API, which is what consumers have come to expect.
Also known as: Sign In, SSO, Authentication UX, Session
Example
Standards
- OpenID Foundation OpenID Connect Core 1.0
- OpenID Foundation OpenID Connect Discovery 1.0
- IETF RFC 6749 — OAuth 2.0 Authorization Framework
- IETF RFC 8252 — OAuth 2.0 for Native Apps
- IETF RFC 7636 — Proof Key for Code Exchange (PKCE)
- IETF RFC 8628 — OAuth 2.0 Device Authorization Grant
- IETF RFC 9700 — Best Current Practice for OAuth 2.0 Security
- IETF RFC 6265 — HTTP State Management Mechanism (Cookies)
- W3C WebAuthn Level 3
- FIDO Alliance FIDO2 / CTAP
- OASIS SAML 2.0 Web Browser SSO Profile
- NIST SP 800-63B — Digital Identity Guidelines: Authentication and Lifecycle Management
- OpenID Foundation CAEP — Continuous Access Evaluation Profile
HTTP Headers
| Header | Direction | Spec | Description |
|---|---|---|---|
| Authorization | request | RFC 9110 §11.6.2 | Bearer or session-bound tokens issued at login. |
| Set-Cookie | response | RFC 6265 | Session cookies issued post-login; set the Secure, HttpOnly and SameSite attributes. |
| Cookie | request | RFC 6265 | Client returns the session cookie on subsequent requests. |
| WWW-Authenticate | response | RFC 9110 §11.6.1 | Challenge sent with a 401 naming the authentication scheme the client must use; interactive clients typically start a login flow in response. |
Status Codes
- 302 Found — RFC 9110 §15.4.3 — Common redirect to an OIDC/SAML login endpoint.
- 401 Unauthorized — RFC 9110 §15.5.2 — Session missing or expired; the response carries a WWW-Authenticate challenge and the client should re-authenticate.
- 403 Forbidden — RFC 9110 §15.5.4 — Authenticated but lacking the required permission or MFA assurance level.
Well-Known Paths
- /.well-known/openid-configuration — OpenID Connect Discovery 1.0 — Advertises authorization_endpoint, token_endpoint, jwks_uri, and supported scopes/claims.
- /.well-known/oauth-authorization-server — RFC 8414 — OAuth 2.0 authorization-server metadata.
- /.well-known/webfinger — RFC 7033 — Account discovery prior to OIDC login.
- /.well-known/assetlinks.json — Android App Links — Native-app login deep-link verification.
- /.well-known/apple-app-site-association — Apple Universal Links — Native-app login deep-link verification.
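A relying party should check a discovery document before trusting the endpoints it advertises; in particular the issuer value must be identical to the URL prefix the document was fetched from (OIDC Discovery §4.3), otherwise a spoofed or mixed-up document can point the client at attacker-controlled endpoints. The following is an added example in Python, not code from this page or from any provider listed on it. The discovery document is constructed inline and the issuer https://login.example.com is hypothetical.

```python
"""Validate an OpenID Connect discovery document before trusting its endpoints.

Added example; the metadata below is constructed inline and the issuer
https://login.example.com is hypothetical. Real clients fetch the document
from <issuer>/.well-known/openid-configuration over HTTPS.
"""
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample discovery document (not from any real provider).
SAMPLE_METADATA = json.dumps({
    "issuer": "https://login.example.com",
    "authorization_endpoint": "https://login.example.com/authorize",
    "token_endpoint": "https://login.example.com/oauth/token",
    "jwks_uri": "https://login.example.com/.well-known/jwks.json",
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
    "scopes_supported": ["openid", "profile", "email"],
})


def expected_issuer(config_url: str) -> str:
    """The issuer a discovery URL implies: the URL minus the well-known suffix."""
    if not config_url.endswith(WELL_KNOWN):
        raise ValueError("not a discovery URL: " + config_url)
    return config_url[: -len(WELL_KNOWN)]


def validate_discovery(config_url: str, body: str) -> dict:
    """Return parsed metadata, or raise ValueError naming the failed check."""
    meta = json.loads(body)
    issuer = meta.get("issuer")
    # OIDC Discovery §4.3: issuer MUST be identical to the prefix of the URL
    # the document was fetched from. A mismatch means a spoofed document or
    # a mix-up between providers, so none of the endpoints may be used.
    if issuer != expected_issuer(config_url):
        raise ValueError(f"issuer mismatch: {issuer!r} vs {config_url!r}")
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise ValueError("issuer must be https with no query or fragment")
    # Every endpoint the client will call carries codes or tokens: https only.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = meta.get(key, "")
        if urlsplit(url).scheme != "https":
            raise ValueError(f"{key} missing or not https: {url!r}")
    # Capabilities a hardened code-flow client depends on.
    if "code" not in meta.get("response_types_supported", []):
        raise ValueError("provider does not support response_type=code")
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        raise ValueError("provider does not advertise PKCE S256")
    return meta


def discovery_ok(config_url: str, body: str) -> bool:
    """Boolean form of validate_discovery for callers that only need accept/reject."""
    try:
        validate_discovery(config_url, body)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good = "https://login.example.com" + WELL_KNOWN
    print(validate_discovery(good, SAMPLE_METADATA)["token_endpoint"])
    print(discovery_ok("https://idp.example.net" + WELL_KNOWN, SAMPLE_METADATA))  # False
```

The issuer comparison is a plain string equality on purpose: normalising case, trailing slashes or ports would reintroduce the ambiguity the check exists to remove. Endpoint hosts are allowed to differ from the issuer host, since several large providers serve the token endpoint from a different domain, so only the scheme is enforced there.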
Media Types
- application/x-www-form-urlencoded — RFC 6749 §3.2 — Token endpoint requests.
- application/json — RFC 6749 §5.1, OIDC Core §5.3.2 — Token endpoint responses carrying the ID Token, and UserInfo responses.
- application/jwt — RFC 7519 — ID Tokens issued at login (OIDC Core §2).
OpenAPI Expression
- components.securitySchemes (OpenAPI 3.x) — Types: oauth2, openIdConnect
- components.securitySchemes.*.flows.authorizationCode (OpenAPI 3.x) — Declares the authorizationUrl and tokenUrl surfaced by a login flow.
Link Relations
- authorization_endpoint — OIDC Discovery (metadata key, not a Link header)
- end_session_endpoint — OpenID Connect RP-Initiated Logout 1.0
- token_endpoint — OIDC Discovery
Governance Rules
- owasp:api2:2023-no-http-basic (Vacuum / Spectral OWASP ruleset) — Avoid HTTP Basic in interactive login surfaces.
- oas-security-defined (Spectral built-in) — Operations behind login must declare a security requirement.
Risk & Compliance
OWASP:
- OWASP API Security Top 10: API2:2023 Broken Authentication
- OWASP Top 10 (web): A07:2021 Identification and Authentication Failures
Compliance:
- NIST SP 800-63B AAL2/AAL3 — multi-factor authentication; AAL3 additionally requires phishing-resistant (verifier-impersonation-resistant) authenticators
- PSD2 RTS SCA — strong customer authentication for EU payments
- GDPR Art. 32 — appropriate technical measures for account access
- SOC 2 CC6.1 — logical access controls
Security: Login is among the highest-value attack surfaces an API exposes. Require PKCE (S256) for every client using the authorization code grant (RFC 9700), match redirect URIs exactly against the registered list, protect form posts with anti-CSRF tokens and bind OAuth flows with the state parameter, prefer phishing-resistant factors (WebAuthn/passkeys), keep access-token lifetimes short and rotate refresh tokens with reuse detection, apply account lockout or back-off against credential stuffing, and flag device/browser fingerprint anomalies.
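The authorization-server side of several of these controls, namely PKCE with S256, exact redirect_uri matching, single-use authorization codes, and refresh-token rotation with reuse detection, as an added example in Python. This is not code from this page or from any product listed under Tools; the client id spa-console, the redirect URI, the token lifetimes and the in-memory stores are assumptions made for illustration.

```python
"""Authorization-server checks for a hardened login flow: PKCE (S256),
exact redirect_uri matching, single-use codes, and refresh-token rotation
with reuse detection. Added example; storage is in-memory and the client,
URIs and lifetimes are hypothetical.
"""
import base64
import hashlib
import hmac
import secrets
import time

# Registered clients with exact redirect URIs: no prefix or wildcard matching.
CLIENTS = {"spa-console": {"redirect_uris": {"https://console.example.com/cb"}}}
AUTH_CODES: dict[str, dict] = {}       # code -> grant record (single use)
REFRESH_TOKENS: dict[str, dict] = {}   # refresh token -> {family, user, used, exp}
REVOKED_FAMILIES: set[str] = set()
CODE_TTL, ACCESS_TTL, REFRESH_TTL = 60, 300, 30 * 86400   # seconds (assumed policy)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_pkce_pair() -> tuple[str, str]:
    """Client side (RFC 7636): high-entropy verifier and its S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))              # 43 chars
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())


def authorize(client_id: str, redirect_uri: str, code_challenge: str, user: str) -> str:
    """Authorization endpoint: validate client and redirect_uri, mint a code."""
    client = CLIENTS.get(client_id)
    if client is None:
        raise PermissionError("unknown client")
    # Exact string match (RFC 9700): a different path, port, scheme or a
    # path-traversal suffix on a registered URI is rejected outright.
    if redirect_uri not in client["redirect_uris"]:
        raise PermissionError("redirect_uri not registered")
    if len(code_challenge) != 43:                # S256 challenge is always 43 chars
        raise PermissionError("code_challenge missing or malformed")
    code = b64url(secrets.token_bytes(32))
    AUTH_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                        "challenge": code_challenge, "user": user,
                        "exp": time.time() + CODE_TTL}
    return code


def exchange_code(client_id: str, code: str, redirect_uri: str, code_verifier: str) -> dict:
    """Token endpoint, authorization_code grant with PKCE verification."""
    rec = AUTH_CODES.pop(code, None)             # consumed even if a check fails
    if rec is None or rec["exp"] < time.time() or rec["client_id"] != client_id:
        raise PermissionError("invalid or expired code")
    if rec["redirect_uri"] != redirect_uri:
        raise PermissionError("redirect_uri mismatch")
    expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
    if not hmac.compare_digest(expected, rec["challenge"]):
        raise PermissionError("PKCE verification failed")
    return _issue_tokens(rec["user"], family=secrets.token_hex(8))


def _issue_tokens(user: str, family: str) -> dict:
    """Short-lived access token plus a refresh token tagged with its family."""
    refresh_token = b64url(secrets.token_bytes(32))
    REFRESH_TOKENS[refresh_token] = {"family": family, "user": user, "used": False,
                                     "exp": time.time() + REFRESH_TTL}
    return {"access_token": b64url(secrets.token_bytes(32)),
            "expires_in": ACCESS_TTL, "refresh_token": refresh_token}


def refresh(refresh_token: str) -> dict:
    """Token endpoint, refresh_token grant: rotate, and detect replay."""
    rec = REFRESH_TOKENS.get(refresh_token)
    if rec is None or rec["exp"] < time.time():
        raise PermissionError("invalid refresh token")
    if rec["family"] in REVOKED_FAMILIES:
        raise PermissionError("token family revoked")
    if rec["used"]:
        # A rotated token came back: someone (client or thief) holds a stale copy.
        # Revoke the whole family so the newest token is dead too (RFC 9700).
        REVOKED_FAMILIES.add(rec["family"])
        raise PermissionError("refresh token reuse detected; family revoked")
    rec["used"] = True
    return _issue_tokens(rec["user"], rec["family"])


def denied(fn, *args) -> bool:
    """True when the server rejects the call; used to show the failure paths."""
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    cb = "https://console.example.com/cb"
    code = authorize("spa-console", cb, challenge, "alice")
    first = exchange_code("spa-console", code, cb, verifier)
    second = refresh(first["refresh_token"])
    print("replay of old refresh token denied:", denied(refresh, first["refresh_token"]))
    print("newest token also revoked:", denied(refresh, second["refresh_token"]))
```

Two design points worth noting: the authorization code is popped from the store before any check runs, so a failed PKCE attempt burns the code rather than leaving it available for a second try; and reuse detection revokes the entire token family, not just the replayed token, because the server cannot tell whether the legitimate client or a thief presented the stale copy.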
Tools
- Auth0 — Hosted login / IdP
- Okta — Hosted login / IdP
- Clerk — Hosted login (dev-focused)
- WorkOS — Enterprise SSO / SAML
- Keycloak — Self-hosted IdP (Apache-2.0)
- Hanko / Passage / SimpleWebAuthn — Passkeys / WebAuthn (SimpleWebAuthn is MIT-licensed)
Suggested Metrics
- login_success_rate — Successful logins over total attempts; primary UX and abuse signal.
- mfa_challenge_rate — Fraction of logins that prompt a second factor.
- passkey_adoption_rate — Share of accounts with at least one registered WebAuthn credential.
- account_lockout_events — Count of accounts temporarily locked after repeated failed attempts.
- session_duration_p50 — Median active-session duration; informs idle-timeout policy.
Example Implementations
- GitHub — Password + TOTP/WebAuthn, OAuth, SSO for organizations, passkeys.
- Google — OIDC issuer with discovery, Sign-In with Google, passkeys.
- Microsoft Graph — Entra ID OIDC, conditional access, FIDO2.
- Slack — Workspace login, Sign in with Slack (OIDC), enterprise SSO.
Related Properties
Tags
- Onboarding
- Accounts