POST /{locale}/shop/auth/login
curl -X POST "https://staging-api.loyalty.lt/en/shop/auth/login" \
  -H "X-API-Key: your_api_key" \
  -H "X-API-Secret: your_api_secret" \
  -H "Content-Type: application/json" \
  -d '{
    "phone": "+37060000000",
    "otp": "123456",
    "device_name": "iPhone 13"
  }'
{
  "success": true,
  "message": "Login successful",
  "data": {
    "user": {
      "id": 123,
      "phone": "+37060000000",
      "email": "user@example.com",
      "name": "Jonas Jonaitis",
      "phone_verified_at": "2024-01-15T10:30:00Z",
      "created_at": "2024-01-01T00:00:00Z"
    },
    "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
    "refresh_token": "refresh_token_string_here",
    "expires_in": 3600
  }
}

Login with OTP

Authenticate a user using their phone number and the OTP code received via SMS. This endpoint returns a JWT token for subsequent API calls.
OTP codes must be verified within 5 minutes of generation. After 3 failed attempts, a new OTP must be requested.
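The verification rule above (5-minute validity, 3 failed attempts) could be enforced server-side as in this added sketch. It is not Loyalty.lt's implementation; OtpStore, its method names, the result strings and the in-memory dictionary are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 5 * 60   # page: verify within 5 minutes of generation
MAX_FAILED_ATTEMPTS = 3    # page: after 3 failures a new OTP must be requested


class OtpStore:
    """In-memory challenge store keyed by phone (hypothetical, for illustration)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)   # per-process HMAC key for stored digests
        self._challenges = {}                 # phone -> [digest, issued_at, failures]

    def _digest(self, phone, otp):
        # Keyed digest: the store never holds the 6-digit code in the clear.
        return hmac.new(self._key, f"{phone}:{otp}".encode(), hashlib.sha256).digest()

    def issue(self, phone):
        """Create a fresh 6-digit code, replacing any earlier challenge for this phone."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self._challenges[phone] = [self._digest(phone, otp), self._clock(), 0]
        return otp   # handed to the SMS sender, never logged

    def verify(self, phone, otp):
        """Return 'ok', 'invalid', 'expired', 'locked' or 'no_challenge'."""
        entry = self._challenges.get(phone)
        if entry is None:
            return "no_challenge"
        digest, issued_at, failures = entry
        if self._clock() - issued_at > OTP_TTL_SECONDS:
            del self._challenges[phone]
            return "expired"
        if failures >= MAX_FAILED_ATTEMPTS:
            return "locked"   # stays locked until issue() is called again
        if hmac.compare_digest(digest, self._digest(phone, otp)):
            del self._challenges[phone]   # single use: a replayed code finds no challenge
            return "ok"
        entry[2] = failures + 1
        return "invalid"
```

Failures are counted per issued code rather than per client address, so each code allows at most three guesses out of 1,000,000 regardless of where the requests come from.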

Request Body

phone (string, required): User’s phone number in international format (same as used for OTP request)
otp (string, required): 6-digit OTP code received via SMS
device_name (string): Optional device identifier for session tracking

Response

success (boolean): Indicates if the login was successful
message (string): Human-readable message about the operation
data (object)

Token Usage

After successful login, use the JWT token for authenticated requests:
curl -X GET "https://staging-api.loyalty.lt/en/shop/auth/me" \
  -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..." \
  -H "Content-Type: application/json"

Security Best Practices

Token Storage: Store tokens securely using platform-specific secure storage:
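  • Web: HttpOnly cookies (preferred; page scripts cannot read them) or secure localStorage (readable by any script on the page, so it depends on the page being free of XSS)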
  • Mobile: Keychain (iOS) or Keystore (Android)
  • Server: Environment variables or secure configuration
Never expose tokens in:
  • URL parameters
  • Browser console logs
  • Version control systems
  • Client-side JavaScript source
