After a successful POST /api/admin/login, the server creates a session and returns a session cookie. You must include that cookie with every subsequent API request. There are no API keys or bearer tokens; the session cookie is the sole authentication mechanism.
Endpoints
| Method | Path | Description |
|---|---|---|
| POST | /api/admin/login | Authenticate and start a session. |
| POST | /api/admin/logout | Invalidate the current session. |
| GET | /api/admin/me | Return the authenticated user’s details. |
POST /api/admin/login
Validates the provided credentials and opens an admin session.
Request body
The admin account email address. Must be a valid email format.
The admin account password.
Response fields
Human-readable status message.
"Login successful." on success.
Code example
GET /api/admin/me
Returns the session’s current authenticated user. Use this to confirm a session is still active or to retrieve the logged-in user’s details without re-authenticating.
Response fields
"Authenticated user loaded." when the session is valid.
Code example
POST /api/admin/logout
Clears the current admin session. After a successful logout, the session cookie is no longer valid and all protected endpoints will return HTTP 401 until you log in again.
Code example
Error handling
| HTTP status | Condition | Message |
|---|---|---|
| 422 | Credentials did not match any admin account. | "Invalid credentials." |
| 401 | Request reached a protected endpoint without a valid session. | "Unauthorized." |
If you receive a 401 on any endpoint other than /api/admin/me, your session has expired or was never established. Call POST /api/admin/login again to obtain a new session before retrying.
Validation errors on the login request (e.g. missing email or malformed email format) are returned as HTTP 422 with a Laravel validation error body, separate from the invalid-credentials 422 shown above.
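The error-handling rules above, as an added client-side sketch (not code from this API's documentation): it tells the two kinds of 422 apart and re-authenticates at most once after a 401. It assumes the JSON keys `message` and `errors` (the latter being Laravel's standard per-field validation object); `send` and `login` are hypothetical callables that share one cookie jar.

```python
import json


def classify(status, body):
    """Map an admin API response to the action the client should take."""
    try:
        data = json.loads(body) if body else {}
    except ValueError:
        data = {}
    if not isinstance(data, dict):
        data = {}
    if status == 401:
        return "reauthenticate"      # no valid session cookie was presented
    if status == 422:
        # Assumption: only Laravel validation failures carry a per-field
        # "errors" object; the invalid-credentials 422 has just the message.
        if isinstance(data.get("errors"), dict):
            return "fix_request"
        return "bad_credentials"
    return "ok" if 200 <= status < 300 else "unexpected"


def request_with_reauth(send, login, method, path):
    """Send one request; on a 401 log in once and retry once.

    send(method, path) and login() are hypothetical callables supplied by
    the caller. Both return (status, body) and use the same cookie jar, so
    the session cookie set by login() accompanies the retried request.
    """
    status, body = send(method, path)
    # /api/admin/me is the session probe: a 401 there is an answer
    # ("not logged in"), so hand it back instead of logging in implicitly.
    if classify(status, body) != "reauthenticate" or path == "/api/admin/me":
        return status, body
    login_status, login_body = login()
    if classify(login_status, login_body) != "ok":
        # Never loop on a failed login: surface the failure to the caller
        # rather than resubmitting the same credentials.
        return login_status, login_body
    return send(method, path)
```

Keep the cookie jar in memory or in a file readable only by the calling user, and keep the cookie value out of logs: it is the only credential the API checks.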