Skip to main content
POST
/
api
/
v1
/
users
/
login-pin
curl --request POST \
  --url https://crypto.westminister.tech/api/v1/users/login-pin \
  --header 'Content-Type: application/json' \
  --data '
{
  "email": "user@example.com",
  "pin": "123456"
}
'
{
  "access_token": "v2.local.eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_token": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "token_type": "bearer",
  "expires_in": 900,
  "user": {
    "id": "5c81c005-1c52-4e0d-85e2-862ee1cdd4d0",
    "email": "user@example.com",
    "phone_number": "+254712345678",
    "first_name": "John",
    "last_name": "Doe",
    "role": "customer",
    "kyc_status": "pending"
  }
}

Body

application/json

Login using a 6-digit PIN and an identifier (email or phone number).

pin
string
required

6-digit numeric PIN set by the user during sign-up or via a separate PIN setup flow.

Pattern: ^[0-9]{6}$
Example:

"123456"

email
string<email>

User email address. Required if phone_number is not provided.

Example:

"user@example.com"

phone_number
string

User phone number in E.164 format (e.g., +254712345678). Required if email is not provided.

Example:

"+254712345678"

Response

Login successful

Authentication response returned by login endpoints.

access_token
string

Short-lived PASETO bearer token used for authenticated API calls.

Example:

"v4.local.eyJzdWIiOiJ1c2VyLWlkIiwicm9sZSI6InVzZXIifQ..."

refresh_token
string

Long-lived refresh token used to obtain new access tokens. Store securely and never expose in URLs or logs.

Example:

"a1b2c3d4-e5f6-7890-abcd-ef1234567890"

token_type
string

Token type, typically 'bearer'.

Example:

"bearer"

expires_in
integer<int64>

Access token lifetime in seconds.

Example:

900

user
object