matrix-spec/data/api/client-server/login.yaml

# Copyright 2016 OpenMarket Ltd
# Copyright 2018 New Vector Ltd
# Copyright 2022 The Matrix.org Foundation C.I.C.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
swagger: '2.0'
info:
  title: "Matrix Client-Server Registration and Login API"
  version: "1.0.0"
host: localhost:8008
schemes:
  - https
  - http
basePath: /_matrix/client/v3
consumes:
  - application/json
produces:
  - application/json
securityDefinitions:
  $ref: definitions/security.yaml
paths:
  "/login":
    get:
      summary: Get the supported login types to authenticate users
      description: |-
        Gets the homeserver's supported login types to authenticate users. Clients
        should pick one of these and supply it as the `type` when logging in.
      operationId: getLoginFlows
      responses:
        200:
          description: The login types the homeserver supports
          examples:
            application/json: {
              "flows": [
                {"type": "m.login.password"}
              ]
            }
          schema:
            type: object
            properties:
              flows:
                type: array
                description: The homeserver's supported login types
                items:
                  type: object
                  title: LoginFlow
                  properties:
                    type:
                      description: |-
                        The login type. This is supplied as the `type` when
                        logging in.
                      type: string
        429:
          description: This request was rate-limited.
          schema:
            "$ref": "definitions/errors/rate_limited.yaml"
      tags:
        - Session management
    post:
      summary: Authenticates the user.
      description: |-
        Authenticates the user, and issues an access token they can
        use to authorize themself in subsequent requests.

        If the client does not supply a `device_id`, the server must
        auto-generate one.

        The returned access token must be associated with the `device_id`
        supplied by the client or generated by the server. The server may
        invalidate any access token previously associated with that device. See
        [Relationship between access tokens and devices](/client-server-api/#relationship-between-access-tokens-and-devices).
      operationId: login
      parameters:
        - in: body
          name: body
          required: true
          schema:
            type: object
            example: {
                "type": "m.login.password",
                "identifier": {
                  "type": "m.id.user",
                  "user": "cheeky_monkey"
                },
                "password": "ilovebananas",
                "initial_device_display_name": "Jungle Phone"
              }
            properties:
              type:
                type: string
                enum: ["m.login.password", "m.login.token"]
                description: The login type being used.
              identifier:
                "$ref": "definitions/user_identifier.yaml"
              user:
                type: string
                description: The fully qualified user ID or just local part of the user ID, to log in.  Deprecated in favour of `identifier`.
              medium:
                type: string
                description: When logging in using a third party identifier, the medium of the identifier. Must be 'email'.  Deprecated in favour of `identifier`.
              address:
                type: string
                description: Third party identifier for the user.  Deprecated in favour of `identifier`.
              password:
                type: string
                description: |-
                  Required when `type` is `m.login.password`. The user's
                  password.
              token:
                type: string
                description: |-
                  Required when `type` is `m.login.token`. Part of Token-based login.
              device_id:
                type: string
                description: |-
                  ID of the client device. If this does not correspond to a
                  known client device, a new device will be created. The given
                  device ID must not be the same as a
                  [cross-signing](/client-server-api/#cross-signing) key ID.
                  The server will auto-generate a device_id
                  if this is not specified.
              initial_device_display_name:
                type: string
                description: |-
                  A display name to assign to the newly-created device. Ignored
                  if `device_id` corresponds to a known device.
              refresh_token:
                type: boolean
                description: |-
                  If true, the client supports refresh tokens.
                x-addedInMatrixVersion: "1.3"
            required: ["type"]

      responses:
        200:
          description: The user has been authenticated.
          examples:
            application/json: {
                "user_id": "@cheeky_monkey:matrix.org",
                "access_token": "abc123",
                "refresh_token": "def456",
                "expires_in_ms": 60000,
                "device_id": "GHTYAJCE",
                "well_known": {
                  "m.homeserver": {
                    "base_url": "https://example.org"
                  },
                  "m.identity_server": {
                    "base_url": "https://id.example.org"
                  }
                }
              }
          schema:
            type: object
            properties:
              user_id:
                type: string
                description: The fully-qualified Matrix ID for the account.
              access_token:
                type: string
                description: |-
                  An access token for the account.
                  This access token can then be used to authorize other requests.
              refresh_token:
                type: string
                description: |-
                  A refresh token for the account. This token can be used to
                  obtain a new access token when it expires by calling the
                  `/refresh` endpoint.
                x-addedInMatrixVersion: "1.3"
              expires_in_ms:
                type: integer
                description: |-
                  The lifetime of the access token, in milliseconds. Once
                  the access token has expired a new access token can be
                  obtained by using the provided refresh token. If no
                  refresh token is provided, the client will need to re-log in
                  to obtain a new access token. If not given, the client can
                  assume that the access token will not expire.
                x-addedInMatrixVersion: "1.3"
              home_server:
                type: string
                description: |-
                  The server_name of the homeserver on which the account has
                  been registered.

                  **Deprecated**. Clients should extract the server_name from
                  `user_id` (by splitting at the first colon) if they require
                  it. Note also that `homeserver` is not spelt this way.
              device_id:
                type: string
                description: |-
                  ID of the logged-in device. Will be the same as the
                  corresponding parameter in the request, if one was specified.
              well_known:
                description: |-
                  Optional client configuration provided by the server. If present,
                  clients SHOULD use the provided object to reconfigure themselves,
                  optionally validating the URLs within. This object takes the same
                  form as the one returned from .well-known autodiscovery.
                allOf:
                  - "$ref": "definitions/wellknown/full.yaml"
            required: ["access_token", "device_id", "user_id"]
        400:
          description: |-
            Part of the request was invalid. For example, the login type may not be recognised.
          examples:
            application/json: {
                  "errcode": "M_UNKNOWN",
                  "error": "Bad login type."
              }
          schema:
            "$ref": "definitions/errors/error.yaml"
        403:
          description: |-
            The login attempt failed. This can include one of the following error codes:
              * `M_FORBIDDEN`: The provided authentication data was incorrect
                or the requested device ID is the same as a cross-signing key
                ID.
              * `M_USER_DEACTIVATED`: The user has been deactivated.
          examples:
            application/json: {
              "errcode": "M_FORBIDDEN"
            }
          schema:
            "$ref": "definitions/errors/error.yaml"
        429:
          description: This request was rate-limited.
          schema:
            "$ref": "definitions/errors/rate_limited.yaml"
      tags:
        - Session management
Add a license to the spec We're licensing hte spec under ASLv2. Add the LICENSE file, and add the short-form to as much of the source as is practical right now (adding it to json source is a massive pita). 8 years ago			`# Copyright 2016 OpenMarket Ltd`
document new login identifier object (#1390) 6 years ago			`# Copyright 2018 New Vector Ltd`
add spec for refresh tokens 3 years ago			`# Copyright 2022 The Matrix.org Foundation C.I.C.`
Add a license to the spec We're licensing hte spec under ASLv2. Add the LICENSE file, and add the short-form to as much of the source as is practical right now (adding it to json source is a massive pita). 8 years ago			`#`
			`# Licensed under the Apache License, Version 2.0 (the "License");`
			`# you may not use this file except in compliance with the License.`
			`# You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`
Swaggerify /login 9 years ago			`swagger: '2.0'`
			`info:`
Replace version numbers with release numbers 9 years ago			`title: "Matrix Client-Server Registration and Login API"`
Swaggerify /login 9 years ago			`version: "1.0.0"`
			`host: localhost:8008`
			`schemes:`
			`- https`
			`- http`
Update client-server API endpoints to move from r0 to v3 (plus whitespace fixes) (#3421) * Blind find & replace all on client major version -> v3 * Fix up bad replacements * Fix anchors for r0->v3 * Changelog 3 years ago			`basePath: /_matrix/client/v3`
Swaggerify /login 9 years ago			`consumes:`
			`- application/json`
			`produces:`
			`- application/json`
			`securityDefinitions:`
Add securityDefintions to generated swagger JSON Also factor out to a common file 9 years ago			`$ref: definitions/security.yaml`
Swaggerify /login 9 years ago			`paths:`
			`"/login":`
Document the GET version of /login Fixes https://github.com/matrix-org/matrix-doc/issues/677 6 years ago			`get:`
			`summary: Get the supported login types to authenticate users`
			`description: \|-`
			`Gets the homeserver's supported login types to authenticate users. Clients`
Change RST code formatting markup to Markdown 4 years ago			should pick one of these and supply it as the `type` when logging in.
Document the GET version of /login Fixes https://github.com/matrix-org/matrix-doc/issues/677 6 years ago			`operationId: getLoginFlows`
			`responses:`
			`200:`
			`description: The login types the homeserver supports`
			`examples:`
			`application/json: {`
			`"flows": [`
			`{"type": "m.login.password"}`
			`]`
			`}`
			`schema:`
			`type: object`
			`properties:`
			`flows:`
			`type: array`
			`description: The homeserver's supported login types`
			`items:`
			`type: object`
			`title: LoginFlow`
			`properties:`
			`type:`
			`description: \|-`
Change RST code formatting markup to Markdown 4 years ago			The login type. This is supplied as the `type` when
Document the GET version of /login Fixes https://github.com/matrix-org/matrix-doc/issues/677 6 years ago			`logging in.`
			`type: string`
			`429:`
			`description: This request was rate-limited.`
			`schema:`
Describe the rate limit error everywhere Fixes https://github.com/matrix-org/matrix-doc/issues/1153 6 years ago			`"$ref": "definitions/errors/rate_limited.yaml"`
Document the GET version of /login Fixes https://github.com/matrix-org/matrix-doc/issues/677 6 years ago			`tags:`
			`- Session management`
Swaggerify /login 9 years ago			`post:`
			`summary: Authenticates the user.`
			`description: \|-`
Update the /login API spec Note that /login can be used with 3pid creds 9 years ago			`Authenticates the user, and issues an access token they can`
Swaggerify /login 9 years ago			`use to authorize themself in subsequent requests.`
Client device doc Document client devices, and the mods to the login and register apis to support them. 8 years ago
Change RST code formatting markup to Markdown 4 years ago			If the client does not supply a `device_id`, the server must
Client device doc Document client devices, and the mods to the login and register apis to support them. 8 years ago			`auto-generate one.`

Change RST code formatting markup to Markdown 4 years ago			The returned access token must be associated with the `device_id`
Client device doc Document client devices, and the mods to the login and register apis to support them. 8 years ago			`supplied by the client or generated by the server. The server may`
			`invalidate any access token previously associated with that device. See`
Fix links in data 4 years ago			`[Relationship between access tokens and devices](/client-server-api/#relationship-between-access-tokens-and-devices).`
Add operationId to all endpoints of all APIs To facilitate generation of API stubs from the spec. Signed-off-by: Alexey Rusakov <ktirf@users.sf.net> 7 years ago			`operationId: login`
Swaggerify /login 9 years ago			`parameters:`
			`- in: body`
			`name: body`
c2s: Add required: true to request bodies 5 years ago			`required: true`
Swaggerify /login 9 years ago			`schema:`
			`type: object`
Format examples as raw objects According the the openapi spec, examples for responses and schemas should be raw objects rather than being json strings. (It's unclear what non-json examples should look like...). The swagger UI used to support json strings, but no longer does. In short, let's turn the json strings into their raw formats. 7 years ago			`example: {`
typo :( 9 years ago			`"type": "m.login.password",`
document new login identifier object (#1390) 6 years ago			`"identifier": {`
			`"type": "m.id.user",`
			`"user": "cheeky_monkey"`
			`},`
Client device doc Document client devices, and the mods to the login and register apis to support them. 8 years ago			`"password": "ilovebananas",`
			`"initial_device_display_name": "Jungle Phone"`
Swaggerify /login 9 years ago			`}`
			`properties:`
Clean up some untruths in the login api doc add "type", and "username" -> "user" 9 years ago			`type:`
			`type: string`
PR feedback Fix some typos, and clarify several aspects of server behaviour. 8 years ago			`enum: ["m.login.password", "m.login.token"]`
			`description: The login type being used.`
document new login identifier object (#1390) 6 years ago			`identifier:`
			`"$ref": "definitions/user_identifier.yaml"`
Clean up some untruths in the login api doc add "type", and "username" -> "user" 9 years ago			`user:`
Swaggerify /login 9 years ago			`type: string`
Change RST code formatting markup to Markdown 4 years ago			description: The fully qualified user ID or just local part of the user ID, to log in. Deprecated in favour of `identifier`.
Update the /login API spec Note that /login can be used with 3pid creds 9 years ago			`medium:`
			`type: string`
Change RST code formatting markup to Markdown 4 years ago			description: When logging in using a third party identifier, the medium of the identifier. Must be 'email'. Deprecated in favour of `identifier`.
Update the /login API spec Note that /login can be used with 3pid creds 9 years ago			`address:`
			`type: string`
Change RST code formatting markup to Markdown 4 years ago			description: Third party identifier for the user. Deprecated in favour of `identifier`.
Swaggerify /login 9 years ago			`password:`
			`type: string`
document CAS login Following the spirit of "document how it is, not how we wish it was", document the CAS login bits. 8 years ago			`description: \|-`
Change RST code formatting markup to Markdown 4 years ago			Required when `type` is `m.login.password`. The user's
document CAS login Following the spirit of "document how it is, not how we wish it was", document the CAS login bits. 8 years ago			`password.`
			`token:`
			`type: string`
			`description: \|-`
Fix links in data 4 years ago			Required when `type` is `m.login.token`. Part of Token-based login.
Client device doc Document client devices, and the mods to the login and register apis to support them. 8 years ago			`device_id:`
			`type: string`
			`description: \|-`
			`ID of the client device. If this does not correspond to a`
apply suggestions from review 4 years ago			`known client device, a new device will be created. The given`
Fix links in data 4 years ago			`device ID must not be the same as a`
			`[cross-signing](/client-server-api/#cross-signing) key ID.`
			`The server will auto-generate a device_id`
apply suggestions from review 4 years ago			`if this is not specified.`
Client device doc Document client devices, and the mods to the login and register apis to support them. 8 years ago			`initial_device_display_name:`
			`type: string`
			`description: \|-`
			`A display name to assign to the newly-created device. Ignored`
Change RST code formatting markup to Markdown 4 years ago			if `device_id` corresponds to a known device.
add spec for refresh tokens 3 years ago			`refresh_token:`
			`type: boolean`
			`description: \|-`
			`If true, the client supports refresh tokens.`
			`x-addedInMatrixVersion: "1.3"`
document CAS login Following the spirit of "document how it is, not how we wish it was", document the CAS login bits. 8 years ago			`required: ["type"]`
Update the /login API spec Note that /login can be used with 3pid creds 9 years ago
Swaggerify /login 9 years ago			`responses:`
			`200:`
			`description: The user has been authenticated.`
			`examples:`
Format examples as raw objects According the the openapi spec, examples for responses and schemas should be raw objects rather than being json strings. (It's unclear what non-json examples should look like...). The swagger UI used to support json strings, but no longer does. In short, let's turn the json strings into their raw formats. 7 years ago			`application/json: {`
Swaggerify /login 9 years ago			`"user_id": "@cheeky_monkey:matrix.org",`
			`"access_token": "abc123",`
add spec for refresh tokens 3 years ago			`"refresh_token": "def456",`
			`"expires_in_ms": 60000,`
Add a mechanism for redirecting clients after login Implements https://github.com/matrix-org/matrix-doc/pull/1730 6 years ago			`"device_id": "GHTYAJCE",`
			`"well_known": {`
			`"m.homeserver": {`
			`"base_url": "https://example.org"`
			`},`
			`"m.identity_server": {`
			`"base_url": "https://id.example.org"`
			`}`
			`}`
Swaggerify /login 9 years ago			`}`
			`schema:`
			`type: object`
			`properties:`
			`user_id:`
			`type: string`
Fix typos and clarify the user ID in login sections 4 years ago			`description: The fully-qualified Matrix ID for the account.`
Swaggerify /login 9 years ago			`access_token:`
			`type: string`
Swagger refresh tokens 9 years ago			`description: \|-`
			`An access token for the account.`
			`This access token can then be used to authorize other requests.`
add spec for refresh tokens 3 years ago			`refresh_token:`
			`type: string`
			`description: \|-`
			`A refresh token for the account. This token can be used to`
			`obtain a new access token when it expires by calling the`
			`/refresh` endpoint.
			`x-addedInMatrixVersion: "1.3"`
			`expires_in_ms:`
			`type: integer`
			`description: \|-`
			`The lifetime of the access token, in milliseconds. Once`
			`the access token has expired a new access token can be`
			`obtained by using the provided refresh token. If no`
Apply suggestions from code review Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> 2 years ago			`refresh token is provided, the client will need to re-log in`
add spec for refresh tokens 3 years ago			`to obtain a new access token. If not given, the client can`
			`assume that the access token will not expire.`
			`x-addedInMatrixVersion: "1.3"`
Swaggerify /login 9 years ago			`home_server:`
			`type: string`
Mark `home_server` field deprecated This is spelt wrong, and is redundant to user_id, so let's stop people using it. 7 years ago			`description: \|-`
Explain how to split an mxid 7 years ago			`The server_name of the homeserver on which the account has`
			`been registered.`
Mark `home_server` field deprecated This is spelt wrong, and is redundant to user_id, so let's stop people using it. 7 years ago
			`Deprecated. Clients should extract the server_name from`
Change RST code formatting markup to Markdown 4 years ago			`user_id` (by splitting at the first colon) if they require
			it. Note also that `homeserver` is not spelt this way.
Client device doc Document client devices, and the mods to the login and register apis to support them. 8 years ago			`device_id:`
			`type: string`
			`description: \|-`
			`ID of the logged-in device. Will be the same as the`
			`corresponding parameter in the request, if one was specified.`
Add a mechanism for redirecting clients after login Implements https://github.com/matrix-org/matrix-doc/pull/1730 6 years ago			`well_known:`
c2s: Make allOf and description siblings throughout the PR The overall mess with allOf will be addressed separately; this PR just puts $ref under allOf to fix the glaring misuse of $ref objects. 4 years ago			`description: \|-`
			`Optional client configuration provided by the server. If present,`
			`clients SHOULD use the provided object to reconfigure themselves,`
			`optionally validating the URLs within. This object takes the same`
			`form as the one returned from .well-known autodiscovery.`
c2s: clean up $ref objects * Most of the changes: align to the $ref object definition (https://tools.ietf.org/html/draft-pbryan-zyp-json-ref-03#section-3) that says that any attribute other than $ref be ignored. * Remove extraneous leading ./ in $ref paths * Fix an apparent typo in registration.yaml: /account/password/msisdn/requestToken used a file from ../identity/* instead of its c2s namesake. 5 years ago			`allOf:`
			`- "$ref": "definitions/wellknown/full.yaml"`
Require `access_token`, `device_id` and `user_id` fields in `/login` response (#1210) 2 years ago			`required: ["access_token", "device_id", "user_id"]`
Clean up some untruths in the login api doc add "type", and "username" -> "user" 9 years ago			`400:`
			`description: \|-`
			`Part of the request was invalid. For example, the login type may not be recognised.`
			`examples:`
Format examples as raw objects According the the openapi spec, examples for responses and schemas should be raw objects rather than being json strings. (It's unclear what non-json examples should look like...). The swagger UI used to support json strings, but no longer does. In short, let's turn the json strings into their raw formats. 7 years ago			`application/json: {`
Clean up some untruths in the login api doc add "type", and "username" -> "user" 9 years ago			`"errcode": "M_UNKNOWN",`
			`"error": "Bad login type."`
			`}`
Give all errors a schema reference This just helps keep an overall structure 6 years ago			`schema:`
			`"$ref": "definitions/errors/error.yaml"`
Swaggerify /login 9 years ago			`403:`
			`description: \|-`
Add M_USER_DEACTIVATED to list of error codes (#2234) Spec PR for [MSC 2181](https://github.com/matrix-org/matrix-doc/pull/2181). Adds the `M_USER_DEACTIVATED` error code and a short description to the client-server API. 5 years ago			`The login attempt failed. This can include one of the following error codes:`
Change RST code formatting markup to Markdown 4 years ago			* `M_FORBIDDEN`: The provided authentication data was incorrect
apply suggestions from review 4 years ago			`or the requested device ID is the same as a cross-signing key`
			`ID.`
Change RST code formatting markup to Markdown 4 years ago			* `M_USER_DEACTIVATED`: The user has been deactivated.
Swaggerify /login 9 years ago			`examples:`
Format examples as raw objects According the the openapi spec, examples for responses and schemas should be raw objects rather than being json strings. (It's unclear what non-json examples should look like...). The swagger UI used to support json strings, but no longer does. In short, let's turn the json strings into their raw formats. 7 years ago			`application/json: {`
Add M_USER_DEACTIVATED to list of error codes (#2234) Spec PR for [MSC 2181](https://github.com/matrix-org/matrix-doc/pull/2181). Adds the `M_USER_DEACTIVATED` error code and a short description to the client-server API. 5 years ago			`"errcode": "M_FORBIDDEN"`
			`}`
Give all errors a schema reference This just helps keep an overall structure 6 years ago			`schema:`
			`"$ref": "definitions/errors/error.yaml"`
Swaggerify /login 9 years ago			`429:`
			`description: This request was rate-limited.`
			`schema:`
Describe the rate limit error everywhere Fixes https://github.com/matrix-org/matrix-doc/issues/1153 6 years ago			`"$ref": "definitions/errors/rate_limited.yaml"`
Generate swagger-ui output for client-server API Depends on: https://github.com/matrix-org/matrix-doc/pull/212 https://github.com/matrix-org/matrix-doc/pull/208 https://github.com/matrix-org/matrix-doc/pull/207 for the actual rendered output to not throw javascript errors at runtime. 9 years ago			`tags:`
			`- Session management`