Complete Login
/web/v1/system/auth/login/complete NoneSecure Channel Required
This endpoint requires Secure Channel v2 encryption. All request and response payloads are encrypted in transit. See Secure Channel Protocol for full protocol details.
Required Gateway Headers
All API requests require gateway headers. See Required Headers for the complete list. In local/test environments, you must also include Cloudflare simulation headers (CF-Connecting-IP, Cf-Ray, cf-ipcountry).
Completes the login flow by verifying the MFA code or credentials and issuing JWT tokens. Returns access and refresh tokens on success.
Required Headers
| Header | Example Value | Description |
|---|---|---|
| Content-Type | application/json;charset=UTF-8 | Request content type |
| Accept | application/json | Expected response type |
| X-Client-Hash | Client device fingerprint | |
| X-SC-Session-Id | Secure Channel session ID | |
| X-SC-Version | 2 | Secure Channel protocol version |
| Accept-Language | en, zh, zh-Hant, ja, vi | Response language (default: en) |
Business Parameters
| Name | Type | Required | In | Description |
|---|---|---|---|---|
sessionId | String | Required | body | Login session ID from the initiate step |
method | Integer | Required | body | MFA method code: 10011001 (EMAIL), 10011002 (OTP), 10011005 (BACKUP_CODE) |
code | String | Required | body | Verification code (6-10 chars) |
Business Parameters (before encryption)
The following JSON is what gets encrypted before transmission:
{
"sessionId": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
"method": 10011001,
"code": "123456"
}How to Call This Endpoint
Step 1: Establish Secure Channel Session (if not already active)
If you don't have an active SC session, create one first:
- Get server public key:
GET /web/v1/secure-channel/public-key - Create SC session:
POST /web/v1/secure-channel/session— exchanges AES session key, returnssessionId
Step 2: Prepare the Request
Construct the JSON payload with the business parameters:
{
"sessionId": "f47ac10b-58cc-4372-a567-0e02b2c3d479",
"method": 10011001,
"code": "123456"
}Step 3: Encrypt and Send
- Encrypt the JSON string using the AES session key (from Step 1)
- Send the HTTP request with:
- Header:
X-SC-Session-Id: {sessionId} - Header:
X-SC-Version: 2 - Header:
Content-Type: application/json;charset=UTF-8 - Body: the encrypted binary payload (SCv2 envelope format)
- Header:
Step 4: Decrypt the Response
The response body is also encrypted. Decrypt using the same AES session key to get the JSON response.
Success Response
{
"version": "2.0.0",
"timestamp": 1711929600000,
"success": true,
"code": "2000",
"message": "SUCCESS",
"data": {
"accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJBQ0NfVEVTVF8wMDEiLCJzaWQiOiJTRVNTXzAwMSIsImlhdCI6MTcxMTkyOTYwMH0.example",
"refreshToken": "dGVzdC1yZWZyZXNoLXRva2VuLWV4YW1wbGU",
"expiresIn": 3600,
"accountStatus": null
}
}Error Responses
{
"success": false,
"code": "AUTH.MFA_CODE_INVALID",
"message": "The verification code is incorrect"
}Notes
- If the account is pending approval, the response will include
isPendingApproval: truewith result codeACCOUNT_PENDING_APPROVAL. - Rate limited to 5 requests per window.
- Request body is strictly validated — unknown or unexpected fields will be rejected with HTTP 400.