
Login


id: core-auth-login
owner: core
method: POST
path: /wp-json/headlesswp/v1/auth/login
title: Login
usedBySite: true

POST /wp-json/headlesswp/v1/auth/login

Authenticate a user and start a WordPress cookie session.

Auth + CSRF

  • Auth: public
  • Proxy nonce required: yes.
  • CSRF: the proxy requires an X-WP-Nonce header on all POST requests (HWP nonce policy: never).
  • Cookies: first-party cookies are set via the /api/secure/** proxy response.

Request schema

{
  "username": "string (optional)",
  "email": "string (optional)",
  "password": "string (required)",
  "rememberMe": "boolean (optional)"
}

At least one of username or email must be provided.

Response schema

{
  "data": {
    "user": {
      "id": 123,
      "email": "person@example.com",
      "displayName": "Person Name",
      "roles": ["subscriber"],
      "createdAt": "2024-01-01T00:00:00Z",
      "billingEmail": "billing@example.com (optional)",
      "billingPhone": "string (optional)",
      "companyName": "string (optional)"
    },
    "flags": {
      "isLoggedIn": true,
      "isAdmin": false,
      "hasWooCommerce": false,
      "hasRcp": false,
      "hasAffiliateWp": false,
      "hasEdd": false,
      "hasMemberPress": false,
      "hasGravityForms": false,
      "hasFluentForms": false,
      "hasGiveWp": false,
      "hasActiveRcpMembership": false,
      "hasActiveMemberPressMembership": false,
      "hasAnyCompletedWooOrder": false,
      "hasActiveSubscription": false,
      "hasProAccess": false,
      "isAffiliate": false,
      "isAffiliateApproved": false,
      "hasMemberPressMembership": false,
      "hasLearnDashCourses": false
    },
    "entitlements": {
      "flags": "<flags object>",
      "formsProvider": "string or null",
      "ordersSummary": {
        "hasAnyCompletedOrder": false,
        "totalOrders": 0,
        "lastOrderAt": "string or null"
      },
      "orders": [],
      "donations": { "donations": [] },
      "donationsSummary": {
        "hasDonations": false,
        "totalDonations": 0,
        "lastDonationAt": "string or null"
      },
      "memberships": [],
      "membershipsSummary": {
        "activeMembershipCount": 0,
        "totalMemberships": 0,
        "primaryPlan": "object or null"
      },
      "subscriptions": [],
      "subscriptionsSummary": {
        "activeSubscriptionCount": 0,
        "totalSubscriptions": 0
      },
      "affiliate": {
        "id": "string | number | null",
        "isActive": false,
        "status": "string or null"
      },
      "dependencies": {
        "hasWooCommerce": false,
        "hasRcp": false,
        "hasAffiliateWp": false,
        "hasLearnDash": false,
        "hasMemberPress": false,
        "hasEdd": false,
        "hasGravityForms": false,
        "hasFluentForms": false,
        "hasGiveWp": false
      },
      "summaries": {
        "orders": "<ordersSummary>",
        "donations": "<donationsSummary>",
        "memberships": "<membershipsSummary>",
        "subscriptions": "<subscriptionsSummary>",
        "affiliate": "<affiliate summary>",
        "dependencies": "<dependencies>"
      }
    },
    "next": "/wp-json/headlesswp/v1/me"
  },
  "meta": {
    "correlationId": "string-or-null",
    "correlation_id": "string-or-null",
    "request_id": "string-or-null",
    "timestamp": "2024-01-01T00:00:00Z"
  }
}

Error codes

| Status | Code | Notes |
| --- | --- | --- |
| 400 | VALIDATION_FAILED | Missing or invalid fields. error.details.fieldErrors includes per-field messages. |
| 401 | AUTH_INVALID_CREDENTIALS | Invalid username/email/password. |
| 403 | AUTH_EMAIL_NOT_VERIFIED | Email verification required. |
| 403 | AUTH_ACCOUNT_DEACTIVATED | Account disabled. |
| 403 | CSRF_FAILED | Proxy rejected missing nonce. |
| 429 | AUTH_RATE_LIMITED | Login rate limit hit. error.details.bucket identifies the limiter bucket. |

Rate limiting

Login is rate-limited in the fixtures. When the limit is exceeded, the response is 429 AUTH_RATE_LIMITED with error.details.bucket indicating the limiter bucket.