Email + password login
POST/auth/login
Resolves the tenant from the email, calls Cognito USER_PASSWORD_AUTH, and either: (a) issues session cookies + returns the SPA redirect URL, or (b) returns a challenge envelope (mfa_required, mfa_setup_required, or new_password_required) to drive the next step.
Request
Responses
- 200
- 401
Either tokens issued (redirect) or a challenge envelope.
Invalid credentials, ambiguous tenant, missing tokens, or Cognito error.