# Start customer login

> Public storefront endpoint. If the store can complete login directly, a successful credential check returns customer JWT tokens. If the store requires OTP, a successful credential check sends the one-time code and returns a message object so the frontend can show the OTP entry step.




## OpenAPI

````yaml https://api-openapi.scalev.com/specs/v3/openapi.json post /v3/stores/{store_id}/public/auth/login
openapi: 3.0.3
info:
  title: Nexus Commerce API
  version: 3.0.0
  description: >
    Public v3 commerce contract for storefront, customer, and authenticated
    business

    commerce flows.


    This specification intentionally documents only the `/v3` namespace.

    Store-derived public storefront routes under
    `/v3/stores/{store_id}/public/*` require `X-Scalev-Storefront-Api-Key`.

    HTML Mode public page runtime routes under `/v3/pages/{page_unique_id}/*`
    require `X-Scalev-Page-Api-Key` and do not accept storefront public API
    keys.

    Storefront API requests made with `X-Scalev-Storefront-Api-Key`, page
    runtime requests made with `X-Scalev-Page-Api-Key`, and guest-cart requests
    made with `X-Scalev-Guest-Token` are browser client requests and use the
    direct client/IP rate limiter. Machine-authenticated business requests are
    rate-limited per API key or OAuth installation. Rate-limit metadata is
    returned in `X-Ratelimit-*` headers, and `429` responses may be plain text.
  license:
    name: Proprietary
servers:
  - url: https://api.scalev.com
    description: Production
security: []
tags:
  - name: Orders
    description: Authenticated business order management endpoints.
  - name: Storefront
    description: >-
      Public storefront catalog, guest cart, and guest checkout flows. All
      store-derived public storefront routes require
      `X-Scalev-Storefront-Api-Key`.
  - name: HTML Mode Pages
    description: >-
      Public HTML Mode runtime endpoints. These routes require
      `X-Scalev-Page-Api-Key` for the path page and reject storefront public API
      keys.
  - name: OAuth
    description: >-
      Public and machine OAuth token-management endpoints. The authorization
      code flow accepts the standard `scope` parameter; public OAuth clients may
      use PKCE with `token_endpoint_auth_method=none`, and metadata document
      clients may use `private_key_jwt`.
  - name: Identity
    description: Authenticated business identity context.
  - name: Business Users
    description: Authenticated business-user membership self-service endpoints.
  - name: Landing Pages
    description: >-
      Authenticated business landing page endpoints. The documented payloads
      focus on HTML Mode pages.
    externalDocs:
      description: >-
        Read the Landing Pages API guide before creating or publishing HTML Mode
        pages.
      url: https://docs.scalev.com/en/landing-pages-api
  - name: Analytics Setup
    description: >-
      Authenticated business analytics provider catalogs and pixel/container
      endpoints used when configuring landing page displays.
  - name: OAuth Billing
    description: OAuth billing runtime, refund, and developer finance endpoints.
  - name: Customer Auth
    description: Public customer authentication and password-reset endpoints.
  - name: Customer Account
    description: Authenticated customer profile endpoints.
  - name: Customer Cart
    description: Authenticated customer cart management endpoints.
  - name: Customer Checkout
    description: Authenticated customer checkout preparation and confirmation endpoints.
  - name: Customer Orders
    description: Authenticated customer order read endpoints.
  - name: Customer Subscriptions
    description: Authenticated customer subscription and subscription-item endpoints.
  - name: Customer Courses
    description: Authenticated customer digital course access and progress endpoints.
  - name: Discounts
    description: Discount-code validation and authenticated management endpoints.
  - name: Locations
    description: Authenticated business location lookup endpoints.
  - name: Business Stores
    description: >-
      Authenticated business store lookup endpoints. These routes use direct
      numeric Scalev store database IDs.
  - name: Storefront Setup
    description: >-
      Authenticated business setup endpoints for public storefront keys and CORS
      origins.
  - name: Shipping
    description: Authenticated business shipping lookup endpoints.
  - name: Business Products
    description: >-
      Authenticated business product, variant, taxonomy, and course management
      endpoints.
  - name: Business Bundles
    description: >-
      Authenticated business bundle, bundle-price-option, and related
      bundle-management endpoints.
  - name: Business Customers
    description: Authenticated business customer and customer-address management endpoints.
  - name: WABA
    description: >-
      Authenticated WhatsApp Business Account operations and related WABA
      resources.
  - name: WhatsApp Integrations
    description: Authenticated WhatsApp integration management endpoints.
paths:
  /v3/stores/{store_id}/public/auth/login:
    post:
      tags:
        - Customer Auth
      summary: Start customer login
      description: >
        Public storefront endpoint. If the store can complete login directly, a
        successful credential check returns customer JWT tokens. If the store
        requires OTP, a successful credential check sends the one-time code and
        returns a message object so the frontend can show the OTP entry step.
      operationId: loginCustomer
      parameters:
        - $ref: '#/components/parameters/StoreId'
        - $ref: '#/components/parameters/StorefrontPublicApiKey'
      requestBody:
        $ref: '#/components/requestBodies/CustomerLoginRequestBody'
      responses:
        '200':
          $ref: '#/components/responses/CustomerLoginResponse'
        '400':
          $ref: '#/components/responses/BadRequestResponse'
        '401':
          $ref: '#/components/responses/UnauthorizedResponse'
components:
  parameters:
    StoreId:
      name: store_id
      in: path
      required: true
      schema:
        type: string
      description: Store `unique_id`.
    StorefrontPublicApiKey:
      name: X-Scalev-Storefront-Api-Key
      in: header
      required: true
      schema:
        type: string
      description: >-
        Publishable storefront public API key for the target store. Page public
        API keys are not accepted on Storefront public routes.
  requestBodies:
    CustomerLoginRequestBody:
      required: true
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/CustomerLoginRequest'
  responses:
    CustomerLoginResponse:
      description: >-
        Customer login tokens, or an OTP challenge message when the store
        requires OTP.
      content:
        application/json:
          schema:
            oneOf:
              - $ref: '#/components/schemas/CustomerAuthTokenResponseBody'
              - $ref: '#/components/schemas/CustomerLoginOtpChallengeResponseBody'
    BadRequestResponse:
      description: Bad Request
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiErrorResponse'
    UnauthorizedResponse:
      description: Unauthorized
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiErrorResponse'
  schemas:
    CustomerLoginRequest:
      type: object
      required:
        - email
        - password
      properties:
        email:
          type: string
          format: email
        password:
          type: string
        login_as:
          type: string
          enum:
            - customer
            - owner
      additionalProperties: true
    CustomerAuthTokenResponseBody:
      type: object
      required:
        - access
        - refresh
        - token_type
        - expires_in
        - refresh_expires_in
      properties:
        access:
          type: string
          description: >
            Customer access JWT. Send it as `Authorization: Bearer <token>` to
            `/v3/stores/{store_id}/customers/me/*`.
        refresh:
          type: string
          description: >-
            Refresh token for `POST
            /v3/stores/{store_id}/public/auth/jwt/refresh`.
        token_type:
          type: string
          enum:
            - Bearer
          description: Token type to use in the `Authorization` header.
        expires_in:
          type: integer
          description: Access token lifetime in seconds.
          example: 900
        refresh_expires_in:
          type: integer
          description: >-
            Refresh token lifetime in seconds. Refresh tokens rotate on every
            refresh and are single-use.
          example: 2592000
        store_unique_id:
          type: string
          nullable: true
          description: Public store unique ID returned by some OTP verification responses.
      additionalProperties: true
    CustomerLoginOtpChallengeResponseBody:
      type: object
      required:
        - message
      properties:
        message:
          type: string
          description: >-
            OTP challenge message. Show the OTP entry UI and continue with `POST
            /v3/stores/{store_id}/public/auth/otp/verify`.
          example: If this email exists in our system, an OTP has been sent to it.
      additionalProperties: false
    ApiErrorResponse:
      type: object
      properties:
        error:
          $ref: '#/components/schemas/FlexibleValue'
        error_code:
          type: string
        message:
          type: string
          description: Error-only human-readable detail.
        errors:
          $ref: '#/components/schemas/FlexibleValue'
      additionalProperties: false
    FlexibleValue:
      oneOf:
        - $ref: '#/components/schemas/FlexibleObject'
        - type: array
          items: {}
        - type: string
        - type: number
        - type: boolean
    FlexibleObject:
      type: object
      additionalProperties: true

````
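
The `200` response above is a `oneOf` with no discriminator field, so a storefront client has to tell a token response from an OTP challenge by shape alone, and a `429` body may not be JSON at all. The following is an added example (not part of the Scalev documentation or any Scalev SDK) that classifies responses strictly; `buildLoginRequest` and `classifyLoginResponse` are hypothetical helper names, and the non-empty and positive-value checks are assumptions that go beyond what the schema requires.

```javascript
// Added example, not Scalev code. Helper names are hypothetical.
const TOKEN_FIELDS = ['access', 'refresh', 'token_type', 'expires_in', 'refresh_expires_in'];

// Build the documented POST; storeId is the store unique_id, apiKey the publishable key.
function buildLoginRequest(storeId, apiKey, email, password) {
  return {
    url: `https://api.scalev.com/v3/stores/${encodeURIComponent(storeId)}/public/auth/login`,
    init: {
      method: 'POST',
      headers: { 'Content-Type': 'application/json', 'X-Scalev-Storefront-Api-Key': apiKey },
      body: JSON.stringify({ email, password }),
    },
  };
}

// Classify by HTTP status and raw body text (a 429 body may be plain text, not JSON).
function classifyLoginResponse(status, rawBody) {
  let body = null;
  try { body = JSON.parse(rawBody); } catch (_) { /* leave body null */ }
  const isObject = body !== null && typeof body === 'object' && !Array.isArray(body);

  if (status === 429) return { kind: 'rate_limited' };
  if (status === 400 || status === 401) {
    const errorCode = isObject && typeof body.error_code === 'string' ? body.error_code : null;
    return { kind: 'error', status, errorCode };
  }
  if (status !== 200 || !isObject) return { kind: 'unexpected', status };

  // Token branch: every required field present and well-typed, or reject outright.
  // Non-empty strings and positive lifetimes are assumptions stricter than the schema.
  if (TOKEN_FIELDS.every((f) => f in body)) {
    const ok = typeof body.access === 'string' && body.access !== '' &&
      typeof body.refresh === 'string' && body.refresh !== '' &&
      body.token_type === 'Bearer' &&
      Number.isInteger(body.expires_in) && body.expires_in > 0 &&
      Number.isInteger(body.refresh_expires_in) && body.refresh_expires_in > 0;
    return ok ? { kind: 'tokens', tokens: body } : { kind: 'unexpected', status };
  }
  // OTP branch: the schema allows exactly one key, `message`.
  const keys = Object.keys(body);
  if (keys.length === 1 && keys[0] === 'message' && typeof body.message === 'string') {
    return { kind: 'otp_required', message: body.message };
  }
  return { kind: 'unexpected', status };
}
```

A body that matches neither schema exactly is reported as `unexpected` rather than coerced into either branch, so a partial token object never reaches the session code and an OTP prompt is shown only for a well-formed challenge.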