
Admin Login

Overview

Authenticate administrators using email/username and password with two-factor authentication support.

Endpoint

POST /api/BPMSelfService/commands/SelfAdminLoginCommand

Request Parameters

| Parameter | Type | Required | Description |
|---|---|---|---|
| username | string | Yes | Administrator username or email |
| password | string | Yes | Administrator password |
| verificationMethodType | integer | No | 2FA method: 0=Default, 1=Email, 2=SMS, 3=Authenticator (default: 0) |
| otpCode | string | Conditional | OTP code for email/SMS verification |
| setupVerificationCode | string | Conditional | TOTP code for authenticator setup verification |

Response

Successful Login (Email/SMS OTP)

{
  "status": "success",
  "message": "OTP sent successfully",
  "data": {
    "otpSent": true,
    "maskedEmail": "a***@example.com",
    "expiresIn": 300
  }
}

Successful Login (Authenticator - First Time)

{
  "status": "success",
  "message": "Authenticator setup required",
  "data": {
    "requiresSetup": true,
    "qrCodeUrl": "otpauth://totp/BankLingo:admin@example.com?secret=ABC123XYZ&issuer=BankLingo",
    "secretKey": "ABC123XYZ"
  }
}

Successful Authentication Complete

{
  "status": "success",
  "message": "Login successful",
  "data": {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "refreshToken": "...",
    "expiresIn": 3600,
    "user": {
      "id": 123,
      "username": "admin",
      "email": "admin@example.com",
      "roles": ["Administrator"]
    }
  }
}

Example Usage

C# Example

Code Removed

Implementation details removed for security.

Contact support for implementation guidance.

JavaScript Example

// Initial login, requesting the authenticator (TOTP) method
const loginResponse = await fetch('/api/BPMSelfService/commands/SelfAdminLoginCommand', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    username: 'admin@example.com',
    password: 'SecurePassword123!',
    verificationMethodType: 3
  })
});

const loginData = await loginResponse.json();

if (loginData.data.requiresSetup) {
  // First authenticator login: show the otpauth:// QR code so the user can
  // enrol the secret in their app (displayQRCode is an app-supplied helper)
  displayQRCode(loginData.data.qrCodeUrl);

  // After the user completes setup, submit the code shown by the app
  // (userEnteredCode is read from the setup form) to finish verification
  const setupResponse = await fetch('/api/BPMSelfService/commands/SelfAdminLoginCommand', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      username: 'admin@example.com',
      password: 'SecurePassword123!',
      verificationMethodType: 3,
      setupVerificationCode: userEnteredCode
    })
  });

  // On success this is the "Successful Authentication Complete" response
  const setupData = await setupResponse.json();
}

Error Responses

| Status | Error Code | Description |
|---|---|---|
| 401 | AUTH_001 | Invalid username or password |
| 401 | AUTH_002 | Invalid OTP code |
| 401 | AUTH_003 | OTP expired |
| 403 | AUTH_004 | Account locked due to multiple failed attempts |
| 404 | AUTH_005 | User not found |
| 400 | AUTH_006 | Invalid verification method type |

Implementation Details

See TOTP Implementation Summary for technical implementation details.

Security Considerations

  • Always use HTTPS for authentication endpoints
  • Implement rate limiting to prevent brute force attacks
  • Store JWT tokens securely (HttpOnly cookies recommended)
  • Clear tokens on logout
  • Monitor failed login attempts

See Also