Returns a JWT authorization token for a successful login request
Notes
You must always have a valid JWT-Bearer token to access the rest of the API. This is done here. Please refer to the recipe on a full code example to log in.
It is possible to get a mfaToken response if the user enabled MFA. MFA login through the API is only possible with Application authenticators. An encryption-key will not work.
The ´identityToken´ is only used when loggin in. It is used for cryptographic purposes and is advised to be random and then disposed of in memory (e.g. scope/garbage collection).
Warning
It is of paramount importance to keep passwords safe. Do never hardcode them! Always use safe parsing methods to use your password to log in.
Keep in mind that the POST-request using your password will hide it in a URI. And since it is HTTPS, they will be encrypted.
HOWEVER; If a proxy (or man-in-the-middle attack) is able to decrypt this by using spoofed or falsified certificates, your password will be visible when intercepted. It is therefor recommended to use a dedicated API user to isolate the activity and to update its password regularly.
If self-signed certificates are used using man-in-the-middle, a security prompt will appear in your browser. Our certificates are signed by recognized authorities and this prompt should never appear nor be accepted as safe. This is how you know that the server you are contacting is not faked.
By extention you should NEVER disable TLS-verification in your scripts!!!
Did you know
Even SSL-certificates can be hacked! Either a bug in the parsing (encrypting/decrypting) of the HTTPS request/response can cause unwanted side-effects, or a cryptographic oversight might make it more easy to bruteforce encryption-keys!
Heartbleed is one of the most famous incidents back in 2014 that made it possible for hackers to exploit the OpenSSL software (that manages the encryption and decryption) to read out system information! It massively disrupted the internet for months. It is sadly still commonplace to this day. It is a facinating read and might help you understand how to better securely use API's in general!