Skip to content

Backendless Login API

Registered users can login using the API described below. The login operation requires two properties: one marked asuser identity and the second is password. Backendless automatically assigns the "AuthenticatedUser" role to all successfully logged in users. The role can be used to differentiate access to various resources (data in the database, files, messaging channels) between authenticated users and guests.



Endpoint URL

The is a subdomain assigned to your application. For more information see the Client-side Setup section of this documentation.

Request Headers



Argument                Description
Content-Type must be set to application/json. This header is mandatory.

Request Body

  "login" : value,  
  "password" : value  

The "login" key must contain the value for a property marked as identity.

Response Body

  "objectId" : value,  
  "user-token": value,   

The "objectId" property is a unique identifier assigned by Backendless to the user account. The "user-token" value identifies the user session initiated by the Login operation. Both of these values ("objectId" and "user-token") are required for Updating a user in the database.


When the server-side reports an error, it returns a JSON object in the following format:


The following errors may occur during the Login API call.

Error Code
Version is disabled or provided wrong application info (application id or secret key)
Login has been disabled for the user account.
Missing login settings, possibly invalid application id or version.
User cannot login because Multiple Logins disabled and there is a logged in user for the account.
Invalid login or password.
Either login or password is an empty string value.
User logins are disabled for the version of the application.
Account locked out due to too many failed logins.
One of the required parameters (application id, version, login or password) is null
Multiple login limit for the same user account has been reached.
Property value exceeds the length limit


Make sure to replace xxxx in the domain name in the sample request below to the one assigned to your application.

  -H Content-Type:application/json   
  -X POST   
  -d '{"login":"", "password":"watchingya"}'   

Maintaining User Session

The "user-token" value returned in the login API must be used in the subsequent requests to Backendless in order to maintain the user session. The value uniquely identifies both the user and the session on the server and is used to enforce security policy, apply user and roles permissions and track usage analytics. For all requests made after the login, the user-token value must be sent in the HTTP header:


Validating User Login

The user-token value can be saved in the client application so it can be used when the application is restarted. This helps in streamlining the user experience since the user of the application does not need to login again. However, when the application restarts, it needs to check if the underlying user token, and hence the user session are still valid. This can be accomplished with the API below:



Endpoint URL

The is a subdomain assigned to your application. For more information see the Client-side Setup section of this documentation.<userToken>


Argument                Description
<userToken> user token to validate. The value of the user token is returned by Backendless as a result of the login API request.

Return value

The server returns a boolean value of true if token is valid, false otherwise.

Sample Request

-X GET