Skip to content
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
77 lines (53 sloc) 2.46 KB

Log in and register password accounts over HTTP

meteor add simple:rest-accounts-password

If you have accounts-password in your app, and you want to be able to use it over HTTP, this is the package for you. Call these APIs to get an access token, and pass that token to API methods you defined with simple:rest to call methods and publications that require login.

Make sure to serve your app over HTTPS if you are using this for login, otherwise people can hijack your passwords. Try the force-ssl package.

POST /users/login, POST /users/register

The login and registration endpoints take the same inputs. Pass an object with the following properties:

  • username
  • email
  • password

password is required, and you must have at least one of username or email.


Both login and registration have the same response format.

// successful response, with HTTP code 200
  token: "string",
  tokenExpires: "ISO encoded date string",
  id: "user id"

// error response, with HTTP code 500
  error: "error-code",
  reason: "Human readable error string"


After adding this package, API endpoints accept a standard bearer token header (Based on RFC 6750 and OAuth Bearer).

Authorization: Bearer <token>

Here is how you could use Meteor's http package to call a method as a logged in user. Inside the method, the current user can be accessed the exact same way as in a normal method call, through this.userId."/methods/return-five-auth", {
  headers: { Authorization: "Bearer " + token }
}, function (err, res) {
  console.log(; // 5

Change log


  • Change order of middleware, and add error middleware


  • Add token parsing and auth middleware into the middleware stack
    • This functionality was moved from simple:rest, since it's outside its scope
    • Known issue: Middleware is added on all routes (user should have control over which routes middleware is applied, and at the very least it should be restricted to API routes)
  • Use the latest version of simple:json-routes (1.0.3)


  • Fixed bug where logging into accounts with no email would log into the wrong account.
You can’t perform that action at this time.