# Authenticate

> Authenticate with password using the Stytch Next.js SDK

The Authenticate method wraps the [Authenticate](/api-reference/consumer/api/passwords/authenticate) Password API endpoint. This endpoint verifies that the user has a password currently set, and that the entered password is correct. There are cases where this endpoint will return a `reset_password` error even if the password entered is correct. View our [API Docs](/api-reference/consumer/api/passwords/authenticate) for more information.

If this method succeeds, the user will be logged in, granted an active session, and the [session cookies](../../resources/cookies-and-session-management) will be minted and stored in the browser.

## Parameters

<ParamField body="email" type="string" required>
  The email of the user.
</ParamField>

<ParamField body="password" type="string" required>
  The password for the user. Any UTF-8 character is allowed, e.g. spaces, emojis, non-English characters, etc.
</ParamField>

<ParamField body="session_duration_minutes" type="int" required>
  Set the session lifetime to be this many minutes from now. This will return both an opaque session\_token and a session\_jwt for this session, which will automatically be stored either in the browser cookies if you're using our JavaScript SDK, or in the iOS Keychain / Android SharedPreferences if you're using one of our mobile SDKs. The `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will be automatically refreshed by the SDK in the background over time. This value must be a minimum of 5 and may not exceed the maximum session duration minutes value set in the [Frontend SDK page](https://stytch.com/dashboard/sdk-configuration) of the Stytch Dashboard. A successful authentication will continue to extend the session this many minutes.
</ParamField>

## Response

<ResponseField name="user_id" type="string">
  The unique ID of the affected User.
</ResponseField>

<ResponseField name="user" type="object">
  The user object affected by the call. See the [User object](/api-reference/consumer/api/users/user-object) for complete response field details.

  <Expandable title="properties">
    <ResponseField name="created_at" type="string">
      The timestamp of the User's creation. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.
    </ResponseField>

    <ResponseField name="crypto_wallets" type="array[objects]">
      An array containing a list of all crypto wallets for a given User in the Stytch API.

      <Expandable title="properties">
        <ResponseField name="crypto_wallet_id" type="string">
          The unique ID for a crypto wallet.
        </ResponseField>

        <ResponseField name="crypto_wallet_address" type="string">
          The actual blockchain address of the User's crypto wallet.
        </ResponseField>

        <ResponseField name="crypto_wallet_type" type="string">
          The blockchain that the User's crypto wallet operates on, e.g. Ethereum, Solana, etc.
        </ResponseField>

        <ResponseField name="verified" type="boolean">
          If this method has been successfully authenticated by the User.
        </ResponseField>
      </Expandable>
    </ResponseField>

    <ResponseField name="emails" type="array[objects]">
      An array of email objects for the User.

      <Expandable title="properties">
        <ResponseField name="email_id" type="string">
          The unique ID of a specific email address.
        </ResponseField>

        <ResponseField name="email" type="string">
          The email address.
        </ResponseField>

        <ResponseField name="verified" type="boolean">
          If this method has been successfully authenticated by the User.
        </ResponseField>
      </Expandable>
    </ResponseField>

    <ResponseField name="name" type="object">
      The name of the User. Each field in the name object is optional.

      <Expandable title="properties">
        <ResponseField name="first_name" type="string">
          The first name of the user.
        </ResponseField>

        <ResponseField name="middle_name" type="string">
          The middle name(s) of the user.
        </ResponseField>

        <ResponseField name="last_name" type="string">
          The last name of the user.
        </ResponseField>
      </Expandable>
    </ResponseField>

    <ResponseField name="trusted_metadata" type="object">
      The trusted\_metadata field contains an arbitrary JSON object of application-specific data. See the [Metadata](/api-reference/consumer/api/resources/metadata) reference for complete field behavior details.
    </ResponseField>

    <ResponseField name="untrusted_metadata" type="object">
      The untrusted\_metadata field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and **cannot be used to store critical information.** See the [Metadata](/api-reference/consumer/api/resources/metadata) reference for complete field behavior details.
    </ResponseField>

    <ResponseField name="phone_numbers" type="array[objects]">
      An array of phone number objects linked to the User.

      <Expandable title="properties">
        <ResponseField name="phone_id" type="string">
          The unique ID for the phone number.
        </ResponseField>

        <ResponseField name="phone_number" type="string">
          The phone number.
        </ResponseField>

        <ResponseField name="verified" type="boolean">
          If this method has been successfully authenticated by the User.
        </ResponseField>
      </Expandable>
    </ResponseField>

    <ResponseField name="providers" type="array[objects]">
      An array of OAuth provider objects linked to the User.

      <Expandable title="properties">
        <ResponseField name="oauth_user_registration_id" type="string">
          The unique ID for an OAuth registration.
        </ResponseField>

        <ResponseField name="provider_subject" type="string">
          The unique identifier for the User within a given OAuth provider. Also commonly called the "sub" or "Subject field" in OAuth protocols.
        </ResponseField>

        <ResponseField name="provider_type" type="string">
          Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Facebook, GitHub etc.
        </ResponseField>

        <ResponseField name="profile_picture_url" type="string">
          If available, the profile\_picture\_url is a URL of the User's profile picture set in the OAuth identity provider that the User has authenticated with, e.g. Facebook profile picture.
        </ResponseField>

        <ResponseField name="locale" type="string">
          If available, the locale is the User's locale set in the OAuth identity provider that the user has authenticated with.
        </ResponseField>
      </Expandable>
    </ResponseField>

    <ResponseField name="password" type="object">
      The password object is returned for users with a password.

      <Expandable title="properties">
        <ResponseField name="password_id" type="string">
          The unique ID of a specific password.
        </ResponseField>

        <ResponseField name="requires_reset" type="boolean">
          Indicates whether this password requires a password reset.
        </ResponseField>
      </Expandable>
    </ResponseField>

    <ResponseField name="status" type="string">
      The status of the User. The possible values are `pending` and `active`.
    </ResponseField>

    <ResponseField name="totps" type="array[objects]">
      An array containing a list of all TOTP instances for a given User in the Stytch API.

      <Expandable title="properties">
        <ResponseField name="totp_id" type="string">
          The unique ID for a TOTP instance.
        </ResponseField>

        <ResponseField name="verified" type="boolean">
          If this method has been successfully authenticated by the User.
        </ResponseField>
      </Expandable>
    </ResponseField>

    <ResponseField name="user_id" type="string">
      The unique ID of the affected User.
    </ResponseField>

    <ResponseField name="webauthn_registrations" type="array[objects]">
      An array that contains a list of all Passkey or WebAuthn registrations for a given User in the Stytch API.

      <Expandable title="properties">
        <ResponseField name="webauthn_registration_id" type="string">
          The unique ID for the Passkey or WebAuthn registration.
        </ResponseField>

        <ResponseField name="domain" type="string">
          The domain on which Passkey or WebAuthn registration was started. This will be the domain of your app.
        </ResponseField>

        <ResponseField name="user_agent" type="string">
          The user agent of the User.
        </ResponseField>

        <ResponseField name="authenticator_type" type="string">
          The authenticator\_type string displays the requested authenticator type of the Passkey or WebAuthn device. The two valid types are "platform" and "cross-platform". If no value is present, the Passkey or WebAuthn device was created without an authenticator type preference.
        </ResponseField>

        <ResponseField name="verified" type="boolean">
          If this method has been successfully authenticated by the User.
        </ResponseField>

        <ResponseField name="name" type="string">
          The name of the Passkey or WebAuthn registration.
        </ResponseField>
      </Expandable>
    </ResponseField>

    <ResponseField name="biometric_registrations" type="array[objects]">
      An array that contains a list of all biometric registrations for a given User in the Stytch API.

      <Expandable title="properties">
        <ResponseField name="biometric_registration_id" type="string">
          The unique ID for a biometric registration.
        </ResponseField>

        <ResponseField name="verified" type="boolean">
          If this method has been successfully authenticated by the User.
        </ResponseField>
      </Expandable>
    </ResponseField>

    <ResponseField name="roles" type="array[strings]">
      Roles assigned to this User. See the [RBAC guide](/consumer-auth/authorization/assigning-roles-to-users) for more information about role assignment.
    </ResponseField>
  </Expandable>
</ResponseField>

<ResponseField name="session_token" type="string">
  A secret token for a given Stytch Session.
</ResponseField>

<ResponseField name="session_jwt" type="string">
  The JSON Web Token (JWT) for a given Stytch Session.
</ResponseField>

<ResponseField name="session" type="object">
  If you initiate a Session, by including session\_duration\_minutes in your authenticate call, you'll receive a full Session object in the response. See [Session object](/api-reference/consumer/api/sessions/session-object) for complete response fields.

  <Expandable title="properties">
    <ResponseField name="session_id" type="string">
      A unique identifier for a specific Session.
    </ResponseField>

    <ResponseField name="user_id" type="string">
      The unique ID of the affected User.
    </ResponseField>

    <ResponseField name="authentication_factors" type="array[objects]">
      An array of different authentication factors that comprise a Session.
    </ResponseField>

    <ResponseField name="started_at" type="string">
      The timestamp when the Session was created. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.
    </ResponseField>

    <ResponseField name="last_accessed_at" type="string">
      The timestamp when the Session was last accessed. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.
    </ResponseField>

    <ResponseField name="expires_at" type="string">
      The timestamp when the Session expires. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.
    </ResponseField>

    <ResponseField name="attributes" type="object">
      Provided attributes help with fraud detection.

      <Expandable title="properties">
        <ResponseField name="ip_address" type="string">
          The IP address of the user.
        </ResponseField>

        <ResponseField name="user_agent" type="string">
          The user agent of the User.
        </ResponseField>
      </Expandable>
    </ResponseField>

    <ResponseField name="custom_claims" type="map">
      The custom claims map for a Session. Claims can be added to a session during a Sessions authenticate call.
    </ResponseField>

    <ResponseField name="roles" type="array[string]">
      A list of the roles associated with the session.
    </ResponseField>
  </Expandable>
</ResponseField>

<ResponseField name="user_device" type="object">
  If [Protected Auth](/fraud-risk/device-fingerprinting/protected-auth) is enabled and returned fingerprinting results, the user\_device response field will contain information about the user's device attributes.

  <Expandable title="properties">
    <ResponseField name="ip_address" type="string">
      The IP address of the user's device.
    </ResponseField>

    <ResponseField name="ip_address_details" type="object">
      Information about the ip\_address.

      <Expandable title="properties">
        <ResponseField name="is_new" type="boolean">
          Whether this ip\_address has been seen before for this user.
        </ResponseField>

        <ResponseField name="first_seen_at" type="string">
          When this ip\_address was first seen for this user. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.
        </ResponseField>

        <ResponseField name="last_seen_at" type="string">
          When this ip\_address was last seen for this user. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.
        </ResponseField>
      </Expandable>
    </ResponseField>

    <ResponseField name="ip_geo_country" type="string">
      The country code where the IP address is located.
    </ResponseField>

    <ResponseField name="ip_geo_country_details" type="object">
      Information about the ip\_geo\_country.

      <Expandable title="properties">
        <ResponseField name="is_new" type="boolean">
          Whether this ip\_geo\_country has been seen before for this user.
        </ResponseField>

        <ResponseField name="first_seen_at" type="string">
          When this ip\_geo\_country was first seen for this user. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.
        </ResponseField>

        <ResponseField name="last_seen_at" type="string">
          When this ip\_geo\_country was last seen for this user. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.
        </ResponseField>
      </Expandable>
    </ResponseField>

    <ResponseField name="ip_geo_city" type="string">
      The city where the IP address is located.
    </ResponseField>

    <ResponseField name="ip_geo_region" type="string">
      The region where the IP address is located.
    </ResponseField>
  </Expandable>
</ResponseField>

<ResponseField name="request_id" type="string">
  Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we
  may ask for this value to help identify a specific API call when helping you debug an issue.
</ResponseField>

<ResponseField name="status_code" type="number">
  The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values
  equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
</ResponseField>

<Panel>
  <RequestExample>
    ```jsx theme={null}
    import { useCallback } from 'react';
    import { useStytch } from '@stytch/nextjs';

    export const Login = () => {
      const stytch = useStytch();

      const authenticatePassword = useCallback(() => {
        stytch.passwords.authenticate({
          email: '${exampleEmail}',
          password: '${examplePassword}',
          session_duration_minutes: 60,
        });
      }, [stytch]);

      return <button onClick={authenticatePassword}>Authenticate Password</button>;
    };
    ```
  </RequestExample>

  <ResponseExample>
    ```json 200 theme={null}
    {
        "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
        "session": null,
        "session_jwt": "",
        "session_token": "",
        "status_code": 200,
        "user": {...},
        "user_id": "user-test-16d9ba61-97a1-4ba4-9720-b03761dc50c6"
    }
    ```

    ```json 401 theme={null}
    {
      "status_code": 401,
      "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
      "error_type": "unauthorized_credentials",
      "error_message": "Unauthorized credentials.",
      "error_url": "https://stytch.com/docs/api/errors/401"
    }
    ```

    ```json 404 theme={null}
    {
      "status_code": 404,
      "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
      "error_type": "email_not_found",
      "error_message": "Email could not be found.",
      "error_url": "https://stytch.com/docs/api/errors/404"
    }
    ```

    ```json 429 theme={null}
    {
      "status_code": 429,
      "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
      "error_type": "too_many_requests",
      "error_message": "Too many requests have been made.",
      "error_url": "https://stytch.com/docs/api/errors/429"
    }
    ```

    ```json 500 theme={null}
    {
      "status_code": 500,
      "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
      "error_type": "internal_server_error",
      "error_message": "Oops, something seems to have gone wrong, please reach out to support@stytch.com to let us know what went wrong.",
      "error_url": "https://stytch.com/docs/api/errors/500"
    }
    ```
  </ResponseExample>
</Panel>
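
The following is an added example, not code from the Stytch docs or SDK, showing one way a login form can act on the error responses listed above: `unauthorized_credentials` and `email_not_found` get the same message so the form does not reveal which emails are registered, `reset_password` routes to a reset flow, and `request_id` is logged without the password. It assumes the rejected promise carries the same `error_type`, `status_code` and `request_id` fields as the JSON bodies shown; the function names, action names and messages are hypothetical.

```javascript
// Added example (not Stytch's code). Error fields follow the response examples on this page.
const GENERIC_FAILURE = 'Incorrect email or password.'; // constructed wording

// Decide what the login form should do with a failed authenticate call.
function planForAuthError(err) {
  const e = err || {};
  const base = { requestId: e.request_id || null, errorType: e.error_type || 'unknown' };
  switch (e.error_type) {
    case 'unauthorized_credentials':
    case 'email_not_found':
      // One message for both, so the form does not reveal which emails are registered.
      return { ...base, action: 'show_error', message: GENERIC_FAILURE };
    case 'reset_password':
      // Can be returned even when the entered password is correct: route to a reset.
      return { ...base, action: 'start_reset', message: 'Reset your password to continue.' };
    case 'too_many_requests':
      return { ...base, action: 'back_off', message: 'Too many attempts. Try again shortly.' };
    default:
      // 5XX and anything unrecognised: fail closed, never treat the user as logged in.
      return { ...base, action: 'show_error', message: 'Sign-in is unavailable right now.' };
  }
}

// Log record for a failure: request_id for debugging, never the password.
function logRecordFor(plan, statusCode) {
  return {
    event: 'password_auth_failed',
    request_id: plan.requestId,
    error_type: plan.errorType,
    status_code: statusCode,
  };
}

// Wrapper around the SDK call; `stytch` is the client returned by useStytch().
async function signIn(stytch, email, password, sessionMinutes = 60) {
  // The page states a minimum of 5; the maximum is set in the Dashboard.
  if (!Number.isInteger(sessionMinutes) || sessionMinutes < 5) {
    throw new RangeError('session_duration_minutes must be an integer >= 5');
  }
  try {
    const res = await stytch.passwords.authenticate({
      email,
      password,
      session_duration_minutes: sessionMinutes,
    });
    return { ok: true, userId: res.user_id };
  } catch (err) {
    const plan = planForAuthError(err);
    console.warn(JSON.stringify(logRecordFor(plan, err && err.status_code)));
    return { ok: false, ...plan };
  }
}
```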
