post:
  tags: [Accounts, Auth]
  summary: API login using email/password and client credentials
  description: |
    Validates account credentials and eligible API client credentials, then returns final auth payload.
    This endpoint bypasses login OTP/2FA and is intended only for approved API clients.
    If the client definition includes `allowedCIDRs`, request source IP must match one of those CIDRs.
  operationId: accountsApiLogin
  requestBody:
    $ref: ./bodies/auth.yaml#/components/requestBodies/ApiLoginBody
  responses:
    '200':
      description: Login successful
      content:
        application/json:
          schema:
            allOf:
              - $ref: ../response/response.yaml#/components/schemas/BaseResponse
              - type: object
                properties:
                  data:
                    $ref: ./response/auth.yaml#/components/schemas/LoginData
    '400':
      $ref: ../response/operation.yaml#/components/responses/BadRequest
    '401':
      $ref: ../response/operation.yaml#/components/responses/Unauthorized
    '403':
      $ref: ../response/operation.yaml#/components/responses/Forbidden
    '500':
      $ref: ../response/operation.yaml#/components/responses/InternalServerError