Your article is a good start :) But there are some errors. Firstly, you shouldn't return status 500 if it's not an internal error; a bad credential is a 4xx. Not a big mistake, but if you give your API to another dev, he'll think your server is broken. Secondly, for security concerns, you shouldn't give any information except that the given information was wrong when a user is trying to sign in (no "password incorrect"). Hope it will help others.
Comment on article, Nov 29, 2021: User Authentication and Authorization using npm bcryptjs, JWT, and MongoDB Atlas
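The two points in the comment above, as an added example that is not part of the comment or the article it refers to: a sign-in function that answers 401 with one identical message for an unknown email and for a wrong password, and keeps 500 for real server faults. The names `login`, `hashPassword` and `users` are hypothetical, Node's built-in scrypt stands in for bcryptjs, an in-memory map stands in for MongoDB, and the dummy-hash step goes slightly beyond the comment so that response time does not reveal which emails exist.

```javascript
// Added example. scrypt (Node built-in) stands in for bcryptjs so it runs offline.
const crypto = require("node:crypto");

function hashPassword(password, salt = crypto.randomBytes(16)) {
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}

// Constructed sample user store; the article being discussed uses MongoDB Atlas.
const users = new Map([["alice@example.com", hashPassword("correct horse")]]);

// Dummy record: an unknown email costs the same hashing work as a known one.
const DUMMY = hashPassword("dummy-password");

// One response for every credential failure: no "user not found",
// no "password incorrect", and a 4xx status because the client is at fault.
const GENERIC_FAILURE = Object.freeze({
  status: 401,
  body: { error: "Invalid email or password" },
});

function login(email, password, store = users) {
  if (typeof email !== "string" || typeof password !== "string" || !email || !password) {
    // Malformed request: still a client error, not a server error.
    return { status: 400, body: { error: "email and password are required" } };
  }
  try {
    const record = store.get(email.toLowerCase());
    const { salt, hash } = record ?? DUMMY;
    const candidate = crypto.scryptSync(password, salt, 32);
    const match = crypto.timingSafeEqual(candidate, hash);
    if (!record || !match) return GENERIC_FAILURE;
    // A real handler would issue the JWT here.
    return { status: 200, body: { message: "Signed in" } };
  } catch (err) {
    // Only genuine server faults (for example an unreachable database) are a 500.
    // Log the detail server-side; the client gets no internals.
    console.error("login failed:", err.message);
    return { status: 500, body: { error: "Internal server error" } };
  }
}
```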