ScrumTool
Agile · 5 min read · May 13, 2026

Acceptance Criteria for a Login Page: Real Examples You Can Use

Complete set of acceptance criteria for a login page with examples in checklist and Gherkin format. Covers happy path, error states, session handling, security, and accessibility.

A login page is one of the most common user stories teams write acceptance criteria for — and one of the easiest to underspecify. A single "user can log in" criterion leaves out error states, session behavior, security requirements, and accessibility. Here is a complete set.

Happy path

  • Given a registered user with valid credentials, when they submit the form, then they are redirected to the dashboard.
  • The user's name and avatar appear in the navigation after login.
  • The session persists across browser refresh.

Error states

  • Given invalid credentials, when the form is submitted, then a generic error message is shown (do not distinguish between wrong email and wrong password).
  • The error message appears inline, not as a browser alert.
  • The email field retains its value after a failed attempt; the password field is cleared.
  • Given an empty email or password, when the form is submitted, then field-level validation errors appear without making a network request.

Security requirements

  • Passwords are never displayed in plain text at any point in the form.
  • The form is protected against CSRF attacks.
  • Rate limiting prevents more than 10 failed attempts per IP per hour.
  • Session tokens are HttpOnly and Secure cookies — not stored in localStorage.
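
The rate-limiting criterion above only becomes testable once the window and the boundary are pinned down. The following is an added example, not code from the original article: it assumes a sliding one-hour window, that the 10th failure is still answered normally, and that the 11th attempt is rejected before credentials are checked. The class and function names are hypothetical.

```python
from collections import defaultdict, deque

MAX_FAILED = 10          # from the criterion: 10 failed attempts
WINDOW_SECONDS = 3600    # per IP per hour


class FailedLoginLimiter:
    """Sliding-window counter of failed logins, keyed by client IP (hypothetical helper)."""

    def __init__(self, max_failed=MAX_FAILED, window=WINDOW_SECONDS):
        self.max_failed = max_failed
        self.window = window
        self._failures = defaultdict(deque)  # ip -> timestamps of failed attempts

    def _prune(self, ip, now):
        # Drop failures that are a full window old or older.
        q = self._failures[ip]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allowed(self, ip, now):
        """True if this IP may still attempt to log in at time `now` (seconds)."""
        return len(self._prune(ip, now)) < self.max_failed

    def record_failure(self, ip, now):
        self._prune(ip, now).append(now)


def simulate(attempts):
    """Replay (ip, timestamp, credentials_ok) tuples; return one outcome per attempt."""
    limiter = FailedLoginLimiter()
    outcomes = []
    for ip, ts, ok in attempts:
        if not limiter.allowed(ip, ts):
            outcomes.append("blocked")    # rejected before credentials are checked
        elif ok:
            outcomes.append("success")
        else:
            limiter.record_failure(ip, ts)
            outcomes.append("invalid")    # same generic error for any bad credential
    return outcomes


# Constructed sample data (documentation IP ranges), not taken from the article.
SAMPLE = [("203.0.113.7", i * 60, False) for i in range(10)]  # 10 failures, one per minute
SAMPLE += [
    ("203.0.113.7", 700, True),     # 11th attempt inside the hour, correct password
    ("198.51.100.4", 700, False),   # a different IP is counted separately
    ("203.0.113.7", 3600, True),    # the failure at t=0 has aged out of the window
]
```

Note that a blocked IP is refused even when the password is correct, which is the behaviour a tester should expect to see written into the criterion if the team chooses this interpretation.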

Account states

  • Given an unverified email, when the user attempts to log in, then they see a prompt to verify their email with a resend option.
  • Given a deactivated account, when the user attempts to log in, then they see a message that the account is inactive.

Accessibility

  • The form is operable by keyboard only (Tab, Shift+Tab, Enter).
  • All form fields have associated visible labels (not only placeholder text).
  • Error messages are announced to screen readers via ARIA live regions.

Password reset

  • A "Forgot password" link is visible and navigates to the password reset flow.
  • The link appears below the form, not inside the form inputs.

How to use this list

Copy these criteria and remove or adapt any that do not apply to your stack. Add any business-specific rules (SSO, magic link, etc.). For generating criteria for your own stories, try our acceptance criteria generator.

Related reading: What is acceptance criteria · Gherkin format · AC vs definition of done.
