I have a REST API, and I want to create a method that accepts a username and password, makes sure they're valid, and returns a user resource.
This is NOT to validate users of the REST APIs. The users are part of a separate system, and the API manages them.
What method and URL are appropriate for this?
GET doesn't seem like a good idea, since it would put the password in the query string. Plus this method might update the last-login-date on the user, so it's not idempotent.
I could use PUT, but I use that to update the user. So I could PUT to a different URL, but what would be an appropriate URL for this? Something like /user/credentials might imply that you're updating the credentials, not validating them.