Verify OTP (One-time passcode)

POST /v1/auth/otps/verify

Verify an OTP (one-time passcode) against a method ID (email, phone number) to authenticate the user. This endpoints verifies that the OTP sent in is valid for the given method ID.

HTTP Request

POST /v1/auth/otps/verify

Returns

A successful response returns an object with method_id, method_type, and verified user_id properties.

application/json

Body

  • method_id string Required

    Method ID to verify the OTP against. This can either be the phone_number_id or email_id returned by the send or login or create endpoints.

    Minimum length is 1.

  • otp string Required

    OTP received by the User.

    Minimum length is 1.

  • device_fingerprint object

    Device fingerprinting metadata for fraud detection during OTP code verification step. This is useful to ensure that the user who originated the request matches the user that verifies the token. Verification requirements can be enabled by matching fields in the device_fingerprint such as IP, User Agent or the combination of them (more fraud detection features coming soon!)

    Hide device_fingerprint attributes Show device_fingerprint attributes object
    • ip string

      IP of the user originating the request.

    • user_agent string

      User Agent of the browser originating the request.

  • session_expires_in number

    Optional Extend the session expiration time to N minutes from now, must be between 5 to 525600 minutes (365 days). This parameter will create a new session if there is no existing session along with a session_token and session_jwt. However, if a valid session_token or session_jwt is sent in, it will extend that session by the minutes specified. If not sent in, no session will be created by default.

  • session_token string

    Optional Unique session token to verify.

  • session_jwt string

    Optional Unique Session JWT to verify.

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • method_id string Required

      Method ID of the phone number or email.

      Minimum length is 1.

    • method_type string Required

      Method Type. Possible values: email, phone_number.

      Minimum length is 1.

    • user_id string Required

      User ID of the verified user.

      Minimum length is 1.

    • session_token string
    • session_jwt string
    • session object
      Hide session attributes Show session attributes object
      • id string Required

        Minimum length is 1.

      • user_id string Required

        Minimum length is 1.

      • session_token string Required

        Minimum length is 1.

      • started_at number Required
      • expires_at number Required
      • last_active_at number Required
      • factors array[object] Required

        At least 1 element.

        Hide factors attributes Show factors attributes object
        • delivery_channel string Required

          Delivery channel for this factor. Possible values: sms, email, totp_authenticator, totp_recovery_code, google_oauth, apple_oauth, microsoft_oauth, discord_oauth, okta_oauth, github_oauth, slack_oauth, facebook_oauth, webauthn_credential, eth_wallet, sol_wallet.

          Minimum length is 1.

        • type string Required

          Authentication type of factor. Possible values: otp, oauth, wallet, totp, webauthn.

          Minimum length is 1.

        • method object Required
          Hide method attributes Show method attributes object
          • id string
          • method_id string Required

            Minimum length is 1.

          • method_type string Required

            Identifier method type. Possible values: email, wallet, phone_number, webauthn.

            Minimum length is 1.

          • last_verified_at number Required
          • phone_number_id string

            Minimum length is 1.

          • phone_number string

            Minimum length is 1.

          • email_id string
          • email string
          • wallet_type string
          • wallet_id string
          • wallet_public_address string
          • totp_id string
          • webauthn_credential_id string
          • provider_subject string
      • device_fingerprint object Required
        Hide device_fingerprint attributes Show device_fingerprint attributes object
        • user_agent string Required
        • ip string Required

          Minimum length is 1.

      • updated_at number Required
      • created_at number Required
POST /v1/auth/otps/verify
curl \
 --request POST 'https://api.streambird.io/v1/auth/otps/verify' \
 --header "Authorization: Bearer $ACCESS_TOKEN" \
 --header "Content-Type: application/json" \
 --data '{"otp":"829994","method_id":"pn_24oXBLRv6BoHXbNZoTAZkAFlRsy","device_fingerprint":{"ip":"123.2.1.1"},"session_expires_in":100}'
Request example
{
  "otp": "829994",
  "method_id": "pn_24oXBLRv6BoHXbNZoTAZkAFlRsy",
  "device_fingerprint": {
    "ip": "123.2.1.1"
  },
  "session_expires_in": 100
}
Response examples (200)
{
  "session": {
    "id": "sess_24tZ6tlJ7CxlTwB6Zoj6SHQ9vU3",
    "factors": [
      {
        "type": "otp",
        "method": {
          "method_id": "pn_24oXBLRv6BoHXbNZoTAZkAFlRsy",
          "method_type": "phone_number",
          "phone_number": "+14152222222",
          "phone_number_id": "pn_24oXBLRv6BoHXbNZoTAZkAFlRsy",
          "last_verified_at": 1643496805
        },
        "delivery_channel": "sms"
      }
    ],
    "user_id": "user_24wFP9pDa9YiMJLun94iKykoZs2",
    "created_at": 1643496805,
    "expires_at": 1643502805,
    "started_at": 1643496805,
    "updated_at": 1643496805,
    "session_token": "7hssInGtOjKGUh8w7T4NjgLIKKSw6UdZ8uOduBYmJzrtfV6GrNtaUYoGehRS6jBh",
    "last_active_at": 1643496805,
    "device_fingerprint": {
      "ip": "123.2.1.1",
      "user_agent": ""
    }
  },
  "user_id": "user_24wFP9pDa9YiMJLun94iKykoZs2",
  "method_id": "pn_24oXBLRv6BoHXbNZoTAZkAFlRsy",
  "method_type": "phone_number",
  "session_token": "7hssInGtOjKGUh8w7T4NjgLIKKSw6UdZ8uOduBYmJzrtfV6GrNtaUYoGehRS6jBh"
}