Authenticate - Stytch Docs

Wraps the Authenticate endpoint. Call this method to authenticate a TOTP code entered by a user. If this method succeeds, the user will be logged in, granted an active session, and the session cookies will be minted and stored in the browser.

Parameters

totp_code

string

required

The TOTP code to authenticate. The TOTP code should consist of 6 digits.

session_duration_minutes

int

required

Set the session lifetime to be this many minutes from now. This will return both an opaque session_token and session_jwt for this session, which will automatically be stored either in the browser cookies if you’re using our JavaScript SDK, or in the iOS Keychain/ Android SharedPreferences if you’re using one of our mobile SDKs. The session_jwt will have a fixed lifetime of five minutes regardless of the underlying session duration, and will be automatically refreshed by the SDK in the background over time. This value must be a minimum of 5 and may not exceed the maximum session duration minutes value set in the Frontend SDK page of the Stytch Dashboard. A successful authentication will continue to extend the session this many minutes.

Response

totp_id

string

The unique ID for a TOTP instance.

user_id

string

The unique ID of the affected User.

user

object

The user object affected by this API call. See the Get user endpoint for complete response field details.

Show properties

user

object

The user object affected by this API call. See the User object for complete response field details.

Show properties

created_at

string

The timestamp of the User’s creation. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

crypto_wallets

array[objects]

An array contains a list of all crypto wallets for a given User in the Stytch API.

Show properties

crypto_wallet_id

string

The unique ID for a crypto wallet

crypto_wallet_address

string

The actual blockchain address of the User’s crypto wallet.

crypto_wallet_type

string

The blockchain that the User’s crypto wallet operates on, e.g. Ethereum, Solana, etc.

verified

boolean

If this method has been successfully authenticated by the User.

emails

array[objects]

An array of email objects for the User.

Show properties

email_id

string

The unique ID of a specific email address.

string

The email address.

verified

boolean

If this method has been successfully authenticated by the User.

name

object

The name of the User. Each field in the name object is optional.

Show properties

first_name

string

The first name of the user.

middle_name

string

The middle name(s) of the user.

last_name

string

The last name of the user.

trusted_metadata

object

The trusted_metadata field contains an arbitrary JSON object of application-specific data. See the Metadata reference for complete field behavior details.

untrusted_metadata

object

The untrusted_metadata field contains an arbitrary JSON object of application-specific data. Untrusted metadata can be edited by end users directly via the SDK, and cannot be used to store critical information. See the Metadata reference for complete field behavior details.

phone_numbers

array[objects]

An array of phone number objects linked to the User.

Show properties

phone_id

string

The unique ID for the phone number.

phone_number

string

The phone number.

verified

boolean

If this method has been successfully authenticated by the User.

providers

array[objects]

An array of OAuth provider objects linked to the User.

Show properties

oauth_user_registration_id

string

The unique ID for an OAuth registration.

provider_subject

string

The unique identifier for the User within a given OAuth provider. Also commonly called the “sub” or “Subject field” in OAuth protocols.

provider_type

string

Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Facebook, GitHub etc.

profile_picture_url

string

If available, the profile_picture_url is a url of the User’s profile picture set in OAuth identity the provider that the User has authenticated with, e.g. Facebook profile picture.

locale

string

If available, the locale is the User’s locale set in the OAuth identity provider that the user has authenticated with.

password

object

The password object is returned for users with a password.

Show properties

password_id

string

The unique ID of a specific password

requires_reset

boolean

Indicates whether this password requires a password reset

status

string

The status of the User. The possible values are pending and active.

totps

array[objects]

An array containing a list of all TOTP instances for a given User in the Stytch API.

Show properties

totp_id

string

The unique ID for a TOTP instance.

verified

boolean

If this method has been successfully authenticated by the User.

user_id

string

The unique ID of the affected User.

webauthn_registrations

array[objects]

An array that contains a list of all Passkey or WebAuthn registrations for a given User in the Stytch API.

Show properties

webauthn_registration_id

string

The unique ID for the Passkey or WebAuthn registration.

domain

string

The domain on which Passkey or WebAuthn registration was started. This will be the domain of your app.

user_agent

string

The user agent of the User.

authenticator_type

string

The authenticator_type string displays the requested authenticator type of the Passkey or WebAuthn device. The two valid types are “platform” and “cross-platform”. If no value is present, the Passkey or WebAuthn device was created without an authenticator type preference.

verified

boolean

If this method has been successfully authenticated by the User.

name

string

The name of the Passkey or WebAuthn registration.

biometric_registrations

array[objects]

An array that contains a list of all biometric registrations for a given User in the Stytch API.

Show properties

biometric_registration_id

string

The unique ID for a biometric registration.

verified

boolean

If this method has been successfully authenticated by the User.

roles

array[strings]

Roles assigned to this User. See the RBAC guide for more information about role assignment.

session_token

string

A secret token for a given Stytch Session.

session_jwt

string

The JSON Web Token (JWT) for a given Stytch Session.

session

object

If you initiate a Session, by including session_duration_minutes in your authenticate call, you’ll receive a full Session object in the response. See Session object for complete response fields.

Show properties

session_id

string

A unique identifier for a specific Session.

user_id

string

The unique ID of the affected User.

authentication_factors

array[objects]

An array of different authentication factors that comprise a Session.

started_at

string

The timestamp when the Session was created. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

last_accessed_at

string

The timestamp when the Session was last accessed. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

expires_at

string

The timestamp when the Session expires. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

attributes

object

Provided attributes help with fraud detection.

Show properties

ip_address

string

The IP address of the user.

user_agent

string

The user agent of the User.

custom_claims

map

The custom claims map for a Session. Claims can be added to a session during a Sessions authenticate call.

roles

array[string]

A list of the roles associated with the session.

user_device

object

If Protected Auth is enabled and returned fingerprinting results, the user_device response field will contain information about the user’s device attributes.

Show properties

ip_address

string

The IP address of the user’s device.

ip_address_details

object

Information about the ip_address.

Show properties

is_new

boolean

Whether this ip_address has been seen before for this user.

first_seen_at

string

When this ip_address was first seen for this user. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

last_seen_at

string

When this ip_address was last seen for this user. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

ip_geo_country

string

The country code where the IP address is located.

ip_geo_country_details

object

Information about the ip_geo_country.

Show properties

is_new

boolean

Whether this ip_geo_country has been seen before for this user.

first_seen_at

string

When this ip_geo_country was first seen for this user. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

last_seen_at

string

When this ip_geo_country was last seen for this user. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

ip_geo_city

string

The city where the IP address is located.

ip_geo_region

string

The region where the IP address is located.

request_id

string

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

status_code

number

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

​Parameters

​Response

Parameters

Response