SMS OTPs may not be used as a primary authentication mechanism. They can be used to complete an MFA requirement, or they can be used as a step-up factor to be added to an existing session.
This endpoint verifies that the one-time passcode (OTP) is valid and hasn't expired or been previously used. OTP codes expire after two minutes.
A given Member may only have a single active OTP code at any given time. If a Member requests another OTP code before the first one has expired, the first one will be invalidated.
Exactly one of intermediate_session_token, session_token, or session_jwt must be provided in the request. If an intermediate session token is provided, this operation will consume it.
Intermediate session tokens are generated in two situations: after a successful call to a primary authenticate method (such as email magic link authenticate) when the Organization requires MFA, and after a successful call to a discovery authenticate method (such as email magic link discovery authenticate).
If the Organization's MFA policy is REQUIRED_FOR_ALL, a successful OTP authentication will change the Member's mfa_enrolled status to true if it is not already true. If the Organization's MFA policy is OPTIONAL, the Member's MFA enrollment can be toggled by passing in a value for the set_mfa_enrollment field. The Member's MFA enrollment can also be toggled through the Update Member endpoint.
Provide the session_duration_minutes parameter to set the lifetime of the session. If the session_duration_minutes parameter is not specified, a Stytch session will be created with a duration of 60 minutes.