B2B SaaS Authentication API reference: Multi-Factor Authentication (MFA) / One-time passcodes

Authenticate SMS OTP

POST https://test.stytch.com/v1/b2b/otps/sms/authenticate

SMS OTPs may not be used as a primary authentication mechanism. They can be used to complete an MFA requirement, or they can be used as a step-up factor to be added to an existing session.

This endpoint verifies that the one-time passcode (OTP) is valid and hasn't expired or been previously used. OTP codes expire after two minutes.

A given Member may only have a single active OTP code at any given time. If a Member requests another OTP code before the first one has expired, the first one will be invalidated.

Exactly one of intermediate_session_token, session_token, or session_jwt must be provided in the request. If an intermediate session token is provided, this operation will consume it.

An intermediate session token is returned by a successful primary authenticate call (for example, email magic link authenticate) when the Member still has to satisfy an MFA requirement, or by a successful discovery authenticate call (for example, email magic link discovery authenticate).

If the Organization's MFA policy is REQUIRED_FOR_ALL, a successful OTP authentication will change the Member's mfa_enrolled status to true if it is not already true. If the Organization's MFA policy is OPTIONAL, the Member's MFA enrollment can be toggled by passing in a value for the set_mfa_enrollment field. The Member's MFA enrollment can also be toggled through the Update Member endpoint.

Provide the session_duration_minutes parameter to set the lifetime of the session. If the session_duration_minutes parameter is not specified, a Stytch session will be created with a duration of 60 minutes.
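To make the rules above concrete, here is an added toy model of them in Python. It is not Stytch's code and it does not call the API; the names (OtpFlowModel, issue_intermediate_session_token, send_code, authenticate, run_scenarios), the controllable clock and the predictable codes are all choices made for this walkthrough. It encodes only what this page states: one active code per Member, a two-minute lifetime, single use, consumption of the intermediate session token on success, and a 60-minute session when session_duration_minutes is omitted.

```python
import itertools
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

OTP_TTL_SECONDS = 120          # "OTP codes expire after two minutes"
DEFAULT_SESSION_MINUTES = 60   # session length when session_duration_minutes is omitted


@dataclass
class _ActiveCode:
    code: str
    issued_at: float
    used: bool = False


class OtpFlowModel:
    """Toy model of the rules stated on this page (not Stytch's implementation): one active
    code per Member, two-minute expiry, single use, and IST consumption on success."""

    def __init__(self, clock: Callable[[], float] = time.monotonic,
                 code_source: Optional[Callable[[], str]] = None):
        self.clock = clock
        self.next_code = code_source or (lambda: f"{secrets.randbelow(10**6):06d}")
        self.active: dict[str, _ActiveCode] = {}    # member_id -> the only live code
        self.intermediate_tokens: set[str] = set()  # ISTs from a primary factor, not yet consumed
        self.sessions: dict[str, dict] = {}         # session_token -> session record

    def issue_intermediate_session_token(self) -> str:
        # Stands in for the IST a primary authenticate (e.g. magic link) returns when MFA is required.
        ist = secrets.token_urlsafe(32)
        self.intermediate_tokens.add(ist)
        return ist

    def send_code(self, member_id: str) -> str:
        # A new code replaces, and so invalidates, whatever code was active before.
        code = self.next_code()
        self.active[member_id] = _ActiveCode(code, self.clock())
        return code

    def authenticate(self, member_id: str, code: str, *, intermediate_session_token: Optional[str] = None,
                     session_token: Optional[str] = None, session_duration_minutes: Optional[int] = None) -> dict:
        if (intermediate_session_token is None) == (session_token is None):
            raise ValueError("exactly one of intermediate_session_token or session_token is required")
        state = self.active.get(member_id)
        if state is None or state.used or not secrets.compare_digest(state.code, code):
            raise PermissionError("code is wrong, already used, or superseded by a newer code")
        if self.clock() - state.issued_at > OTP_TTL_SECONDS:
            raise PermissionError("code expired")
        if intermediate_session_token is not None:
            # MFA completion: the IST must still be live, and this call consumes it.
            if intermediate_session_token not in self.intermediate_tokens:
                raise PermissionError("intermediate session token unknown or already consumed")
            self.intermediate_tokens.discard(intermediate_session_token)
            session_token = secrets.token_urlsafe(32)
            self.sessions[session_token] = {"member_id": member_id, "sms_otp_verifications": 0,
                                            "expires_in_minutes": session_duration_minutes or DEFAULT_SESSION_MINUTES}
        elif session_token not in self.sessions:
            # Step-up: the factor is added to an existing session rather than minting a new one.
            raise PermissionError("session token unknown")
        state.used = True   # the code can never be replayed
        record = self.sessions[session_token]
        record["sms_otp_verifications"] += 1
        return {"status_code": 200, "member_id": member_id, "session_token": session_token, "member_session": record}


def _fails(call: Callable[[], object], exc: type = PermissionError) -> bool:
    try:
        call()
        return False
    except exc:
        return True


def run_scenarios() -> dict:
    """Walk the rules in order with a controllable clock and predictable codes; report each outcome."""
    now, counter = [1_000.0], itertools.count(100000)
    model = OtpFlowModel(clock=lambda: now[0], code_source=lambda: f"{next(counter):06d}")
    member = "member-test-32fc5024-9c09-4da3-bd2e-c9ce4da9375f"   # Member id from the page's example
    out = {}
    ist = model.issue_intermediate_session_token()
    first, second = model.send_code(member), model.send_code(member)
    out["stale_code_rejected"] = _fails(lambda: model.authenticate(member, first, intermediate_session_token=ist))
    resp = model.authenticate(member, second, intermediate_session_token=ist)
    out["mfa_session_minutes"] = resp["member_session"]["expires_in_minutes"]
    out["replay_rejected"] = _fails(lambda: model.authenticate(member, second, intermediate_session_token=ist))
    out["ist_consumed"] = ist not in model.intermediate_tokens
    tok, late = resp["session_token"], model.send_code(member)
    now[0] += OTP_TTL_SECONDS + 1   # let the code age past its two-minute lifetime
    out["expired_rejected"] = _fails(lambda: model.authenticate(member, late, session_token=tok))
    stepped = model.authenticate(member, model.send_code(member), session_token=tok)
    out["stepup_same_session"] = stepped["session_token"] == tok
    out["sms_otp_verifications"] = stepped["member_session"]["sms_otp_verifications"]
    out["both_tokens_rejected"] = _fails(
        lambda: model.authenticate(member, "000000", intermediate_session_token=ist, session_token=tok), ValueError)
    return out
```

The ordering in authenticate is the part worth copying into any verifier you write yourself: the code is checked before the intermediate session token is touched, so a wrong or expired code leaves the IST live for a retry, while a successful call burns both the code and the IST in the same step.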


Body parameters (* required)

organization_id* string
member_id* string
code* string
intermediate_session_token string
set_mfa_enrollment string
session_token string
session_jwt string
session_duration_minutes int
session_custom_claims map<string, any>

Response fields

request_id string
status_code int
member_id string
organization_id string
member object
organization object
session_token string
session_jwt string
member_session object

REQUEST

curl --request POST \
  --url https://test.stytch.com/v1/b2b/otps/sms/authenticate \
  -u 'PROJECT_ID:SECRET' \
  -H 'Content-Type: application/json' \
  -d '{
    "organization_id": "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
    "member_id": "member-test-32fc5024-9c09-4da3-bd2e-c9ce4da9375f",
    "code": "123456",
    "intermediate_session_token": "SeiGwdj5lKkrEVgcEY3QNJXt6srxS3IK2Nwkar6mXD4="
  }'

RESPONSE

200
{
  "status_code": 200,
  "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
  "member_id": "member-test-32fc5024-9c09-4da3-bd2e-c9ce4da9375f",
  "organization_id": "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
  "session_jwt": "example_jwt",
  "session_token": "mZAYn5aLEqKUlZ_Ad9U_fWr38GaAQ1oFAhT8ds245v7Q",
  "member_session": {...},
  "member": {...},
  "organization": {...}
}
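The request and response above driven from Python, as an added example that is neither Stytch's SDK nor code from this page. It uses only the standard library. build_authenticate_body, authenticate_sms_otp, fake_stytch and demo are names chosen here, the project credentials are placeholders, and fake_stytch is a constructed offline stand-in that returns the 200 body shown above for code 123456 and a 400 for anything else; that 400 body is made up for the example and is not a statement about the real server's error responses.

```python
import base64
import json
import urllib.error
import urllib.request
from typing import Callable, Optional

AUTHENTICATE_URL = "https://test.stytch.com/v1/b2b/otps/sms/authenticate"


def build_authenticate_body(organization_id: str, member_id: str, code: str, *,
                            intermediate_session_token: Optional[str] = None,
                            session_token: Optional[str] = None, session_jwt: Optional[str] = None,
                            session_duration_minutes: Optional[int] = None,
                            set_mfa_enrollment: Optional[str] = None,
                            session_custom_claims: Optional[dict] = None) -> dict:
    """Assemble the request body, enforcing the page's exactly-one-of rule before any network call."""
    selectors = {"intermediate_session_token": intermediate_session_token,
                 "session_token": session_token, "session_jwt": session_jwt}
    present = [name for name, value in selectors.items() if value]
    if len(present) != 1:
        raise ValueError(f"exactly one of {sorted(selectors)} is required, got {present or 'none'}")
    body = {"organization_id": organization_id, "member_id": member_id, "code": code,
            present[0]: selectors[present[0]]}
    optional = {"session_duration_minutes": session_duration_minutes,
                "set_mfa_enrollment": set_mfa_enrollment, "session_custom_claims": session_custom_claims}
    body.update({name: value for name, value in optional.items() if value is not None})
    return body


def basic_auth_header(project_id: str, secret: str) -> str:
    # Same credential the page's curl passes with -u 'PROJECT_ID:SECRET'.
    return "Basic " + base64.b64encode(f"{project_id}:{secret}".encode()).decode()


class StytchApiError(Exception):
    """Non-200 reply. Keep the body for logging, but never derive a session from it."""
    def __init__(self, status: int, payload: dict):
        super().__init__(f"HTTP {status}: {payload}")
        self.status, self.payload = status, payload


def _urllib_transport(req: urllib.request.Request) -> tuple[int, bytes]:
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:   # 4xx/5xx replies still carry a JSON body
        return err.code, err.read()


def authenticate_sms_otp(project_id: str, secret: str, body: dict,
                         transport: Callable = _urllib_transport) -> dict:
    """POST the body with Basic auth; return the parsed 200 payload or raise StytchApiError."""
    req = urllib.request.Request(AUTHENTICATE_URL, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json",
                                          "Authorization": basic_auth_header(project_id, secret)})
    status, raw = transport(req)
    payload = json.loads(raw or b"{}")
    if status != 200:
        raise StytchApiError(status, payload)
    return payload


def fake_stytch(req: urllib.request.Request) -> tuple[int, bytes]:
    """Constructed offline stand-in: accepts only code 123456 and echoes the page's 200 shape."""
    sent = json.loads(req.data)
    if sent.get("code") != "123456":
        return 400, b'{"error": "invalid code"}'   # made-up body, not the real server's error format
    return 200, json.dumps({
        "status_code": 200, "member_id": sent["member_id"], "organization_id": sent["organization_id"],
        "session_jwt": "example_jwt", "session_token": "mZAYn5aLEqKUlZ_Ad9U_fWr38GaAQ1oFAhT8ds245v7Q",
        "member_session": {}, "member": {}, "organization": {}}).encode()


def _outcome(call: Callable[[], object]) -> object:
    """Return the call's result, or the exception it raised, so both kinds of outcome can be compared."""
    try:
        return call()
    except (ValueError, StytchApiError) as err:
        return err


def demo(transport: Callable = fake_stytch) -> dict:
    org = "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931"   # identifiers from the page's example
    member = "member-test-32fc5024-9c09-4da3-bd2e-c9ce4da9375f"
    ist, creds = "SeiGwdj5lKkrEVgcEY3QNJXt6srxS3IK2Nwkar6mXD4=", ("project-test-id", "secret-test")
    # MFA completion: the IST handed back by the primary factor selects this flow.
    tok = authenticate_sms_otp(*creds, build_authenticate_body(
        org, member, "123456", intermediate_session_token=ist), transport)["session_token"]
    # Step-up onto that session with a wrong code: the non-200 reply raises and never looks like a session.
    bad = _outcome(lambda: authenticate_sms_otp(*creds, build_authenticate_body(
        org, member, "000000", session_token=tok), transport))
    # IST and session token together is a caller bug, rejected before anything is sent.
    both = _outcome(lambda: build_authenticate_body(
        org, member, "123456", intermediate_session_token=ist, session_token=tok))
    return {"session_token": tok,
            "bad_code_status": bad.status if isinstance(bad, StytchApiError) else 200,
            "both_selectors_rejected": isinstance(both, ValueError)}
```

Leave out the transport argument to call test.stytch.com for real with your own project credentials; the fake exists only so the example runs offline. Treat the returned session_token and session_jwt as the credential they are: the non-200 path raises rather than returning a partial dict precisely so that no caller can mistake an error body for a session.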

Common Error Types