This endpoint allows you to exchange the intermediate_session_token returned when the user successfully completes a Discovery authentication flow to create a new Organization and Member and log the user in. If the user wants to log into an existing Organization, use the Exchange Intermediate Session endpoint instead.
Stytch requires that users verify their email address prior to creating a new Organization in order to prevent Account Takeover (ATO) attacks and phishing.
If the user authenticated using a method that does not provide real-time email verification (returning password auth, GitHub/Slack/HubSpot OAuth), this API will return member_authenticated: false and an intermediate_session_token, indicating that the user must complete additional authentication via one of the options listed in primary_required.allowed_auth_methods before they can finish logging in.
If you specified an mfa_policy: REQUIRED_FOR_ALL in the request, this API will return member_authenticated: false, an intermediate_session_token, and mfa_required in order to indicate that you must prompt the user to enroll in MFA.
Include the intermediate_session_token when calling the authenticate() method for whichever step the user still has to complete (verifying their email or enrolling in MFA). Once the user has completed the authentication requirements they were missing, they will be granted a full session_token and session_jwt and be successfully logged in.
If the user logged in with a method that does provide real-time email verification (Email Magic Links, Email OTP, Google/Microsoft OAuth, initial email verification when creating a new password) this API will return member_authenticated: true and a session_jwt and session_token to indicate that the user has successfully logged in.
The Member created by this endpoint will automatically be granted the stytch_admin Role. See the RBAC guide for more details on this Role.
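The branching described above (fully logged in, primary authentication still required, or MFA enrollment required) is easy to get wrong if an application only checks for the presence of a session token. The following Python is an added example and not Stytch's own SDK code: it builds the request body and decides the next step from the response fields the documentation names (member_authenticated, intermediate_session_token, primary_required.allowed_auth_methods, mfa_required, session_token, session_jwt). The organization_name field and the sample responses are constructed for illustration; real allowed_auth_methods values come from the API.

```python
"""Decide the next step after a Create Organization via Discovery call.

Added example, not Stytch's SDK code. Field names follow the endpoint
documentation; sample responses are constructed, not captured from the API.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class NextStep:
    # One of: "logged_in", "primary_auth_required", "mfa_required"
    action: str
    # Present only when the user is fully logged in
    session_token: Optional[str] = None
    session_jwt: Optional[str] = None
    # Present when the user still has a step to finish; must be passed to the
    # follow-up authenticate() call for that step
    intermediate_session_token: Optional[str] = None
    # Methods the user may use to finish primary auth (from primary_required)
    allowed_auth_methods: List[str] = field(default_factory=list)


def build_create_request(intermediate_session_token: str,
                         organization_name: str,
                         mfa_policy: Optional[str] = None) -> dict:
    """Build the JSON body for the create-via-discovery request.

    organization_name is an assumed field name used for illustration;
    mfa_policy "REQUIRED_FOR_ALL" is the value the documentation describes.
    """
    body = {
        "intermediate_session_token": intermediate_session_token,
        "organization_name": organization_name,
    }
    if mfa_policy is not None:
        body["mfa_policy"] = mfa_policy
    return body


def next_step(resp: dict) -> NextStep:
    """Map the API response to what the application must do next."""
    if resp.get("member_authenticated"):
        # Email was verified in real time (magic link, OTP, Google/Microsoft
        # OAuth, ...): a full session is granted. Refuse to treat the user as
        # logged in unless both session artifacts are actually present.
        token = resp.get("session_token")
        jwt = resp.get("session_jwt")
        if not token or not jwt:
            raise ValueError("member_authenticated but session material is missing")
        return NextStep("logged_in", session_token=token, session_jwt=jwt)

    ist = resp.get("intermediate_session_token")
    if not ist:
        raise ValueError("not authenticated and no intermediate_session_token returned")

    primary = resp.get("primary_required")
    if primary is not None:
        # Auth method did not verify the email in real time: the user must
        # authenticate again via an allowed method, then authenticate() with the IST.
        return NextStep("primary_auth_required", intermediate_session_token=ist,
                        allowed_auth_methods=list(primary.get("allowed_auth_methods", [])))

    if resp.get("mfa_required") is not None:
        # mfa_policy was REQUIRED_FOR_ALL: prompt the user to enroll in MFA,
        # then pass the IST to that factor's authenticate() call.
        return NextStep("mfa_required", intermediate_session_token=ist)

    raise ValueError("unexpected response: not authenticated and no required step reported")


# Constructed sample responses; shapes follow the documentation, values are fake.
SAMPLE_LOGGED_IN = {
    "member_authenticated": True,
    "session_token": "sess-token-example",
    "session_jwt": "eyJ.example.jwt",
    "intermediate_session_token": "",
}
SAMPLE_PRIMARY_REQUIRED = {
    "member_authenticated": False,
    "intermediate_session_token": "ist-example",
    "primary_required": {"allowed_auth_methods": ["magic_link", "otp"]},
    "mfa_required": None,
}
SAMPLE_MFA_REQUIRED = {
    "member_authenticated": False,
    "intermediate_session_token": "ist-example",
    "primary_required": None,
    "mfa_required": {},
}

if __name__ == "__main__":
    for sample in (SAMPLE_LOGGED_IN, SAMPLE_PRIMARY_REQUIRED, SAMPLE_MFA_REQUIRED):
        print(next_step(sample))
```

The order of the checks matters: primary_required is tested before mfa_required because the user has to prove ownership of the email address before an MFA enrollment is meaningful, and the logged-in branch insists on both session_token and session_jwt rather than trusting member_authenticated alone.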