Send a One-Time Passcode (OTP) to a Member's phone number.
If the Member already has a phone number, the mfa_phone_number field is not needed; the endpoint will send an OTP to the number associated with the Member. If the Member does not have a phone number, the endpoint will send an OTP to the mfa_phone_number provided and link the mfa_phone_number with the Member.
An error will be thrown if the Member already has a phone number and the provided mfa_phone_number does not match the existing one.
OTP codes expire after two minutes. Note that sending another OTP code before the first has expired will invalidate the first code.
If a Member has a phone number and is enrolled in MFA, then after a successful primary authentication event (e.g. email magic link or SSO login is complete), an SMS OTP will automatically be sent to their phone number. In that case, this endpoint should only be used for subsequent authentication events, such as prompting a Member for an OTP again after a period of inactivity.
Passing an intermediate session token, session token, or session JWT is not required, but if one is passed, it must match the Member ID passed.
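The send rules above, modeled as an in-memory test double so integration tests can exercise them without sending billable SMS; this is an added example, not Stytch's SDK or server code. The class and method names, the 6-digit code length, the check step, single-use codes, and the error raised when a Member without a number omits mfa_phone_number are assumptions.

```python
import secrets
import time

OTP_TTL_SECONDS = 120  # "OTP codes expire after two minutes"


class PhoneNumberMismatch(Exception):
    """Provided mfa_phone_number differs from the Member's existing number."""


class FakeSmsOtpSender:
    """Hypothetical test double for the documented send rules (not Stytch code)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self.phone_by_member = {}  # member_id -> linked phone number
        self._active = {}          # member_id -> (code, expires_at)

    def send(self, member_id, mfa_phone_number=None):
        existing = self.phone_by_member.get(member_id)
        if existing is None:
            if mfa_phone_number is None:  # assumed behaviour, not stated on the page
                raise ValueError("Member has no phone number to send to")
            self.phone_by_member[member_id] = mfa_phone_number  # link on first send
        elif mfa_phone_number is not None and mfa_phone_number != existing:
            raise PhoneNumberMismatch(member_id)
        previous = self._active.get(member_id, (None, 0))[0]
        code = previous
        while code == previous:  # a resend never reuses the code it replaces
            code = f"{secrets.randbelow(10**6):06d}"  # 6 digits is an assumption
        # Overwriting the entry is what invalidates an earlier, unexpired code.
        self._active[member_id] = (code, self._clock() + OTP_TTL_SECONDS)
        return code  # returned only so tests can read it; real codes go out by SMS

    def check(self, member_id, code):
        entry = self._active.get(member_id)
        if entry is None:
            return False
        current, expires_at = entry
        if self._clock() >= expires_at:
            del self._active[member_id]
            return False
        if not secrets.compare_digest(current, code):
            return False
        del self._active[member_id]  # one-time: a code cannot be replayed
        return True
```

Inject a fake clock (any zero-argument callable returning seconds) to test the two-minute expiry without sleeping.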
Cost to send SMS OTP
Before configuring SMS or WhatsApp OTPs, please review how Stytch bills the costs of international OTPs and understand how to protect your app against toll fraud.
Even when international SMS is enabled, we do not support sending SMS to countries on our Unsupported countries list.
Note: SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS prior to October 2023. If you're interested in sending international SMS, please reach out to support@stytch.com.