Multi-tenancy authentication API reference - passwords discovery authenticate

Discovery Authenticate

POSThttps://test.stytch.com/v1/b2b/passwords/discovery/authenticate

Authenticate an email/password combination in the discovery flow. This authenticate flow is only valid for cross-org passwords use cases, and is not tied to a specific organization.

If you have breach detection during authentication enabled in your password strength policy and the member's credentials have appeared in the HaveIBeenPwned dataset, this endpoint will return a member_reset_password error even if the member enters a correct password. We force a password reset in this case to ensure that the member is the legitimate owner of the email address and not a malicious actor abusing the compromised credentials.

If successful, this endpoint will create a new intermediate session and return a list of discovered organizations that can be session exchanged into.

Body parameters

email_address* string

password* string

Response fields

request_id string

status_code int

email_address string

intermediate_session_token string

discovered_organizations array

curl --request POST \
  --url https://test.stytch.com/v1/b2b/passwords/discovery/authenticate \
  -u 'PROJECT_ID:SECRET' \
  -H 'Content-Type: application/json' \
  -d '{
    "email_address": "sandbox@stytch.com",
    "password": "%mzfj0tHl+T9vDpR"
  }'

RESPONSE

{
    "status_code": 200,
    "request_id": "request-id-test-b05c992f-ebdc-489d-a754-c7e70ba13141",
    "member_id": "member-test-32fc5024-9c09-4da3-bd2e-c9ce4da9375f",
    "organization_id": "organization-test-07971b06-ac8b-4cdb-9c15-63b17e653931",
    "session_jwt": "example_jwt",
    "session_token": "mZAYn5aLEqKUlZ_Ad9U_fWr38GaAQ1oFAhT8ds245v7Q",
    "intermediate_session_token": "",
    "member_authenticated": true,
    "mfa_required": null,
    "primary_required": null,
    "member_session": {...},
    "member": {...},
    "organization": {...}
}