Authenticate a user given a token. This endpoint verifies that the user completed the SSO Authentication flow by verifying that the token is valid and hasn't expired. Provide the session_duration_minutes parameter to set the lifetime of the session. If the session_duration_minutes parameter is not specified, a Stytch session will be created with a 60 minute duration. To link this authentication event to an existing Stytch session, include either the session_token or session_jwt param.
If the Member is required to complete MFA to log in to the Organization, the returned value of member_authenticated will be false, and an intermediate_session_token will be returned. The intermediate_session_token can be passed into the OTP SMS Authenticate endpoint, TOTP Authenticate endpoint, or Recovery Codes Recover endpoint to complete the MFA step and acquire a full member session. The session_duration_minutes and session_custom_claims parameters will be ignored.
If a valid session_token or session_jwt is passed in, the Member will not be required to complete an MFA step.