One-Time-Password APIs
Overview
Using the One-Time-Password APIs is a two-phase process. In the first phase, you call an API endpoint to initiate the process (sign-up, sign-in, etc.); in the second phase, you verify the OTP code received from the user.
Each first-phase API endpoint, when successfully executed, results in a code delivered to the user by email, voice call, or text message (SMS). Once it has executed, your app should wait for the user to supply the delivered code, and then call the verify API endpoint (the second-phase action) to confirm the user's code and complete the action.
The OTP code can be delivered over email, voice call, or text message (SMS) - each has its own set of API endpoints.
Use Cases
- Sign up a new user
- Sign in an existing user
- Sign in with auto sign-up a new user if not exists
- Update user's email address
- Update user's phone number
Examples
Example - user sign-up over email
- Trigger the process with the Sign-Up endpoint. Once it completes successfully, the OTP code will be delivered to the user's email.
- Complete the process by verifying the code with the Verify OTP Code endpoint. When the code is received from the end user, use the Verify OTP Code API to confirm it is valid. Once confirmed, the Verify command will return the user's Session and Refresh JWT.
Note
This example also applies to the "Sign in an existing user" and "Sign in with auto sign-up a new user if not exists" use cases, and to the text message (SMS) channel, when using the relevant API endpoints.
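The sign-up example above, as an added sketch that is not Descope's code: an in-memory Python model of the two phases, showing the behaviour this page states (empty response on success, a newer code replacing an older one, failure for an already-registered email, tokens returned on verify). The class and function names, the 6-digit code, single use of a code, and the token field names and placeholder values are assumptions.

```python
import hmac
import secrets

def random_code():
    return f"{secrets.randbelow(10**6):06d}"      # 6-digit code is an assumption

class OtpModel:
    """In-memory model of the email OTP sign-up flow (hypothetical, not Descope code)."""

    def __init__(self, new_code=random_code):
        self.new_code = new_code
        self.registered = set()    # emails that completed sign-up
        self.pending = {}          # email -> the one code that is currently valid

    def sign_up(self, email):
        """Phase 1: returns (API response, code delivered to the user's inbox)."""
        if email in self.registered:
            raise ValueError("email address is already registered")
        code = self.new_code()
        self.pending[email] = code                 # replaces any code sent earlier
        return {}, code                            # empty response object on success

    def verify(self, email, code):
        """Phase 2: confirm the code; return placeholder session and refresh tokens."""
        expected = self.pending.get(email)
        # Constant-time comparison: timing must not reveal how many digits matched.
        if expected is None or not hmac.compare_digest(expected.encode(), code.encode()):
            raise PermissionError("invalid or superseded OTP code")
        del self.pending[email]                    # assumption: a code works once
        self.registered.add(email)
        return {"sessionJwt": "<session-jwt>", "refreshJwt": "<refresh-jwt>"}

def demo():
    """Sign up twice, then try the old code, the new code and a repeat sign-up."""
    codes = iter(["111111", "222222"])             # constructed codes, repeatable run
    api, email = OtpModel(lambda: next(codes)), "alice@example.com"
    api.sign_up(email)
    api.sign_up(email)                             # user retried; "111111" is now dead
    steps = {"old_code": lambda: api.verify(email, "111111"),
             "new_code": lambda: api.verify(email, "222222"),
             "repeat_sign_up": lambda: api.sign_up(email)}
    out = {}
    for name, call in steps.items():
        try:
            call()
            out[name] = "accepted"
        except (PermissionError, ValueError) as exc:
            out[name] = f"rejected: {exc}"
    return out
```

Calling `demo()` returns a dict recording that the superseded code is rejected, the latest code is accepted, and a second sign-up for the same address fails.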
Example - update user's phone number
- Trigger the process with the Update Phone Number endpoint. Once it executes successfully, the OTP will be delivered to the new phone number provided as a parameter of the endpoint.
- Complete the process by verifying the code with the Verify Code API endpoint. When the code is received from the user, use the Verify API to confirm it is valid. Once confirmed - the user's phone number will be updated, and from that point all OTP codes over text message (SMS) will be delivered to the new number.
Note
This example also applies to the "Update user's email address" use case, when using the relevant API endpoints.
REST API Reference
Use the Descope REST API to build authentication and user management for your app while retaining full control over your UI.
Sign-Up POST
### Sign-up new end user by sending an OTP code via email

Initiate a sign-up process by sending a One-Time Password (OTP) to a new end user. Descope will generate and deliver the OTP code to the email address specified. Sending multiple OTP codes (for example, when an end user tries to sign up a second or third time) will invalidate any OTP code that has already been sent.

This endpoint will return an empty response object when it completes successfully. The endpoint will return a failure code if the email address is already registered.

### Next Steps

Verify the OTP code using the [Verify OTP Code](/api/otp/email/verify-otp) endpoint to complete the user sign-up process. After successfully verifying the OTP code, the end user will be signed in.

### See Also

- See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number.
- Use the [Sign-In](/api/otp/email/sign-in) endpoint to sign in an existing end user.
- Use the [Sign-In with Auto Sign-up](/api/otp/email/sign-in-auto-sign-up) endpoint to create a single sign-up and sign-in flow, which will create a new end user if they are not already registered.

### Endpoint Authentication

Use authorization bearer header with the following format: `Authorization: Bearer <Project ID>`