POST /v1/auth/otp/verify/sms

Authorization

Authorization (required): Bearer <token>

In: header

Request Body

application/json (required)

- `loginId`: string
- `code`: string

```bash
curl -X POST "https://api.descope.com/v1/auth/otp/verify/sms" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "loginId": "string",
    "code": "string"
  }'
```

OK

```json
{
  "sessionJwt": "string",
  "refreshJwt": "string",
  "cookieDomain": "string",
  "cookiePath": "string",
  "cookieMaxAge": 0,
  "cookieExpiration": 0,
  "user": {
    "loginIds": [
      "string"
    ],
    "userId": "string",
    "name": "string",
    "email": "string",
    "phone": "string",
    "verifiedEmail": true,
    "verifiedPhone": true,
    "roleNames": [
      "string"
    ],
    "userTenants": [
      {
        "tenantId": "string",
        "roleNames": [
          "string"
        ],
        "tenantName": "string"
      }
    ],
    "status": "string",
    "externalIds": [
      "string"
    ],
    "picture": "string",
    "test": false,
    "customAttributes": {},
    "createdTime": 0,
    "TOTP": false,
    "SAML": false,
    "OAuth": {
      "property1": false,
      "property2": false
    },
    "webauthn": true,
    "password": true,
    "ssoAppIds": [
      "string"
    ],
    "givenName": "string",
    "middleName": "string",
    "familyName": "string",
    "editable": true,
    "SCIM": true
  },
  "firstSeen": true,
  "idpResponse": {
    "samlResponse": "string",
    "samlGeneratedUser": "string",
    "samlGeneratedRoles": "string",
    "oidcResponse": "string",
    "oidcGeneratedUser": "string",
    "oidcGeneratedRoles": "string",
    "idpGroups": [
      "string"
    ]
  },
  "sessionExpiration": 0
}
```
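
The request and response above, as an added Python example (not Descope's own code): it builds the two bearer formats this page describes, constructs the verify request without sending it, and turns a response into a hardened `Set-Cookie` value. That `cookieDomain`, `cookiePath` and `cookieMaxAge` describe a cookie carrying `refreshJwt` is an assumption; the cookie name `refresh_token` and the function names are hypothetical.

```python
import json
import urllib.request
from http.cookies import SimpleCookie

VERIFY_URL = "https://api.descope.com/v1/auth/otp/verify/sms"


def bearer(project_id, refresh_jwt=None):
    """Return '<Project ID>' or '<Project ID>:<JWT>' for the Authorization header."""
    parts = [project_id] if refresh_jwt is None else [project_id, refresh_jwt]
    for part in parts:
        # ':' separates the two fields; whitespace or CR/LF in a
        # caller-supplied value could split the header. Reject both.
        if not part or any(ch in part for ch in ": \t\r\n"):
            raise ValueError("invalid bearer component")
    return ":".join(parts)


def build_verify_request(token, login_id, code):
    """Build (but do not send) the verify call shown in the curl example."""
    body = json.dumps({"loginId": login_id, "code": code}).encode()
    return urllib.request.Request(
        VERIFY_URL, data=body, method="POST",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})


def refresh_cookie(resp, name="refresh_token"):
    """Turn a verify response into a Set-Cookie value for the refresh JWT.

    Assumption: the cookie* fields describe this cookie; `name` is hypothetical.
    """
    jwt = resp.get("refreshJwt")
    if not isinstance(jwt, str) or jwt.count(".") != 2:
        raise ValueError("response carries no well-formed refreshJwt")
    jar = SimpleCookie()
    jar[name] = jwt
    jar[name]["path"] = resp.get("cookiePath") or "/"
    jar[name]["domain"] = resp.get("cookieDomain") or ""  # empty: host-only
    max_age = int(resp.get("cookieMaxAge") or 0)
    if max_age > 0:  # omit when unset, so the cookie is not expired at once
        jar[name]["max-age"] = max_age
    jar[name]["httponly"] = True   # keep the token away from page scripts
    jar[name]["secure"] = True     # send over HTTPS only
    jar[name]["samesite"] = "Strict"
    return jar[name].OutputString()
```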


Sign-In with Auto Sign-up POST

### Sign-in end user (with automatic sign-up) by sending an OTP code via SMS

Initiate a process that implements both sign-in and sign-up using a single endpoint. Descope will generate and deliver the One-Time Password (OTP) to the end user via SMS. If the phone number is already registered (the end user exists) the user will be signed in. If the phone number is not registered (the end user is not yet registered) the user will be signed up.

Sending multiple OTP codes (for example, when an end user tries to sign-up/sign-in a second or third time) will invalidate any OTP code that has already been sent.

This endpoint will return an empty response object when it completes successfully.

### Next Steps

Verify the OTP code using the [Verify OTP Code](/api/otp/sms/verify-otp) endpoint to complete the user sign-in process. After successfully verifying the code the end user will be signed-in.

### See Also

- See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email address and phone number.
- See [User Login Options](/api/overview#user-login-options) for further details on loginOptions.
- Use the [Sign-Up](/api/otp/sms/sign-up) endpoint if you want a sign-up flow that will fail if the end user is already registered.
- Use the [Sign-In](/api/otp/sms/sign-in-auto-sign-up) endpoint if you want a sign-in flow that will fail if the end user isn't yet registered.

### Endpoint Authentication

Use authorization bearer header with the following format: `Authorization: Bearer <Project ID>`

Update Phone POST

### Update phone number of Existing User

Update the phone number of an existing end user by sending an OTP code to the new phone number. After successfully verifying the code the new phone number will be used to deliver new OTP messages via SMS.

The bearer token requires both the ProjectId and refresh JWT in the format `<Project ID>:<JWT>`, and can therefore only be run for end users who are currently signed-in.

This endpoint will return an empty response object when it completes successfully.

Descope allows you to associate multiple login IDs with a user during API update calls. For details on how this feature works, please review the details [here](/manage/users#associating-multiple-login-ids-for-a-user).

### Next Steps

Verify the OTP code using the [Verify OTP Code](/api/otp/sms/verify-otp) endpoint to complete the update process. After successfully verifying the code the new phone number will replace the original phone number.

### See Also

- See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email address and phone number.
- Successful execution will return an empty body.
- To try this endpoint, you need to provide `Project ID:Refresh JWT` as the bearer. You can acquire the Session JWT by signing in the user and collecting it from the response.

### Endpoint Authentication

Use authorization bearer header with the following format: `Authorization: Bearer <Project ID:Refresh JWT>`