This guide is meant for developers that are NOT using Descope Flows to design login screens and authentication methods.
If you'd like to use Descope Flows, Quick Start should be your starting point.
A one-time password (OTP) is an automatically generated string sent to the user during the
onboarding (sign-up or sign-in) process to authenticate that user. The OTP can be sent to an email
address or a mobile phone as a voice call or SMS (text message). A typical method for implementing OTP has two
sets of functionality you need to program: user interaction and session verification.
Sign-Up or Sign-In (Signs up a new user or signs in an existing user): The following actions must be completed, first User Sign-Up or Sign-In then User Verification
import DescopeClient from '@descope/node-sdk';try{ // baseUrl="<URL>" // When initializing the Descope clientyou can also configure the baseUrl ex: https://auth.company.com - this is useful when you utilize CNAME within your Descope project. const descopeClient = DescopeClient({ projectId: '__ProjectID__' });} catch (error) { // handle the error console.log("failed to initialize: " + error)}// Note that you can handle async operation failures and capture specific errors to customize errors.// An example can be found here: https://github.com/descope/node-sdk?tab=readme-ov-file#error-handling
For registering a new user, your application client should accept user information, including an email or
phone number used for verification. In this sample code, the OTP verification will be sent by email
to email@company.com. To change the delivery method to send the OTP verification as a Text Message (SMS), you would
change the delivery_method to sms within the below example.
Note that signup is not complete without the user verification step below.
// Args:// user: Optional user object to populate new user information.const user = { "name": "Joe Person", "phone": "+15555555555", "email": "email@company.com"}// loginId: email or phone - becomes the loginId for the user from here on and also used for deliveryconst loginId = "email@company.com"// deliveryMethod: Delivery method to use to send OTP. Supported values include "email", "voice, or "sms"const deliveryMethod = "email"// signUpOptions (SignUpOptions): this allows you to configure behavior during the authentication process.const signUpOptions = { "customClaims": {"claim": "Value1"}, "templateOptions": {"option": "Value1"} }const resp = await descopeClient.otp.signUp[deliveryMethod](loginId, user, signUpOptions);if (!resp.ok) { console.log("Failed to initialize signup flow") console.log("Status Code: " + resp.code) console.log("Error Code: " + resp.error.errorCode) console.log("Error Description: " + resp.error.errorDescription) console.log("Error Message: " + resp.error.errorMessage)}else { console.log("Successfully initialized signup flow")}
For authenticating a user, your application client should accept the user's identity (typically an email address or phone
number). In this sample code, the OTP verification will be sent by email to email@company.com.
Note that signin is not complete without the user verification step below.
// Args:// loginId: email or phone - becomes the loginId for the user from here on and also used for deliveryconst loginId = "email@company.com"// deliveryMethod: Delivery method to use to send OTP. Supported values include "email", "voice, or "sms"const deliveryMethod = "email"// loginOptions (LoginOptions): this allows you to configure behavior during the authentication process.const loginOptions = { "stepup": false, "mfa": false, "customClaims": {"claim": "Value1"}, "templateOptions": {"option": "Value1"} }// refreshToken (optional): the user's current refresh token in the event of stepup/mfaconst resp = await descopeClient.otp.signIn[deliveryMethod](loginId, loginOptions);if (!resp.ok) { console.log("Failed to initialize signin flow") console.log("Status Code: " + resp.code) console.log("Error Code: " + resp.error.errorCode) console.log("Error Description: " + resp.error.errorDescription) console.log("Error Message: " + resp.error.errorMessage)}else { console.log("Successfully initialized signin flow")}
For signing up a new user or signing in an existing user, you can utilize the signUpOrIn functionality.
Only user loginId is necessary for this function. In this sample code, the OTP verification will be
sent by email to email@company.com. To change the delivery method to send the OTP verification as a Text Message (SMS), you would
change the delivery_method to sms within the below example.
Note that signUpOrIn is not complete without the user verification step below.
// Args:// loginId: email or phone - becomes the loginId for the user from here on and also used for deliveryconst loginId = "email@company.com"// deliveryMethod: Delivery method to use to send OTP. Supported values include "email", "voice, or "sms"const deliveryMethod = "email"// signUpOptions (SignUpOptions): this allows you to configure behavior during the authentication process.const signUpOptions = { "customClaims": {"claim": "Value1"}, "templateOptions": {"option": "Value1"} }const resp = await descopeClient.otp.signUpOrIn[deliveryMethod](loginId, signUpOptions);if (!resp.ok) { console.log("Failed to initialize signUpOrIn flow") console.log("Status Code: " + resp.code) console.log("Error Code: " + resp.error.errorCode) console.log("Error Description: " + resp.error.errorDescription) console.log("Error Message: " + resp.error.errorMessage)}else { console.log("Successfully initialized signUpOrIn flow")}
The next step in authenticating the user is to verify the code entered by the user, using OTP verify code
function. The function will return all the necessary JWT tokens,
claims and user information. You can use the JWT tokens for session validation in your application middleware or app
server for every route needs an authenticated user.
// Args:// loginId (str): The loginId of the user being validatedconst loginId = "email@company.com"// code (str): The authorization code enter by the end user during signup/signinconst code = "xxxxxx"// deliveryMethod: Delivery method to use to send OTP. Supported values include "email", "voice, or "sms"const deliveryMethod = "email"const resp = await descopeClient.otp.verify[deliveryMethod](loginId, code);if (!resp.ok) { console.log("Failed to verify OTP code") console.log("Status Code: " + resp.code) console.log("Error Code: " + resp.error.errorCode) console.log("Error Description: " + resp.error.errorDescription) console.log("Error Message: " + resp.error.errorMessage)}else { console.log("Successfully verified OTP ") console.log(resp.data)}
This function allows you to update the user's email address via email. This requires a valid refresh token. Once the user has
received the OTP Code, you will need to host a page to verify the OTP code using the OTP Verify Function.
// Args:// loginId (str): The loginId of the user being updatedconst loginId = "email@company.com"// email (str): The new email address. If an email address already exists for this end user, it will be overwrittenconst email = "newEmail@company.com"// refreshToken (str): The session's refresh token (used for verification)const refreshToken = "xxxxx"// updateOptions (UpdateOptions): this allows you to configure behavior during the authentication process.const updateOptions = { "addToLoginIDs": true, "onMergeUseExisting": true, "templateOptions": {"option": "Value1"} }const resp = await descopeClient.otp.update.email(loginId, email, refreshToken, updateOptions);if (!resp.ok) { console.log("Failed to start OTP email update") console.log("Status Code: " + resp.code) console.log("Error Code: " + resp.error.errorCode) console.log("Error Description: " + resp.error.errorDescription) console.log("Error Message: " + resp.error.errorMessage)}else { console.log("Successfully started OTP email update") console.log(resp.data)}
This function allows you to update the user's phone number address via SMS. This requires a valid refresh token. Once the user has
received the OTP Code, you will need to host a page to verify the OTP code using the OTP Verify Function.
// Args:// deliveryMethod: Delivery method to use to send OTP.const deliveryMethod = "sms"// loginId (str): The loginId of the user being updatedconst loginId = "phone@company.com"// phone (str): The new phone number. If a phone number already exists for this end user, it will be overwrittenconst phone = "+12223334455"// refreshToken (str): The session's refresh token (used for verification)const refreshToken = "xxxxx"// updateOptions (UpdateOptions): this allows you to configure behavior during the authentication process.const updateOptions = { "addToLoginIDs": true, "onMergeUseExisting": true, "templateOptions": {"option": "Value1"} }const resp = await descopeClient.otp.update.phone(deliveryMethod, loginId, phone, refreshToken, updateOptions);if (!resp.ok) { console.log("Failed to start OTP phone update") console.log("Status Code: " + resp.code) console.log("Error Code: " + resp.error.errorCode) console.log("Error Description: " + resp.error.errorDescription) console.log("Error Message: " + resp.error.errorMessage)}else { console.log("Successfully started OTP phone update") console.log(resp.data)}
The final step of completing the authentication with Descope is to validate the user session. Descope provides rich session management capabilities, including configurable session timeouts and
logout functions. You can find the details and sample code for backend session validation here.
Checkpoint
Your application is now integrated with Descope. Please test with sign-up or sign-in use case.