AuthenticationOne-Time Password (OTP)SDKs

OTP Authentication with Mobile SDKs

A one-time password (OTP) is an automatically generated string sent to the user during the onboarding (sign-up or sign-in) process to authenticate that user. The OTP can be sent to an email address or a mobile phone as a text. A typical method for implementing OTP has two sets of functionality you need to program: user interaction and session verification.

Use Cases

  1. New user signup: The following actions must be completed, first User Sign-Up then User Verification
  2. Existing user signin: The following actions must be completed, first User Sign-In then User Verification
  3. Sign-Up or Sign-In (Signs up a new user or signs in an existing user): The following actions must be completed, first User Sign-Up or Sign-In then User Verification

Client SDK

Install SDK

// 1. Within XCode, go to File > Add Packages
// 2. Search for the URL of the git repo: https://github.com/descope/descope-swift
// 3. Configure your desired dependency rule
// 4. Click Add Package
// 1. Within Android Studio, go to File > Project Structure > Dependencies > Add Dependency > 1 Library Dependency
// 2. Search for the dependency: "com.descope"
// 3. Configure your desired dependency rules
// 4. Click "Ok"
// 1. From your Flutter project directory root, install the Descope SDK by running: flutter pub add descope
// 2. Or, add Descope to your pubspec.yml by including this line: descope: ^0.9.0
// View the package on pub.dev: https://pub.dev/packages/descope
// 1. From your React Native project directory root, install the Descope SDK by running: npm i @descope/react-native-sdk
// View the package: https://github.com/descope/descope-react-native

Import and initialize SDK

import DescopeKit
import AuthenticationServices

do {
    Descope.setup(projectId: "__ProjectID__") { config in
      // Optional: Only set baseURL if using a custom domain with Descope and managing token response with cookies
      config.baseURL = "https://auth.app.example.com"
    }
    print("Successfully initialized Descope")
} catch {
    print("Failed to initialize Descope")
    print(error)
}
import android.app.Application
import com.descope.Descope

class MyApplication : Application() {
    override fun onCreate() {
        super.onCreate()
        try {
            Descope.setup(this, projectId = "__ProjectID__") {
              // Optional: Only set baseURL if using a custom domain with Descope and managing token response with cookies
              baseUrl = "https://auth.app.example.com"
              // Enable the logger
              if (BuildConfig.DEBUG) {
                logger = DescopeLogger()
              }
            }
        } catch (e: Exception) {
            Log.e("ERROR", e.stackTraceToString())
        }
    }
}
import 'package:descope/descope.dart';

// Where your application state is being created
Descope.setup('<Your-Project-Id>', (config) {
  // Optional: Only set baseURL if using a custom domain with Descope and managing token response with cookies
  config.baseUrl = 'https://auth.app.example.com';
});
await Descope.sessionManager.loadSession();
import { AuthProvider } from '@descope/react-native-sdk'

const AppRoot = () => {
  return (
    <AuthProvider
      projectId="__ProjectID__"
      // Optional: Only set baseURL if using a custom domain with Descope and managing token response with cookies
      baseUrl = "https://auth.app.example.com"
    >
      <App />
    </AuthProvider>
  )
}

User Sign-Up

For registering a new user, your application should accept user information, including an email or phone number used for verification. In this sample code, the OTP verification will be sent by email to email@company.com. To change the delivery method to send the OTP verification as a Text Message (SMS), you would change the deliveryMethod to sms within the below example.

Note that signup is not complete without the user verification step below.

// Args:
//    deliveryMethod: Delivery method to use to send OTP. Supported values include DeliveryMethod.email or DeliveryMethod.sms
let deliveryMethod = DeliveryMethod.email
//    loginId: email or phone - becomes the loginId for the user from here on and also used for delivery
let loginId = "email@company.com"
//    user: Optional user object to populate new user information.
let user = User("name": "Joe Person", "phone": "+15555555555", "email": "email@company.com")

do {
  try await Descope.otp.signUp(with: deliveryMethod, loginId: loginId, user: user)
  print("Successfully initiated OTP Sign Up")
} catch {
  print("Failed to initiate OTP Sign Up")
  print(error)
}
try {
    Descope.otp.signUp(
      method = DeliveryMethod.Email, 
      loginId = "email@company.com", 
      // Optional object to populate new user information.
      details = SignUpDetails(
        name = "firstName lastName",
        email = "email@company.com",
        phone = "+15555555555",
        givenName = "firstName",
        middleName = "middleName",
        familyName = "lastName"
      )
    )
} catch (e: Exception) {
    Log.e("ERROR", e.stackTraceToString())
}
Descope.otp.signUp(method: DeliveryMethod.email, loginId: loginId);
// Args:
//    user: Optional user object to populate new user information.
const user = { "name": "Joe Person", "phone": "+15555555555", "email": "email@company.com"}
//    loginId: email or phone - becomes the loginId for the user from here on and also used for delivery
const loginId = "email@company.com"
//    deliveryMethod: Delivery method to use to send OTP. Supported values include "email", "voice, or "sms"
const deliveryMethod = "email"
//    signUpOptions (SignUpOptions): this allows you to configure behavior during the authentication process.
const signUpOptions = {
      "customClaims": {"claim": "Value1"},
      "templateOptions": {"option": "Value1"}
    }
 
const descopeSdk = useDescope();
const resp = await descopeSdk.otp.signUp[deliveryMethod](loginId, user, signUpOptions);
if (!resp.ok) {
  console.log("Failed to initialize signup flow")
  console.log("Status Code: " + resp.code)
  console.log("Error Code: " + resp.error.errorCode)
  console.log("Error Description: " + resp.error.errorDescription)
  console.log("Error Message: " + resp.error.errorMessage)
}
else {
  console.log("Successfully initialized signup flow")
}

User Sign-In

For authenticating a user, your application should accept the user's identity (typically an email address or phone number). In this sample code, the OTP verification will be sent by email to email@company.com.

Note that signin is not complete without the user verification step below.

// Args:
//    deliveryMethod: Delivery method to use to send OTP. Supported values include DeliveryMethod.email or DeliveryMethod.sms
let deliveryMethod = DeliveryMethod.email
//    loginId: email or phone - the loginId of the user
let loginId = "email@company.com"

guard let session = Descope.sessionManager.session else { return }
var signInOptions: [SignInOptions] = [
    .customClaims(["name": "{{user.name}}"]),
    .mfa(refreshJwt: session.refreshJwt),
    .stepup(refreshJwt: session.refreshJwt)
]

do {
  try await Descope.otp.signIn(with: deliveryMethod, loginId: loginId, options: signInOptions)
  print("Successfully initiated OTP Sign In")
} catch {
  print("Failed to initiate OTP Sign In")
  print(error)
}
// Args:
//    deliveryMethod: Delivery method to use to send OTP. Supported values include DeliveryMethod.email or DeliveryMethod.sms
//    loginId: email or phone - the loginId of the user
//    options: optional options to get attributes like custom claims, stepup, mfa, and revoke sessions in response
try {
    Descope.otp.signIn(
      method = DeliveryMethod.Email, 
      loginId = "email@company.com", 
      options = listOf(
        SignInOptions.CustomClaims(mapOf("cc1" to "yes", "cc2" to true)),
        SignInOptions.StepUp(session.refreshJwt),
        SignInOptions.Mfa(session.refreshJwt),
        SignInOptions.RevokeOtherSessions
      )
    )
} catch (e: Exception) {
    Log.e("ERROR", e.stackTraceToString())
}
// Args:
//    deliveryMethod: Delivery method to use to send OTP. Supported values include DeliveryMethod.email or DeliveryMethod.sms
const deliveryMethod = DeliveryMethod.email;
//    loginId: email or phone - the loginId of the user
const loginId = "email@company.com";
// options: Optional options to get custom claims in response
    const options = SignInOptions(customClaims: {'name': '{{user.name}}'});
Descope.otp.signIn(method: method, loginId: loginId, options: options);
// Args:
//    loginId: email or phone - becomes the loginId for the user from here on and also used for delivery
const loginId = "email@company.com"
//    deliveryMethod: Delivery method to use to send OTP. Supported values include "email", "voice, or "sms"
const deliveryMethod = "email"
//    loginOptions (LoginOptions): this allows you to configure behavior during the authentication process.
const loginOptions = {
      "stepup": false,
      "mfa": false,
      "customClaims": {"claim": "Value1"},
      "templateOptions": {"option": "Value1"}
    }
//    refreshToken (optional): the user's current refresh token in the event of stepup/mfa
 
const descopeSdk = useDescope();
const resp = await descopeSdk.otp.signIn[deliveryMethod](loginId, loginOptions);
if (!resp.ok) {
  console.log("Failed to initialize signin flow")
  console.log("Status Code: " + resp.code)
  console.log("Error Code: " + resp.error.errorCode)
  console.log("Error Description: " + resp.error.errorDescription)
  console.log("Error Message: " + resp.error.errorMessage)
}
else {
  console.log("Successfully initialized signin flow")
}

User Sign-Up or Sign-In

For signing up a new user or signing in an existing user, you can utilize the signUpOrIn functionality. Only user loginId is necessary for this function. In this sample code, the OTP verification will be sent by email to email@company.com. To change the delivery method to send the OTP verification as a Text Message (SMS), you would change the deliveryMethod to sms within the below example.

Note that signUpOrIn is not complete without the user verification step below.

// Args:
//    deliveryMethod: Delivery method to use to send OTP. Supported values include DeliveryMethod.email or DeliveryMethod.sms
let deliveryMethod = DeliveryMethod.email
//    loginId: email or phone - the loginId of the user
let loginId = "email@company.com"

guard let session = Descope.sessionManager.session else { return }
var signInOptions: [SignInOptions] = [
    .customClaims(["name": "{{user.name}}"]),
    .mfa(refreshJwt: session.refreshJwt),
    .stepup(refreshJwt: session.refreshJwt)
]

do {
  try await Descope.otp.signUpOrIn(with: deliveryMethod, loginId: loginId, options: signInOptions)
  print("Successfully initiated OTP Sign Up or In")
} catch {
  print("Failed to initiate OTP Sign Up or In")
  print(error)
}
// Args:
//    deliveryMethod: Delivery method to use to send OTP. Supported values include DeliveryMethod.email or DeliveryMethod.sms
//    loginId: email or phone - the loginId of the user
//    options: optional options to get attributes like custom claims, stepup, mfa, and revoke sessions in response
try {
      Descope.otp.signUpOrIn(     
        method = DeliveryMethod.Email, 
        loginId = "email@company.com", 
        options = listOf(
          SignInOptions.CustomClaims(mapOf("cc1" to "yes", "cc2" to true)),
          SignInOptions.StepUp(session.refreshJwt),
          SignInOptions.Mfa(session.refreshJwt),
          SignInOptions.RevokeOtherSessions
        )
      )
} catch (e: Exception) {
    Log.e("ERROR", e.stackTraceToString())
}
// Args:
//    deliveryMethod: Delivery method to use to send OTP. Supported values include DeliveryMethod.email or DeliveryMethod.sms
const deliveryMethod = DeliveryMethod.email;
//    loginId: email or phone - the loginId of the user
const loginId = "email@company.com";
// options: Optional options to get custom claims in response
    const options = SignInOptions(customClaims: {'name': '{{user.name}}'});
Descope.otp.signUpOrIn(method:method, loginId: loginId, options: options);
// Args:
//    loginId: email or phone - becomes the loginId for the user from here on and also used for delivery
const loginId = "email@company.com"
//    deliveryMethod: Delivery method to use to send OTP. Supported values include "email", "voice, or "sms"
const deliveryMethod = "email"
//    signUpOptions (SignUpOptions): this allows you to configure behavior during the authentication process.
const signUpOptions = {
      "customClaims": {"claim": "Value1"},
      "templateOptions": {"option": "Value1"}
    }
 
const descopeSdk = useDescope();
const resp = await descopeSdk.otp.signUpOrIn[deliveryMethod](loginId, signUpOptions);
if (!resp.ok) {
  console.log("Failed to initialize signUpOrIn flow")
  console.log("Status Code: " + resp.code)
  console.log("Error Code: " + resp.error.errorCode)
  console.log("Error Description: " + resp.error.errorDescription)
  console.log("Error Message: " + resp.error.errorMessage)
}
else {
  console.log("Successfully initialized signUpOrIn flow")
}

User Verification

The next step in authenticating the user is to verify the code entered by the user, using OTP verify code function. The function will return all the necessary JWT tokens, claims and user information. You can use the JWT tokens for session validation in your application middleware or app server for every route needs an authenticated user.

// Args:
//    deliveryMethod: Delivery method to use to send OTP. Supported values include DeliveryMethod.email or DeliveryMethod.sms
let deliveryMethod = DeliveryMethod.email
//   loginId (str): The loginId of the user being validated
let loginId = "email@company.com"
//   code (str): The authorization code enter by the end user during signup/signin
let code = "xxxx"

do {
  let descopeSession = try await Descope.otp.verify(with: deliveryMethod, loginId: loginId, code: code)
  print("Successfully verified OTP Code")
  print(descopeSession as Any)
} catch DescopeError.wrongOTPCode {
    print("Failed to verify OTP Code: ")
    print("Wrong code entered")
} catch {
    print("Failed to verify OTP Code: ")
    print(error)
}
// Args:
//    deliveryMethod: Delivery method to use to send OTP. Supported values include DeliveryMethod.email or DeliveryMethod.sms
//   loginId (str): The loginId of the user being validated
//   code (str): The authorization code enter by the end user during signup/signin
let code = "xxxx"
try {
      val authResponse = Descope.otp.verify(
          method = DeliveryMethod.Email,
          loginId = "email@company.com",
          code = "<code>"
      )
} catch (e: Exception) {
    Log.e("ERROR", e.stackTraceToString())
}
// Args:
//    deliveryMethod: Delivery method to use to send OTP. Supported values include DeliveryMethod.email or DeliveryMethod.sms
const deliveryMethod = DeliveryMethod.email;
//   loginId (str): The loginId of the user being validated
const loginId = "email@company.com";
//   code (str): The authorization code enter by the end user during signup/signin
const code = "xxxx";
  final authResponse = await Descope.otp
      .verify(method: method, loginId: loginId, code: code);
// Args:
//   loginId (str): The loginId of the user being validated
const loginId = "email@company.com"
//   code (str): The authorization code enter by the end user during signup/signin
const code = "xxxxxx"
//    deliveryMethod: Delivery method to use to send OTP. Supported values include "email", "voice, or "sms"
const deliveryMethod = "email"
 
const descopeSdk = useDescope();
const resp = await descopeSdk.otp.verify[deliveryMethod](loginId, code);
if (!resp.ok) {
  console.log("Failed to verify OTP code")
  console.log("Status Code: " + resp.code)
  console.log("Error Code: " + resp.error.errorCode)
  console.log("Error Description: " + resp.error.errorDescription)
  console.log("Error Message: " + resp.error.errorMessage)
}
else {
  console.log("Successfully verified OTP ")
  console.log(resp.data)
}

Update Email

The Descope SDK allows for you to update user's email address. With this function, you will pass the user's loginId and the new email address you want associated to the user. In order to verify the email address, the OTP code will be sent via the email delivery method. Once the update email function has been called, the user will need to verify with the sent OTP code before the email address will be updated.

// Args:
//    email: the new email address you want to associate with the user
let email = "newEmail@company.com"
//    loginId: email or phone - the loginId of the user
let loginId = "email@company.com"
//    refreshJwt: The refreshJwt of the user to be updated
let refreshJwt = "xxxxxx"

do {
  try await Descope.otp.updateEmail(email, loginId: loginId, refreshJwt: refreshJwt)
  print("Successfully initiated OTP Email Update")
} catch {
  print("Failed to initiate OTP Email Update")
  print(error)
}
// Args:
//    email: the new email address you want to associate with the user
//    loginId: email or phone - the loginId of the user
//    refreshJwt: The refreshJwt of the user to be updated
//    options: optional options for loginId and merging behavior
try {
      Descope.otp.updateEmail(
          email = "email2@gompany.com",
          loginId = "email@company.com",
          refreshJwt = "<refreshJwt>",
          options = UpdateOptions(
            addToLoginIds = true,
            onMergeUseExisting = true
          )
      )
} catch (e: Exception) {
    Log.e("ERROR", e.stackTraceToString())
}
// Args:
//    email: the new email address you want to associate with the user
const email = "newEmail@company.com";
//    loginId: email or phone - the loginId of the user
const loginId = "email@company.com";
//    refreshJwt: The refreshJwt of the user to be updated
const refreshJwt = "xxxxxx";
/// You can optionally pass the [options] parameter to add the new phone number
/// as a `loginId` for the existing user, and to determine how to resolve conflicts
/// if another user already exists with the same `loginId`. Check out the
// Update Options (https://github.com/descope/descope-flutter/blob/main/lib/src/types/others.dart) type for more details.
final options = UpdateOptions(
  addToLoginIds: true,
  onMergeUseExisting: true
);
Descope.otp
      .updateEmail(loginId: loginId, email: "email", refreshJwt: Descope.sessionManager.session!.refreshJwt, options: options);
// Args:
//   loginId (str): The loginId of the user being updated
const loginId = "email@company.com"
//   email (str): The new email address. If an email address already exists for this end user, it will be overwritten
const email = "newEmail@company.com"
//   refreshToken (str): The session's refresh token (used for verification)
const refreshToken = "xxxxx"
//    updateOptions (UpdateOptions): this allows you to configure behavior during the authentication process.
const updateOptions = {
      "addToLoginIDs": true,
      "onMergeUseExisting": true,
      "templateOptions": {"option": "Value1"}
    }
 
const descopeSdk = useDescope();
const resp = await descopeSdk.otp.update.email(loginId, email, refreshToken, updateOptions);
if (!resp.ok) {
  console.log("Failed to start OTP email update")
  console.log("Status Code: " + resp.code)
  console.log("Error Code: " + resp.error.errorCode)
  console.log("Error Description: " + resp.error.errorDescription)
  console.log("Error Message: " + resp.error.errorMessage)
}
else {
  console.log("Successfully started OTP email update")
  console.log(resp.data)
}

Update Phone

The Descope SDK allows for you to update user's phone number. With this function, you will pass the user's loginId and the new phone number you want associated to the user. In order to verify the phone number, the OTP code will be sent via the sms delivery method. Once the update phone function has been called, the user will need to verify with the sent OTP code before the phone number will be updated.

// Args:
//    phone: the new phone number you want to associate with the user
let phone = "+12222222222"
//    loginId: email or phone - the loginId of the user
let loginId = "email@company.com"
//    refreshJwt: The refreshJwt of the user to be updated
let refreshJwt = "xxxxxx"

do {
  try await Descope.otp.updatePhone(phone, with: .sms, loginId: loginId, refreshJwt: refreshJwt)
  print("Successfully initiated OTP Phone Update")
} catch {
  print("Failed to initiate OTP Phone Update")
  print(error)
}
// Args:
//    phone: the new phone number you want to associate with the user
//    deliveryMethod: the delivery method of verification otp
//    loginId: email or phone - the loginId of the user
//    refreshJwt: The refreshJwt of the user to be updated
//    options: optional options for loginId and merging behavior
try {
      Descope.otp.updatePhone(
          phone = "+11231231234",
          method = "sms",
          loginId = "email@company.com",
          refreshJwt = "<refreshJwt>"
          options = UpdateOptions(
            addToLoginIds = true,
            onMergeUseExisting = true
          )
      )
} catch (e: Exception) {
    Log.e("ERROR", e.stackTraceToString())
}
// Args:
// deliveryMethod: the delivery method of verification otp
const deliveryMethod = DeliveryMethod.email;
//    phone: the new phone number you want to associate with the user
const phone = "+12222222222";
//    loginId: email or phone - the loginId of the user
const loginId = "email@company.com";
//    refreshJwt: The refreshJwt of the user to be updated
const refreshJwt = "xxxxxx";
/// You can optionally pass the [options] parameter to add the new phone number
/// as a `loginId` for the existing user, and to determine how to resolve conflicts
/// if another user already exists with the same `loginId`. Check out the
// Update Options (https://github.com/descope/descope-flutter/blob/main/lib/src/types/others.dart) type for more details.
final options = UpdateOptions(
  addToLoginIds: true,
  onMergeUseExisting: true
);
Descope.otp
      .updatePhone(method: deliveryMethod, loginId: loginId, phone: phone, refreshJwt: refreshJwt, options: options);
// Args:
//   deliveryMethod: Delivery method to use to send OTP.
const deliveryMethod = "sms"
//   loginId (str): The loginId of the user being updated
const loginId = "phone@company.com"
//   phone (str): The new phone number. If a phone number already exists for this end user, it will be overwritten
const phone = "+12223334455"
//   refreshToken (str): The session's refresh token (used for verification)
const refreshToken = "xxxxx"
//    updateOptions (UpdateOptions): this allows you to configure behavior during the authentication process.
const updateOptions = {
      "addToLoginIDs": true,
      "onMergeUseExisting": true,
      "templateOptions": {"option": "Value1"}
    }
 
const descopeSdk = useDescope();
const resp = await useDescope.otp.update.phone(deliveryMethod, loginId, phone, refreshToken, updateOptions);
if (!resp.ok) {
  console.log("Failed to start OTP phone update")
  console.log("Status Code: " + resp.code)
  console.log("Error Code: " + resp.error.errorCode)
  console.log("Error Description: " + resp.error.errorDescription)
  console.log("Error Message: " + resp.error.errorMessage)
}
else {
  console.log("Successfully started OTP phone update")
  console.log(resp.data)
}

Session Validation

The final step of completing the authentication with Descope is to validate the user session. Descope provides rich session management capabilities, including configurable session timeouts and logout functions. You can find the details and sample code for client session validation here.

Checkpoint

Your application is now integrated with Descope. Please test with sign-up or sign-in use case.

Need help?
Was this helpful?
SparklesAsk AI about this pageArrowRight

Client SDKs

Add one-time password (OTP) authentication to your application using Descope Client SDKs. Read the detailed implementation guide with sample code.

Backend SDKs

Add one-time password (OTP) authentication to your application using Descope Backend SDKs. Read the detailed implementation guide with sample code.

On this page

OTP Authentication with Mobile SDKsUse CasesClient SDKInstall SDKImport and initialize SDKUser Sign-UpUser Sign-InUser Sign-Up or Sign-InUser VerificationUpdate EmailUpdate PhoneSession Validation