Skip to content

Verify TOTP login.

POST
/api/auth/totp/login/verify
Code sample: Shell / cURL
curl --request POST \
--url https://auth.example.com/api/auth/totp/login/verify \
--header 'Content-Type: application/json' \
--data '{ "challenge_id": "2c2f1c47-9f40-4bc1-a5e3-a19f1cb1a44e", "code": "123456", "authorization_challenge_id": "ach_123", "defer_authorization_continuation": false }'

Verifies a TOTP code, creates an Authrim browser session, and optionally continues an OIDC authorization challenge.

Media type application/json
object
challenge_id
required
string
code
required
string
/^(?:[0-9]{6}|[0-9]{8})$/
authorization_challenge_id
string
defer_authorization_continuation
boolean
key
additional properties
Example
{
"challenge_id": "2c2f1c47-9f40-4bc1-a5e3-a19f1cb1a44e",
"code": "123456",
"authorization_challenge_id": "ach_123",
"defer_authorization_continuation": false
}

TOTP login session response.

Media type application/json
object
success
required
boolean
sessionId
required
string
expires_in
required
integer
session
required
object
userId
required
string
createdAt
required
integer format: int64
expiresAt
required
integer format: int64
authTime
required
integer format: int64
acr
required
string
amr
required
Array<string>
user
required
object
id
string
email
Any of:
string format: email
name
Any of:
string
email_verified
One of:
boolean
created_at
string
updated_at
string
last_login_at
Any of:
string
user_type
string
authorization
object
key
additional properties
redirect_url
required
string
Example
{
"session": {
"acr": "urn:authrim:aal:2",
"amr": [
"otp",
"totp"
]
},
"user": {
"id": "user_123",
"email": "[email protected]",
"name": "Example User",
"email_verified": true,
"created_at": "2026-06-20T00:00:00.000Z",
"updated_at": "2026-06-20T00:00:00.000Z",
"last_login_at": "2026-06-20T00:00:00.000Z",
"user_type": "anonymous"
}
}

Error response.

Media type application/json
object
error
string
error_description
string
message
string
webauthn_signal

Optional browser-side WebAuthn Signal API hint. When unknown_credential is true, clients that just received a WebAuthn credential assertion may call PublicKeyCredential.signalUnknownCredential() for that credential ID.

object
unknown_credential
boolean
key
additional properties
Example generated
{
"error": "example",
"error_description": "example",
"message": "example",
"webauthn_signal": {
"unknown_credential": true
}
}