Skip to content

Activate TOTP signup.

POST
/api/auth/totp/signup/activate
Code sample: Shell / cURL
curl --request POST \
--url https://auth.example.com/api/auth/totp/signup/activate \
--header 'Content-Type: application/json' \
--data '{ "challenge_id": "2c2f1c47-9f40-4bc1-a5e3-a19f1cb1a44e", "code": "123456" }'

Verifies the first TOTP code, creates and activates the stored credential, generates backup codes, and creates a browser session.

Media type application/json
object
challenge_id
required
string
code
required
string
/^(?:[0-9]{6}|[0-9]{8})$/
defer_authorization_continuation
boolean
key
additional properties
Example
{
"challenge_id": "2c2f1c47-9f40-4bc1-a5e3-a19f1cb1a44e",
"code": "123456"
}

TOTP signup activation response.

Media type application/json
object
success
required
boolean
sessionId
required
string
expires_in
required
integer
session
required
object
userId
required
string
createdAt
required
integer format: int64
expiresAt
required
integer format: int64
authTime
required
integer format: int64
acr
required
string
amr
required
Array<string>
user
required
object
id
string
email
Any of:
string format: email
name
Any of:
string
email_verified
One of:
boolean
created_at
string
updated_at
string
last_login_at
Any of:
string
user_type
string
authorization
object
key
additional properties
redirect_url
required
string
ok
required
boolean
credential
required
object
id
required
string
label
required
string
algorithm
required
string
Allowed values: SHA1 SHA256 SHA512
digits
required
integer
Allowed values: 6 8
period
required
integer
window
required
integer
status
required
string
Allowed values: pending active disabled
created_at
required
integer format: int64
activated_at
integer | null format: int64
last_used_at
integer | null format: int64
backup_codes
required
Array<string>
Example
{
"session": {
"acr": "urn:authrim:aal:2",
"amr": [
"otp",
"totp"
]
},
"user": {
"id": "user_123",
"email": "[email protected]",
"name": "Example User",
"email_verified": true,
"created_at": "2026-06-20T00:00:00.000Z",
"updated_at": "2026-06-20T00:00:00.000Z",
"last_login_at": "2026-06-20T00:00:00.000Z",
"user_type": "anonymous"
},
"credential": {
"algorithm": "SHA1",
"digits": 6,
"status": "pending"
}
}

Error response.

Media type application/json
object
error
string
error_description
string
message
string
webauthn_signal

Optional browser-side WebAuthn Signal API hint. When unknown_credential is true, clients that just received a WebAuthn credential assertion may call PublicKeyCredential.signalUnknownCredential() for that credential ID.

object
unknown_credential
boolean
key
additional properties
Example generated
{
"error": "example",
"error_description": "example",
"message": "example",
"webauthn_signal": {
"unknown_credential": true
}
}