Start TOTP signup.
POST
/api/auth/totp/signup/options
Code sample: Shell / cURL
curl --request POST \ --url https://auth.example.com/api/auth/totp/signup/options \ --header 'Content-Type: application/json' \ --data '{ "email": "[email protected]", "name": "Example User", "label": "Authenticator app", "custom_fields": {} }'Creates a short-lived TOTP enrollment challenge, synthetic pending credential metadata, secret, and otpauth URI for first-code activation. The user and stored credential are created when activation succeeds.
Request Body required
Section titled “Request Body required ” Media type application/json
object
email
required
string format: email
name
string
label
string
custom_fields
object
key
additional properties
human_verification_response
string
cf_turnstile_response
string
authorization_challenge_id
string
key
additional properties
Example
{ "name": "Example User", "label": "Authenticator app", "custom_fields": {}}Responses
Section titled “ Responses ”TOTP signup enrollment options response.
Media type application/json
object
challenge_id
required
string
expires_in
required
integer
credential
required
object
id
required
string
label
required
string
algorithm
required
string
digits
required
integer
period
required
integer
window
required
integer
status
required
string
created_at
required
integer format: int64
activated_at
integer | null format: int64
last_used_at
integer | null format: int64
secret
required
Base32 TOTP secret shown once during enrollment.
string
otpauth_uri
required
string format: uri
profile
required
object
algorithm
required
string
digits
required
integer
period
required
integer
window
required
integer
Example
{ "credential": { "algorithm": "SHA1", "digits": 6, "status": "pending" }}Error response.
Media type application/json
object
error
string
error_description
string
message
string
webauthn_signal
Optional browser-side WebAuthn Signal API hint. When unknown_credential is true, clients that just received a WebAuthn credential assertion may call PublicKeyCredential.signalUnknownCredential() for that credential ID.
object
unknown_credential
boolean
key
additional properties
Example generated
{ "error": "example", "error_description": "example", "message": "example", "webauthn_signal": { "unknown_credential": true }}