Activate TOTP signup.
POST
/api/auth/totp/signup/activate
Code sample: Shell / cURL
curl --request POST \ --url https://auth.example.com/api/auth/totp/signup/activate \ --header 'Content-Type: application/json' \ --data '{ "challenge_id": "2c2f1c47-9f40-4bc1-a5e3-a19f1cb1a44e", "code": "123456" }'Verifies the first TOTP code, creates and activates the stored credential, generates backup codes, and creates a browser session.
Request Body required
Section titled “Request Body required ” Media type application/json
object
challenge_id
required
string
code
required
string
defer_authorization_continuation
boolean
key
additional properties
Example
{ "challenge_id": "2c2f1c47-9f40-4bc1-a5e3-a19f1cb1a44e", "code": "123456"}Responses
Section titled “ Responses ”TOTP signup activation response.
Media type application/json
object
success
required
boolean
sessionId
required
string
expires_in
required
integer
session
required
object
userId
required
string
createdAt
required
integer format: int64
expiresAt
required
integer format: int64
authTime
required
integer format: int64
acr
required
string
amr
required
Array<string>
user
required
authorization
object
key
additional properties
redirect_url
required
string
ok
required
boolean
credential
required
object
id
required
string
label
required
string
algorithm
required
string
digits
required
integer
period
required
integer
window
required
integer
status
required
string
created_at
required
integer format: int64
activated_at
integer | null format: int64
last_used_at
integer | null format: int64
backup_codes
required
Array<string>
Example
{ "session": { "acr": "urn:authrim:aal:2", "amr": [ "otp", "totp" ] }, "user": { "id": "user_123", "name": "Example User", "email_verified": true, "created_at": "2026-06-20T00:00:00.000Z", "updated_at": "2026-06-20T00:00:00.000Z", "last_login_at": "2026-06-20T00:00:00.000Z", "user_type": "anonymous" }, "credential": { "algorithm": "SHA1", "digits": 6, "status": "pending" }}Error response.
Media type application/json
object
error
string
error_description
string
message
string
webauthn_signal
Optional browser-side WebAuthn Signal API hint. When unknown_credential is true, clients that just received a WebAuthn credential assertion may call PublicKeyCredential.signalUnknownCredential() for that credential ID.
object
unknown_credential
boolean
key
additional properties
Example generated
{ "error": "example", "error_description": "example", "message": "example", "webauthn_signal": { "unknown_credential": true }}