Skip to main content
POST
/
v1
/
session
/
otp
/
check
Check standalone OTP
curl --request POST \
  --url https://{appId}.session.prelude.dev/v1/session/otp/check \
  --header 'Content-Type: application/json' \
  --cookie __Host-verification-login_%7Bapp_id%7D= \
  --data '
{
  "code": "<string>",
  "challenge_token": "<string>"
}
'
{
  "challenge_token": "<string>"
}

Documentation Index

Fetch the complete documentation index at: https://docs.prelude.so/llms.txt

Use this file to discover all available pages before exploring further.

Authorizations

__Host-verification-login_{app_id}
string
cookie
required

Body

application/json
code
string
required

The OTP code to verify.

Example:

"123456"

challenge_token
string

The challenge token (required for step-up flow).

Example:

"eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9..."

Response

OK

challenge_token
string
required

A new challenge token. The token's grant_mode claim determines what to do next:

  • session-start — finalize the login via the Finalize login endpoint.
  • single-use / session-bound / profile-bound — the next step-up step (or completion). The frontend SDKs handle this routing automatically.

For the OAuth-email-link flow (provider with verify_email=true) this endpoint also returns a session-start token, which the SDK finalizes against the original PKCE code_verifier.

Example:

"eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9..."