> ## Documentation Index > Fetch the complete documentation index at: https://docs.prelude.so/llms.txt > Use this file to discover all available pages before exploring further. # Check standalone OTP > Verify the OTP code for standalone/step-up verification. Returns a challenge token. ## OpenAPI ````yaml post /v1/session/otp/check openapi: 3.1.1 info: title: Prelude Auth Frontend API version: 0.0.1 description: The Prelude Frontend API for Authentication and Session Management contact: email: support@prelude.so servers: - url: https://{appId}.session.prelude.dev description: Production server variables: appId: default: changeme description: The appID security: [] tags: - name: Login OTP description: Login and step-up via OTP (phone or email) - name: Login Email Password description: Login via email and password - name: Login OAuth description: Login via OAuth providers - name: Login SAML description: Login via SAML 2.0 SSO connections (Okta, Google Workspace) - name: Login Finalize description: Finalize a login flow and create a session - name: Login Migration description: Migrate sessions from a legacy authentication system - name: Session description: Session refresh and revocation - name: Session Management description: Authenticated session and identifier management - name: Step-Up description: Step-up authentication flow - name: Well-Known description: Public key discovery endpoints - name: Password description: Password compliancy and change password - name: Passkey Login description: >- Primary-factor (passwordless) sign-in via WebAuthn discoverable credentials - name: Passkey Management description: >- Register / list / rename / delete the authenticated user's passkey credentials paths: /v1/session/otp/check: post: tags: - Login OTP summary: Check standalone OTP description: >- Verify the OTP code for standalone/step-up verification. Returns a challenge token. operationId: otpCheck requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/StepUpOTPCheckRequest' responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/StepUpOTPCheckResponse' '400': description: Bad Request content: application/json: schema: oneOf: - $ref: '#/components/schemas/BadRequestError' - $ref: '#/components/schemas/ExpiredChallengeTokenError' - $ref: '#/components/schemas/InvalidChallengeTokenError' - $ref: '#/components/schemas/TokenMismatchError' - $ref: '#/components/schemas/StepNotCompletedError' - $ref: '#/components/schemas/StepBypassedError' - $ref: '#/components/schemas/OAuthProviderNotConfiguredError' '401': description: Unauthorized content: application/json: schema: oneOf: - $ref: '#/components/schemas/BadCheckCodeError' - $ref: '#/components/schemas/UnauthorizedError' - $ref: '#/components/schemas/InvalidDPoPProofError' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/AuthBlockedError' '404': description: Not Found content: application/json: schema: $ref: '#/components/schemas/StepNotFoundError' '409': description: Conflict content: application/json: schema: oneOf: - $ref: '#/components/schemas/TokenReusedError' - $ref: '#/components/schemas/IdentifierAlreadyExistsError' '500': description: Internal Error content: application/json: schema: $ref: '#/components/schemas/InternalError' security: - verificationTokenAuth: [] - verificationCookieAuth: [] components: schemas: StepUpOTPCheckRequest: type: object properties: code: type: string description: The OTP code to verify. examples: - '123456' challenge_token: type: string description: >- The challenge token. Required when the verification token carries a step-up context (i.e., OTP was initiated via a step-up flow); omit for standalone OTP verification. examples: - eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9... required: - code StepUpOTPCheckResponse: type: object properties: challenge_token: type: string description: | A new challenge token. The token's `grant_mode` claim determines what to do next: * `session-start` — finalize the login via the [Finalize login](/session/api-reference/frontend/finalize-login) endpoint. * `single-use` / `session-bound` / `profile-bound` — the next step-up step (or completion). The frontend SDKs handle this routing automatically. For the OAuth-email-link flow (provider with `verify_email=true`) this endpoint also returns a `session-start` token, which the SDK finalizes against the original PKCE `code_verifier`. examples: - eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9... public_key_credential_request_options: $ref: '#/components/schemas/PublicKeyCredentialRequestOptions' required: - challenge_token BadRequestError: type: object properties: code: type: string enum: - bad_request type: type: string enum: - bad_request ExpiredChallengeTokenError: type: object properties: code: type: string enum: - expired_challenge_token type: type: string enum: - bad_request InvalidChallengeTokenError: type: object properties: code: type: string enum: - invalid_challenge_token type: type: string enum: - bad_request TokenMismatchError: type: object properties: code: type: string enum: - token_mismatch type: type: string enum: - bad_request StepNotCompletedError: type: object properties: code: type: string enum: - step_not_completed type: type: string enum: - bad_request StepBypassedError: type: object properties: code: type: string enum: - step_bypassed type: type: string enum: - bad_request OAuthProviderNotConfiguredError: type: object properties: code: type: string enum: - oauth_provider_not_configured type: type: string enum: - bad_request BadCheckCodeError: type: object properties: code: type: string enum: - bad_check_code type: type: string enum: - unauthorized UnauthorizedError: type: object properties: code: type: string enum: - unauthorized type: type: string enum: - unauthorized InvalidDPoPProofError: type: object properties: code: type: string enum: - invalid_dpop_proof type: type: string enum: - unauthorized AuthBlockedError: type: object properties: code: type: string enum: - auth_blocked type: type: string enum: - forbidden StepNotFoundError: type: object properties: code: type: string enum: - step_not_found type: type: string enum: - not_found TokenReusedError: type: object properties: code: type: string enum: - token_reused type: type: string enum: - conflict IdentifierAlreadyExistsError: type: object properties: code: type: string enum: - identifier_already_exists type: type: string enum: - conflict InternalError: type: object properties: code: type: string enum: - internal type: type: string enum: - internal PublicKeyCredentialRequestOptions: type: object description: | WebAuthn `PublicKeyCredentialRequestOptions` in the WebAuthn Level 3 JSON form (binary fields are base64url-encoded). Present only when the step-up step the response advanced to is `verify_passkey`; pass it to `navigator.credentials.get({ publicKey })`. The frontend SDKs cache it keyed on the challenge id and run the assertion automatically. properties: challenge: type: string pattern: ^[A-Za-z0-9_-]+$ description: Base64url-encoded challenge bytes. timeout: type: integer description: Ceremony timeout in milliseconds. rpId: type: string description: Relying Party identifier. allowCredentials: type: array items: type: object properties: type: type: string enum: - public-key id: type: string pattern: ^[A-Za-z0-9_-]+$ description: Base64url-encoded credential id. transports: type: array items: type: string userVerification: type: string enum: - required - preferred - discouraged required: - challenge securitySchemes: verificationTokenAuth: type: apiKey in: header name: X-Verification-Token description: | Verification token returned in the `X-Verification-Token` response header of `POST /v1/session/otp`. Replay it on `/otp/check` and `/otp/retry` to identify the verification context. The legacy `verificationCookieAuth` cookie is still accepted as a fallback for SDKs that don't yet read the header. verificationCookieAuth: type: apiKey in: cookie name: __Host-verification-login_{app_id} ````