> ## Documentation Index > Fetch the complete documentation index at: https://docs.prelude.so/llms.txt > Use this file to discover all available pages before exploring further. # Create standalone OTP > Send an OTP for step-up authentication or standalone verification. Can be initiated with a challenge token (step-up flow) or an identifier (standalone flow). **Note:** When a request is blocked by fraud/antispam rules, the server returns `204 No Content` rather than a 4xx error, so callers cannot distinguish a blocked attempt from a successful dispatch. When the identifier is an email whose domain is bound to a SAML connection with [enforced login](/session/documentation/integration-guide/saml/enforce), OTP creation is refused with the `saml_login_required` error (403) and the flow must be restarted via the [SAML initiate](/session/api-reference/frontend/saml-initiate-by-email) endpoint. ## OpenAPI ````yaml post /v1/session/otp openapi: 3.1.1 info: title: Prelude Auth Frontend API version: 0.0.1 description: The Prelude Frontend API for Authentication and Session Management contact: email: support@prelude.so servers: - url: https://{appId}.session.prelude.dev description: Production server variables: appId: default: changeme description: The appID security: [] tags: - name: Login OTP description: Login and step-up via OTP (phone or email) - name: Login Email Password description: Login via email and password - name: Login OAuth description: Login via OAuth providers - name: Login SAML description: Login via SAML 2.0 SSO connections (Okta, Google Workspace) - name: Login Finalize description: Finalize a login flow and create a session - name: Login Migration description: Migrate sessions from a legacy authentication system - name: Session description: Session refresh and revocation - name: Session Management description: Authenticated session and identifier management - name: Step-Up description: Step-up authentication flow - name: Well-Known description: Public key discovery endpoints - name: Password description: Password compliancy and change password - name: Passkey Login description: >- Primary-factor (passwordless) sign-in via WebAuthn discoverable credentials - name: Passkey Management description: >- Register / list / rename / delete the authenticated user's passkey credentials paths: /v1/session/otp: post: tags: - Login OTP summary: Create standalone OTP description: > Send an OTP for step-up authentication or standalone verification. Can be initiated with a challenge token (step-up flow) or an identifier (standalone flow). **Note:** When a request is blocked by fraud/antispam rules, the server returns `204 No Content` rather than a 4xx error, so callers cannot distinguish a blocked attempt from a successful dispatch. When the identifier is an email whose domain is bound to a SAML connection with [enforced login](/session/documentation/integration-guide/saml/enforce), OTP creation is refused with the `saml_login_required` error (403) and the flow must be restarted via the [SAML initiate](/session/api-reference/frontend/saml-initiate-by-email) endpoint. operationId: otpCreate requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/StepUpOTPCreateRequest' responses: '204': description: No Content headers: X-Verification-Token: schema: type: string example: eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9... description: | Verification token bound to this OTP attempt. Replay it on `POST /v1/session/otp/check` and `POST /v1/session/otp/retry` via the `X-Verification-Token` header. X-Verification-Token-Expires-At: schema: type: integer format: int64 example: 1715967600 description: >- Unix timestamp (seconds) at which the verification token expires. Set-Cookie: schema: type: string example: >- __Host-verification-login_{app_id}=abcde12345; Path=/; HttpOnly; Secure; Partitioned; description: | Verification token cookie. Kept for backwards-compatibility with SDKs that don't yet read `X-Verification-Token` — new integrations should use the header. '400': description: Bad Request content: application/json: schema: oneOf: - $ref: '#/components/schemas/BadRequestError' - $ref: '#/components/schemas/ExpiredChallengeTokenError' - $ref: '#/components/schemas/InvalidChallengeTokenError' - $ref: '#/components/schemas/TokenMismatchError' '402': description: Payment Required content: application/json: schema: $ref: '#/components/schemas/InsufficientBalanceError' '403': description: Forbidden content: application/json: schema: $ref: '#/components/schemas/SAMLLoginRequiredError' '500': description: Internal Error content: application/json: schema: $ref: '#/components/schemas/InternalError' components: schemas: StepUpOTPCreateRequest: type: object description: >- Either `challenge_token` or `identifier` must be provided. Use `challenge_token` for step-up flows, `identifier` for standalone OTP. anyOf: - required: - challenge_token - required: - identifier properties: identifier: $ref: '#/components/schemas/Identifier' challenge_token: type: string description: The challenge token from a step-up request. examples: - eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9... code_challenge: type: string description: | PKCE code challenge (S256) for the standalone OTP login flow. Only used with `identifier`; bound to the verification token so that `code_verifier` can be replayed against [Finalize login](/session/api-reference/frontend/finalize-login). Step-up flows ignore this field — they inherit PKCE from the originating challenge token. examples: - E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM dispatch_id: type: string description: The identifier of the dispatch from the front-end SDK. examples: - 123e4567-e89b-12d3-a456-426614174000 login_config_id: type: string description: The identifier of the login config to use. examples: - lcfg_01jqebhswje1ka1z7ahr9rfsgt BadRequestError: type: object properties: code: type: string enum: - bad_request type: type: string enum: - bad_request ExpiredChallengeTokenError: type: object properties: code: type: string enum: - expired_challenge_token type: type: string enum: - bad_request InvalidChallengeTokenError: type: object properties: code: type: string enum: - invalid_challenge_token type: type: string enum: - bad_request TokenMismatchError: type: object properties: code: type: string enum: - token_mismatch type: type: string enum: - bad_request InsufficientBalanceError: type: object properties: code: type: string enum: - insufficient_balance type: type: string enum: - bad_request SAMLLoginRequiredError: type: object description: > The identifier's email domain is bound to a SAML connection that enforces SSO login, so other login methods (such as OTP) are refused. Restart the flow via the SAML initiate endpoint. properties: code: type: string enum: - saml_login_required type: type: string enum: - forbidden message: type: string examples: - >- This email domain must sign in with SSO. Please use SAML to continue. InternalError: type: object properties: code: type: string enum: - internal type: type: string enum: - internal Identifier: type: object description: The verification target. Either a phone number or an email address. properties: type: type: string enum: - phone_number - email_address description: The type of the target. examples: - phone_number value: type: string examples: - '+306912345678' description: An E.164 formatted phone number or an email address. required: - type - value ````