POST /v1/session/stepup/continue
Continue step-up challenge
curl --request POST \
  --url https://{appId}.session.prelude.dev/v1/session/stepup/continue \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "challenge_token": "<string>",
  "verification_token": "<string>"
}
'

{
  "challenge_token": "<string>",
  "public_key_credential_request_options": {
    "challenge": "<string>",
    "timeout": 123,
    "rpId": "<string>",
    "allowCredentials": [
      {
        "type": "public-key",
        "id": "<string>",
        "transports": [
          "<string>"
        ]
      }
    ]
  }
}

Authorizations

Authorization (string, header, required)

Access token obtained from session refresh.

Body

application/json
challenge_token (string, required)

The current challenge token.

Example:

"eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9..."

verification_token (string, required)

The verification token from the completed step.

Example:

"eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9..."

Response

OK

challenge_token (string, required)

The updated challenge token for the next step or final grant.

Example:

"eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9..."

public_key_credential_request_options (object)

WebAuthn PublicKeyCredentialRequestOptions in the WebAuthn Level 3 JSON form (binary fields are base64url-encoded). Present only when the step-up step the response advanced to is verify_passkey; pass it to navigator.credentials.get({ publicKey }). The frontend SDKs cache it keyed on the challenge id and run the assertion automatically.
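
When this endpoint is called directly instead of through a frontend SDK, the base64url fields must be converted back to binary before navigator.credentials.get() accepts them. The following is an added example, not code from the Prelude documentation or SDKs: the function names and the sample response are constructed for illustration, and it falls back to a strict manual decoder where the browser lacks PublicKeyCredential.parseRequestOptionsFromJSON.

```javascript
// Added example: not Prelude SDK code; function names are hypothetical.

// Strict base64url -> bytes. Standard-base64 characters and padding are
// rejected so a malformed field fails loudly instead of decoding to garbage.
function base64urlToBytes(value) {
  if (typeof value !== "string" || !/^[A-Za-z0-9_-]+$/.test(value) || value.length % 4 === 1) {
    throw new TypeError("not a base64url string");
  }
  const b64 = value.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Convert the JSON form of public_key_credential_request_options into the
// binary form: challenge and every allowCredentials[].id become Uint8Array.
function requestOptionsFromJSON(json) {
  if (!json || typeof json !== "object") throw new TypeError("request options missing");
  const options = { ...json, challenge: base64urlToBytes(json.challenge) };
  if (json.allowCredentials !== undefined) {
    options.allowCredentials = json.allowCredentials.map((cred) => {
      if (cred.type !== "public-key") throw new TypeError("unexpected credential type");
      return { ...cred, id: base64urlToBytes(cred.id) };
    });
  }
  return options;
}

// Browser-only, so it is defined here but not called.
// Returns null when the response carries no passkey options.
async function getPasskeyAssertion(stepUpResponse) {
  const json = stepUpResponse.public_key_credential_request_options;
  if (!json) return null; // the next step is not verify_passkey
  const native = typeof PublicKeyCredential !== "undefined" &&
    typeof PublicKeyCredential.parseRequestOptionsFromJSON === "function";
  const publicKey = native
    ? PublicKeyCredential.parseRequestOptionsFromJSON(json)
    : requestOptionsFromJSON(json);
  return navigator.credentials.get({ publicKey });
}

// Constructed sample response (values are illustrative, not from a real session).
const sampleResponse = {
  challenge_token: "<challenge-token-placeholder>",
  public_key_credential_request_options: {
    challenge: "AQIDBA", timeout: 60000, rpId: "example.com",
    allowCredentials: [{ type: "public-key", id: "-_8", transports: ["internal"] }],
  },
};
```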