> ## Documentation Index > Fetch the complete documentation index at: https://docs.prelude.so/llms.txt > Use this file to discover all available pages before exploring further. # Continue step-up challenge > Verify the customer's verification token and advance the challenge to the next step. A valid DPoP proof (`DPoP` header, RFC 9449) is required on every call to this endpoint. ## OpenAPI ````yaml post /v1/session/stepup/continue openapi: 3.1.1 info: title: Prelude Auth Frontend API version: 0.0.1 description: The Prelude Frontend API for Authentication and Session Management contact: email: support@prelude.so servers: - url: https://{appId}.session.prelude.dev description: Production server variables: appId: default: changeme description: The appID security: [] tags: - name: Login OTP description: Login and step-up via OTP (phone or email) - name: Login Email Password description: Login via email and password - name: Login OAuth description: Login via OAuth providers - name: Login SAML description: Login via SAML 2.0 SSO connections (Okta, Google Workspace) - name: Login Finalize description: Finalize a login flow and create a session - name: Login Migration description: Migrate sessions from a legacy authentication system - name: Session description: Session refresh and revocation - name: Session Management description: Authenticated session and identifier management - name: Step-Up description: Step-up authentication flow - name: Well-Known description: Public key discovery endpoints - name: Password description: Password compliancy and change password - name: Passkey Login description: >- Primary-factor (passwordless) sign-in via WebAuthn discoverable credentials - name: Passkey Management description: >- Register / list / rename / delete the authenticated user's passkey credentials paths: /v1/session/stepup/continue: post: tags: - Step-Up summary: Continue step-up challenge description: >- Verify the customer's verification token and advance the challenge to the next step. A valid DPoP proof (`DPoP` header, RFC 9449) is required on every call to this endpoint. operationId: stepUpContinue requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/StepUpContinueRequest' responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/StepUpContinueResponse' '400': description: Bad Request content: application/json: schema: oneOf: - $ref: '#/components/schemas/BadRequestError' - $ref: '#/components/schemas/ExpiredChallengeTokenError' - $ref: '#/components/schemas/InvalidChallengeTokenError' - $ref: '#/components/schemas/InvalidVerificationTokenError' - $ref: '#/components/schemas/TokenMismatchError' - $ref: '#/components/schemas/StepNotCompletedError' - $ref: '#/components/schemas/StepBypassedError' '401': description: Unauthorized content: application/json: schema: oneOf: - $ref: '#/components/schemas/UnauthorizedError' - $ref: '#/components/schemas/InvalidDPoPProofError' '404': description: Not Found content: application/json: schema: $ref: '#/components/schemas/StepNotFoundError' '409': description: Conflict content: application/json: schema: oneOf: - $ref: '#/components/schemas/TokenReusedError' - $ref: '#/components/schemas/IdentifierAlreadyExistsError' '422': description: Unprocessable Entity content: application/json: schema: $ref: '#/components/schemas/StepUpNotConfiguredError' '429': description: Rate Limited content: application/json: schema: $ref: '#/components/schemas/RateLimitedError' '500': description: Internal Error content: application/json: schema: $ref: '#/components/schemas/InternalError' security: - accessTokenAuth: [] components: schemas: StepUpContinueRequest: type: object properties: challenge_token: type: string description: The current challenge token. examples: - eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9... verification_token: type: string description: The verification token from the completed step. examples: - eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9... required: - challenge_token - verification_token StepUpContinueResponse: type: object properties: challenge_token: type: string description: The updated challenge token for the next step or final grant. examples: - eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9... public_key_credential_request_options: $ref: '#/components/schemas/PublicKeyCredentialRequestOptions' required: - challenge_token BadRequestError: type: object properties: code: type: string enum: - bad_request type: type: string enum: - bad_request ExpiredChallengeTokenError: type: object properties: code: type: string enum: - expired_challenge_token type: type: string enum: - bad_request InvalidChallengeTokenError: type: object properties: code: type: string enum: - invalid_challenge_token type: type: string enum: - bad_request InvalidVerificationTokenError: type: object properties: code: type: string enum: - invalid_verification_token type: type: string enum: - bad_request TokenMismatchError: type: object properties: code: type: string enum: - token_mismatch type: type: string enum: - bad_request StepNotCompletedError: type: object properties: code: type: string enum: - step_not_completed type: type: string enum: - bad_request StepBypassedError: type: object properties: code: type: string enum: - step_bypassed type: type: string enum: - bad_request UnauthorizedError: type: object properties: code: type: string enum: - unauthorized type: type: string enum: - unauthorized InvalidDPoPProofError: type: object properties: code: type: string enum: - invalid_dpop_proof type: type: string enum: - unauthorized StepNotFoundError: type: object properties: code: type: string enum: - step_not_found type: type: string enum: - not_found TokenReusedError: type: object properties: code: type: string enum: - token_reused type: type: string enum: - conflict IdentifierAlreadyExistsError: type: object properties: code: type: string enum: - identifier_already_exists type: type: string enum: - conflict StepUpNotConfiguredError: type: object properties: code: type: string enum: - not_configured type: type: string enum: - unprocessable_entity RateLimitedError: type: object properties: code: type: string enum: - rate_limited type: type: string enum: - rate_limited InternalError: type: object properties: code: type: string enum: - internal type: type: string enum: - internal PublicKeyCredentialRequestOptions: type: object description: | WebAuthn `PublicKeyCredentialRequestOptions` in the WebAuthn Level 3 JSON form (binary fields are base64url-encoded). Present only when the step-up step the response advanced to is `verify_passkey`; pass it to `navigator.credentials.get({ publicKey })`. The frontend SDKs cache it keyed on the challenge id and run the assertion automatically. properties: challenge: type: string pattern: ^[A-Za-z0-9_-]+$ description: Base64url-encoded challenge bytes. timeout: type: integer description: Ceremony timeout in milliseconds. rpId: type: string description: Relying Party identifier. allowCredentials: type: array items: type: object properties: type: type: string enum: - public-key id: type: string pattern: ^[A-Za-z0-9_-]+$ description: Base64url-encoded credential id. transports: type: array items: type: string userVerification: type: string enum: - required - preferred - discouraged required: - challenge securitySchemes: accessTokenAuth: type: http scheme: bearer bearerFormat: JWT description: Access token obtained from session refresh ````