> ## Documentation Index > Fetch the complete documentation index at: https://docs.prelude.so/llms.txt > Use this file to discover all available pages before exploring further. # Check standalone OTP > Verify the OTP code for standalone/step-up verification. Returns a challenge token. ## OpenAPI ````yaml post /v1/session/otp/check openapi: 3.1.1 info: title: Prelude Session Frontend API version: 0.0.1 description: The Prelude Frontend API for Session Management contact: email: support@prelude.so servers: - url: https://{appId}.session.prelude.dev description: Production server variables: appId: default: changeme description: The appID security: [] tags: - name: Login OTP description: Login and step-up via OTP (phone or email) - name: Login Email Password description: Login via email and password - name: Login OAuth description: Login via OAuth providers - name: Login Finalize description: Finalize a login flow and create a session - name: Login Migration description: Migrate sessions from a legacy authentication system - name: Session description: Session refresh and revocation - name: Session Management description: Authenticated session and identifier management - name: Step-Up description: Step-up authentication flow - name: Well-Known description: Public key discovery endpoints - name: Password description: Password compliancy and change password paths: /v1/session/otp/check: post: tags: - Login OTP summary: Check standalone OTP description: >- Verify the OTP code for standalone/step-up verification. Returns a challenge token. operationId: otpCheck requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/StepUpOTPCheckRequest' responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/StepUpOTPCheckResponse' '400': description: Bad Request content: application/json: schema: oneOf: - $ref: '#/components/schemas/BadRequestError' - $ref: '#/components/schemas/ExpiredChallengeTokenError' - $ref: '#/components/schemas/InvalidChallengeTokenError' - $ref: '#/components/schemas/TokenMismatchError' - $ref: '#/components/schemas/StepNotCompletedError' - $ref: '#/components/schemas/StepBypassedError' '401': description: Unauthorized content: application/json: schema: oneOf: - $ref: '#/components/schemas/BadCheckCodeError' - $ref: '#/components/schemas/UnauthorizedError' - $ref: '#/components/schemas/InvalidDPoPProofError' '404': description: Not Found content: application/json: schema: $ref: '#/components/schemas/StepNotFoundError' '409': description: Conflict content: application/json: schema: $ref: '#/components/schemas/TokenReusedError' '500': description: Internal Error content: application/json: schema: $ref: '#/components/schemas/InternalError' security: - verificationCookieAuth: [] components: schemas: StepUpOTPCheckRequest: type: object properties: code: type: string description: The OTP code to verify. examples: - '123456' challenge_token: type: string description: The challenge token (required for step-up flow). examples: - eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9... required: - code StepUpOTPCheckResponse: type: object properties: challenge_token: type: string description: | A new challenge token. The token's `grant_mode` claim determines what to do next: * `session-start` — finalize the login via the [Finalize login](/session/api-reference/frontend/finalize-login) endpoint. * `single-use` / `session-bound` / `profile-bound` — the next step-up step (or completion). The frontend SDKs handle this routing automatically. For the OAuth-email-link flow (provider with `verify_email=true`) this endpoint also returns a `session-start` token, which the SDK finalizes against the original PKCE `code_verifier`. examples: - eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9... required: - challenge_token BadRequestError: type: object properties: code: type: string enum: - bad_request type: type: string enum: - bad_request ExpiredChallengeTokenError: type: object properties: code: type: string enum: - expired_challenge_token type: type: string enum: - bad_request InvalidChallengeTokenError: type: object properties: code: type: string enum: - invalid_challenge_token type: type: string enum: - bad_request TokenMismatchError: type: object properties: code: type: string enum: - token_mismatch type: type: string enum: - bad_request StepNotCompletedError: type: object properties: code: type: string enum: - step_not_completed type: type: string enum: - bad_request StepBypassedError: type: object properties: code: type: string enum: - step_bypassed type: type: string enum: - bad_request BadCheckCodeError: type: object properties: code: type: string enum: - bad_check_code type: type: string enum: - unauthorized UnauthorizedError: type: object properties: code: type: string enum: - unauthorized type: type: string enum: - unauthorized InvalidDPoPProofError: type: object properties: code: type: string enum: - invalid_dpop_proof type: type: string enum: - unauthorized StepNotFoundError: type: object properties: code: type: string enum: - step_not_found type: type: string enum: - not_found TokenReusedError: type: object properties: code: type: string enum: - token_reused type: type: string enum: - conflict InternalError: type: object properties: code: type: string enum: - internal type: type: string enum: - internal securitySchemes: verificationCookieAuth: type: apiKey in: cookie name: __verification-login_{app_id} ````