> ## Documentation Index > Fetch the complete documentation index at: https://docs.prelude.so/llms.txt > Use this file to discover all available pages before exploring further. # Finalize login > Finalize a login flow by exchanging a challenge token for session tokens (access + refresh). ## OpenAPI ````yaml post /v1/session/login/finalize openapi: 3.1.1 info: title: Prelude Session Frontend API version: 0.0.1 description: The Prelude Frontend API for Session Management contact: email: support@prelude.so servers: - url: https://{appId}.session.prelude.dev description: Production server variables: appId: default: changeme description: The appID security: [] tags: - name: Login OTP description: Login and step-up via OTP (phone or email) - name: Login Email Password description: Login via email and password - name: Login OAuth description: Login via OAuth providers - name: Login Finalize description: Finalize a login flow and create a session - name: Login Migration description: Migrate sessions from a legacy authentication system - name: Session description: Session refresh and revocation - name: Session Management description: Authenticated session and identifier management - name: Step-Up description: Step-up authentication flow - name: Well-Known description: Public key discovery endpoints - name: Password description: Password compliancy and change password paths: /v1/session/login/finalize: post: tags: - Login Finalize summary: Finalize login description: >- Finalize a login flow by exchanging a challenge token for session tokens (access + refresh). operationId: finalizeLogin requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/FinalizeLoginRequest' responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/SessionRefreshResponse' headers: Set-Cookie: schema: type: string example: __refresh_{app_id}=abcde12345; Path=/; HttpOnly; Secure; description: The refresh token cookie X-Refresh-Token: schema: type: string description: The refresh token (DPoP flow) X-Refresh-Token-Expires-At: schema: type: string format: date-time description: The refresh token expiration time (DPoP flow) DPoP-Nonce: schema: type: string description: Server-issued DPoP nonce (RFC 9449) '400': description: Bad Request content: application/json: schema: oneOf: - $ref: '#/components/schemas/BadRequestError' - $ref: '#/components/schemas/ExpiredChallengeTokenError' - $ref: '#/components/schemas/InvalidChallengeTokenError' '401': description: Unauthorized content: application/json: schema: oneOf: - $ref: '#/components/schemas/InvalidDPoPProofError' '409': description: Conflict content: application/json: schema: $ref: '#/components/schemas/TokenReusedError' '429': description: Rate Limited content: application/json: schema: $ref: '#/components/schemas/RateLimitedError' '500': description: Internal Error content: application/json: schema: $ref: '#/components/schemas/InternalError' components: schemas: FinalizeLoginRequest: type: object properties: challenge_token: type: string description: The challenge token obtained from a login method. examples: - eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9... code_verifier: type: string description: PKCE code verifier for OAuth flows. examples: - dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk required: - challenge_token SessionRefreshResponse: type: object properties: access_token: type: string examples: - eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9... expires_at: type: integer format: int64 description: Unix timestamp of when the access token expires. examples: - 1717689600 required: - access_token - expires_at BadRequestError: type: object properties: code: type: string enum: - bad_request type: type: string enum: - bad_request ExpiredChallengeTokenError: type: object properties: code: type: string enum: - expired_challenge_token type: type: string enum: - bad_request InvalidChallengeTokenError: type: object properties: code: type: string enum: - invalid_challenge_token type: type: string enum: - bad_request InvalidDPoPProofError: type: object properties: code: type: string enum: - invalid_dpop_proof type: type: string enum: - unauthorized TokenReusedError: type: object properties: code: type: string enum: - token_reused type: type: string enum: - conflict RateLimitedError: type: object properties: code: type: string enum: - rate_limited type: type: string enum: - rate_limited InternalError: type: object properties: code: type: string enum: - internal type: type: string enum: - internal ````