> ## Documentation Index
> Fetch the complete documentation index at: https://docs.prelude.so/llms.txt
> Use this file to discover all available pages before exploring further.

# Request step-up scope

> Initiate a step-up authentication flow for the given scope.



## OpenAPI

````yaml post /v1/session/stepup/request
openapi: 3.1.1
info:
  title: Prelude Session Frontend API
  version: 0.0.1
  description: The Prelude Frontend API for Session Management
  contact:
    email: support@prelude.so
servers:
  - url: https://{appId}.session.prelude.dev
    description: Production server
    variables:
      appId:
        default: changeme
        description: The appID
security: []
tags:
  - name: Login OTP
    description: Login and step-up via OTP (phone or email)
  - name: Login Email Password
    description: Login via email and password
  - name: Login OAuth
    description: Login via OAuth providers
  - name: Login Finalize
    description: Finalize a login flow and create a session
  - name: Login Migration
    description: Migrate sessions from a legacy authentication system
  - name: Session
    description: Session refresh and revocation
  - name: Session Management
    description: Authenticated session and identifier management
  - name: Step-Up
    description: Step-up authentication flow
  - name: Well-Known
    description: Public key discovery endpoints
  - name: Password
    description: Password compliancy and change password
paths:
  /v1/session/stepup/request:
    post:
      tags:
        - Step-Up
      summary: Request step-up scope
      description: Initiate a step-up authentication flow for the given scope.
      operationId: stepUpRequestScope
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/StepUpGrantScopeRequest'
      responses:
        '200':
          description: OK
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/StepUpGrantScopeResponse'
        '400':
          description: Bad Request
          content:
            application/json:
              schema:
                oneOf:
                  - $ref: '#/components/schemas/BadRequestError'
                  - $ref: '#/components/schemas/ScopeNotAllowedError'
                  - $ref: '#/components/schemas/InvalidMetadataError'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UnauthorizedError'
        '422':
          description: Unprocessable Entity
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/StepUpNotConfiguredError'
        '500':
          description: Internal Error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/InternalError'
      security:
        - accessTokenAuth: []
components:
  schemas:
    StepUpGrantScopeRequest:
      type: object
      properties:
        scope:
          $ref: '#/components/schemas/Scope'
        metadata:
          type: object
          maxProperties: 5
          propertyNames:
            pattern: ^[a-zA-Z0-9.\-_:]+$
            maxLength: 12
          additionalProperties:
            type: string
            maxLength: 32
          description: >-
            Optional metadata (max 5 fields, keys max 12 chars, values max 32
            chars).
          examples:
            - amount: '500'
              currency: USD
        dispatch_id:
          type: string
          description: The identifier of the dispatch from the front-end SDK.
          examples:
            - 123e4567-e89b-12d3-a456-426614174000
      required:
        - scope
    StepUpGrantScopeResponse:
      type: object
      properties:
        status:
          type: string
          description: The status of the step-up request (e.g., "continue", "granted").
          examples:
            - continue
        challenge_token:
          type: string
          description: >-
            The challenge token for the step-up flow (present when status is
            "continue").
          examples:
            - eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCJ9...
    BadRequestError:
      type: object
      properties:
        code:
          type: string
          enum:
            - bad_request
        type:
          type: string
          enum:
            - bad_request
    ScopeNotAllowedError:
      type: object
      properties:
        code:
          type: string
          enum:
            - scope_not_allowed
        type:
          type: string
          enum:
            - bad_request
    InvalidMetadataError:
      type: object
      properties:
        code:
          type: string
          enum:
            - invalid_metadata
        type:
          type: string
          enum:
            - bad_request
    UnauthorizedError:
      type: object
      properties:
        code:
          type: string
          enum:
            - unauthorized
        type:
          type: string
          enum:
            - unauthorized
    StepUpNotConfiguredError:
      type: object
      properties:
        code:
          type: string
          enum:
            - not_configured
        type:
          type: string
          enum:
            - unprocessable_entity
    InternalError:
      type: object
      properties:
        code:
          type: string
          enum:
            - internal
        type:
          type: string
          enum:
            - internal
    Scope:
      type: string
      pattern: ^[a-zA-Z0-9.\-_:]+$
      description: A scope identifier.
      examples:
        - transfer:write
  securitySchemes:
    accessTokenAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: Access token obtained from session refresh

````