> ## Documentation Index > Fetch the complete documentation index at: https://docs.prelude.so/llms.txt > Use this file to discover all available pages before exploring further. # Create step-up config > Create a step-up authentication configuration for the application. ## OpenAPI ````yaml post /v2/session/apps/{appID}/config/stepup openapi: 3.1.1 info: title: Prelude Session Management API version: 0.0.1 summary: The Prelude API for Session Management description: The Prelude API for Session Management. contact: email: support@prelude.so url: https://prelude.so servers: - url: https://api.prelude.dev description: Production server security: - Authorization: [] tags: - name: Mode description: Manage the mode (dev/prod) of your application. - name: Users description: Manage the users of your application. - name: Webhooks description: Manage the webhooks of your application. - name: Domains description: Manage the domains of your application. - name: Config - Scopes description: Manage the scope configuration of your application. - name: Config - Claims description: Manage the claims mapping configuration of your application. - name: Config - Step-up description: Manage the step-up authentication configuration of your application. - name: Config - Migration description: Manage the user migration configuration of your application. - name: Config - Login OTP description: Manage the OTP login configuration of your application. - name: Config - Login OAuth description: Manage the OAuth login configuration of your application. - name: Config - Login Password description: Manage the password login configuration of your application. paths: /v2/session/apps/{appID}/config/stepup: parameters: - $ref: '#/components/parameters/appIDParam' post: tags: - Config - Step-up summary: Create step-up config description: Create a step-up authentication configuration for the application. operationId: createStepUpConfig requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/PostStepUpConfigRequest' responses: '201': description: Created '400': description: Bad Request content: application/json: schema: $ref: '#/components/schemas/InvalidRequestError' '404': description: Not Found content: application/json: schema: $ref: '#/components/schemas/AppNotFoundError' '409': description: Conflict content: application/json: schema: $ref: '#/components/schemas/ConflictError' components: parameters: appIDParam: in: path name: appID required: true description: The id of the app the request refers to. schema: $ref: '#/components/schemas/AppID' schemas: PostStepUpConfigRequest: type: object properties: jwks_url: type: string format: uri description: | HTTPS endpoint exposing the JWKS used to verify tokens issued by your backend for custom steps. Required when at least one entry in `allowed_scopes` uses the `delegated` mode. examples: - https://api.example.com/.well-known/jwks.json step_keys: type: array items: $ref: '#/components/schemas/StepKey' allowed_scopes: type: array description: | Per-scope step-up configuration. Each entry is either delegated to a delegation hook on your backend or resolved directly by Prelude using a static decision. items: $ref: '#/components/schemas/AllowedScopeConfig' required: - step_keys - allowed_scopes InvalidRequestError: type: object properties: code: type: string enum: - invalid_request examples: - invalid_request status: type: string enum: - bad_request examples: - bad_request message: type: string examples: - The request body is invalid. required: - code - status - message AppNotFoundError: type: object properties: code: type: string enum: - app_not_found examples: - app_not_found status: type: string enum: - not_found examples: - not_found message: type: string examples: - The application was not found. required: - code - status - message ConflictError: type: object properties: code: type: string enum: - conflict examples: - conflict status: type: string enum: - conflict examples: - conflict message: type: string examples: - A conflict occurred with the current state of the resource. required: - code - status - message AppID: type: string description: An application's unique identifier. examples: - 54e9ujn - fvua38g StepKey: type: object properties: key: type: string examples: - high_value_transaction description: type: string examples: - Triggered for transactions above $10,000 required: - key - description AllowedScopeConfig: type: object description: | Per-scope step-up configuration. Set `mode` to `delegated` to call your delegation hook for this scope, or `direct` to serve a static decision without any hook call. Exactly one of `delegated` or `direct` must be set, matching `mode`. A scope may appear more than once in `allowed_scopes`: - Multiple `direct` entries are allowed as long as each `(scope, identifier_type)` pair is unique — useful when the step differs per identifier type (e.g. `verify_email` vs `verify_sms`). - At most one `delegated` entry per scope. When present alongside `direct` entries, it acts as a fallback and is invoked when no `direct` entry matches the user's identifier types at runtime. At runtime Prelude picks the first matching `direct` entry in declaration order, or falls back to the delegated entry. If none match, the request is rejected. properties: scope: type: string description: The scope this entry configures. examples: - transfer mode: type: string enum: - delegated - direct description: | How the step-up decision for this scope is produced. delegated: $ref: '#/components/schemas/DelegatedScopeConfig' direct: $ref: '#/components/schemas/DirectScopeConfig' required: - scope - mode DelegatedScopeConfig: type: object description: | Configuration of a scope whose decision is delegated to the customer's delegation hook. properties: delegation_hook: type: string format: uri description: HTTPS endpoint Prelude calls for this scope. examples: - https://api.example.com/stepup/signal required: - delegation_hook DirectScopeConfig: type: object description: | Static step-up decision served directly by Prelude for a scope, without any hook call. The decision applies only to users who hold at least one identifier of the listed `identifier_types`. properties: identifier_types: type: array description: | Identifier types the user must hold for this decision to apply. At least one identifier type is required. minItems: 1 items: type: string enum: - email_address - phone_number status: type: string enum: - continue - review - block description: | `continue` grants the scope immediately, `review` requires the user to complete one or more steps, `block` denies the scope. granted_for: type: integer minimum: 0 maximum: 86400 description: | Duration in seconds for which the scope is granted. Required when `status` is `continue` or `review`. For `session-bound` and `profile-bound` grants, a value below 1 defaults to 600 seconds. examples: - 3600 grant_mode: type: string enum: - single-use - session-bound - profile-bound description: | How the granted scope is attached. Required when `status` is `continue` or `review`. steps: type: array description: | Steps the user must complete, in order. Required and non-empty when `status` is `review`. Must be omitted otherwise. items: $ref: '#/components/schemas/Step' required: - identifier_types - status Step: type: object properties: order: type: integer description: Position of this step in the sequence (starts at 1). minimum: 1 examples: - 1 key: type: string pattern: ^[a-zA-Z0-9.\-_:]+$ description: | Step identifier. Use `verify_sms` or `verify_email` for Prelude-owned steps, or any custom key registered in `step_keys`. examples: - verify_sms expiration_duration: type: integer description: Time in seconds the user has to complete this step. minimum: 0 maximum: 86400 examples: - 600 required: - order - key - expiration_duration securitySchemes: Authorization: type: http scheme: bearer ````