# Authenticate OTP

Authenticates a user using a one-time passcode that was sent to them by email or SMS. This API validates the code provided by the user and returns user tokens.

Endpoint: POST /v1/auth/otp/authenticate
Security: ClientAccessToken

## Request fields (application/json):

  - `resource` (string)
    Resource URI the authentication request is attempting to access, which is reflected in the audience (`aud` claim) of the access token. This URI must be configured as a resource for the application.

  - `claims` (object)
    Used to request additional claims in the ID token, such as roles, permissions, and other user profile data. The structure is per the [OIDC Standard](https://openid.net/specs/openid-connect-core-1_0-final.html#ClaimsParameter). For supported claims and how to request custom claims, see the [ID Token Reference](https://developer.transmitsecurity.com/openapi/id_token_reference/).
    Example: {"id_token":{"roles":null}}

  - `org_id` (string)
    Organization ID, used for member login in B2B scenarios

  - `client_attributes` (object)
    Client attributes

  - `client_attributes.user_agent` (string)

  - `client_attributes.ip_address` (string)

  - `device_id` (string)
    Identifier of the device from which the authentication request originates

  - `session_id` (string)
    Used to associate the authentication with an existing session (such as for MFA). If unspecified, a new session is created and the session ID is returned.

  - `passcode` (string, required)
    OTP to validate

  - `identifier_type` (string, required)
    Type of user identifier used for sending the OTP

  - `identifier` (string, required)
    User identifier that the OTP was sent to

  - `request_id` (string)
    The request ID. This is a mandatory parameter if you’ve previously requested to generate a request ID when sending OTP or email link.

## Response 200 fields (application/json):

  - `access_token` (string, required)
    User access token for accessing endpoints on behalf of the authenticated user.

  - `id_token` (string)
    ID token that identifies the user.

  - `refresh_token` (string)
    Refresh token used to refresh an expired access token.

  - `token_type` (string, required)
    Bearer.

  - `expires_in` (number, required)
    Expiration time of the access token in seconds.

  - `session_id` (string, required)
    ID of the session in which the authentication occurs.

## Response 400 fields (application/json):

  - `error_code` (string)
    Enum: "system_invalid_input", "auth_invalid_credentials", "auth_otp_passcode_expired"

  - `message` (string)

## Response 403 fields (application/json):

  - `error_code` (string)
    Enum: "auth_locked"

  - `message` (string)
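The request and response shapes above, worked through as an added client-side example. This is illustrative code written for this page, not Transmit Security's SDK or sample code. It assumes, beyond what the page states, that the ClientAccessToken is sent as an `Authorization: Bearer` header, that the host is a placeholder, and that `identifier_type` accepts a value such as `email`; the sample responses are constructed to match the field lists above. The helper builds a body containing only the documented fields (refusing to send a request that lacks any of the three required ones) and maps the documented 200, 400 and 403 responses to a caller action: retry on `auth_invalid_credentials`, request a fresh code on `auth_otp_passcode_expired`, and stop prompting on `auth_locked`.

```python
# Added example for the Authenticate OTP endpoint (not Transmit Security's own code).
# Assumptions not stated on the page: Bearer Authorization header, placeholder host,
# and the constructed sample responses below.
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Any, Optional

BASE_URL = "https://api.example.invalid"  # placeholder host, not a real endpoint
ENDPOINT = "/v1/auth/otp/authenticate"     # path from the page
REQUIRED = ("passcode", "identifier_type", "identifier")
ALLOWED = {"resource", "claims", "org_id", "client_attributes", "device_id",
           "session_id", "passcode", "identifier_type", "identifier", "request_id"}


def build_request(client_access_token: str, **fields: Any) -> tuple[str, dict[str, str], dict[str, Any]]:
    """Return (url, headers, body) for POST /v1/auth/otp/authenticate.

    Only fields documented on the page are accepted; the three required ones must
    be present and non-empty, and omitted optional fields are left out of the JSON
    body rather than sent as null.
    """
    unknown = set(fields) - ALLOWED
    if unknown:
        raise ValueError(f"unknown request fields: {sorted(unknown)}")
    missing = [k for k in REQUIRED if not fields.get(k)]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    body = {k: v for k, v in fields.items() if v is not None}
    headers = {
        "Authorization": f"Bearer {client_access_token}",  # assumed scheme
        "Content-Type": "application/json",
    }
    return BASE_URL + ENDPOINT, headers, body


@dataclass
class OtpOutcome:
    """Client-side classification of one API response."""
    kind: str  # authenticated | retry | expired | locked | bad_request | unexpected
    session_id: Optional[str] = None
    access_token: Optional[str] = None
    expires_in: Optional[int] = None
    error_code: Optional[str] = None
    message: Optional[str] = None


def classify_response(http_status: int, raw_body: str) -> OtpOutcome:
    """Map the documented 200/400/403 responses to an action for the caller."""
    try:
        payload = json.loads(raw_body)
    except json.JSONDecodeError:
        return OtpOutcome("unexpected", message="non-JSON body")
    if http_status == 200:
        return OtpOutcome(
            "authenticated",
            session_id=payload["session_id"],       # required on the page
            access_token=payload["access_token"],   # required on the page
            expires_in=int(payload["expires_in"]),  # required on the page
        )
    code = payload.get("error_code")
    msg = payload.get("message")
    if http_status == 403 and code == "auth_locked":
        # Account is locked: stop prompting; further attempts will not help.
        return OtpOutcome("locked", error_code=code, message=msg)
    if http_status == 400:
        if code == "auth_otp_passcode_expired":
            # The code is stale: the caller should request a fresh OTP.
            return OtpOutcome("expired", error_code=code, message=msg)
        if code == "auth_invalid_credentials":
            # Wrong passcode/identifier pair: the user may try again.
            return OtpOutcome("retry", error_code=code, message=msg)
        if code == "system_invalid_input":
            # Malformed request: a client bug, not a user error.
            return OtpOutcome("bad_request", error_code=code, message=msg)
    return OtpOutcome("unexpected", error_code=code, message=msg)


# Constructed sample responses, shaped like the page's field lists.
SAMPLE_200 = json.dumps({"access_token": "at.constructed", "id_token": "idt.constructed",
                         "token_type": "Bearer", "expires_in": 3600, "session_id": "sess-0001"})
SAMPLE_400_EXPIRED = json.dumps({"error_code": "auth_otp_passcode_expired", "message": "passcode expired"})
SAMPLE_403_LOCKED = json.dumps({"error_code": "auth_locked", "message": "user locked"})

if __name__ == "__main__":
    url, hdrs, body = build_request("client-token-placeholder", passcode="123456",
                                    identifier_type="email", identifier="user@example.com")
    print(url, json.dumps(body))
    for status, raw in [(200, SAMPLE_200), (400, SAMPLE_400_EXPIRED), (403, SAMPLE_403_LOCKED)]:
        print(status, classify_response(status, raw).kind)
```

The `retry` and `expired` outcomes deserve different user-facing messages, but neither should reveal whether the identifier or the passcode was the wrong part of the pair; the `locked` outcome is the signal to stop collecting passcodes rather than loop.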


