# Send OTP

Send a one-time passcode to a user by email or SMS, or retrieve the code directly in the response to deliver it out-of-band — for example, when an admin generates a temporary access code on behalf of a user.

Endpoint: POST /v1/auth/otp/send
Security: ClientAccessToken

## Request fields (application/json):

  - `channel` (string, required)
    Channel to use to send the OTP. Use sms or email to deliver the code to the user. Use direct to return the code in the response body without sending it — for example, to deliver it out-of-band as a temporary access code. See [Generate temporary access code](/guides/user/account_recovery.md).
    Enum: "sms", "email", "direct"

  - `identifier_type` (string, required)
    Type of user identifier used for login

  - `identifier` (string, required)
    User identifier, which may correspond to the user's email, phone number, username, or user ID. The type of identifier should be specified as the identifier_type.

  - `email_content` (object)
    Text, logo, and color used to render the email template, if the channel is email

  - `email_content.subject` (string, required)
    The subject of the email

  - `email_content.primaryColor` (string)
    Primary color of the email, specified as a Hex color
    Example: "#6981FF"

  - `email_content.base64logo` (string)
    Base64 encoded image for email logo. The string length must be less than or equal to 20000 characters

  - `email_content.headerText` (string)
    The header of the email

  - `email_content.bodyText` (string)
    The body of the email

  - `email_content.linkText` (string)
    The text of the link button in the email

  - `email_content.infoText` (string)
    Any extra information in the email

  - `email_content.footerText` (string)
    The footer of the email
    Example: "If you didn't request this email, you can safely ignore it."

  - `email_content.senderName` (string)
    Name of the sender of the email

  - `custom_sms_input` (object)
    Custom SMS message to send, if the channel is sms

  - `custom_sms_input.custom_message` (string)
    Message to send. It must contain the {otp} and {app} placeholders, which are replaced with the one-time password and the application name. Limited to 140 characters

  - `custom_sms_input.sender_id` (string)
    The sender name that appears as the message sender on recipients' devices. Limited to 11 characters. Support is limited; see https://docs.aws.amazon.com/sns/latest/dg/sns-supported-regions-countries.html

  - `approval_data` (object)
    Flat object that contains the data that your customer should approve for a transaction signing or custom approval flow. It can contain up to 10 keys, and only alphanumeric characters, underscores, hyphens, and periods. It will be returned as a claim in the ID token upon successful authentication.
    Example: {"transaction_id":"eFII2y40uB9hQ98nXt3tc1IHkRt8GrRZiqZuRn_59wT","sum":"200"}

  - `custom_email` (string)
    Custom email address to send the OTP to; it can be different from the user's email (if the channel is email)

  - `custom_phone_number` (string)
    Custom phone number to send the OTP to; it can be different from the user's phone number (if the channel is sms)

  - `client_attributes` (object)
    Client attributes

  - `client_attributes.user_agent` (string)

  - `client_attributes.ip_address` (string)

  - `expires_in` (number)
    Number of minutes until the OTP expires

  - `generate_request_id` (boolean)
    The request ID can serve as an additional security identifier for authentication requests. When set to 'false' (the default), the request ID isn't returned. When set to 'true', Mosaic generates a unique request ID that must be included in the subsequent Authenticate OTP request along with other required parameters.

## Response 200 fields (application/json):

  - `message` (string, required)
    Example: "OTP sent"

  - `approval_data` (object)
    Approval data object, if passed in the request.
    Example: {"transaction_id":"eFII2y40uB9hQ98nXt3tc1IHkRt8GrRZiqZuRn_59wT","sum":"200"}

  - `code` (string)
    One time passcode, if the channel is direct.
    Example: "123456"
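
The limits documented for the request fields can be checked before calling the endpoint, and the `code` returned for the `direct` channel can be masked before a response is logged. The following is an added example, not part of the API or its SDK: the function names are hypothetical, the `identifier_type` value and identifier in the sample are constructed, and it assumes the `approval_data` character rule applies to both keys and values.

```python
import re

CHANNELS = {"sms", "email", "direct"}          # enum from the page
SAFE = re.compile(r"[A-Za-z0-9_.-]+")          # approval_data character set

def validate_send_otp(body):
    """Return a list of violations of the documented request limits."""
    errs = []
    for field in ("channel", "identifier_type", "identifier"):
        if not isinstance(body.get(field), str) or not body[field]:
            errs.append(f"{field}: required string")
    if body.get("channel") not in CHANNELS:
        errs.append("channel: must be sms, email or direct")
    sms = body.get("custom_sms_input") or {}
    msg = sms.get("custom_message")
    if msg is not None:
        if "{otp}" not in msg or "{app}" not in msg:
            errs.append("custom_message: needs {otp} and {app}")
        if len(msg) > 140:
            errs.append("custom_message: over 140 characters")
    if len(sms.get("sender_id", "")) > 11:
        errs.append("sender_id: over 11 characters")
    email = body.get("email_content")
    if email is not None:
        if not email.get("subject"):
            errs.append("email_content.subject: required")
        if len(email.get("base64logo", "")) > 20000:
            errs.append("base64logo: over 20000 characters")
    approval = body.get("approval_data") or {}
    if len(approval) > 10:
        errs.append("approval_data: more than 10 keys")
    for key, value in approval.items():
        if isinstance(value, (dict, list)):      # "flat object": no nesting
            errs.append(f"approval_data.{key}: must be flat")
        elif not SAFE.fullmatch(str(key)) or not SAFE.fullmatch(str(value)):
            errs.append(f"approval_data.{key}: disallowed character")
    return errs

def redact_otp_response(resp):
    """Copy of a 200 response that is safe to log: the direct-channel code is masked."""
    return {**resp, "code": "[REDACTED]"} if "code" in resp else dict(resp)

# Constructed sample request (identifier_type value and identifier are made up).
SAMPLE = {
    "channel": "sms", "identifier_type": "email", "identifier": "user@example.com",
    "custom_sms_input": {"custom_message": "{app} code: {otp}", "sender_id": "ACME"},
    "approval_data": {"transaction_id": "eFII2y40uB9hQ98nXt3tc1IHkRt8GrRZiqZuRn_59wT", "sum": "200"},
}
```
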

## Response 400 fields (application/json):

  - `error_code` (string)
    Enum: "system_invalid_input", "external_provider_configuration_error"

  - `message` (string)

## Response 403 fields (application/json):

  - `error_code` (string)
    Enum: "user_not_active", "auth_login_preferences_missing"

  - `message` (string)

## Response 404 fields (application/json):

  - `error_code` (string)
    Enum: "user_not_found", "user_email_address_missing", "user_phone_number_missing", "auth_login_preferences_missing"

  - `message` (string)


