# Validate email OTP

Validate a one-time passcode sent by email to a user. The endpoint will return a URI which can be used to redirect the client in order to complete authentication. Required permissions: apps:execute, [appId]:execute, auth:execute.

Endpoint: POST /v1/auth/otp/email/validation
Security: ClientAccessToken

## Request fields (application/json):

  - `email` (string, required)
    Email that the OTP was sent to

  - `passcode` (string, required)
    Email code to validate

  - `response_type` (string)
    Response type requested for the authentication flow.
    Enum: "code", "id_token"

  - `nonce` (string)
    A random value that will associate the client request with the ID token, and used to mitigate replay attacks. It will be added to the ID token and the backend service should only accept ID tokens that include the same nonce value as the one included in the original request.

## Response 200 fields (application/json):

  - `result` (string, required)
    URI used to complete the flow. Sending a GET request to this URI will redirect the browser to your redirect URI with a code to exchange for user tokens.

## Response 400 fields (application/json):

  - `message` (array, required)
    Example: "Bad request"

  - `error_code` (number, required)
    Example: 400