Step-up Challenges

Issue a one-time password that can be used to step-up a token

Initiates the step-up token process by sending an SMS with an one-time-password to a device belonging to the logged-in user that was previously enrolled through /authentication_factors/otp/{channel} endpoint.

This process is required for endpoints that require a step-up token to complete the call.

Note that on the Sandbox Environment, text messages are not sent and the one-time-password is always "123456".

Securityauth_token and api_key
Request
path Parameters
channel
required
string (SCAOtpChannel)

The unique identifier for the channel.

Value: "SMS"
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses
204

Success - No Content.

400

Bad Request Error - Your request is invalid.

401

Unauthorized - Your credentials or access token are invalid.

403

Forbidden - Access to the requested resource or action is forbidden.

405

Method Not Allowed - The request was received but has been rejected for the requested resource.

409

Conflict

429

Too many requests.

500

Internal Server Error - There is a problem with the server. Please try again later.

503

Service Unavailable - We're temporarily offline for maintenance. Please try again later.

default

Error

post/stepup/challenges/otp/{channel}
Request samples
Response samples
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Verify a step-up token using a one-time password

Completes the verification process for a step up token. The challenge expires after 5 minutes and the number of incorrect OTP attempts is limited to reduce the risk of fraud, in that case challenge has to be issued again.

Note that on the Sandbox Environment, text messages are not sent and the verificationCode is always "123456".

Securityauth_token and api_key
Request
path Parameters
channel
required
string (SCAOtpChannel)

The unique identifier for the channel.

Value: "SMS"
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Request Body schema: application/json
required
verificationCode
required
string (Nonce) = 6 characters ^[0-9]*$

The code received by the user on the device.

Responses
204

Success - No Content.

400

Bad Request Error - Your request is invalid.

401

Unauthorized - Your credentials or access token are invalid.

403

Forbidden - Access to the requested resource or action is forbidden.

409

Conflict

429

Too many requests.

500

Internal Server Error - There is a problem with the server. Please try again later.

503

Service Unavailable - We're temporarily offline for maintenance. Please try again later.

default

Error

post/stepup/challenges/otp/{channel}/verify
Request samples
application/json
{
  • "verificationCode": "string"
}
Response samples
application/json
{
  • "message": "string",
  • "syntaxErrors": {
    }
}

Issue a push notification that can be used to step-up a token

Initiates the step-up token process by submitting a push notification to a device belonging to the logged-in user that was previously enrolled through the /authentication_factors/push/{channel} endpoint.

You should only start this process if the token step-up isn't already in flight.

Securityauth_token and api_key
Request
path Parameters
channel
required
string (SCAPushChannel)
  • "AUTHY": The push notification is sent on the user's device using Twilio Authy
  • "BIOMETRIC": The push notification is sent to the user's device
Enum: "AUTHY" "BIOMETRIC"
header Parameters
idempotency-ref
string

A unique call reference generated by the caller that, taking into consideration the payload as well as the operation itself, helps avoid duplicate operations. Idempotency reference uniqueness is maintained for at least 24 hours.

Responses
200

Success

400

Bad Request Error - Your request is invalid.

401

Unauthorized - Your credentials or access token are invalid.

403

Forbidden - Access to the requested resource or action is forbidden.

405

Method Not Allowed - The request was received but has been rejected for the requested resource.

409

Conflict

429

Too many requests.

500

Internal Server Error - There is a problem with the server. Please try again later.

503

Service Unavailable - We're temporarily offline for maintenance. Please try again later.

default

Error

post/stepup/challenges/push/{channel}
Request samples
Response samples
application/json
{
  • "id": "string"
}