Verify an OTP

POST /auth/verify-otp

Complete OTP flow and exchange OTP for tokens.

Current behavior:

If OTP is valid:
- existing user is used, or user is auto-created if missing
- player role is assigned for auto-created users
- access + refresh tokens are returned
Invalid OTP returns 400.

Base URL examples

POST http://localhost:8001/auth/verify-otp
POST http://localhost:8000/client/auth/verify-otp

Required headers

x-client-id: <project_client_id>
x-client-secret: <project_client_secret>
Content-Type: application/json

If either client credential header is missing or invalid, the API returns 401.

Request

Responses

Successful Response

Request body

{
  "email": "player@example.com",
  "otp": "123456"
}

Response behavior

{
  "success": true,
  "access_token": "jwt-or-null",
  "refresh_token": "jwt-or-null",
  "message": "human-readable status"
}

With a valid OTP, token fields are populated and can be used for downstream SDK calls.

cURL example

curl -X POST "http://localhost:8001/auth/verify-otp" \
  -H "x-client-id: <client-id>" \
  -H "x-client-secret: <client-secret>" \
  -H "Content-Type: application/json" \
  -d '{"email":"player@example.com","otp":"123456"}'

Verify an OTP

/auth/verify-otp

Base URL examples​

Required headers​

Request​

Responses​

Request body​

Response behavior​

cURL example​