POST /api/auth/verify-otp
Verify a one-time password (OTP) for an email address.
This endpoint verifies a one-time password (OTP) previously sent to an email address.
A successful verification confirms ownership of the email address.
When to use
- After sending an OTP to the user
- Before allowing sensitive actions
Request
HTTP
POST /api/auth/verify-otp
Content-Type: application/json

Request Body
{
  "email": "user@example.com",
  "otp": "123456"
}

Request Fields
| Field | Type | Required | Description |
|---|---|---|---|
| email | string | Yes | Target email address |
| otp | string | Yes | One-time password |
Response
Success (200 OK)
Response
{
  "success": true
}

Errors
Invalid or expired OTP (400)
Error
{
  "success": false,
  "message": "Invalid or expired OTP"
}

Rate limited (429)
Error
{
  "success": false,
  "message": "Too many attempts"
}

Notes
- OTPs can only be used once
- Expired OTPs cannot be verified
- Verification does not create a session
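The following is an added illustration of the server-side rules this endpoint documents (single-use codes, expiry, the 400 and 429 responses, and no session on success); it is not the project's own implementation. The in-memory store, the five-minute lifetime, the five-attempt limit, the fake clock and the constant-time comparison are all assumptions made for the example, since the page states no concrete values.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values; the API documentation does not state them.
OTP_TTL_SECONDS = 300   # how long a code stays verifiable
MAX_ATTEMPTS = 5        # wrong guesses before the 429 "Too many attempts" response


@dataclass
class OtpRecord:
    otp: str
    issued_at: float
    attempts: int = 0


class OtpStore:
    """In-memory OTP store keyed by email (assumption: a real service would use a
    shared store such as a database so the single-use and attempt rules hold
    across instances). The clock is injectable so expiry can be exercised."""

    def __init__(self, clock=time.time):
        self._records: dict[str, OtpRecord] = {}
        self._clock = clock

    def send_otp(self, email: str) -> str:
        """Stand-in for /api/auth/send-otp: mint a six-digit code and record when it
        was issued. The code is returned only so this example can run offline; a
        real service delivers it by email and never returns it to the caller."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._records[email] = OtpRecord(otp=code, issued_at=self._clock())
        return code

    def verify_otp(self, email: str, otp: str) -> tuple[int, dict]:
        """Stand-in for /api/auth/verify-otp. Returns (HTTP status, JSON body)
        using the documented shapes."""
        invalid = (400, {"success": False, "message": "Invalid or expired OTP"})
        record = self._records.get(email)
        if record is None:
            # Unknown email, already-used code and expired code all look the same
            # to the caller, so the response does not reveal which it was.
            return invalid
        if record.attempts >= MAX_ATTEMPTS:
            return 429, {"success": False, "message": "Too many attempts"}
        record.attempts += 1
        if self._clock() - record.issued_at > OTP_TTL_SECONDS:
            # Expired OTPs cannot be verified; drop the record so the stale code
            # can never be accepted later.
            del self._records[email]
            return invalid
        # Constant-time comparison so response timing does not leak how many
        # leading digits matched.
        if not hmac.compare_digest(record.otp.encode(), str(otp).encode()):
            return invalid
        # OTPs can only be used once: a second verify with the same code fails.
        del self._records[email]
        # Verification does not create a session: the body carries no token.
        return 200, {"success": True}
```

Usage: call `send_otp(email)` to obtain a code, then `verify_otp(email, code)`; a repeat of the same call returns 400 because the record was consumed, and once the attempt counter is exhausted every further call for that email returns 429 until a new code is sent.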
Related APIs
- POST /api/auth/send-otp – Send OTP
- POST /api/auth/set-new-password – Reset password