Version: Latest (3.102.4)

Perform the authentication method

POST /verification-srv/authentication/:method/verification

Use this endpoint only after receiving a valid exchange_id from the initiation step. The verification method is specified in the {method} path parameter.

When to use this endpoint:

  • Use this endpoint only to complete an initiated authentication method.
  • Do not use this endpoint to start authentication; use /verification-srv/authentication/{method}/initiation.

Supported scenarios (method matrix):

  • SMS, EMAIL (OTP), IVR, TOTP, BACKUPCODE: exchange_id, pass_code
  • PASSWORD: exchange_id, password
  • PUSH, PATTERN: exchange_id, push_id, device_id, client_id, pass_code
  • TOUCHID: exchange_id, push_id, device_id, client_id
  • FACE: exchange_id, push_id, device_id, client_id, photo (multipart/form-data)
  • FIDO2: exchange_id, fido2_client_response

Not supported / will fail:

  • Expired, invalid, or reused exchange_id
  • Missing method-specific payload fields
  • Mixing fields across methods (for example OTP fields for push flow)
  • Method not enabled for the app/user
  • Submitting an exchange_id for the wrong flow stage

What happens next:

  • On success, continue login flow using returned status_id.
  • On push-style methods, intermediate states can appear (PushAcknowledged, Allowed, Denied) before final authentication.
  • On failure, the API returns an error object and the client should re-initiate or retry based on the error cause.

Validation Steps Performed:

  1. Validates exchange_id is present and valid
  2. Validates single_factor_auth is only allowed for FACE method
  3. Method-specific validations:
    • Backup Code: Validates backup code exists, is not already used, and marks it as used after successful authentication
    • Email/SMS/TOTP: Validates pass_code matches the sent code
    • FIDO2: Validates FIDO2 client response
    • Password: Validates password matches user's stored password
    • Pattern: Validates pattern matches user's configured pattern
    • Push/TouchID/Face: Validates device and biometric authentication
  4. Performs Fraud Detection System (FDS) checks for suspicious activity
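A client can catch the payload failures listed above (missing fields, fields mixed across methods, single_factor_auth outside FACE) before spending an exchange_id. The following pre-flight check is an added example, not code from the API vendor. The names check_payload and build_request, the lowercase method segment in the path, and the JSON content type for non-FACE methods are assumptions.

```python
# Added example: client-side pre-flight check mirroring the method matrix.
OTP = {"exchange_id", "pass_code"}
DEVICE = {"exchange_id", "push_id", "device_id", "client_id"}
REQUIRED_FIELDS = {
    **dict.fromkeys(("SMS", "EMAIL", "IVR", "TOTP", "BACKUPCODE"), OTP),
    "PASSWORD": {"exchange_id", "password"},
    **dict.fromkeys(("PUSH", "PATTERN"), DEVICE | {"pass_code"}),
    "TOUCHID": DEVICE,
    "FACE": DEVICE | {"photo"},
    "FIDO2": {"exchange_id", "fido2_client_response"},
}
# Every field named on the page; used to spot fields borrowed from another method.
ALL_KNOWN = set().union(*REQUIRED_FIELDS.values()) | {"single_factor_auth"}


class PayloadError(ValueError):
    """Raised when a payload does not match the matrix for its method."""


def check_payload(method, payload):
    """Return a list of problems; an empty list means the payload fits."""
    method = method.upper()
    if method not in REQUIRED_FIELDS:
        return [f"unsupported method: {method}"]
    required = REQUIRED_FIELDS[method]
    # Treat None and empty strings/bytes as absent.
    present = {k for k, v in payload.items() if v not in (None, "", b"")}
    problems = [f"missing field: {f}" for f in sorted(required - present)]
    # single_factor_auth is accepted only for FACE (validation step 2).
    allowed = required | ({"single_factor_auth"} if method == "FACE" else set())
    foreign = (present & ALL_KNOWN) - allowed
    problems += [f"field not valid for {method}: {f}" for f in sorted(foreign)]
    return problems


def build_request(method, payload):
    """Return (verb, path, content_type) or raise PayloadError."""
    problems = check_payload(method, payload)
    if problems:
        raise PayloadError("; ".join(problems))
    # Assumption: the path segment is the lowercase method name.
    path = f"/verification-srv/authentication/{method.lower()}/verification"
    # FACE carries a photo as multipart/form-data; JSON elsewhere is an assumption.
    is_face = method.upper() == "FACE"
    content_type = "multipart/form-data" if is_face else "application/json"
    return "POST", path, content_type
```

Fields that the page does not name are ignored by the check, so it does not reject payloads that carry additional documented parameters.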

Request

Responses

SUCCESS