# OTC (One-Time Code) postlogin

Complete passwordless authentication using a one-time code (OTC) sent to the user's email. This is the second step in the email OTC passwordless login flow. After the user receives and enters the code, this endpoint validates the token and finalizes authentication.

Request body must include:

- token: The token ID associated with the email OTC sent to the user.
- invitationToken (optional): Include if the user is signing up via an invitation.
- recaptchaToken (optional): Required if reCAPTCHA is enabled for login.

Use this endpoint to validate the email-based one-time code and receive authentication credentials, including a JWT and refresh cookie.

Endpoint: POST /resources/auth/v1/passwordless/code/postlogin

Security: bearer

## Request fields (application/json):

- `token` (string, required)
  One time code to login with - get it from the email sent after prelogin request
- `recaptchaToken` (string)
- `invitationToken` (string)

## Response 201 fields (application/json):

- `tokenType` (string)
- `otcToken` (string)
- `mfaRequired` (boolean, required)
- `mfaToken` (string)
- `resetPasswordToken` (string)
- `passwordExpiresIn` (number)
- `notificationPeriod` (number)
- `mfaEnrolled` (boolean)
- `mfaDevices` (object)
- `mfaDevices.webauthn` (array, required)
- `mfaDevices.webauthn.id` (string, required)
- `mfaDevices.webauthn.deviceType` (string, required)
  Enum: "Platform", "CrossPlatform"
- `mfaDevices.webauthn.name` (string, required)
- `mfaDevices.phones` (array, required)
- `mfaDevices.phones.phoneNumber` (string, required)
- `mfaDevices.authenticators` (array, required)
- `mfaDevices.emails` (array, required)
- `mfaDevices.emails.email` (string, required)
- `mfaStrategies` (object)
- `qrCode` (string)
- `recoveryCode` (string)
- `accessToken` (string, required)
- `refreshToken` (string, required)
- `expiresIn` (number, required)
- `expires` (string, required)
- `userId` (string)
- `userEmail` (string)
- `emailVerified` (boolean)
- `isBreachedPassword` (boolean)
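
The following client-side sketch is an added example, not code from this API's documentation or vendor. It builds the postlogin request from the documented fields and checks the 201 response before trusting it. The function names, base URL and all token values are placeholders, and treating `mfaRequired: true` as "session not yet complete" is an assumption, since the follow-up MFA step is not described on this page.

```python
import json
import urllib.request

POSTLOGIN_PATH = "/resources/auth/v1/passwordless/code/postlogin"
REQUIRED_FIELDS = ("mfaRequired", "accessToken", "refreshToken", "expiresIn", "expires")


def build_postlogin_request(base_url, bearer, token, invitation_token=None, recaptcha_token=None):
    """Build (but do not send) the POST request described on this page."""
    body = {"token": token}
    # Optional fields are sent only when the caller actually has them.
    if invitation_token:
        body["invitationToken"] = invitation_token
    if recaptcha_token:
        body["recaptchaToken"] = recaptcha_token
    return urllib.request.Request(
        base_url.rstrip("/") + POSTLOGIN_PATH, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {bearer}"},
    )


def interpret_postlogin_response(status, payload):
    """Return 'mfa' or 'authenticated'; raise ValueError on anything else."""
    if status != 201:
        raise ValueError(f"unexpected status {status}")
    missing = [f for f in REQUIRED_FIELDS if f not in payload]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    # A string such as "false" is truthy in Python, so insist on a real boolean.
    if not isinstance(payload["mfaRequired"], bool):
        raise ValueError("mfaRequired must be a boolean")
    # Assumption: when mfaRequired is true the session is not complete until
    # a separate MFA step (not documented on this page) succeeds with mfaToken.
    if payload["mfaRequired"]:
        if not payload.get("mfaToken"):
            raise ValueError("mfaRequired is true but mfaToken is absent")
        return "mfa"
    return "authenticated"


# Constructed sample response; every value is a placeholder.
SAMPLE_RESPONSE = {
    "mfaRequired": True, "mfaToken": "MFA_TOKEN_PLACEHOLDER",
    "accessToken": "ACCESS_PLACEHOLDER", "refreshToken": "REFRESH_PLACEHOLDER",
    "expiresIn": 3600, "expires": "2030-01-01T00:00:00Z",
}

if __name__ == "__main__":
    print(interpret_postlogin_response(201, SAMPLE_RESPONSE))
```

Keep the returned `accessToken`, `refreshToken` and `mfaToken` out of application logs and error messages; the validation errors above name only field names, never values.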