# SMS code postlogin Complete passwordless authentication using a one-time code (OTC) sent via SMS. This is the second step in the SMS OTC passwordless login flow. After the user receives the code, this endpoint finalizes authentication and returns a valid JWT and refresh cookie. Request body must include: - token: The token ID associated with the SMS OTC sent to the user. - invitationToken (optional): Include if the user is signing up through an invitation. - recaptchaToken (optional): Required if reCAPTCHA is enabled for login. Use this endpoint to complete passwordless login via SMS and receive authentication tokens for the session. Endpoint: POST /resources/auth/v1/passwordless/smscode/postlogin Security: bearer ## Request fields (application/json): - `token` (string, required) One time code to login with - get it from the email sent after prelogin request - `recaptchaToken` (string) - `invitationToken` (string) ## Response 201 fields (application/json): - `tokenType` (string) - `otcToken` (string) - `mfaRequired` (boolean, required) - `mfaToken` (string) - `resetPasswordToken` (string) - `passwordExpiresIn` (number) - `notificationPeriod` (number) - `mfaEnrolled` (boolean) - `mfaDevices` (object) - `mfaDevices.webauthn` (array, required) - `mfaDevices.webauthn.id` (string, required) - `mfaDevices.webauthn.deviceType` (string, required) Enum: "Platform", "CrossPlatform" - `mfaDevices.webauthn.name` (string, required) - `mfaDevices.phones` (array, required) - `mfaDevices.phones.phoneNumber` (string, required) - `mfaDevices.authenticators` (array, required) - `mfaDevices.emails` (array, required) - `mfaDevices.emails.email` (string, required) - `mfaStrategies` (object) - `qrCode` (string) - `recoveryCode` (string) - `accessToken` (string, required) - `refreshToken` (string, required) - `expiresIn` (number, required) - `expires` (string, required) - `userId` (string) - `userEmail` (string) - `emailVerified` (boolean) - `isBreachedPassword` (boolean)