# OTP Validation

## Overview
Validate one-time passwords (OTP) sent via email/SMS or generated by authenticator apps (TOTP).
## Endpoint

```
POST /api/BPMSelfService/commands/ValidateOtpCommand
```
## Request Parameters

| Parameter | Type | Required | Description |
|---|---|---|---|
| userId | integer | Yes | User ID |
| otpCode | string | Yes | OTP or TOTP code to validate |
| verificationMethodType | integer | Yes | Verification method: 1=Email, 2=SMS, 3=Authenticator |
## Response

### Successful Validation

```json
{
  "status": "success",
  "message": "OTP validated successfully",
  "data": {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "refreshToken": "...",
    "expiresIn": 3600
  }
}
```
### Failed Validation

```json
{
  "status": "error",
  "message": "Invalid or expired OTP",
  "errorCode": "AUTH_002"
}
```
## Validation Logic

### Email/SMS OTP
- Checks database for matching OTP
- Verifies OTP hasn't expired (typically 5-10 minutes)
- Invalidates OTP after successful validation
### Authenticator App (TOTP)
- Validates against user's stored secret key
- Uses RFC 6238 time-based algorithm
- Accepts codes within ±30 second time window
- No database lookup required
## Example Usage

### C# Example
Code Removed
Implementation details removed for security.
Contact support for implementation guidance.
### JavaScript Example

```javascript
// Submit the code the user typed; verificationMethodType 3 = Authenticator (TOTP).
const response = await fetch('/api/BPMSelfService/commands/ValidateOtpCommand', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    userId: 123,
    otpCode: '123456',
    verificationMethodType: 3
  })
});

const result = await response.json();
if (result.status === 'success') {
  // On success the response carries the session token and its lifetime (expiresIn).
  localStorage.setItem('jwt_token', result.data.token);
} else {
  // Failure responses carry an errorCode such as AUTH_002 (see Error Responses).
  console.error(`OTP validation failed: ${result.errorCode} - ${result.message}`);
}
```
## Error Responses
| Status | Error Code | Description |
|---|---|---|
| 401 | AUTH_002 | Invalid OTP code |
| 401 | AUTH_003 | OTP expired |
| 404 | AUTH_005 | User not found |
| 400 | AUTH_007 | Invalid verification method |