OTP Validation
Overview
Validate one-time passwords (OTP) sent via email/SMS or generated by authenticator apps (TOTP).
Endpoint
POST /api/BPMSelfService/commands/ValidateOtpCommand
Request Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| userId | integer | Yes | User ID |
| otpCode | string | Yes | OTP or TOTP code to validate |
| verificationMethodType | integer | Yes | Verification method: 1=Email, 2=SMS, 3=Authenticator |
Response
Successful Validation
{
  "status": "success",
  "message": "OTP validated successfully",
  "data": {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "refreshToken": "...",
    "expiresIn": 3600
  }
}
Failed Validation
{
  "status": "error",
  "message": "Invalid or expired OTP",
  "errorCode": "AUTH_002"
}
Validation Logic
Email/SMS OTP
- Checks database for matching OTP
- Verifies OTP hasn't expired (typically 5-10 minutes)
- Invalidates OTP after successful validation
Authenticator App (TOTP)
- Validates against user's stored secret key
- Uses RFC 6238 time-based algorithm
- Accepts codes within ±30 second time window
- No database lookup required
Example Usage
C# Example
Code Removed
Implementation details removed for security.
Contact support for implementation guidance.
JavaScript Example
// Submit the code for verificationMethodType 3 (Authenticator app).
const response = await fetch('/api/BPMSelfService/commands/ValidateOtpCommand', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    userId: 123,
    otpCode: '123456',
    verificationMethodType: 3
  })
});

const result = await response.json();
if (result.status === 'success') {
  // Successful validation returns the session token in data.token.
  localStorage.setItem('jwt_token', result.data.token);
} else {
  // Failed validation returns an errorCode (see Error Responses below).
  console.error(`OTP validation failed: ${result.errorCode} - ${result.message}`);
}
Error Responses
| Status | Error Code | Description |
|---|---|---|
| 401 | AUTH_002 | Invalid OTP code |
| 401 | AUTH_003 | OTP expired |
| 404 | AUTH_005 | User not found |
| 400 | AUTH_007 | Invalid verification method |