POST /api/v1/auth/verify-otp

Verify OTP and return tokens
curl --request POST \
  --url https://handauncle-backend-prod-205012263523.asia-south1.run.app/api/v1/auth/verify-otp \
  --header 'Content-Type: application/json' \
  --header 'x-device-id: <x-device-id>' \
  --data '
{
  "phone": "9876543210",
  "otp": "123456"
}
'
{
  "success": true,
  "data": {
    "accessToken": "<string>",
    "idToken": "<string>",
    "refreshToken": "<string>",
    "expiresIn": 123,
    "user": {
      "id": "<string>",
      "email": "jsmith@example.com",
      "name": "<string>",
      "picture": "<string>",
      "emailVerified": true,
      "phone": "<string>"
    }
  },
  "meta": {
    "timestamp": "2023-11-07T05:31:56Z",
    "requestId": "<string>"
  }
}
Validates the submitted OTP code, creates/updates the user in Auth0 and MongoDB, and returns Auth0 tokens so the client can treat OTP users like any other session.

Headers

| Header      | Required | Description                          |
|-------------|----------|--------------------------------------|
| x-device-id | Yes      | Unique device identifier             |
| x-platform  | No       | Platform type: ios, android, or web  |

Request Body

{
  "phone": "+919876543210",
  "otp": "123456"
}

Response

{
  "success": true,
  "data": {
    "accessToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
    "idToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
    "refreshToken": "v1.MjAyNS0xMi0wMlQwODowMDowMC4wMDBa...",
    "expiresIn": 86400,
    "user": {
      "id": "auth0|692e9f465b1b4e6753627a4f",
      "phone": "+919876543210",
      "name": "HU Phone 3210",
      "phoneVerified": true,
      "email": "919876543210@sms.handauncle.app"
    }
  },
  "meta": {
    "timestamp": "2025-12-02T08:00:00.000Z",
    "request_id": "uuid"
  }
}

Error Codes

| Status | Description                             |
|--------|-----------------------------------------|
| 400    | Invalid or expired OTP                  |
| 401    | Maximum verification attempts exceeded  |
| 502    | Auth0 or Exotel service failure         |

Notes

  • The accessToken is an Auth0 JWT that can be used with all authenticated endpoints
  • The refreshToken can be used with /api/v1/auth/refresh to get new tokens
  • The synthetic email (phone@sms.handauncle.app) is used internally for Auth0 database connection

Headers

x-device-id
string
required

Unique identifier for the calling device or installation.

Minimum string length: 1
x-platform
enum<string>

Client platform (ios, android, web).

Available options:
ios,
android,
web

Body

application/json
phone
string
required

Phone number. Accepts 10-digit numbers (9876543210), numbers with country code (919876543210), or E.164 format (+919876543210). The +91 prefix is automatically added for 10-digit numbers.

Example:

"9876543210"

otp
string
required

6-digit verification code.

Pattern: ^\d{6}$
Example:

"123456"
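The following is an added client-side example, not code from the HandaUncle API or its SDK. It applies the phone normalization rule documented for the phone field (10-digit, 91-prefixed, or E.164 input all canonicalised to +91...), enforces the ^\d{6}$ OTP pattern and the required x-device-id header before a request is built, and maps the documented status codes (400, 401, 502) to client actions so that a 401 "attempts exceeded" response stops further retries instead of looping. The helper names, the sample response and the device id are constructed for illustration; the base URL is the one shown in the curl example above.

```python
"""Added example: request construction and response handling for
POST /api/v1/auth/verify-otp, following the rules in the documentation.
Not the project's own code; helper names are hypothetical."""
import json
import re
import time

BASE_URL = "https://handauncle-backend-prod-205012263523.asia-south1.run.app"
VERIFY_OTP_PATH = "/api/v1/auth/verify-otp"
PLATFORMS = {"ios", "android", "web"}          # documented x-platform enum
OTP_PATTERN = re.compile(r"^\d{6}$")           # documented otp pattern


def normalize_phone(phone: str) -> str:
    """Canonicalise the three accepted forms to E.164 (+91 followed by 10 digits).

    Accepted per the docs: 10 digits (9876543210), country code without plus
    (919876543210), or E.164 (+919876543210). Anything else is rejected
    rather than guessed at, so a malformed number never reaches the server.
    """
    digits = phone.strip()
    if digits.startswith("+"):
        digits = digits[1:]
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError("phone must contain only digits, optionally with a leading +")
    if len(digits) == 10:
        return "+91" + digits               # +91 prefix added for 10-digit input
    if len(digits) == 12 and digits.startswith("91"):
        return "+" + digits
    raise ValueError("phone must be 10 digits, 91 + 10 digits, or E.164 +91...")


def build_verify_otp_request(phone: str, otp: str, device_id: str, platform: str = None):
    """Return (url, headers, body) for the verify-otp call after validating
    every field client-side against the documented constraints."""
    if not device_id:                        # x-device-id: required, min length 1
        raise ValueError("x-device-id header is required")
    if not OTP_PATTERN.fullmatch(otp):
        raise ValueError("otp must be exactly 6 digits")
    headers = {"Content-Type": "application/json", "x-device-id": device_id}
    if platform is not None:
        if platform not in PLATFORMS:
            raise ValueError("x-platform must be one of ios, android, web")
        headers["x-platform"] = platform
    body = {"phone": normalize_phone(phone), "otp": otp}
    return BASE_URL + VERIFY_OTP_PATH, headers, json.dumps(body)


def classify_response(status: int, body: dict) -> str:
    """Map the documented status codes to a client action.

    401 signals the attempt limit, so the caller must stop submitting codes
    and restart the OTP flow instead of retrying."""
    if status == 200 and body.get("success") is True:
        return "tokens_issued"
    if status == 400:
        return "retry_with_new_code"          # invalid or expired OTP
    if status == 401:
        return "attempts_exhausted"           # maximum verification attempts exceeded
    if status == 502:
        return "upstream_unavailable"         # Auth0 or Exotel failure
    return "unexpected"


def session_from_response(body: dict, now: float = None) -> dict:
    """Keep only what the client needs: tokens, user id and an absolute expiry
    derived from expiresIn (seconds) so /api/v1/auth/refresh can be called in time."""
    now = time.time() if now is None else now
    data = body["data"]
    return {
        "access_token": data["accessToken"],
        "refresh_token": data["refreshToken"],
        "user_id": data["user"]["id"],
        "expires_at": now + data["expiresIn"],
    }


# Constructed sample response, modelled on the documented success example.
SAMPLE_SUCCESS = {
    "success": True,
    "data": {
        "accessToken": "eyJ...constructed...",
        "idToken": "eyJ...constructed...",
        "refreshToken": "v1....constructed...",
        "expiresIn": 86400,
        "user": {"id": "auth0|constructed-example-id", "phone": "+919876543210",
                 "phoneVerified": True},
    },
    "meta": {"timestamp": "2025-12-02T08:00:00.000Z", "request_id": "constructed-uuid"},
}

if __name__ == "__main__":
    url, headers, body = build_verify_otp_request("9876543210", "123456", "device-abc", "android")
    print(url, headers, body)
    print(classify_response(200, SAMPLE_SUCCESS), session_from_response(SAMPLE_SUCCESS, now=0))
```

The request builder is deliberately strict: it rejects unexpected phone shapes and non-6-digit codes before any network call, which keeps malformed input from generating 400s that count against the server-side attempt limit. The tokens returned on success should be stored in the platform's secure storage, with `expires_at` driving the refresh call.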

Response

Tokens issued

success
enum<boolean>
required
Available options:
true
data
object
required
meta
object
required