# Confirm Login (Verify Email OTP)

Confirms the login attempt by verifying the provided email OTP against the session identifier returned by /auth/login. On success, returns standard OAuth2 tokens (for subsequent API calls) and onboarding status/details if applicable.

Endpoint: POST /auth/login-confirmation
Version: 1.1.0
Security: m2m_oauth

## Request fields (application/json):

- `email` (string, required)
  The email address of the user confirming login.
  Example: "user@company.com"

- `session` (string, required)
  The session challenge identifier returned by the /auth/login endpoint.
  Example: "sess_abc123xyz789"

- `method` (string, required)
  The confirmation method being used.
  Enum: "email"

- `client_id` (string, required)
  The OAuth client_id of the company initiating the request.
  Example: "aBcDeFgHiJkLmNoPqRsT"

- `otp` (string, required)
  The One-Time Password received by the user via email.
  Example: "123456"

- `user_id` (string, required)
  User Id
  Example: "aaaa-bbbb-xxxx-yyyy"

## Response 200 fields (application/json):

- `access_token` (string, required)
  The OAuth2.0 access token for making authenticated requests to non-auth endpoints.
  Example: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

- `expires_in` (integer, required)
  The lifetime in seconds of the access token.
  Example: 3600

- `token_type` (string, required)
  Type of the token issued (e.g., "Bearer").
  Example: "Bearer"

- `id_token` (string, required)
  A JWT containing identity information about the user.
  Example: "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."

- `onboarding_step` (string,null)
  Identifier for the next onboarding step required, if any. Null or absent if onboarding is complete.
  Example: "data_enrichment"

- `onboarding_process_ulid` (string,null)
  The unique ULID for the user's current onboarding process, if onboarding is not complete. Null or absent otherwise.
  Example: "01ARZ3NDEKTSV4RRFFQ69G5FAV"

## Response 400 fields (application/json):

- `code` (string, required)
  An application-specific error code string.
  Example: "INVALID_OTP"

- `message` (string, required)
  A human-readable explanation specific to this occurrence of the problem.
  Example: "The OTP provided is invalid or has expired."

## Response 401 fields (application/json):

- `code` (string, required)
  An application-specific error code string.
  Example: "INVALID_OTP"

- `message` (string, required)
  A human-readable explanation specific to this occurrence of the problem.
  Example: "The OTP provided is invalid or has expired."

## Response 412 fields (application/json):

- `code` (string, required)
  An application-specific error code string.
  Example: "INVALID_OTP"

- `message` (string, required)
  A human-readable explanation specific to this occurrence of the problem.
  Example: "The OTP provided is invalid or has expired."

## Response 500 fields (application/json):

- `code` (string, required)
  An application-specific error code string.
  Example: "INVALID_OTP"

- `message` (string, required)
  A human-readable explanation specific to this occurrence of the problem.
  Example: "The OTP provided is invalid or has expired."
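
The following client-side sketch is an added example, not part of the original API reference: it builds the `POST /auth/login-confirmation` request from the documented fields and maps the documented responses to a result. The base URL passed by the caller and the use of an `Authorization: Bearer` header for the `m2m_oauth` token are assumptions, since the page names the security scheme but not how the credential is sent.

```python
import json
import urllib.request

# Required request fields and 200-response token fields, as listed on the page.
REQUIRED = ("email", "session", "method", "client_id", "otp", "user_id")
TOKEN_FIELDS = ("access_token", "expires_in", "token_type", "id_token")

def build_confirmation_request(base_url, m2m_token, fields):
    """Build (but do not send) the POST /auth/login-confirmation request."""
    for name in REQUIRED:
        value = fields.get(name)
        # Every field is a string; an integer OTP would drop leading zeros.
        if not isinstance(value, str) or not value:
            raise ValueError(f"{name} must be a non-empty string")
    if fields["method"] != "email":
        raise ValueError('method must be "email" (the only enum value)')
    body = json.dumps({name: fields[name] for name in REQUIRED}).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/auth/login-confirmation",
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            # Assumption: the m2m_oauth token is sent as a Bearer credential.
            "Authorization": f"Bearer {m2m_token}",
        },
    )

def parse_confirmation_response(status, raw_body):
    """Map a documented response (status code, JSON body) to a result dict."""
    doc = json.loads(raw_body)
    if status == 200:
        missing = [f for f in TOKEN_FIELDS if f not in doc]
        if missing:
            raise ValueError(f"200 response missing {missing}")
        return {
            "ok": True,
            "tokens": {f: doc[f] for f in TOKEN_FIELDS},
            # Null and absent both mean onboarding is complete.
            "onboarding_step": doc.get("onboarding_step"),
            "onboarding_process_ulid": doc.get("onboarding_process_ulid"),
        }
    # 400, 401, 412 and 500 share the code/message shape.
    return {"ok": False, "status": status,
            "code": doc.get("code"), "message": doc.get("message")}
```

Pass the returned `Request` to `urllib.request.urlopen` to send it, and keep the OTP and the returned tokens out of application logs.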