arazzo: 1.0.1
info:
  title: Stytch B2B SMS OTP Multi-Factor Authentication
  summary: Send an SMS OTP to a member and authenticate the code to complete MFA.
  description: >-
    A second-factor SMS OTP flow for B2B apps. The workflow sends a one-time
    passcode by SMS to a member of an organization and then authenticates the
    code the member enters, completing the MFA step and producing a full member
    session. Every step spells out its request inline so the flow can be read
    and executed without opening the underlying OpenAPI description. All calls
    authenticate with HTTP Basic auth using your Stytch project_id as the
    username and secret as the password.
  version: 1.0.0
sourceDescriptions:
  - name: stytchB2bApi
    url: ../openapi/stytch-b2b-openapi.yml
    type: openapi
workflows:
  - workflowId: sms-otp-mfa
    summary: Send an SMS OTP to a member and authenticate the code to finish MFA.
    description: >-
      Dispatches a one-time passcode by SMS to a member and exchanges the
      member-entered code for an authenticated member session, completing the
      MFA step.
    inputs:
      type: object
      required:
        - organization_id
        - member_id
        - code
      properties:
        organization_id:
          type: string
          description: The id of the organization the member belongs to.
        member_id:
          type: string
          description: The id of the member completing MFA.
        mfa_phone_number:
          type: string
          description: Optional E.164 phone number to enroll and send the passcode to.
        code:
          type: string
          description: The one-time passcode the member received by SMS and entered.
        session_duration_minutes:
          type: integer
          description: Optional session lifetime in minutes for the member session.
    steps:
      - stepId: sendSmsOtp
        description: >-
          Send a one-time passcode by SMS to the member's MFA phone number,
          enrolling the supplied number if provided.
        operationId: api_b2b_otp_v1_b2b_otp_sms_Send
        requestBody:
          contentType: application/json
          payload:
            organization_id: $inputs.organization_id
            member_id: $inputs.member_id
            mfa_phone_number: $inputs.mfa_phone_number
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          memberId: $response.body#/member_id
      - stepId: authenticateSmsOtp
        description: >-
          Authenticate the SMS one-time passcode the member entered to complete
          the MFA step and mint a member session.
        operationId: api_b2b_otp_v1_b2b_otp_sms_Authenticate
        requestBody:
          contentType: application/json
          payload:
            organization_id: $inputs.organization_id
            member_id: $inputs.member_id
            code: $inputs.code
            session_duration_minutes: $inputs.session_duration_minutes
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          memberId: $response.body#/member_id
          organizationId: $response.body#/organization/organization_id
          sessionToken: $response.body#/session_token
    outputs:
      memberId: $steps.authenticateSmsOtp.outputs.memberId
      organizationId: $steps.authenticateSmsOtp.outputs.organizationId
      sessionToken: $steps.authenticateSmsOtp.outputs.sessionToken