arazzo: 1.0.1
info:
  title: Stytch SMS One-Time Passcode Login
  summary: Send an SMS one-time passcode and authenticate the code the user enters.
  description: >-
    A passwordless SMS OTP login flow for consumer apps. The workflow sends a
    one-time passcode by SMS to a phone number (creating the user if they do
    not yet exist) and then authenticates the method_id and code the user
    submits to mint a session. Every step spells out its request inline so the
    flow can be read and executed without opening the underlying OpenAPI
    description. All calls authenticate with HTTP Basic auth using your Stytch
    project_id as the username and secret as the password.
  version: 1.0.0
sourceDescriptions:
  - name: stytchConsumerApi
    url: ../openapi/stytch-consumer-openapi.yml
    type: openapi
workflows:
  - workflowId: sms-otp-login
    summary: Send an SMS OTP and authenticate the code to obtain a session.
    description: >-
      Dispatches a one-time passcode by SMS to the supplied phone number and
      exchanges the returned phone_id method and the user-entered code for an
      authenticated session.
    inputs:
      type: object
      required:
        - phone_number
        - code
      properties:
        phone_number:
          type: string
          description: The E.164 formatted phone number to send the passcode to.
        code:
          type: string
          description: The one-time passcode the user received by SMS and entered.
        session_duration_minutes:
          type: integer
          description: Optional session lifetime in minutes for the authenticated session.
    steps:
      - stepId: sendSmsOtp
        description: >-
          Send a one-time passcode by SMS to the phone number, creating the
          user if no account exists, and return the phone_id used to
          authenticate the code.
        operationId: api_otp_v1_otp_sms_LoginOrCreate
        requestBody:
          contentType: application/json
          payload:
            phone_number: $inputs.phone_number
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          userId: $response.body#/user_id
          phoneId: $response.body#/phone_id
      - stepId: authenticateOtp
        description: >-
          Authenticate the one-time passcode using the phone_id as the
          method_id and the code the user entered to mint a session.
        operationId: api_otp_v1_Authenticate
        requestBody:
          contentType: application/json
          payload:
            method_id: $steps.sendSmsOtp.outputs.phoneId
            code: $inputs.code
            session_duration_minutes: $inputs.session_duration_minutes
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          userId: $response.body#/user_id
          sessionToken: $response.body#/session_token
          sessionJwt: $response.body#/session_jwt
    outputs:
      userId: $steps.authenticateOtp.outputs.userId
      sessionToken: $steps.authenticateOtp.outputs.sessionToken
      sessionJwt: $steps.authenticateOtp.outputs.sessionJwt