arazzo: 1.0.1
info:
  title: Stytch WhatsApp One-Time Passcode Login
  summary: Send a WhatsApp one-time passcode and authenticate the code the user enters.
  description: >-
    A passwordless WhatsApp OTP login flow for consumer apps. The workflow sends
    a one-time passcode over WhatsApp to a phone number (creating the user if
    they do not yet exist) and then authenticates the method_id and code the
    user submits to mint a session. Every step spells out its request inline so
    the flow can be read and executed without opening the underlying OpenAPI
    description. All calls authenticate with HTTP Basic auth using your Stytch
    project_id as the username and secret as the password.
  version: 1.0.0
sourceDescriptions:
  - name: stytchConsumerApi
    url: ../openapi/stytch-consumer-openapi.yml
    type: openapi
workflows:
  - workflowId: whatsapp-otp-login
    summary: Send a WhatsApp OTP and authenticate the code to obtain a session.
    description: >-
      Dispatches a one-time passcode over WhatsApp to the supplied phone number
      and exchanges the returned phone_id method and the user-entered code for
      an authenticated session.
    inputs:
      type: object
      required:
        - phone_number
        - code
      properties:
        phone_number:
          type: string
          description: The E.164 formatted phone number to send the WhatsApp passcode to.
        code:
          type: string
          description: The one-time passcode the user received over WhatsApp and entered.
        session_duration_minutes:
          type: integer
          description: Optional session lifetime in minutes for the authenticated session.
    steps:
      - stepId: sendWhatsappOtp
        description: >-
          Send a one-time passcode over WhatsApp to the phone number, creating
          the user if no account exists, and return the phone_id used to
          authenticate.
        operationId: api_otp_v1_otp_whatsapp_LoginOrCreate
        requestBody:
          contentType: application/json
          payload:
            phone_number: $inputs.phone_number
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          userId: $response.body#/user_id
          phoneId: $response.body#/phone_id
      - stepId: authenticateOtp
        description: >-
          Authenticate the one-time passcode using the phone_id as the method_id
          and the code the user entered to mint a session.
        operationId: api_otp_v1_Authenticate
        requestBody:
          contentType: application/json
          payload:
            method_id: $steps.sendWhatsappOtp.outputs.phoneId
            code: $inputs.code
            session_duration_minutes: $inputs.session_duration_minutes
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          userId: $response.body#/user_id
          sessionToken: $response.body#/session_token
          sessionJwt: $response.body#/session_jwt
    outputs:
      userId: $steps.authenticateOtp.outputs.userId
      sessionToken: $steps.authenticateOtp.outputs.sessionToken
      sessionJwt: $steps.authenticateOtp.outputs.sessionJwt