POST /v1/auth/email-otp/request
Send a one-time passwordless login code to the user's email. Always returns 204 — the response shape doesn't reveal whether the email is registered.
::: tip Auth Required: none. :::
Request
POST /v1/auth/email-otp/request
| Header | Required | Notes |
|---|---|---|
| `Content-Type: application/json` | yes | — |
Body
{ "email": "alice@example.com" }
Response
204 No Content
Always 204 — even for unknown or disabled emails, and even for malformed input. This is a deliberate enumeration defense.
If the email is registered AND active, a 6-digit code is emailed; if not, the SDK silently no-ops.
Error responses
| Status | Code | When |
|---|---|---|
| 500 | internal_error | Database or email-transport failure. |
Example: curl
```bash
curl -X POST https://auth.example.com/v1/auth/email-otp/request \
  -H 'Content-Type: application/json' \
  -d '{"email":"alice@example.com"}'
```
Notes
- Codes are 6 digits, zero-padded.
- Code TTL: 10 minutes.
- Max attempts per challenge: 5 (enforced at `/verify`).
- Codes are stored as SHA-256 hashes; the plaintext exists only in the outbound email.
- Any prior outstanding login codes for this user are wiped before the new one is minted.
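The rules in the notes above, together with the always-204 behaviour, sketched as an added example; this is not the SDK's own code. `OtpStore`, the `send_mail` hook, the in-memory dictionary and the single-use behaviour in `verify` are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 600        # 10 minutes, per the notes
MAX_ATTEMPTS = 5      # per challenge, enforced at verify time

class OtpStore:
    """In-memory stand-in for the server's challenge table (assumption)."""

    def __init__(self, active_emails, send_mail):
        self.active = set(active_emails)
        self.send_mail = send_mail      # callable(email, code); hypothetical transport hook
        self.challenges = {}            # email -> {"hash", "expires", "attempts"}

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def request(self, email, now=None):
        """Always returns 204 so the caller cannot tell registered from unknown."""
        now = time.time() if now is None else now
        if isinstance(email, str) and email in self.active:
            code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded
            # Overwriting the entry wipes any outstanding code for this user.
            self.challenges[email] = {"hash": self._digest(code),
                                      "expires": now + CODE_TTL, "attempts": 0}
            self.send_mail(email, code)  # plaintext leaves only via the email
        return 204

    def verify(self, email, code, now=None):
        now = time.time() if now is None else now
        ch = self.challenges.get(email)
        if ch is None or now >= ch["expires"] or ch["attempts"] >= MAX_ATTEMPTS:
            self.challenges.pop(email, None)   # expired or exhausted: discard
            return False
        ch["attempts"] += 1              # count the attempt before comparing
        if hmac.compare_digest(ch["hash"], self._digest(str(code))):
            del self.challenges[email]   # single use (assumption)
            return True
        return False
```

In this sketch mail is sent synchronously only on the registered path, so response time differs between the two branches; queueing the send out of band keeps timing as uniform as the status code.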