# Authenticate User

> Authenticate a user with their phone number or email and a passwordless verification code.

## Endpoint

`POST /oauth/token`

Once you have a verification code, use this endpoint to log in the user with their phone number or email and the verification code.

### Remarks

* The `grant_type` should be `http://auth0.com/oauth/grant-type/passwordless/otp`.
* The `client_id` of your application is required.
* The `username` is either the user's phone number (if `realm=sms`) or the user's email (if `realm=email`).
* The `realm` must be either `sms` or `email`, matching the [POST /passwordless/start](#get-code-or-link) request.
* The `otp` should be the user's verification code.
* The `redirect_uri` is a required callback URL that must be registered in your application's **Allowed Callback URLs**.

### Learn More

* [Passwordless Authentication](https://auth0.com/docs/authenticate/passwordless)

## Headers

<ParamField header="DPoP" type="string">
  A DPoP proof for the request. Optional; required only if your application uses Demonstrating Proof-of-Possession (DPoP).
</ParamField>

## Body Parameters

<ParamField body="grant_type" type="string" required>
  Should be `http://auth0.com/oauth/grant-type/passwordless/otp`.
</ParamField>

<ParamField body="client_id" type="string" required>
  The `client_id` of your application.
</ParamField>

<ParamField body="client_secret" type="string">
  The `client_secret` of your application. Required for Regular Web Applications only.
</ParamField>

<ParamField body="otp" type="string" required>
  The user's verification code.
</ParamField>

<ParamField body="realm" type="string" required>
  Should match the connection used.

  Allowed values: `email`, `sms`
</ParamField>

<ParamField body="username" type="string" required>
  The user's phone number or email.
</ParamField>

<ParamField body="audience" type="string">
  API Identifier of the API for which you want to get an Access Token.
</ParamField>

<ParamField body="resource" type="string">
  The identifier of the target API (resource server) you want to access. Must match an API Identifier registered in your Auth0 tenant. Used as an alternative to `audience` when the tenant's [Resource Parameter Compatibility Profile](https://auth0.com/docs/get-started/tenant-settings#settings-advanced) is set to `compatibility`.
</ParamField>

<ParamField body="scope" type="string">
  Use `openid` to get an ID Token.
</ParamField>

<ParamField body="redirect_uri" type="string" required>
  A callback URL that has been registered with your application's Allowed Callback URLs.
</ParamField>
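
The following is an added example, not Auth0's own code: it assembles the `POST /oauth/token` request from the parameters above and rejects a `username` that does not match the `realm` before anything is sent. The function name, the placeholder tenant URL, the JSON request body, and the E.164-style phone check are assumptions.

```python
import json
import re
import urllib.request

OTP_GRANT = "http://auth0.com/oauth/grant-type/passwordless/otp"
TENANT = "https://YOUR_TENANT.example"  # placeholder, not a real tenant


def build_otp_token_request(client_id, username, otp, realm, redirect_uri,
                            client_secret=None, audience=None, scope=None,
                            dpop_proof=None):
    """Return an unsent urllib Request for POST /oauth/token (hypothetical helper)."""
    if realm not in ("sms", "email"):
        raise ValueError("realm must be 'sms' or 'email'")
    # username must be the identifier type that matches the realm
    if realm == "email" and "@" not in username:
        raise ValueError("realm=email needs an email address as username")
    # Assumption: phone numbers are written in E.164 form (+ and digits)
    if realm == "sms" and not re.fullmatch(r"\+[0-9]{6,15}", username):
        raise ValueError("realm=sms needs a phone number as username")
    if not (client_id and otp and redirect_uri):
        raise ValueError("client_id, otp and redirect_uri are required")
    body = {
        "grant_type": OTP_GRANT,
        "client_id": client_id,
        "username": username,
        "otp": otp,
        "realm": realm,
        "redirect_uri": redirect_uri,
    }
    # Optional parameters are sent only when set. client_secret applies to
    # Regular Web Applications only, so it belongs in server-side code.
    optional = {"client_secret": client_secret, "audience": audience,
                "scope": scope}
    body.update({k: v for k, v in optional.items() if v is not None})
    headers = {"Content-Type": "application/json"}  # assumption: JSON body
    if dpop_proof is not None:
        headers["DPoP"] = dpop_proof
    return urllib.request.Request(TENANT + "/oauth/token",
                                  data=json.dumps(body).encode(),
                                  headers=headers, method="POST")


if __name__ == "__main__":
    # Constructed sample values; the request is built but never sent.
    req = build_otp_token_request("CLIENT_ID", "user@example.com", "123456",
                                  "email", "https://app.example/callback",
                                  scope="openid")
    print(req.get_method(), req.full_url)
    print(json.dumps(json.loads(req.data), indent=2))
```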

## Response Messages

| Status | Description                        |
| ------ | ---------------------------------- |
| 200    | User authenticated successfully.   |
| 400    | Bad Request. Invalid parameters.   |
| 401    | Unauthorized. Invalid credentials. |
