> ## Documentation Index
> Fetch the complete documentation index at: https://docs-dev-docs-event-stream-action-templates.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Verify

> Authenticate a user by verifying a passwordless code sent to their phone number or email address.

## Endpoint

`POST /passwordless/verify`

<Note>
  This feature is disabled by default for new tenants as of 8 June 2017. Please see [Application Grant Types](/applications/concepts/application-grant-types) for more information.
</Note>

Once you have a verification code, use this endpoint to login the user with their phone number/email and verification code. This is active authentication, so the user must enter the code in your app.

### Remarks

* The `profile` scope value requests access to the End-User's default profile Claims, which are: `name`, `family_name`, `given_name`, `middle_name`, `nickname`, `preferred_username`, `profile`, `picture`, `website`, `gender`, `birthdate`, `zoneinfo`, `locale`, and `updated_at`.
* The `email` scope value requests access to the `email` and `email_verified` Claims.
* The sample auth0.js script uses the library version 8. If you are using auth0.js version 7, please see this [reference guide](https://auth0.com/docs/libraries/auth0js).

### Learn More

* [Passwordless Best Practices](/connections/passwordless/best-practices)

## Body Parameters

<ParamField body="grant_type" type="string" required>
  Grant type, must be `password`.
</ParamField>

<ParamField body="client_id" type="string" required>
  The `client_id` of your application.
</ParamField>

<ParamField body="connection" type="string" required>
  Use `sms` or `email` (should be the same as [POST /passwordless/start](#get-code-or-link)).

  Allowed values: `email`, `sms`
</ParamField>

<ParamField body="username" type="string" required>
  The user's phone number if `connection=sms`, or the user's email if `connection=email`.
</ParamField>

<ParamField body="password" type="string" required>
  The user's verification code.
</ParamField>

<ParamField body="scope" type="string">
  Use `openid` to get an ID Token, or `openid profile email` to include user profile information in the ID Token.
</ParamField>

<ParamField body="redirect_uri" type="string" required>
  Callback URL registered with your application's Allowed Callback URLs.
</ParamField>

## Response Messages

| Status | Description                                   |
| ------ | --------------------------------------------- |
| 200    | User authenticated successfully.              |
| 400    | Bad Request. Invalid parameters.              |
| 401    | Unauthorized. Invalid credentials.            |
| 403    | Forbidden. Client authentication is required. |
| 500    | Internal Server Error.                        |