Skip to main content
Version: v2

authenticateOtp

This function is only available on the JavaScript SDK. Support for more SDKs will be coming soon.

The authenticateOtp function enables an app using the Beyond Identity SDK to initiate authentication using an OTP. The OTP gets sent to the provided email address. This function is used in conjunction with redeemOtp.

Dependencies​

The authenticateOtp function requires the Beyond Identity Javascript SDK.

yarn add @beyondidentity/bi-sdk-js

or

npm install @beyondidentity/bi-sdk-js

Prerequisites​

Before making a call to authenticateOtp, you must complete the following prerequisite calls:

  1. Import the required types and functions from the SDK.

    import { Embedded } from '@beyondidentity/bi-sdk-js';
  2. Initialize the SDK.

    // --- Initialize with required arguments
    try {
    const embedded = await Embedded.initialize();
    console.log("Initialization successful", embedded);
    } catch (error) {
    console.error("Initialization failed:", error);
    }

    // --- Initialize with required and optional arguments
    const config = {
    allowedDomains: ["example.com", "another-example.com"],
    logger: function (logType, message) {
    console.log(`[${logType}] ${message}`);
    },
    };

    try {
    const embedded = await Embedded.initialize(config);
    console.log("Initialization successful", embedded);
    } catch (error) {
    console.error("Initialization failed:", error);
    }
  3. Use authenticateOtp to initiate authentication using an OTP.

    await embedded.authenticateOtp(url, email);

Parameters​

ParameterTypeDescription
urlstringRequired. The authentication URL of the current transaction. This URL is generated by the Beyond Identity API's /authorize endpoint in response to a standard OpenID Connect request from your app (see example below). The generated URL is unique for each authentication request. It contains an encoded JWT token containing the challenge for the passkey to sign. (/bi-authenticate?request=someToken)
emailstringRequired. The email address where the OTP gets sent.

Returns​

On success, the authenticateOtp function returns a Promise that resolves to an OtpChallengeResponse, which itself is a JSON object that contains the following keys:

url: object containing a URL containing the authentication state.

note

This URL should be saved and used when calling redeemOtp.

Examples​

Example: Call authenticateOtp​

let authenticateResponse = await embedded.authenticateOtp(url, email);

Example: Retrieve Beyond Identity authentication url via OIDC call​

The app sends an OIDC call to the Beyond Identity API's /authorize endpoint:

GET https://auth-us.beyondidentity.com/v1/tenants/{TENANT_ID}/realms/{REALM_ID}/applications/{APPLICATION_ID}/authorize?client_id={CLIENT_ID}&scope=openid&response_type=code&redirect_uri={REDIRECT_URI}&state=8LIY29kN8Oz7zrAhb8xb0yvem-gvnRy1HTn03MAuL_E

where the following elements match the corresponding properties of the app as configured in your Beyond Identity tenant:

PropertyDescription
TENANT_IDThe Tenant ID of the tenant in which the app is configured.
REALM_IDThe Realm ID of the realm in which the app is configured.
APPLICATION_IDThe Application ID from the header of the app's configuration page.
CLIENT_IDThe Client ID from the External Protocol tab of the app's configuration page.
REDIRECT_URIMatches one of the Redirect URIs configured on the External Protocol tab of the app's configuration page, URL encoded.

When the Invocation Type configured on the Authenticator Config tab of the app's configuration page is set to Manual, it returns a JSON object:

{ "authenticate_url": "http://localhost:8083/bi-authenticate?request={BI_JWT}" }

where BI_JWT is a base64url encoded JWT token containing the challenge and other data to kick off the passkey authentication.

When the Invocation Type on the app is set to Automatic, it returns an HTTP 302 to the authentication URL:

http/1.1 302 Found
...
location: http://localhost:8083/bi-authenticate?request={BI_JWT}

where BI_JWT is a base64url encoded JWT token containing the challenge and other data to kick off the passkey authentication.