/usersendpoint and receives a User object with an embedded authentication token.
/verificationsendpoint. For some verification methods, this is a single step since the data will be provided immediately (e.g. passport, driver's license, etc.). In other cases, this is a two-step process since the user must wait for verification data to arrive (e.g. SMS, email).
verificationsarray along with the user field being verified.
phone, and the verification's value (from the process above) matches the user's phone number, the user's phone number becomes verified. Verification objects of all types can be attached to the user, but only
/tokensendpoint and receives an authentication token. The login can be either a single step process (e.g. username + password) or a two-step process, where the user needs to provide a secret such as in the case of a phone number + SMS code flow.
/sessionsendpoint, sending the authentication token with the
Authorization: Basicheader. If the authentication token is active, a session token object is returned. If the server replies with a 401 Unauthorized the authentication token is either invalid or has expired. If the server replies with a 400 Bad Request the user account is invalid (e.g. has been locked).
Authorization: Bearerheader for each request to the endpoints. If the server replies with a 401 Unauthorized the session token is either invalid or has expired.