Passwordless login

Sign in with a one-time code sent to your email. No password required.

How it works

  1. Request a code for your email address.
  2. Check your inbox for a 6-digit code.
  3. Submit the code to receive a JWT token.

Request a code

curl -X POST https://api.fold.run/otp/send \
  -H "Content-Type: application/json" \
  -d '{ "email": "you@example.com" }'

A 6-digit code is sent to your email. The code expires after 10 minutes.

To prevent email enumeration, this endpoint always returns a success response, whether or not the email address belongs to an account.

Verify the code

curl -X POST https://api.fold.run/otp/verify \
  -H "Content-Type: application/json" \
  -d '{
    "email": "you@example.com",
    "code": "482916"
  }'

On success, the response contains a JWT and the user record:

{
  "token": "eyJhbGciOiJIUzI1NiJ9...",
  "user": {
    "id": "usr_abc123",
    "email": "you@example.com",
    "role": "admin"
  }
}

If you have two-factor authentication enabled, the response contains an mfa_token instead of a token. Complete login by verifying your TOTP code at /mfa/verify.

Rate limits

  • Code requests: 3 per email per 10 minutes.
  • An IP-based rate limit applies to both endpoints.

Notes

  • OTP login automatically marks your email as verified.
  • Each code can only be used once. Requesting a new code invalidates any previous unused code.
  • OTP login works for existing accounts only. To create a new account, use the signup flow.
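
The rules under "Rate limits" and "Notes" (10-minute expiry, single use, a new code replacing the previous one, 3 requests per email, identical responses for unknown addresses) can be sketched server-side as follows. This is an added example, not fold.run's code: the OtpStore class, the in-memory dictionaries, the outbox list and the 200/429 status values are assumptions made for illustration, and IP-based limiting is left out.

```python
import hashlib
import hmac
import secrets

CODE_TTL = 600      # seconds; codes expire after 10 minutes
MAX_REQUESTS = 3    # code requests per email per 10 minutes


class OtpStore:
    """Hypothetical in-memory store; a real service would use a shared datastore."""

    def __init__(self, known_emails):
        self.known = set(known_emails)
        self.requests = {}  # email -> timestamps of recent code requests
        self.pending = {}   # email -> (SHA-256 of code, expiry time)
        self.outbox = []    # stand-in for the mail sender

    def send(self, email, now):
        recent = [t for t in self.requests.get(email, []) if now - t < CODE_TTL]
        if len(recent) >= MAX_REQUESTS:
            # The limit is counted for unknown addresses too, so a throttled
            # response does not reveal whether an account exists.
            self.requests[email] = recent
            return {"status": 429}
        self.requests[email] = recent + [now]
        if email in self.known:  # OTP login is for existing accounts only
            code = f"{secrets.randbelow(10**6):06d}"
            digest = hashlib.sha256(code.encode()).digest()
            # Overwriting the entry invalidates any previous unused code.
            self.pending[email] = (digest, now + CODE_TTL)
            self.outbox.append((email, code))
        # Same response whether or not the account exists.
        return {"status": 200}

    def verify(self, email, code, now):
        entry = self.pending.get(email)
        if entry is None:
            return False
        digest, expires = entry
        supplied = hashlib.sha256(code.encode()).digest()
        # Constant-time comparison avoids leaking how many digits matched.
        if now >= expires or not hmac.compare_digest(digest, supplied):
            return False
        del self.pending[email]  # each code can only be used once
        return True
```
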