> ## Documentation Index
> Fetch the complete documentation index at: https://docs.byzantine.fi/llms.txt
> Use this file to discover all available pages before exploring further.

# Step 2 Authenticate with OTP code

> Returns a session ID that can be used to submit an authenticated action.



## OpenAPI

````yaml /api-reference/openapi-integrator.json post /v1/submit/otp-auth
openapi: 3.0.3
info:
  title: Byzantine Integrator API
  description: Byzantine REST API for integrators.
  license:
    name: ''
  version: 0.2.0
servers:
  - url: https://sandbox.api.byzantine.fi
    description: Sandbox
security: []
tags:
  - name: API health
    description: Check API status.
  - name: Customer management
    description: Endpoints to create, update, and retrieve customer information.
  - name: Account management
    description: Endpoints to manage accounts, bank accounts, invitations, and user roles.
  - name: Products
    description: Endpoints to get data about products and vaults.
  - name: Transactions
    description: Endpoints to create and manage transactions.
  - name: OTP authentication
    description: Endpoints to initialize and manage user authentication with OTP.
  - name: Webhooks
    description: Integrator-managed outbound webhook subscriptions and delivery history.
paths:
  /v1/submit/otp-auth:
    post:
      tags:
        - OTP authentication
      summary: Step 2 Authenticate with OTP code
      description: Returns a session ID that can be used to submit an authenticated action.
      operationId: otp_auth
      parameters:
        - name: X-Pubkey
          in: header
          description: >-
            Integrator's ECDSA public key (P-256 curve, compressed SEC1 format).
            Example:
            0x038fedef7c12f93bbf342ad8943b7a825a3b41f61c9dc118b2c718efebabbf62fd
          required: true
          schema:
            type: string
        - name: X-Timestamp
          in: header
          description: >-
            Unix timestamp in seconds (UTC). Must be within tolerance window (1
            minute) to prevent replay attacks. Example: 1760375826
          required: true
          schema:
            type: string
        - name: X-Signature
          in: header
          description: >-
            ECDSA signature (DER-encoded, hex with 0x prefix). Signs the
            message: {timestamp}{METHOD}{path_and_query}{json_body}. Example:
            0x3045022100...
          required: true
          schema:
            type: string
      requestBody:
        description: Authenticate with OTP code
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/OtpAuthRequestBody'
        required: true
      responses:
        '200':
          description: OTP authentication successful
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OtpAuthResponse'
        '400':
          description: Invalid OTP code or request payload
        '404':
          description: Account or user not found
        '500':
          description: Internal server error
      security:
        - integrator_auth: []
components:
  schemas:
    OtpAuthRequestBody:
      type: object
      description: Request to authenticate with OTP code
      required:
        - accountId
        - userId
        - otpId
        - otpCode
      properties:
        accountId:
          $ref: '#/components/schemas/Uuid'
        userId:
          $ref: '#/components/schemas/Uuid'
        otpId:
          type: string
          description: The OTP ID returned by init-otp
          example: otp_a1b2c3d4567890abcdef
        otpCode:
          type: string
          description: The OTP code received by email
          example: '123456789'
    OtpAuthResponse:
      type: object
      description: Response from OTP authentication
      required:
        - session
        - sessionId
        - expiresAt
      properties:
        session:
          type: string
          description: Session metadata
        sessionId:
          $ref: '#/components/schemas/Uuid'
        expiresAt:
          type: string
          description: Session expiration timestamp (ISO 8601)
          example: '2026-02-05T12:00:00Z'
    Uuid:
      type: string
      format: uuid
      description: A UUID string
      example: 550e8400-e29b-41d4-a716-446655440000
  securitySchemes:
    integrator_auth:
      type: apiKey
      in: header
      name: X-Pubkey, X-Timestamp, X-Signature

````