# POST /auth/otp/verify

> Verify OTP code and get a JWT

Verify the one-time code sent to the user's email or phone and return a JWT. **Passwordless flow** — no password. Use **the same identifier** (email or phone) that was used in [POST /auth/otp/send](/reference/authentication/otp-send).

## Endpoint

```http
POST /v1/public/projects/:projectSlug/auth/otp/verify
```

## Request Body

| Field | Type | Required | Description |
|-------|------|----------|-------------|
| `email` | string | One of email/phone | Same email the OTP was sent to |
| `phone` | string | One of email/phone | Same phone the OTP was sent to (E.164, e.g. `+919876543210`) |
| `code` | string | ✅ | The 6-digit code received by the user |

### Example: Email OTP

```json
{
  "email": "user@example.com",
  "code": "123456"
}
```

### Example: Phone OTP

```json
{
  "phone": "+919876543210",
  "code": "123456"
}
```

## Response

### Success (200 OK)

```json
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "user": {
    "id": "user-uuid-here",
    "email": "user@example.com",
    "name": "Jane Doe"
  }
}
```

For **phone-only users**, `email` may be a placeholder value. Store the `token` for authenticated requests (e.g. `GET /auth/me`).

### Error Responses

| Status Code | Description |
|-------------|-------------|
| 400 | Invalid request (validation failed) |
| 401 | Code is wrong or expired |
| 403 | Email not verified (when project requires verification and user signed in via Email OTP) |
| 500 | Server error |

## Related Endpoints

- [POST /auth/otp/send](/reference/authentication/otp-send) - Send OTP to user
- [GET /auth/me](/reference/authentication/me) - Get current user with the token
