Skip to main content
POST
/
api
/
auth
/
verify
curl --request POST \ --url https://mcp.echozero.app/api/auth/verify \ --header 'Content-Type: application/json' \ --data ' { "email": "alice@example.com", "code": "123456", "recaptcha": "recaptcha_token_here" } '
{
  "success": true,
  "data": {
    "newUser": true,
    "onBoardingCompleted": true,
    "mfaRequired": true,
    "user": {
      "id": "507f1f77bcf86cd799439011",
      "username": "alice_bob",
      "email": "alice@example.com",
      "emailVerifiedAt": "2023-11-07T05:31:56Z"
    },
    "tokens": {
      "accessToken": "<string>",
      "refreshToken": "<string>",
      "mfaAccessToken": "<string>"
    },
    "errorMessage": "<string>",
    "unlocksAt": "2023-11-07T05:31:56Z"
  }
}

Headers

x-signature
string

HMAC-SHA256 signature: HMAC-SHA256(secretKey, timestamp + METHOD + path + body). Optional -- when omitted, HMAC verification is skipped.

x-timestamp
string

Request timestamp in epoch milliseconds. Required when x-signature is provided. Rejected if drift exceeds 5 minutes.

Body

application/json

OpenAPI schema McpVerifyAuthLookupBodyDto. Mirrors GraphQL VerifyAuthLookupInput.

email
string
required

Same email as in /auth/lookup (required for both login and signup verification).

Example:

"alice@example.com"

code
string
required

Numeric verification code emailed to the user.

Example:

"123456"

recaptcha
string
required

reCAPTCHA token. Verification is skipped automatically in non-production environments.

Example:

"recaptcha_token_here"

Response

Verification succeeded. Tokens issued unless MFA is required.

success
boolean
required
Example:

true

data
object
required

Endpoint-specific payload