Verify the email code and issue tokens
Completes the login / registration flow started by /auth/lookup. On success the response includes tokens.accessToken and tokens.refreshToken. If the account requires MFA, mfaRequired is true and tokens.mfaAccessToken is issued instead — clients must then complete an MFA verification flow.
Headers
HMAC-SHA256 signature: HMAC-SHA256(secretKey, timestamp + METHOD + path + body). Optional -- when omitted, HMAC verification is skipped.
Request timestamp in epoch milliseconds. Required when x-signature is provided. Rejected if drift exceeds 5 minutes.
Body
OpenAPI schema McpVerifyAuthLookupBodyDto. Mirrors GraphQL VerifyAuthLookupInput.
Same email as in /auth/lookup (required for both login and signup verification).
"alice@example.com"
Numeric verification code emailed to the user.
"123456"
reCAPTCHA token. Verification is skipped automatically in non-production environments.
"recaptcha_token_here"