Skip to main content
When using Mobile SDK methods for email OTP, SMS OTP, WhatsApp OTP, or authenticator app, you must first track an action using a Server SDK to generate a short-lived token. This token is valid for 10 minutes by default and authorizes a window in which Mobile SDK methods can be used to authenticate the user associated with the token.
For enrollment flows, you must also specify the scope add:authenticators when tracking the action if the user already has an existing authenticator. For more detail refer to our guide on how to ensure a strong binding when adding authenticators.
Then you can use the SDK’s setToken method. You must use the same token for the initial enroll/challenge call and the subsequent verify call.