When using Mobile SDK methods for email OTP, SMS OTP, WhatsApp OTP, or authenticator app, you must first track an action using a Server SDK to generate a short-lived token. This token is valid for 10 minutes by default and authorizes a window in which Mobile SDK methods can be used to authenticate the user associated with the token.
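
```javascript
// `authsignal` is an initialized Server SDK client
const request = {
  userId: "dc58c6dc-a1fd-4a4f-8e2f-846636dd4833",
  action: "signIn",
};

// Tracking the action returns the short-lived token for this user
const response = await authsignal.track(request);

const token = response.token;
```
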
For enrollment flows, you must also specify the scope add:authenticators when tracking the action if the user already has an existing authenticator. For more detail refer to our guide on how to ensure a strong binding when adding authenticators.
Then you can use the SDK’s setToken method. You must use the same token for the initial enroll/challenge call and the subsequent verify call.

```swift
authsignal.setToken("eyJhbGciOiJ...")

// Send the user a WhatsApp OTP code
// You can call this multiple times via a 'resend' button
await authsignal.whatsapp.challenge()

// Verify the inputted code matches the original code
let response = await authsignal.whatsapp.verify(code: "123456")
```
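
The server side of this flow, as an added example (not Authsignal's code): the token is issued only for a user the server has already identified, and the 10-minute default window is recorded so the app knows when it needs a new token and a new challenge. Only `track({ userId, action })` and `response.token` come from this page; `issueMobileToken`, `tokenUsable`, the `identity` object and the stub client are hypothetical, and the expiry assumes the default lifetime has not been changed.

```javascript
// Added example. Only track({ userId, action }) returning { token } comes from
// the page; every other name here is hypothetical.
const TOKEN_TTL_MS = 10 * 60 * 1000; // default validity stated on the page

// Track the action for the user the server has already identified.
// userId is taken from server-side state, never from the mobile request body,
// because the token lets the app authenticate as whoever it was issued for.
async function issueMobileToken(authsignal, identity, action, now = Date.now()) {
  if (!identity || !identity.userId) {
    throw new Error("no server-side identity");
  }
  const response = await authsignal.track({ userId: identity.userId, action });
  return { token: response.token, expiresAt: now + TOKEN_TTL_MS };
}

// Challenge and verify must share one token, so check the window before
// verify; once it has closed, track again and send a new challenge.
function tokenUsable(issued, now = Date.now()) {
  return Boolean(issued && issued.token) && now < issued.expiresAt;
}

// Stub standing in for the Server SDK client (constructed for this demo).
function makeStubClient() {
  const calls = [];
  return {
    calls,
    async track(request) {
      calls.push(request);
      return { token: "constructed-token-" + calls.length };
    },
  };
}

async function demo() {
  const client = makeStubClient();
  const t0 = 1700000000000; // constructed timestamp
  const issued = await issueMobileToken(client, { userId: "user-a" }, "signIn", t0);
  return {
    issued,
    trackedUserId: client.calls[0].userId,
    usableAt9Min: tokenUsable(issued, t0 + 9 * 60 * 1000),
    usableAt10Min: tokenUsable(issued, t0 + 10 * 60 * 1000),
  };
}

demo().then((result) => console.log(result));
```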