Log in
Body
Response
Session issued — or, when the account's policy requires OTP on login, an intermediate response with otp_required true and a pending_token to exchange at POST /v1/auth/login/otp.
Single-use rotating refresh token (rt_…) to renew the session at POST /v1/auth/refresh without re-login.
owner, operator, viewer Present (true) when the login needs a second step.
Intermediate token for POST /v1/auth/login/otp. It cannot authenticate API requests.
Effective channel of the login challenge. With the phone in binding cooldown the challenge automatically falls back to a stronger factor (authenticator app, then login email) — the code is never sent to a recently linked, unverified number.
sms, whatsapp, email, totp Masked phone the code was sent to.