Zitadel Preview Docs

Issue a factor challenge

Issues a single-factor verification challenge within an auth attempt. This advances the authentication state machine by requesting a specific factor method (password, passkey, TOTP, OTP via SMS, etc.). The server responds with challenge details including method, metadata, and any UI hints. The client then verifies the proof by calling POST /auth_attempts/{attempt_id}/challenges/{challenge_id}/verify.

POST
/auth_attempts/{attempt_id}/challenges

Issues a single-factor verification challenge within an auth attempt.

This advances the authentication state machine by requesting a specific factor method (password, passkey, TOTP, OTP via SMS, etc.). The server responds with challenge details including method, metadata, and any UI hints. The client then verifies the proof by calling POST /auth_attempts/{attempt_id}/challenges/{challenge_id}/verify.

Authorization

oauth2 auth_attempts.write
AuthorizationBearer <token>

In: header

Scope: auth_attempts.write

Path Parameters

attempt_id*string

The unique identifier of the authentication attempt

Request Body

application/json

TypeScript Definitions

Use the request body type in TypeScript.

Request to issue a factor challenge.

The method field selects which factor to challenge. Additional fields are only relevant for specific methods:

  • passkey_options is optional and only used when method is passkey.
  • idp_provider is required when method is idp and must be omitted otherwise. This conditional requirement is enforced server-side.

Response Body

application/json

application/json

curl -X POST "https://example.com/auth_attempts/abc123def456/challenges" \  -H "Content-Type: application/json" \  -d '{    "method": "password"  }'
{  "challenge_id": "abc123def456",  "method": "password",  "state": "pending",  "created_at": "2026-04-28T15:31:00Z",  "expires_at": "2026-04-28T15:41:00Z",  "payload": {}}

{  "code": "att.not_found",  "message": "The auth attempt was not found."}