Skip to content

/v1/holds/{reservationId}/otp/verify

POST
/v1/holds/{reservationId}/otp/verify
curl --request POST \
--url http://localhost:8787/v1/holds/2489E9AD-2EE2-8E00-8EC9-32D5F69181C0/otp/verify \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: application/json' \
--data '{ "code": "example", "email": "hello@example.com" }'
reservationId
required
string format: uuid
Media typeapplication/json
object
code
required
string
/^[0-9]{6}$/
email
required
string format: email
Examplegenerated
{
"code": "example",
"email": "hello@example.com"
}

Code matched an active, unexpired, not-yet-consumed OTP for this hold+email. The returned token authorizes confirming ONLY this one hold (API-008).

Media typeapplication/json
object
expiresAt
required
string
guestVerificationToken
required
string
Examplegenerated
{
"expiresAt": "example",
"guestVerificationToken": "example"
}

No active OTP for this hold+email, wrong code, expired, or attempt-locked — all fold into the SAME bad_code shape (M4: no oracle for which one it was).

Media typeapplication/problem+json
object
code
required
string
Allowed values: hold_not_found hold_not_held bad_code expired exhausted_attempts rate_limited
detail
required
string
status
required
number
title
required
string
type
required
string
Example
{
"code": "hold_not_found"
}

OTP-verify rate limit exceeded for this hold.

Media typeapplication/problem+json
object
code
required
string
Allowed values: hold_not_found hold_not_held bad_code expired exhausted_attempts rate_limited
detail
required
string
status
required
number
title
required
string
type
required
string
Example
{
"code": "hold_not_found"
}