Skip to main content

April 2026

API

Intent Verification

New endpoint for server-to-server verification flows with workflow context. Send a verification email or SMS to any user with metadata about what’s being verified — ticket approvals, team invitations, access requests, anything. 
POST /v1/verify/:app_id/verifications/intent
The endpoint accepts an intent_name, delivery method (email or SMS), verification_type (magic link or OTP), and a meta_data object with arbitrary context fields. The user receives a verification with full context about what they’re approving. See the Intent Verification Guide for details.

Challenge-based authentication

The challenge flow now powers all authentication methods. OTP, magic link, and WebAuthn all go through the unified challenge API. This means MFA works consistently everywhere — if a user has MFA enrolled and your app requires it, they’ll always get an mfa_required response regardless of how they signed in. New challenge endpoints:
  • POST /v1/auth/:app_id/challenges — create a challenge
  • POST /v1/auth/:app_id/challenges/:token/verify — verify with code
  • POST /v1/auth/:app_id/challenges/:token/resend — resend delivery
  • POST /v1/auth/:app_id/challenges/:token/deny — deny a challenge
  • DELETE /v1/auth/:app_id/challenges/:token — cancel

Tenant mode

Apps can now be set to verify_only tenant mode — a minimal deployment that only handles verification flows, no login or profile UI. Configure via the API or the new dashboard settings.

SDK

@scute/js-core v0.5.1

  • MFA support in verifyOtp and verifyMagicLinkToken — the SDK now detects mfa_required responses and emits the MFA_REQUIRED auth event
  • New verifyMfaChallenge() method for completing MFA verification
  • New switchMfaMethod() for switching between available MFA methods during verification
  • pendingMfaChallenge getter for accessing the current MFA challenge state
  • resendChallenge() for resending challenge deliveries
  • getChallengeStatus() for checking challenge completion

@scute/nextjs-handlers v0.5.1

  • Updated to use @scute/js-core@0.5.1 with MFA support
  • Fixed workspace:* dependency resolution in published package

@scute/react-hooks v0.5.1

  • AUTH_CHANGE_EVENTS.MFA_REQUIRED event for triggering MFA UI in React apps
  • Re-exports MFA types from js-core