Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.scute.io/llms.txt

Use this file to discover all available pages before exploring further.

March 2026

API

MFA now works across all login methods

Previously, multi-factor authentication only kicked in through the challenge-based flow. Now it works everywhere, magic links, OTP, WebAuthn, all of it. If a user has MFA enrolled and your app requires it, they’ll get an mfa_required response instead of tokens, regardless of how they signed in. WebAuthn logins skip MFA by default (it’s already two factors, your device and your face), but you can turn that off per app if you’re feeling strict.

Email OTP

The OTP endpoint used to be phone-only. Now it handles email too. Set email_auth_type to "otp" on your app and the same /auth/:app_id/otps endpoint accepts email addresses. It figures out what you sent it and does the right thing.

User search got smarter

The users endpoint now supports a ?q= parameter. It does fuzzy matching across email, phone, and name using PostgreSQL’s pg_trgm extension. Results come back ranked by relevance. No more exact-match-only filtering.

Verifications API — new actions

Two new endpoints:
  • DELETE /v1/verify/:app_id/verifications/:id — cancel a verification
  • POST /v1/verify/:app_id/verifications/:id/resend — resend it (cancels the old one, creates a fresh one with the same params)
The create endpoint also now accepts full challenge params directly (purpose, method, intent, etc.) alongside the legacy format.

MFA status endpoint

New endpoint for the dashboard: 
GET /v1/verify/:app_id/users/:user_id/mfa
Returns a user’s MFA enrollments, which methods they have, backup codes remaining, everything you need to show on a user detail page.

Rails 7.1

Upgraded from 7.0 to 7.1. Nothing breaks, everything’s a little faster.

Dashboard

Auth settings redesign

The authentication settings page got a full rework. You can now see a visual preview of your login flow, step by step, that updates as you change settings. New options in the settings panel:
  • Email auth type — switch between magic link and OTP
  • MFA policy — disabled, optional, or required
  • Allowed MFA methods — pick from TOTP, passkeys, email OTP, SMS OTP, backup codes
  • WebAuthn skip MFA — toggle whether passkey logins bypass MFA
  • MFA grace period — give users time to set up MFA after you enable it

Challenges page

“User Verification” in the nav is now “Challenges”, because that’s what they are. New full page for browsing, filtering, and creating challenges. You can filter by purpose, method, and status. Each challenge opens in a detail sheet with the full timeline and metadata. You can also create challenges directly from the dashboard now, with a dialog that supports all challenge types and purposes.

MFA verify screen

New MFA verification UI in the login flow. Shows a 6-digit code input (or 8-digit for backup codes), lets users switch between available MFA methods, and handles TOTP / email / SMS / backup codes.