# Step-up Challenges

## Issue a one-time password that can be used to step-up a token

 - [POST /stepup/challenges/otp/{channel}](https://api.weavr.io/products/multi/openapi/step-up-challenges/stepupscachallenge.md): Initiates the step-up token process by sending an SMS with an one-time-password to a device belonging to the logged-in user that was previously enrolled through /authentication_factors/otp/{channel} endpoint.

This process is required for endpoints that require a step-up token to complete the call.

_Note that on the Sandbox Environment, text messages are not sent and the one-time-password is always \"123456\"._

## Verify a step-up token using a one-time password

 - [POST /stepup/challenges/otp/{channel}/verify](https://api.weavr.io/products/multi/openapi/step-up-challenges/stepupscaverify.md): Completes the verification process for a step up token.
The challenge expires after 5 minutes and the number of incorrect OTP attempts is limited to reduce the risk of fraud, in that case challenge has to be issued again.

_Note that on the Sandbox Environment, text messages are not sent and the verificationCode is always \"123456\"._

## Issue a push notification that can be used to step-up a token

 - [POST /stepup/challenges/push/{channel}](https://api.weavr.io/products/multi/openapi/step-up-challenges/stepupscachallengepush.md): Initiates the step-up token process by submitting a push notification to a device belonging to the logged-in user that was previously enrolled through the /authentication_factors/push/{channel} endpoint.

You should only start this process if the token step-up isn't already in flight.