Use Cases OOB Email Sign In
Osvaldo Andrade edited this page Feb 12, 2026 · 3 revisions
Authenticate a user via a one-time code sent to email.
- End user
- Client application (frontend)
- Tikti API
- Notification worker (downstream)
- API key is configured for protected endpoints.
- OOB request type is supported by Tikti.
- Email delivery path is available downstream.
- User enters email and triggers sign-in in the client app.
- Client calls `POST /v1/accounts/sendOobCode?key=API_KEY` with email and request type.
- Tikti ensures user identity exists (create if missing), generates OOB code, and stores OOB state.
- Tikti dispatches OOB delivery through the asynchronous integration path.
- User receives the code by email.
- Client sends `POST /v1/accounts/signInWithOobCode` with email, OOB code, and request type.
- Tikti validates code, expiry, single-use, and request type match.
- Tikti returns authentication token payload.
```mermaid
sequenceDiagram
    participant U as End User
    participant F as Client App
    participant T as Tikti API
    participant W as Notification Worker
    participant E as Email Provider
    U->>F: Enter email and click authenticate
    F->>T: POST /v1/accounts/sendOobCode?key=API_KEY
    T->>T: Ensure user exists / generate OOB / persist state
    T->>W: Dispatch OOB delivery task
    W->>E: Send OOB token email
    E-->>U: Deliver token
    U->>F: Enter OOB token
    F->>T: POST /v1/accounts/signInWithOobCode
    T->>T: Validate code, expiry, single-use, requestType
    T-->>F: Auth token payload
    F-->>U: Authenticated session
```
- New user can authenticate without password bootstrap.
- OOB code is single-use and expires deterministically.
- Request type mismatch is rejected.
- Expired code -> authentication denied, requires new OOB request.
- Consumed code reuse -> authentication denied.
- Invalid code or mismatched request type -> authentication denied.
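
The validation step and the three denial cases above, sketched as an added example (not Tikti's own code). `OobStore`, `TTL_SECONDS`, the 8-digit code format, the in-memory dict and the request type strings are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 600  # assumed lifetime; the page does not state one


class OobStore:
    """Hypothetical in-memory stand-in for the persisted OOB state."""

    def __init__(self, now=time.time):
        self._now = now   # injectable clock so expiry is testable
        self._state = {}  # email -> [code_hash, request_type, expires_at, consumed]

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).digest()

    def issue(self, email, request_type):
        code = f"{secrets.randbelow(10**8):08d}"  # assumed 8-digit format
        # Keep only a hash at rest; a new request replaces any earlier code.
        self._state[email.lower()] = [
            self._digest(code), request_type, self._now() + TTL_SECONDS, False]
        return code  # goes to the delivery path, never back to the client

    def redeem(self, email, code, request_type):
        rec = self._state.get(email.lower())
        if rec is None:
            return False
        code_hash, issued_type, expires_at, consumed = rec
        # Constant-time comparisons, evaluated before the other checks.
        code_ok = hmac.compare_digest(self._digest(code), code_hash)
        type_ok = hmac.compare_digest(request_type.encode(), issued_type.encode())
        if not (code_ok and type_ok) or consumed or self._now() >= expires_at:
            return False  # one denial for every failure path
        rec[3] = True  # mark consumed before any token is minted
        return True
```

A failed attempt leaves the stored code unconsumed, so a mistyped code or wrong request type does not lock out the legitimate user before expiry.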