Device Authentication

These endpoints are designed for authenticating new devices from which the user logs into the web application.

By default, security policies allow users to be logged in on only one device at a time. If a session is active on another device, switching to a new device requires authentication.

API

/api/device/check-session/ checks if an active session is already established for this device.

/api/device/check-otp/ verifies the one-time password sent to the user's email for authenticating the new device.

Check Current Device

/api/device/check-session/

Use this endpoint to check if there are any active sessions on other devices at the moment.

Request

Method POST

Value              Type    Comment
Fingerprint        string  Unique device fingerprint
Email              string  User's email
app                string  Frontend application being used. Accepts values Olga or Morinus
user_agent         string  User Agent - from the HTTP header
device_name        string  Device name, e.g., Windows computer
device_type        string  Device type, e.g., desktop
screen_resolution  string  Screen resolution, e.g., 1900x1200

Response

Success status 200

If the current active session belongs to another device, the endpoint returns confirmed = false and the data of the current active session. It also sends an email with a one-time code for authenticating the current device.

If the current active session matches the current device, the endpoint returns confirmed = true and the data of the current session.

{
    "confirmed": false,
    "active_session": {
        "id": 3,
        "auth_date": "2025-11-20T20:17:46.798774Z",
        "status": "Active", // Active | Abandoned
        "email": "...",
        "app": "Morinus",
        "fingerprint": "1d67c5c...",
        "user_agent": "Mozilla/5.0...",
        "device_name": "Linux Computer",
        "device_type": "desktop",
        "screen_resolution": "1920x1080"
    }
}

Verify One-Time Password

/api/device/check-otp/

Use this endpoint to verify the one-time code sent to the email for authenticating the current device. Please note that the code is valid for 15 minutes.

Request

Method POST

Value  Type  Comment
...    ...   Same parameters as the endpoint above
code   int   6-digit code

Response

Success status 200

If the code is invalid, the endpoint returns an error message.

{
    "error": "Invalid OTP"
}

If the code is valid, the endpoint returns the session data with confirmed = true, exactly like the endpoint above.
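
The two endpoints above chained into one client-side flow, as an added example that is not part of the original documentation. The `post(path, body)` transport and the `askCode(session)` prompt are hypothetical callbacks supplied by the caller; the flow decides on the response body (a literal `confirmed: true` and no `error` key) rather than on the HTTP status alone.

```javascript
// Added example: client-side handling of the two device-auth endpoints.
// `post(path, body)` and `askCode(session)` are hypothetical callbacks (assumptions).
const DEVICE_FIELDS = ["Fingerprint", "Email", "app", "user_agent",
  "device_name", "device_type", "screen_resolution"];
const APPS = ["Olga", "Morinus"];

// Build the request body from the documented fields only; reject gaps and unknown apps.
function buildPayload(device) {
  const body = {};
  for (const f of DEVICE_FIELDS) {
    if (typeof device[f] !== "string" || device[f] === "") {
      throw new TypeError(`missing or non-string field: ${f}`);
    }
    body[f] = device[f];
  }
  if (!APPS.includes(body.app)) throw new RangeError(`unknown app: ${body.app}`);
  return body;
}

// The page types `code` as int: accept exactly six digits, then convert.
// Leading zeros are lost as a number; the page does not say how the server treats that.
function parseOtp(input) {
  const s = String(input).trim();
  if (!/^[0-9]{6}$/.test(s)) throw new RangeError("OTP must be exactly 6 digits");
  return Number(s);
}

// Fail closed: only a literal `confirmed: true` with no `error` key counts,
// so {"error": "Invalid OTP"} or a truthy string never confirms the device.
function isConfirmed(resp) {
  return resp !== null && typeof resp === "object" &&
    !("error" in resp) && resp.confirmed === true;
}

// Check the session first; ask for the e-mailed code only when unconfirmed.
async function authenticateDevice(post, device, askCode) {
  const body = buildPayload(device);
  const session = await post("/api/device/check-session/", body);
  if (isConfirmed(session)) return { confirmed: true, otpUsed: false, error: null };
  // Pass the other device's session data so the UI can show who holds the session.
  const code = parseOtp(await askCode(session && session.active_session));
  const result = await post("/api/device/check-otp/", { ...body, code });
  return { confirmed: isConfirmed(result), otpUsed: true,
           error: (result && result.error) || null };
}
```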