> ## Documentation Index > Fetch the complete documentation index at: https://docs.corbado.com/llms.txt > Use this file to discover all available pages before exploring further. # Create a challenge for a user > Creates a new challenge to verify a login identifier for a user by given `userID`. Challenges come in three flavors: **Email OTP**, **SMS OTP**, and **Email Magiclink**. **OTP** stands for One-Time Password. It is a unique code sent to the user via email or SMS, which they must enter to complete the verification process. ## OpenAPI ````yaml https://backendapi.cloud.corbado.io/v2/openapi.yaml post /users/{userID}/challenges openapi: 3.0.3 info: version: 2.0.0 title: Corbado Backend API description: > # Introduction This documentation gives an overview of all Corbado Backend API calls to implement passwordless authentication with Passkeys. contact: name: Corbado team email: support@corbado.com url: https://www.corbado.com servers: - url: https://backendapi.corbado.io/v2 security: - basicAuth: [] tags: - name: Users description: All API calls to manage users - name: Sessions description: All API calls to manage sessions - name: Challenges description: All API calls to manage challenges - name: Identifiers description: All API calls to manage login identifiers - name: Passkeys description: All API calls for passkey flows - name: SSO description: All API calls for SSO flows - name: AuthEvents description: All API calls to manage authentication events - name: PasskeyEvents description: All API calls to manage passkey events - name: ProjectConfig description: All API calls to manage project configurations - name: ConnectTokens description: All API calls to manage connectTokens - name: PasskeyChallenges description: All API calls to manage passkey challenges - name: WebhookEndpoints description: All API calls to manage webhook endpoints - name: PasswordManagers description: All API calls to manage password managers - name: ClientEnvs description: All API calls to manage client environments - name: Devices description: All API calls to manage devices - name: Exports description: All API calls to manage project export files paths: /users/{userID}/challenges: post: tags: - Challenges summary: Create a challenge for a user description: > Creates a new challenge to verify a login identifier for a user by given `userID`. Challenges come in three flavors: **Email OTP**, **SMS OTP**, and **Email Magiclink**. **OTP** stands for One-Time Password. It is a unique code sent to the user via email or SMS, which they must enter to complete the verification process. operationId: ChallengeCreate parameters: - $ref: '#/components/parameters/userID' requestBody: required: true content: application/json: schema: $ref: '#/components/schemas/challengeCreateReq' responses: '200': description: Challenge has been created. content: application/json: schema: $ref: '#/components/schemas/challenge' default: $ref: '#/components/responses/error' security: - basicAuth: [] components: parameters: userID: name: userID in: path description: | Unique identifier of the user. Format: `usr-`. required: true schema: type: string example: usr-4693224802260150919 schemas: challengeCreateReq: type: object required: - challengeType - identifierValue - clientInformation properties: challengeType: $ref: '#/components/schemas/challengeType' identifierValue: type: string example: jane@doe.com challengeMetadata: type: object example: city: Munich lifetimeSeconds: type: integer example: 300 clientInformation: $ref: '#/components/schemas/clientInformation' challenge: type: object required: - challengeID - type - identifierValue - value - expires - status properties: challengeID: type: string type: $ref: '#/components/schemas/challengeType' identifierValue: type: string value: type: string expires: type: integer format: int64 status: $ref: '#/components/schemas/challengeStatus' challengeType: type: string enum: - email_otp - email_link - sms_otp clientInformation: type: object required: - remoteAddress - userAgent - userVerifyingPlatformAuthenticatorAvailable - conditionalMediationAvailable - clientCapabilities - parsedDeviceInfo properties: remoteAddress: description: Client's IP address type: string example: '::ffff:172.18.0.1' userAgent: description: Client's user agent type: string example: >- Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36 clientEnvHandle: description: Client's environment handle type: string javascriptFingerprint: description: Client's fingerprint type: string javaScriptHighEntropy: $ref: '#/components/schemas/javaScriptHighEntropy' bluetoothAvailable: description: Client's Bluetooth availability type: boolean passwordManagerAvailable: description: Client's password manager availability type: boolean userVerifyingPlatformAuthenticatorAvailable: type: boolean conditionalMediationAvailable: type: boolean clientCapabilities: $ref: '#/components/schemas/clientCapabilities' privateMode: type: boolean parsedDeviceInfo: $ref: '#/components/schemas/parsedDeviceInfo' nativeMeta: $ref: '#/components/schemas/nativeMeta' challengeStatus: type: string enum: - pending - completed - expired javaScriptHighEntropy: type: object required: - platform - platformVersion - mobile properties: platform: type: string platformVersion: type: string mobile: type: boolean clientCapabilities: type: object properties: conditionalCreate: type: boolean conditionalMediation: type: boolean hybridTransport: type: boolean passkeyPlatformAuthenticator: type: boolean userVerifyingPlatformAuthenticator: type: boolean parsedDeviceInfo: type: object required: - browserName - browserVersion - osName - osVersion properties: browserName: type: string browserVersion: type: string osName: type: string osVersion: type: string nativeMeta: type: object required: - build properties: build: type: string deviceOwnerAuth: type: string isPlatformAuthenticatorAPISupported: type: boolean isBluetoothAvailable: type: boolean isBluetoothOn: type: boolean googlePlayServices: type: boolean deviceSecure: type: boolean brand: type: string model: type: string responses: error: description: Error content: application/json: schema: allOf: - type: object required: - httpStatusCode - message - requestData - runtime properties: httpStatusCode: description: HTTP status code of operation type: integer format: int32 message: type: string example: OK requestData: description: Data about the request itself, can be used for debugging type: object required: - requestID properties: requestID: description: >- Unique ID of request, you can provide your own while making the request, if not the ID will be randomly generated on server side type: string example: req-557...663 link: description: Link to dashboard with details about request type: string example: >- https://my.corbado.com/requests/req-xxxxxxxxxxxxxxxxxxx runtime: description: Runtime in seconds for this request type: number format: float example: 0.06167686 - type: object required: - error properties: data: type: object error: type: object required: - type properties: type: description: Type of error type: string details: description: Details of error type: string validation: description: Validation errors per field type: array items: type: object required: - field - message properties: field: type: string message: type: string links: description: Additional links to help understand the error type: array items: type: string securitySchemes: basicAuth: type: http scheme: basic description: > Basic authentication is used to authenticate requests to the Backend API. The username is the project ID and the password is the API secret. The project ID and API secret can be found in the [Developer Panel](https://app.corbado.com/settings/api-secrets). ````