> ## Documentation Index
> Fetch the complete documentation index at: https://docs.vaultgraph.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Verify a sign-in code and mint a session token



## OpenAPI

````yaml /api-reference/openapi.yaml post /api/commerce/auth/verify
openapi: 3.1.0
info:
  title: VaultGraph Portal API
  version: 0.1.1
  description: Server-to-server endpoints exposed by the VaultGraph portal (beta).
servers:
  - url: https://app.vaultgraph.com
    description: Production
security: []
tags:
  - name: Shops
    description: Shop management endpoints.
  - name: Commerce
    description: >-
      Deployment-scoped commerce endpoints (catalog, checkout, order).
      Authenticated with a deployment (`dk_`) API key. Internal plumbing between
      the hosted MCP server and the merchant adapter — merchants integrate via
      the MCP, not these REST routes.
paths:
  /api/commerce/auth/verify:
    post:
      tags:
        - Commerce
      summary: Verify a sign-in code and mint a session token
      operationId: verifyAuthentication
      requestBody:
        required: true
        description: >-
          The challenge being answered and the one-time code the customer
          received.
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/AuthVerifyBody'
      responses:
        '200':
          description: A customer-bound session
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    $ref: '#/components/schemas/AuthSession'
        '400':
          description: Invalid request body
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '401':
          description: Missing or invalid API key
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
      security:
        - ApiKeyAuth: []
components:
  schemas:
    AuthVerifyBody:
      type: object
      required:
        - challenge_id
        - code
      properties:
        challenge_id:
          type: string
          description: The `challenge_id` returned when the code was requested.
        code:
          type: string
          description: The one-time code the customer received.
    AuthSession:
      type: object
      description: >-
        A customer-bound session. Send `session_token` on later requests via the
        `x-vg-ctx-session-token` header to act as the signed-in customer.
      required:
        - session_token
      properties:
        session_token:
          type: string
        expires_at:
          type: string
          format: date-time
          description: Expiry of the session token, when the backend exposes one.
    ErrorResponse:
      type: object
      required:
        - error
      properties:
        error:
          type: string
        detail:
          type: string
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      in: header
      name: x-api-key

````