Confirm OTP and Get Quick Session Token
Confirm a one-time password and receive a short-lived session token (48 hours) for immediate device control — no organization or Developer Key required.
This endpoint is designed for consumer applications where a user has purchased a device and wants to control it right away without setting up an organization.
The returned session token works exactly like a Developer Session Token from
/api/sessions/v2, but is scoped to a single device and expires after 48 hours.
Flow
- Device displays OTP on its screen
- Application sends the OTP to this endpoint
- Receives a session token + Device Key
- Uses the session token with
X-Device-Keyheader to control the device - After 48 hours the token expires — repeat the OTP flow to get a new one
Usage
# Step 1: Confirm OTP
curl -X POST https://api.getmelody.io/device/otp/confirm-quick-session \
-H "Content-Type: application/json" \
-d '{"otp": "123456"}'
# Step 2: Use session token to control device
curl https://api.getmelody.io/device/status \
-H "Authorization: Bearer <session_token>" \
-H "X-Device-Key: alpha-bravo-charlie-delta"
Note: For production integrations with multiple devices, use the full
organization-based flow with /device/otp/confirm/v2 and /api/sessions/v2.
Body
The 6-digit one-time password displayed on the device.
"123456"
Response
Quick session created
Response from the quick session endpoint. Contains a short-lived session token and the Device Key for the confirmed device.
JWT session token for device control.
Use as Authorization: Bearer <token> with X-Device-Key header.
"eyJhbGciOiJIUzI1NiIs..."
Token TTL in seconds (default 172800 = 48 hours).
172800
The Device Key in BIP39 word format.
Use as X-Device-Key header value when making API calls.
^[a-z]+-[a-z]+-[a-z]+-[a-z]+$"alpha-bravo-charlie-delta"