1. Authentication interfaces

There are different authentication controllers.


This controller is used to authenticate simple credentials of event or time based tokens. I.e. the controller has functions like check, check_s, simplecheck… to basically take a username and password to authenticate this user.

The validate controller is also used for challenge response authentication. See Challenge Response for this behaviour.


This controller is used for challenge response tokens following the OCRA standard. The controller also provides a function request to get the challenge but also a function check_t to validate the response to the challenge.

The methods are called as a HTTP GET/POST request and the described parameters are added as HTTP parameters.

The response of the HTTP Request will usually be a JSON object.


To every authentication controller you can add the parameter httperror followed by an HTTP error code. If LinOTP would return HTTP 200/OK with status: false in the JSON response indicating an internal error then LinOTP will instead return a e.g. HTTP 500 error code.