Stytch
Lets an agent manage users and drive authentication flows through Stytch's Consumer (B2C) API: create and search users, send and verify magic links and one-time passcodes, manage passwords and sessions, register TOTP authenticators, and authenticate OAuth tokens.
What it can do
| Method | What it does |
|---|---|
| `stytch_user_create` | Create a user by email or phone number, with optional name, external_id, and metadata. |
| `stytch_user_get` | Get a single user by user_id. |
| `stytch_user_search` | Search users with an optional query object; supports limit and cursor pagination. |
| `stytch_user_update` | Update a user's name, external_id, or metadata. |
| `stytch_user_delete` | Delete a user (irreversible). |
| `stytch_magic_link_email_send` | Send an email magic link to an existing user. |
| `stytch_magic_link_email_login_or_create` | Send an email magic link, creating the user if they do not exist. |
| `stytch_magic_link_authenticate` | Authenticate a magic link token and optionally mint a session. |
| `stytch_otp_sms_send` | Send a one-time passcode by SMS. |
| `stytch_otp_whatsapp_send` | Send a one-time passcode by WhatsApp. |
| `stytch_otp_email_send` | Send a one-time passcode by email. |
| `stytch_otp_authenticate` | Authenticate an OTP using the method_id and code. |
| `stytch_password_create` | Create a password-backed user (password is validated for strength). |
| `stytch_password_authenticate` | Authenticate a user with email and password. |
| `stytch_password_reset_start` | Start a password reset by email. |
| `stytch_password_strength_check` | Check password strength (and breach status if an email is supplied). |
| `stytch_session_get` | List a user's active sessions. |
| `stytch_session_authenticate` | Validate and optionally extend a session token or JWT. |
| `stytch_session_revoke` | Revoke a session by id, token, or JWT. |
| `stytch_totp_create` | Register a TOTP authenticator for a user. |
| `stytch_totp_authenticate` | Authenticate a 6-digit TOTP code. |
| `stytch_oauth_authenticate` | Authenticate an OAuth token returned to your redirect URL. |
| `stytch_request` | Generic passthrough to any Consumer (B2C) endpoint for full API coverage. |
How to get your keys
Stytch authenticates server-side calls with HTTP Basic auth: your Project ID as the username and your Secret as the password. Both come from the same dashboard page.
- Sign in at stytch.com/dashboard.
- Open Project Overview and find the Project ID & API keys section (key management docs).
- Copy the Project ID - it looks like `project-test-...` (Test) or `project-live-...` (Live).
- Copy the Secret - it looks like `secret-test-...` / `secret-live-...`. Keep it private; never expose it in client-side code.
- Note which environment the keys belong to. Test and Live are separate projects with separate keys and separate users.
Fields to fill
| FlyMyAI field | Where it comes from |
|---|---|
| `STYTCH_PROJECT_ID` | Stytch Dashboard -> Project Overview -> Project ID & API keys |
| `STYTCH_SECRET` | Same page as the Project ID (kept private) |
| `STYTCH_ENV` | Optional - `test` (default) or `live`, matching the project whose keys you pasted |
Troubleshooting
- `401 unauthorized_credentials` - the Project ID or Secret is wrong, or they are from different projects. Re-copy both from the same Project Overview page.
- Test keys do not see your live users - Test and Live are separate environments. Set `STYTCH_ENV=live` and use the `project-live-...` / `secret-live-...` pair to act on live data.
- `user_not_found` on magic link send - `stytch_magic_link_email_send` requires an existing user; use `stytch_magic_link_email_login_or_create` to create one on the fly.
- `unable_to_auth_otp_code` / expired - OTP codes are short-lived (a few minutes). Re-send and authenticate promptly with the `method_id` from the send response.
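A preflight check for the three fields, catching the Test/Live mismatches described above before any request is sent. This is an added example, not FlyMyAI's or Stytch's code; the function names `key_env`, `preflight` and `basic_auth_header` are hypothetical, and the check relies only on the key prefixes shown on this page.

```python
import base64

# Prefixes as shown on this page: (Project ID prefix, Secret prefix) per environment.
PREFIXES = {
    "test": ("project-test-", "secret-test-"),
    "live": ("project-live-", "secret-live-"),
}

def key_env(value, kind):
    """Return 'test' or 'live' from the key's prefix, or None if unrecognised."""
    idx = 0 if kind == "project" else 1
    for env, prefixes in PREFIXES.items():
        if value.startswith(prefixes[idx]):
            return env
    return None

def preflight(project_id, secret, stytch_env="test"):
    """Return a list of configuration problems; an empty list means consistent.

    Prefixes cannot tell two projects in the same environment apart, so a
    clean result does not rule out a 401 from keys of different projects.
    Messages name fields and environments only, never the key values.
    """
    problems = []
    pid_env = key_env(project_id, "project")
    sec_env = key_env(secret, "secret")
    if pid_env is None:
        problems.append("STYTCH_PROJECT_ID lacks a project-test-/project-live- prefix")
    if sec_env is None:
        problems.append("STYTCH_SECRET lacks a secret-test-/secret-live- prefix")
    if pid_env and sec_env and pid_env != sec_env:
        problems.append(f"Project ID is {pid_env} but Secret is {sec_env}: "
                        "expect 401 unauthorized_credentials")
    for name, env in (("STYTCH_PROJECT_ID", pid_env), ("STYTCH_SECRET", sec_env)):
        if env and env != stytch_env:
            problems.append(f"{name} is a {env} key but STYTCH_ENV={stytch_env}")
    return problems

def basic_auth_header(project_id, secret):
    """HTTP Basic auth: Project ID as username, Secret as password."""
    token = base64.b64encode(f"{project_id}:{secret}".encode()).decode()
    return {"Authorization": f"Basic {token}"}
```

Run `preflight` on the values before saving them; build the header only server-side and keep it out of logs, since it is the Secret in reversible encoding.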