Yes, it is possible to request an OTP once the user is logged in to confirm dangerous actions. You can add a timestamp to the access token payload indicating the last time the user was authenticated. On a route or API which requires a dangerous action, you can fetch the access token payload and check the value of the timestamp. If this value is before a certain time (say before 5 mins ago), then you can redirect the user to a screen asking them to re-login or do some login challenge, such as entering an OTP. Once the login challenge is finished, you can update the timestamp in the access token payload.
To actually send the OTP, you need to create an API which will first verify the session, and then use the passwordless recipe to generate a code and send the code via SMS / email (we have functions for these in our backend SDKs).
And then when the user types in an OTP, send it to another API of yours which once again verifies the session, and calls the consumeCode function in the passwordless recipe to check if the code is OK or not. If the code is OK, then you can update the session to indicate that the last reauth time is now, and proceed to doing the sensitive operation.