SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).

SuperTokens.com

For the third-party auth / passwordless recipe, is there an official way for prompting re-authentication when doing dangerous actions?
E.g. Suppose we're an API company, and we want to allow users to revoke API keys. If the user wants to wants to revoke a key, we want to perform some sort of check, such as sending them an OTP via email.

What you want to do is the following:
- On session creation, you want to add a time stamp to the access token payload whose value will be the current time. This value indicates the last time the user was authenticated.

- On a route or API which requires a dangerous action, fetch the access token payload and check the value of the timestamp. If this value is before a certain time (say before 5 mins ago), then redirect the user to a screen asking them to relogin, or do some login challenge.

- Whichever login challenge you show, in it's API, once the login challenge is finished, you want to update the timestamp in the access token payload.

Now coming to the actual login challenge, what flow do you want there?