p
For the third-party auth / passwordless recipe, is there an official way for prompting re-authentication when doing dangerous actions? E.g., suppose we're an API company, and we want to allow users to revoke API keys. If the user wants to revoke a key, we want to perform some sort of check, such as sending them an OTP via email.
r
Hey @Philip
p
Hi 🙂
r
What you want to do is the following:
- On session creation, you want to add a timestamp to the access token payload whose value will be the current time. This value indicates the last time the user was authenticated.
- On a route or API which requires a dangerous action, fetch the access token payload and check the value of the timestamp. If this value is before a certain time (say before 5 mins ago), then redirect the user to a screen asking them to relogin, or do some login challenge.
- Whichever login challenge you show, in its API, once the login challenge is finished, you want to update the timestamp in the access token payload.
Now coming to the actual login challenge, what flow do you want there?