Verify a candidate PIN for the caller
Story 4 AC-4.5. Compares a candidate PIN against the stored Argon2id hash. After 5 consecutive wrong attempts the user is locked out for 15 minutes (state lives in `pos_cashier_pins.failed_attempts` + `locked_until`); the next call returns 423 until the lock expires. A successful verify resets `failed_attempts` and clears `locked_until`. On the transition into a fresh lockout window, emits one `audit_log` row with action `pos.pin.locked`. Gated by `pos.pin.verify` permission.
Story 4 AC-4.5. Compares a candidate PIN against the stored Argon2id
hash. After 5 consecutive wrong attempts the user is locked out for 15
minutes (state lives in pos_cashier_pins.failed_attempts +
locked_until); the next call returns 423 until the lock expires. A
successful verify resets failed_attempts and clears locked_until.
On the transition into a fresh lockout window, emits one audit_log
row with action pos.pin.locked. Gated by pos.pin.verify permission.
Authorization
bearerAuth In: header
Request Body
application/json
TypeScript Definitions
Use the request body type in TypeScript.
Response Body
application/json
application/json
application/json
application/json
application/json
application/json
application/json
curl -X POST "https://example.com/api/pos/v1/pin/verify" \ -H "Content-Type: application/json" \ -d '{ "pin": "1234" }'{
"verified": true
}{
"error": "string",
"message": "string",
"request_id": "string"
}{
"error": "string",
"message": "string",
"request_id": "string"
}{
"error": "string",
"message": "string",
"request_id": "string"
}{
"error": "string",
"message": "string",
"request_id": "string"
}{
"error": "string",
"message": "string",
"request_id": "string"
}{
"error": "string",
"message": "string",
"request_id": "string"
}Was this page helpful?