/auth endpoint always returns stat OK regardless of passcode value?

I am using /auth/v2/auth endpoint for my API to do 2FA.

I am doing a HTTP POST
■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■/auth/v2/auth
factor=passcode&passcode=123456&username=someuser

I get stat=Ok in the response regardless the value of passcode.
But from my Duo2FA mobile, the passcode for this user is clearly no 123456

But when I look at the administation log form Duo admin webpage it says:
Denied
Invalid passcode

Is the usage correct or there is something wrong on the Duo side?

OK means the auth request was successfully sent. Look at the result value and you shouls see it is deny. Please review the “Response Formats” table at Auth API | Duo Security.

If your post to /auth used async then you need to poll auth_status using the txid returned by /auth to see that deny result.