
POST /mfa/challenge

The Multi-factor Authentication (MFA) API endpoints allow you to enforce MFA when users interact with the Token endpoints, as well as enroll and manage user authenticators. First, request a challenge based on the challenge types supported by the application and user. If you know that one-time password (OTP) is supported, you can skip the challenge request. Next, verify the multi-factor authentication using the /oauth/token endpoint and the specified challenge type: a one-time password (OTP), a recovery code, or an out-of-band (OOB) challenge. To learn more, read:

Challenge Request

Request a challenge for multi-factor authentication (MFA) based on the challenge types supported by the application and user. The challenge_type determines how the user receives the challenge and proves possession of the factor. Supported challenge types include:
  • otp: for one-time password (OTP)
  • oob: for SMS/Voice messages or out-of-band (OOB)
If the user supports OTP and you don't want to request a different factor, you can skip the challenge request and verify the multi-factor authentication directly with a one-time password.

Remarks

  • This endpoint does not support enrollment; the user must be enrolled with the preferred method before requesting a challenge.
  • Auth0 chooses the challenge type based on the application’s supported types and types the user is enrolled with.
  • An unsupported_challenge_type error is returned if your application does not support any of the challenge types the user has enrolled with.
  • An unsupported_challenge_type error is returned if the user is not enrolled.
  • If the user is not enrolled, you will get an association_required error, indicating the user needs to enroll to use MFA. Read Add an authenticator below on how to proceed.

Parameters

mfa_token (string, required)
    The token received from the mfa_required error.

client_id (string, required)
    Your application's Client ID.

client_secret (string, optional)
    Your application's Client Secret. Used by confidential clients that authenticate with a secret.

challenge_type (string, optional)
    A whitespace-separated list of challenge types accepted by your application. Allowed values: oob, otp

client_assertion (string, optional)
    A JWT containing a signed assertion with your application credentials.

client_assertion_type (string, optional)
    The value is urn:ietf:params:oauth:client-assertion-type:jwt-bearer.

authenticator_id (string, optional)
    The ID of the authenticator to challenge.

Response

Status  Description
200     Challenge request successful.
400     Invalid request, such as unsupported challenge type or missing enrollment.
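The following is an added example (not code from Auth0 or this page) showing how a client builds the /mfa/challenge request described above and maps each documented outcome (OTP or OOB challenge issued, association_required, unsupported_challenge_type) to its next step. The tenant domain is a placeholder, and the 200-response fields challenge_type and oob_code are assumed from Auth0's documented response shape, which this page does not show.

```python
from urllib.parse import urlencode

# Placeholder tenant domain (assumption): replace with your Auth0 domain.
CHALLENGE_URL = "https://YOUR_DOMAIN/mfa/challenge"

ALLOWED_CHALLENGE_TYPES = {"otp", "oob"}


def build_challenge_request(mfa_token, client_id, challenge_types=("otp", "oob"),
                            client_secret=None, authenticator_id=None):
    """Build the form-encoded body for POST /mfa/challenge.

    challenge_types is joined with whitespace, as the endpoint expects.
    Only confidential clients send client_secret; public clients omit it.
    """
    unknown = set(challenge_types) - ALLOWED_CHALLENGE_TYPES
    if unknown:
        raise ValueError(f"unsupported challenge_type(s): {sorted(unknown)}")
    body = {
        "mfa_token": mfa_token,  # value taken from the mfa_required error
        "client_id": client_id,
        "challenge_type": " ".join(challenge_types),
    }
    if client_secret:
        body["client_secret"] = client_secret
    if authenticator_id:
        body["authenticator_id"] = authenticator_id
    return urlencode(body)


def next_step(status, payload):
    """Decide what the client does after the /mfa/challenge response.

    Returns (action, detail). The 200 fields challenge_type and oob_code are
    assumed from Auth0's documented response shape (not shown on this page).
    """
    if status == 200:
        kind = payload.get("challenge_type")
        if kind == "otp":
            return ("prompt_for_otp", None)  # then verify via /oauth/token
        if kind == "oob":
            return ("wait_for_oob", payload.get("oob_code"))
        return ("error", f"unexpected challenge_type {kind!r}")
    error = payload.get("error")
    if error == "association_required":
        return ("enroll_authenticator", None)  # user has no enrolled factor
    if error == "unsupported_challenge_type":
        return ("no_common_factor", None)  # app and user share no type
    return ("error", error or f"HTTP {status}")
```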