POST /oauth/token
Verifies multi-factor authentication (MFA) using a recovery code. Some MFA providers (such as Guardian) support using a recovery code to log in. Use this method to authenticate when the user’s enrolled device is unavailable, or when the user cannot receive or accept the challenge due to connectivity issues.
To verify MFA using a recovery code, your app must prompt the user for the recovery code and then make a request to /oauth/token with grant_type=http://auth0.com/oauth/grant-type/mfa-recovery-code. Include the collected recovery code and the mfa_token from the mfa_required error. If the recovery code is accepted, the response will be the same as for the password or http://auth0.com/oauth/grant-type/password-realm grant types. It might also include a recovery_code field, which the application must display to the end user to be stored securely for future use.
Parameters
A DPoP proof for the request. This is optional and only required if your application uses Demonstrating Proof-of-Possession.
Request Body
| Parameter | Description |
|---|---|
| grant_type | Denotes the flow you are using. For recovery code use http://auth0.com/oauth/grant-type/mfa-recovery-code. Allowed values: http://auth0.com/oauth/grant-type/mfa-recovery-code |
| client_id | Your application’s Client ID. |
| client_assertion | A JWT containing a signed assertion with your application credentials. |
| client_assertion_type | The value is urn:ietf:params:oauth:client-assertion-type:jwt-bearer. Allowed values: urn:ietf:params:oauth:client-assertion-type:jwt-bearer |
| client_secret | Your application’s Client Secret. |
| mfa_token | The mfa_token you received from mfa_required error. |
| recovery_code | Recovery code provided by the end-user. |
Response
| Status | Description |
|---|---|
| 200 | Successful response for recovery code verification. |
| 400 | Bad request due to missing or invalid parameters. |
| 401 | Unauthorized, invalid mfa_token or recovery_code. |
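
The request and the handling of the three documented outcomes, as an added example (not Auth0's own code). The tenant domain and credential values are constructed placeholders, and the `access_token` and `token_type` fields in the sample response are an assumption based on the page's statement that the response matches the password grant.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request

GRANT = "http://auth0.com/oauth/grant-type/mfa-recovery-code"

def build_recovery_request(tenant_domain, client_id, mfa_token, recovery_code,
                           client_secret=None):
    """Build the POST /oauth/token request for the recovery-code grant."""
    form = {
        "grant_type": GRANT,
        "client_id": client_id,
        "mfa_token": mfa_token,                  # from the mfa_required error
        "recovery_code": recovery_code.strip(),  # as typed by the user
    }
    if client_secret:                            # confidential clients only
        form["client_secret"] = client_secret
    return Request(
        f"https://{tenant_domain}/oauth/token",
        data=urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )

def interpret_response(status, body):
    """Map the documented 200/400/401 outcomes to an application decision."""
    payload = json.loads(body) if body else {}
    if status == 200:
        return {
            "ok": True,
            # Tokens are kept apart from the recovery code so that they can be
            # stored without the code ending up in the session or in logs.
            "tokens": {k: v for k, v in payload.items() if k != "recovery_code"},
            # When present, display this to the user once; do not log or persist it.
            "new_recovery_code": payload.get("recovery_code"),
        }
    if status == 401:
        # One message for a bad mfa_token and a bad recovery_code, so the UI
        # does not reveal which of the two was wrong.
        return {"ok": False, "message": "Verification failed."}
    return {"ok": False, "message": "Request was rejected."}

if __name__ == "__main__":
    # Constructed values, for illustration only.
    req = build_recovery_request("tenant.example", "CLIENT_ID", "MFA_TOKEN", "ABCD1234")
    print(req.get_method(), req.full_url)
    sample = '{"access_token": "at", "token_type": "Bearer", "recovery_code": "NEWCODE"}'
    print(interpret_response(200, sample)["ok"])
```

Send the request with `urllib.request.urlopen(req)` or any HTTP client, then pass the status code and body to `interpret_response`.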