Complete MFA challenge to obtain JWT

POST

/v1/auth/mfa/challenge

const url = 'https://example.com/v1/auth/mfa/challenge';
const options = {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  body: '{"challenge_id":"2489E9AD-2EE2-8E00-8EC9-32D5F69181C0","code":"example"}'
};

try {
  const response = await fetch(url, options);
  const data = await response.json();
  console.log(data);
} catch (error) {
  console.error(error);
}

curl --request POST \
  --url https://example.com/v1/auth/mfa/challenge \
  --header 'Content-Type: application/json' \
  --data '{ "challenge_id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0", "code": "example" }'

Request Body^required

application/json

object

challenge_id

required

string format: uuid

code

required

6-digit TOTP code or backup code.

string

>= 6 characters <= 20 characters

Example ^generated

{
  "challenge_id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0",
  "code": "example"
}

Responses

200

MFA verified. Returns signed system JWT.

application/json

object

token

Signed system JWT. Null when enrollment_required is true.

string

nullable

expires_at

string format: date-time

nullable

mfa_setup_required

If true, user must enroll MFA before accessing any other endpoint.

boolean

enrollment_required

If true, user must enroll MFA. No token is issued — use challenge_id to complete enrollment.

boolean

challenge_id

Challenge ID for the enrollment flow. Only present when enrollment_required is true.

string format: uuid

nullable

Example ^generated

{
  "token": "example",
  "expires_at": "2026-04-15T12:00:00Z",
  "mfa_setup_required": true,
  "enrollment_required": true,
  "challenge_id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0"
}

400

Malformed request.

application/json

object

code

required

Machine-readable error code (e.g. “not_found”, “tenant_mismatch”).

string

message

required

Human-readable description of the error.

string

details

Optional additional context about the error.

object

key

additional properties

any

notices

Policy notices from determining Cedar rules, if applicable.

Array<string>

Example ^generated

{
  "code": "example",
  "message": "example",
  "details": {},
  "notices": [
    "example"
  ]
}

401

Invalid code, expired challenge, or too many attempts.

application/json

object

code

required

Machine-readable error code (e.g. “not_found”, “tenant_mismatch”).

string

message

required

Human-readable description of the error.

string

details

Optional additional context about the error.

object

key

additional properties

any

notices

Policy notices from determining Cedar rules, if applicable.

Array<string>

Example ^generated

{
  "code": "example",
  "message": "example",
  "details": {},
  "notices": [
    "example"
  ]
}

Complete MFA challenge to obtain JWT

Request Body required

Example generated

Responses

200

Example generated

400

Example generated

401

Example generated

Request Body^required

Example ^generated

Example ^generated

Example ^generated

Example ^generated