Confirm MFA enrollment
Verifies a 6-digit TOTP code against the pending secret, enables MFA, and returns one-time backup codes.
curl -X POST "https://slugbase.app/api/auth/mfa/enroll/confirm" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer YOUR_API_TOKEN (JWT or sb_ API token)" \
-d '{
"code": "example_string"
}'
import requests
import json
url = "https://slugbase.app/api/auth/mfa/enroll/confirm"
headers = {
"Content-Type": "application/json",
"Authorization": "Bearer YOUR_API_TOKEN (JWT or sb_ API token)"
}
data = {
"code": "example_string"
}
response = requests.post(url, headers=headers, json=data)
print(response.json())
const response = await fetch("https://slugbase.app/api/auth/mfa/enroll/confirm", {
method: "POST",
headers: {
"Content-Type": "application/json",
"Authorization": "Bearer YOUR_API_TOKEN (JWT or sb_ API token)"
},
body: JSON.stringify({
"code": "example_string"
})
});
const data = await response.json();
console.log(data);
package main
import (
"fmt"
"net/http"
"bytes"
"encoding/json"
)
func main() {
data := []byte(`{
"code": "example_string"
}`)
req, err := http.NewRequest("POST", "https://slugbase.app/api/auth/mfa/enroll/confirm", bytes.NewBuffer(data))
if err != nil {
panic(err)
}
req.Header.Set("Content-Type", "application/json")
req.Header.Set("Authorization", "Bearer YOUR_API_TOKEN (JWT or sb_ API token)")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
fmt.Println("Response Status:", resp.Status)
}
require 'net/http'
require 'json'
uri = URI('https://slugbase.app/api/auth/mfa/enroll/confirm')
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
request = Net::HTTP::Post.new(uri)
request['Content-Type'] = 'application/json'
request['Authorization'] = 'Bearer YOUR_API_TOKEN (JWT or sb_ API token)'
request.body = '{
"code": "example_string"
}'
response = http.request(request)
puts response.body
{
"backup_codes": [
"example_string"
]
}
{
"error": "Bad Request",
"message": "The request contains invalid parameters or malformed data",
"code": 400,
"details": [
{
"field": "email",
"message": "Invalid email format"
}
]
}
{
"error": "Unauthorized",
"message": "Authentication required. Please provide a valid API token",
"code": 401
}
{
"error": "Conflict",
"message": "The request conflicts with the current state of the resource",
"code": 409,
"details": "Resource already exists"
}
/api/auth/mfa/enroll/confirm
Use Authorization: Bearer <token>. Personal API tokens from Profile use the sb_ prefix.
You may also send the access JWT as Bearer (same value as the token cookie after login).
Authorization: Bearer <token>. Personal API tokens from Profile use the sb_ prefix.
You may also send the access JWT as Bearer (same value as the token cookie after login).
The media type of the request body
6-digit TOTP from the authenticator app
Request Preview
Response
Response will appear here after sending the request
Authentication
Bearer token (JWT or sb_ API token). Use Authorization: Bearer \<token\>. Personal API tokens from Profile use the sb_ prefix.
You may also send the access JWT as Bearer (same value as the token cookie after login).
Body
6-digit TOTP from the authenticator app
Responses
One-time codes; shown once
Stable machine-readable codes include:
MFA_ALREADY_ENABLED, INVALID_CODE, MFA_PENDING_INVALID, MFA_NO_PENDING,
MFA_NOT_ENABLED, PASSWORD_REQUIRED, INVALID_PASSWORD.
Stable machine-readable codes include:
MFA_ALREADY_ENABLED, INVALID_CODE, MFA_PENDING_INVALID, MFA_NO_PENDING,
MFA_NOT_ENABLED, PASSWORD_REQUIRED, INVALID_PASSWORD.
Last updated Apr 17, 2026
Built with Documentation.AI