MFA
Complete MFA step-up after login
Uses the slugbase.mfa_pending cookie from password login or OIDC redirect (not the access JWT).
On success, clears the pending cookie and sets the access JWT. Strict rate limiting applies.
curl -X POST "//api/auth/mfa/verify" \
-H "Content-Type: application/json" \
-d '{
"code": "example_string"
}'
import requests
import json
url = "//api/auth/mfa/verify"
headers = {
"Content-Type": "application/json"
}
data = {
"code": "example_string"
}
response = requests.post(url, headers=headers, json=data)
print(response.json())
const response = await fetch("//api/auth/mfa/verify", {
method: "POST",
headers: {
"Content-Type": "application/json"
},
body: JSON.stringify({
"code": "example_string"
})
});
const data = await response.json();
console.log(data);
package main
import (
"fmt"
"net/http"
"bytes"
"encoding/json"
)
func main() {
data := []byte(`{
"code": "example_string"
}`)
req, err := http.NewRequest("POST", "//api/auth/mfa/verify", bytes.NewBuffer(data))
if err != nil {
panic(err)
}
req.Header.Set("Content-Type", "application/json")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
fmt.Println("Response Status:", resp.Status)
}
require 'net/http'
require 'json'
uri = URI('//api/auth/mfa/verify')
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
request = Net::HTTP::Post.new(uri)
request['Content-Type'] = 'application/json'
request.body = '{
"code": "example_string"
}'
response = http.request(request)
puts response.body
{
"id": "example_string",
"email": "user@example.com",
"name": "John Doe",
"user_key": "example_string",
"is_admin": true,
"email_verified": true,
"language": "example_string",
"theme": "example_string"
}
{
"error": "Bad Request",
"message": "The request contains invalid parameters or malformed data",
"code": 400,
"details": [
{
"field": "email",
"message": "Invalid email format"
}
]
}
{
"error": "Unauthorized",
"message": "Authentication required. Please provide a valid API token",
"code": 401
}
{
"error": "Forbidden",
"message": "You don't have permission to access this resource",
"code": 403
}
{
"error": "Too Many Requests",
"message": "Rate limit exceeded. Please try again later",
"code": 429,
"retryAfter": 3600
}
POST
/api/auth/mfa/verify
POST
Content-Typestring
RequiredThe media type of the request body
Options: application/json
codestring
Required6-digit TOTP or a 16-character lowercase hex backup code
Request Preview
Response
Response will appear here after sending the request
Body
application/json
codestring
Required6-digit TOTP or a 16-character lowercase hex backup code
Responses
idstring
emailstring
namestring
user_keystring
is_adminboolean
email_verifiedboolean
languagestring
themestring
Was this page helpful?
Last updated today
Built with Documentation.AI