Disable MFA
Requires a valid TOTP or unused backup code. Local (password) users must also send password.
OIDC-only users omit password.
```bash
# YOUR_HOST is a placeholder for your server; YOUR_API_TOKEN is a JWT or sb_ API token.
curl -X POST "https://YOUR_HOST/api/auth/mfa/disable" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -d '{
    "code": "example_string",
    "password": "example_string"
  }'
```
```python
import requests

# YOUR_HOST is a placeholder for your server.
url = "https://YOUR_HOST/api/auth/mfa/disable"
headers = {
    "Content-Type": "application/json",
    # YOUR_API_TOKEN is a JWT or sb_ API token.
    "Authorization": "Bearer YOUR_API_TOKEN",
}
data = {
    "code": "example_string",       # TOTP or unused backup code
    "password": "example_string",   # omit for OIDC-only users
}

response = requests.post(url, headers=headers, json=data, timeout=10)
print(response.json())
```
```javascript
// YOUR_HOST is a placeholder for your server; YOUR_API_TOKEN is a JWT or sb_ API token.
const response = await fetch("https://YOUR_HOST/api/auth/mfa/disable", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    "Authorization": "Bearer YOUR_API_TOKEN"
  },
  body: JSON.stringify({
    "code": "example_string",     // TOTP or unused backup code
    "password": "example_string"  // omit for OIDC-only users
  })
});

const data = await response.json();
console.log(data);
```
```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
)

func main() {
	// "password" is omitted for OIDC-only users.
	data := []byte(`{
  "code": "example_string",
  "password": "example_string"
}`)

	// YOUR_HOST is a placeholder for your server.
	req, err := http.NewRequest("POST", "https://YOUR_HOST/api/auth/mfa/disable", bytes.NewBuffer(data))
	if err != nil {
		panic(err)
	}
	req.Header.Set("Content-Type", "application/json")
	// YOUR_API_TOKEN is a JWT or sb_ API token.
	req.Header.Set("Authorization", "Bearer YOUR_API_TOKEN")

	client := &http.Client{}
	resp, err := client.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()

	fmt.Println("Response Status:", resp.Status)
}
```
```ruby
require 'net/http'
require 'json'

# YOUR_HOST is a placeholder for your server.
uri = URI('https://YOUR_HOST/api/auth/mfa/disable')
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true

request = Net::HTTP::Post.new(uri)
request['Content-Type'] = 'application/json'
# YOUR_API_TOKEN is a JWT or sb_ API token.
request['Authorization'] = 'Bearer YOUR_API_TOKEN'
request.body = '{
  "code": "example_string",
  "password": "example_string"
}'

response = http.request(request)
puts response.body
```
```json
{
  "ok": true
}
```

```json
{
  "error": "Bad Request",
  "message": "The request contains invalid parameters or malformed data",
  "code": 400,
  "details": [
    {
      "field": "email",
      "message": "Invalid email format"
    }
  ]
}
```

```json
{
  "error": "Unauthorized",
  "message": "Authentication required. Please provide a valid API token",
  "code": 401
}
```
/api/auth/mfa/disable
Authentication
Bearer token (JWT or sb_ API token). Use Authorization: Bearer \<token\>. Personal API tokens from Profile use the sb_ prefix.
You may also send the access JWT as Bearer (same value as the token cookie after login).
Body
code: TOTP or unused backup code.
password: Required when the user has a local password (omit for OIDC-only).
Responses
Stable machine-readable codes include:
MFA_ALREADY_ENABLED, INVALID_CODE, MFA_PENDING_INVALID, MFA_NO_PENDING,
MFA_NOT_ENABLED, PASSWORD_REQUIRED, INVALID_PASSWORD.
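
The following sketch is an added example, not this project's implementation. It shows server-side decision logic consistent with the rules above: local users must re-enter their password, and any user must present a valid TOTP or unused backup code. The check order, the ±1 step drift window, the `{"code": ...}` result shape, the PBKDF2 password hash and the user record layout are assumptions; the sample account is constructed.

```python
import hashlib, hmac, struct, time

def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    counter = struct.pack(">Q", max(int(at), 0) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F                               # dynamic truncation offset
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def code_hash(code):
    return hashlib.sha256(code.encode()).hexdigest()

def make_user(password=None):
    """Constructed sample account; password=None models an OIDC-only user."""
    salt = b"constructed-salt"
    return {"mfa_enabled": True,
            "totp_secret": b"12345678901234567890",    # RFC 6238 test secret
            "backup_hashes": {code_hash("constructed-backup-1")},  # unused codes only
            "pw_salt": salt,
            "pw_hash": pw_hash(password, salt) if password else None}

def disable_mfa(user, body, now=None):
    """Return {"ok": True} or {"code": <stable code listed above>} (assumed shape)."""
    now = time.time() if now is None else now
    if not user["mfa_enabled"]:
        return {"code": "MFA_NOT_ENABLED"}
    if user["pw_hash"] is not None:                    # local (password) user
        supplied = body.get("password")
        if not supplied:
            return {"code": "PASSWORD_REQUIRED"}
        if not hmac.compare_digest(pw_hash(supplied, user["pw_salt"]), user["pw_hash"]):
            return {"code": "INVALID_PASSWORD"}
    code = str(body.get("code", ""))
    # Assumed drift window: current 30 s step plus one step either side.
    totp_ok = any(hmac.compare_digest(code.encode(),
                                      totp(user["totp_secret"], now + d * 30).encode())
                  for d in (-1, 0, 1))
    if not (totp_ok or code_hash(code) in user["backup_hashes"]):
        return {"code": "INVALID_CODE"}
    # Success: drop the secret and all backup codes so nothing stays replayable.
    user.update(mfa_enabled=False, totp_secret=None, backup_hashes=set())
    return {"ok": True}
```

A session holding only a bearer token cannot strip the second factor from a local account under this logic, because both the password and a current code are checked before any state changes.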
Last updated Apr 17, 2026