
URL: https://auth0.com/docs/api/authentication/multi-factor-authentication/request-mfa-challenge

Challenge Request - Auth0 Docs



Endpoint

POST /mfa/challenge

The Multi-factor Authentication (MFA) API endpoints allow you to enforce MFA when users interact with the Token endpoints, as well as enroll and manage user authenticators. First, request a challenge based on the challenge types supported by the application and user. If you know that one-time password (OTP) is supported, you can skip the challenge request. Next, verify the multi-factor authentication using the /oauth/token endpoint and the specified challenge type: a one-time password (OTP), a recovery code, or an out-of-band (OOB) challenge. To learn more, read:

Challenge Request

Request a challenge for multi-factor authentication (MFA) based on the challenge types supported by the application and user. The challenge_type determines how the user receives the challenge and proves possession of the factor. Supported challenge types include:
  • otp: for one-time password (OTP)
  • oob: for SMS/Voice messages or out-of-band (OOB)
If OTP is supported by the user and you don’t want to request a different factor, you can skip the challenge request and verify the multi-factor authentication with a one-time password.

Remarks

  • This endpoint does not support enrollment; the user must be enrolled with the preferred method before requesting a challenge.
  • Auth0 chooses the challenge type based on the application’s supported types and types the user is enrolled with.
  • An unsupported_challenge_type error is returned if your application does not support any of the challenge types the user has enrolled with.
  • An unsupported_challenge_type error is returned if the user is not enrolled.
  • If the user is not enrolled, you will get an association_required error, indicating the user needs to enroll to use MFA. Read Add an authenticator below on how to proceed.

Learn More

Body Parameters

  • mfa_token (string, required): The token received from the mfa_required error.
  • client_id (string, required): Your application’s Client ID.
  • client_secret (string): Your application’s Client Secret.
  • challenge_type (string): A whitespace-separated list of challenge types accepted by your application. Allowed values: oob, otp
  • client_assertion (string): A JWT containing a signed assertion with your application credentials.
  • client_assertion_type (string): The value is urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
  • authenticator_id (string): The ID of the authenticator to challenge.

Response Schema

Response Messages

Status  Description
200     Challenge request successful
400     Invalid request, such as unsupported challenge type or missing enrollment.
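The following is an added example, not Auth0's SDK or sample code, showing how a client assembles the /mfa/challenge request from the parameters above, interprets a 200 or 400 response (including the unsupported_challenge_type and association_required cases from the Remarks), and then builds the follow-up /oauth/token verification body for whichever challenge type Auth0 selected. The endpoint, parameter names, challenge types and error identifiers come from this page; the JSON field names of a successful response (challenge_type, oob_code, binding_method), the error JSON shape (error, error_description) and the two grant-type URIs are assumptions that should be checked against the current Auth0 documentation. The tenant responses are a constructed stand-in so the code runs offline; urllib_transport is the real HTTPS transport you would pass instead.

```python
"""Added example (not Auth0's code): request an MFA challenge and verify it.

From the page: /mfa/challenge, its form parameters, the otp/oob types, and
the unsupported_challenge_type / association_required errors.
Assumed (verify against current Auth0 docs): 200-response fields
challenge_type, oob_code, binding_method; error fields error and
error_description; and the grant-type URIs used at /oauth/token.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlencode

ALLOWED_CHALLENGE_TYPES = ("otp", "oob")
# Assumed grant types used to verify the challenge at /oauth/token.
GRANT_OTP = "http://auth0.com/oauth/grant-type/mfa-otp"
GRANT_OOB = "http://auth0.com/oauth/grant-type/mfa-oob"

# A transport posts form fields to a URL and returns (status, decoded JSON).
Transport = Callable[[str, Dict[str, str]], Tuple[int, dict]]


class MfaError(Exception):
    """A 400 from /mfa/challenge; .code holds the error identifier."""

    def __init__(self, code: str, description: str = "") -> None:
        super().__init__(f"{code}: {description}")
        self.code = code


@dataclass
class Challenge:
    challenge_type: str                   # "otp" or "oob", chosen by Auth0
    oob_code: Optional[str] = None        # present for oob challenges (assumed)
    binding_method: Optional[str] = None  # "prompt": user types a code (assumed)


def build_challenge_body(mfa_token: str, client_id: str, challenge_types: List[str],
                         client_secret: Optional[str] = None,
                         authenticator_id: Optional[str] = None) -> Dict[str, str]:
    """Form fields for POST /mfa/challenge; unknown types are rejected locally."""
    bad = [t for t in challenge_types if t not in ALLOWED_CHALLENGE_TYPES]
    if bad:
        raise ValueError(f"unknown challenge type(s): {bad}")
    body = {"mfa_token": mfa_token, "client_id": client_id,
            "challenge_type": " ".join(challenge_types)}
    if client_secret is not None:  # confidential clients only; never log this
        body["client_secret"] = client_secret
    if authenticator_id is not None:
        body["authenticator_id"] = authenticator_id
    return body


def parse_challenge_response(status: int, payload: dict) -> Challenge:
    """Map the HTTP result to a Challenge, or raise MfaError on a 400."""
    if status == 200:
        return Challenge(payload["challenge_type"], payload.get("oob_code"),
                         payload.get("binding_method"))
    raise MfaError(payload.get("error", f"http_{status}"),
                   payload.get("error_description", ""))


def request_challenge(transport: Transport, domain: str, **fields) -> Challenge:
    status, payload = transport(f"https://{domain}/mfa/challenge",
                                build_challenge_body(**fields))
    return parse_challenge_response(status, payload)


def build_verify_body(challenge: Challenge, mfa_token: str, client_id: str,
                      code: Optional[str] = None) -> Dict[str, str]:
    """Form fields for the follow-up POST /oauth/token (grant types assumed)."""
    body = {"mfa_token": mfa_token, "client_id": client_id}
    if challenge.challenge_type == "otp":
        body.update(grant_type=GRANT_OTP, otp=code or "")
    else:
        body.update(grant_type=GRANT_OOB, oob_code=challenge.oob_code or "")
        if challenge.binding_method == "prompt" and code:
            body["binding_code"] = code  # the code delivered by SMS/voice
    return body


def urllib_transport(url: str, fields: Dict[str, str]) -> Tuple[int, dict]:
    """Real transport: x-www-form-urlencoded POST over HTTPS (not used offline)."""
    req = urllib.request.Request(
        url, data=urlencode(fields).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)


# Constructed stand-in for a tenant so the example runs offline: the mfa_token
# value selects which factors the fictional user is enrolled in.
_ENROLLED = {"tok-otp-user": {"otp"}, "tok-sms-user": {"oob"}, "tok-new-user": set()}


def fake_transport(url: str, fields: Dict[str, str]) -> Tuple[int, dict]:
    enrolled = _ENROLLED.get(fields["mfa_token"], set())
    if not enrolled:
        return 400, {"error": "association_required",
                     "error_description": "user must enroll an authenticator"}
    usable = [t for t in fields["challenge_type"].split() if t in enrolled]
    if not usable:
        return 400, {"error": "unsupported_challenge_type",
                     "error_description": "no enrolled factor matches"}
    if usable[0] == "otp":
        return 200, {"challenge_type": "otp"}
    return 200, {"challenge_type": "oob", "oob_code": "constructed-oob-code",
                 "binding_method": "prompt"}
```

Usage: request_challenge(fake_transport, "example.auth0.com", mfa_token="tok-sms-user", client_id="cid", challenge_types=["otp", "oob"]) returns an oob Challenge, and build_verify_body on it produces the token-request fields with the oob_code and the user's binding_code. Swap fake_transport for urllib_transport to talk to a real tenant. Rejecting unknown challenge types before sending and mapping the two 400 error codes to distinct branches keeps the enrollment-required path (association_required) separate from a plain configuration mismatch (unsupported_challenge_type), which is the distinction the Remarks draw.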
