MFA Endpoints
The multi-factor authentication endpoints manage TOTP, SMS, and email-based MFA enrollment and verification. All endpoints require an authenticated session. Served by MfaController at /api/v1/mfa.
Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/v1/mfa/status | Get MFA configuration status |
| POST | /api/v1/mfa/totp/enroll | Initiate TOTP enrollment |
| POST | /api/v1/mfa/totp/verify | Complete TOTP enrollment |
| DELETE | /api/v1/mfa/totp | Disable TOTP |
| POST | /api/v1/mfa/sms/enroll | Initiate SMS enrollment |
| POST | /api/v1/mfa/sms/verify | Complete SMS enrollment |
| POST | /api/v1/mfa/sms/resend | Resend SMS verification code |
| DELETE | /api/v1/mfa/sms | Disable SMS MFA |
| POST | /api/v1/mfa/email/enroll | Initiate email MFA enrollment |
| POST | /api/v1/mfa/email/verify | Complete email MFA enrollment |
| POST | /api/v1/mfa/email/resend | Resend email verification code |
| DELETE | /api/v1/mfa/email | Disable email MFA |
| POST | /api/v1/mfa/backup-codes/regenerate | Regenerate backup codes |
| GET | /api/v1/mfa/backup-codes/count | Get remaining backup code count |
GET /api/v1/mfa/status
Returns the current MFA configuration for the authenticated user, including which methods are enabled and the remaining backup code count.
TOTP Enrollment Flow
- Initiate: `POST /api/v1/mfa/totp/enroll` returns a QR code URI and secret for authenticator app setup
- Verify: `POST /api/v1/mfa/totp/verify` with a valid TOTP code to confirm enrollment

  ```json
  {
    "code": "123456"
  }
  ```

On successful verification, backup codes are returned in the response. These should be stored securely by the user.
| Status | Description |
|---|---|
| 200 | Enrollment completed, backup codes returned |
| 400 | TOTP already configured or invalid code |
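The enrollment flow above, worked end to end as an added example (this is not MfaController's code). It implements RFC 6238 TOTP over HMAC-SHA1 with the standard library, parses the `otpauth://totp/...` URI the way an authenticator app does after scanning the QR code, and models the enroll/verify/disable endpoints in memory. The response field names (`secret`, `qrCodeUri`, `backupCodes`), the ±1-step skew window, the 160-bit secret size and the status returned by `disable` for a user without TOTP are assumptions; the page only fixes the 200/400 semantics listed in the table.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, quote, unquote, urlparse


def totp(secret_b32: str, at: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for a base32 secret at Unix time `at`."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    msg = struct.pack(">Q", at // period)          # 8-byte big-endian step counter
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def parse_otpauth(uri: str) -> dict:
    """What an authenticator app does with the QR code: pull secret/digits/period out of the URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {"label": unquote(u.path.lstrip("/")), "secret": q["secret"],
            "digits": int(q.get("digits", 6)), "period": int(q.get("period", 30))}


class TotpService:
    """In-memory stand-in for the TOTP endpoints (assumed field names and error handling)."""

    def __init__(self, issuer: str = "Example"):
        self.issuer = issuer
        self.pending: Dict[str, str] = {}   # user -> secret issued by /enroll, not yet confirmed
        self.enabled: Dict[str, str] = {}   # user -> confirmed secret

    def enroll(self, user: str) -> Tuple[int, dict]:
        """POST /api/v1/mfa/totp/enroll"""
        if user in self.enabled:
            return 400, {"error": "TOTP already configured"}
        secret = base64.b32encode(secrets.token_bytes(20)).decode()   # 160-bit key, 32 base32 chars
        self.pending[user] = secret                                   # replaces any earlier attempt
        label = quote(f"{self.issuer}:{user}")
        uri = f"otpauth://totp/{label}?secret={secret}&issuer={self.issuer}&digits=6&period=30"
        return 200, {"secret": secret, "qrCodeUri": uri}

    def verify(self, user: str, code: str, now: Optional[int] = None) -> Tuple[int, dict]:
        """POST /api/v1/mfa/totp/verify with {"code": ...}"""
        now = int(time.time()) if now is None else now
        if user in self.enabled:
            return 400, {"error": "TOTP already configured"}
        secret = self.pending.get(user)
        if secret is None:
            return 400, {"error": "no enrollment in progress"}
        # Accept the current 30 s step plus one step either side to absorb clock skew;
        # compare in constant time so a partial match does not leak through timing.
        ok = any(hmac.compare_digest(totp(secret, now + skew), code) for skew in (-30, 0, 30))
        if not ok:
            return 400, {"error": "invalid code"}
        self.enabled[user] = self.pending.pop(user)
        backup_codes = [secrets.token_hex(5) for _ in range(8)]   # shown once; a real store keeps only hashes
        return 200, {"backupCodes": backup_codes}

    def disable(self, user: str) -> int:
        """DELETE /api/v1/mfa/totp (the status for a user without TOTP is an assumption)"""
        return 200 if self.enabled.pop(user, None) is not None else 400


def enroll_and_verify(svc: TotpService, user: str, now: int) -> Tuple[int, dict]:
    """Client side of the flow: enroll, 'scan' the URI, compute the code, verify."""
    status, body = svc.enroll(user)
    if status != 200:
        return status, body
    params = parse_otpauth(body["qrCodeUri"])
    code = totp(params["secret"], now, params["digits"], params["period"])
    return svc.verify(user, code, now)


if __name__ == "__main__":
    print(enroll_and_verify(TotpService(), "alice", int(time.time())))
```

`totp` reproduces the RFC 6238 Appendix B vectors for the seed `12345678901234567890` (base32 `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`), so it can be checked against any authenticator app before being trusted. The secret is only stored server-side once `verify` succeeds; until then a repeated `enroll` simply issues a fresh one.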
SMS Enrollment Flow
- Initiate: `POST /api/v1/mfa/sms/enroll` sends a verification code to the provided phone number

  ```json
  {
    "phoneNumber": "+1234567890"
  }
  ```

- Verify: `POST /api/v1/mfa/sms/verify` with the received code
- Resend: `POST /api/v1/mfa/sms/resend` to request a new code (rate-limited)
| Status | Description |
|---|---|
| 200 | Code sent or enrollment completed |
| 400 | Invalid phone number or SMS already configured |
| 429 | Rate limit exceeded for code resend |
Email MFA Enrollment Flow
The email MFA flow mirrors the SMS flow but sends the verification code to the user's registered email address. Uses the same enroll/verify/resend pattern.
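An added example covering both the SMS flow and the email flow that mirrors it (this is not the project's code). It models the enroll/verify/resend endpoints for either method in memory: the code is generated from a CSPRNG, only its hash is kept, it expires, wrong guesses are capped, and resend returns 429 when called too soon or too often, matching the status table. The `send` callback stands in for the SMS gateway or mailer. The TTL, resend gap, resend cap and guess cap are assumptions; the page only says resend is rate-limited. For email, the caller passes the user's registered address rather than a value from the request body.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Policy knobs; these are assumptions, the page only says resend is rate-limited.
CODE_TTL = 300          # seconds a code stays valid
RESEND_MIN_GAP = 60     # seconds that must pass between sends
MAX_RESENDS = 3         # per enrollment attempt
MAX_ATTEMPTS = 5        # wrong guesses before the pending enrollment is voided

PHONE_RE = re.compile(r"^\+[1-9]\d{6,14}$")            # E.164: '+' then 7..15 digits
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")   # deliberately loose


@dataclass
class Pending:
    destination: str     # phone number or email address
    code_hash: bytes     # sha256 of the code; the plaintext is never kept server-side
    expires_at: int
    last_sent_at: int
    resends: int = 0
    attempts: int = 0


class OtpEnrollmentService:
    """In-memory stand-in for the sms/* and email/* enroll, verify and resend endpoints."""

    def __init__(self, method: str, send: Callable[[str, str], None]):
        if method not in ("sms", "email"):
            raise ValueError(method)
        self.method = method
        self.send = send                         # transport hook: SMS gateway or mailer
        self.pending: Dict[str, Pending] = {}
        self.enabled: Dict[str, str] = {}        # user -> confirmed destination

    def _valid(self, destination: str) -> bool:
        pattern = PHONE_RE if self.method == "sms" else EMAIL_RE
        return pattern.match(destination) is not None

    def _issue(self, destination: str, now: int) -> Pending:
        code = f"{secrets.randbelow(10 ** 6):06d}"   # 6 digits from a CSPRNG
        self.send(destination, code)
        return Pending(destination, hashlib.sha256(code.encode()).digest(),
                       expires_at=now + CODE_TTL, last_sent_at=now)

    def enroll(self, user: str, destination: str, now: int) -> Tuple[int, dict]:
        """POST .../enroll: sms takes phoneNumber from the body, email uses the registered address."""
        if user in self.enabled:
            return 400, {"error": f"{self.method} MFA already configured"}
        if not self._valid(destination):
            return 400, {"error": f"invalid {self.method} destination"}
        self.pending[user] = self._issue(destination, now)
        return 200, {"message": "code sent"}

    def resend(self, user: str, now: int) -> Tuple[int, dict]:
        """POST .../resend: 429 when called too soon or too often."""
        p = self.pending.get(user)
        if p is None:
            return 400, {"error": "no enrollment in progress"}
        if now - p.last_sent_at < RESEND_MIN_GAP or p.resends >= MAX_RESENDS:
            return 429, {"error": "rate limit exceeded"}
        fresh = self._issue(p.destination, now)   # the previous code is invalidated by replacement
        fresh.resends, fresh.attempts = p.resends + 1, p.attempts
        self.pending[user] = fresh
        return 200, {"message": "code sent"}

    def verify(self, user: str, code: str, now: int) -> Tuple[int, dict]:
        """POST .../verify with the received code."""
        p = self.pending.get(user)
        if p is None:
            return 400, {"error": "no enrollment in progress"}
        if now > p.expires_at:
            del self.pending[user]
            return 400, {"error": "code expired"}
        p.attempts += 1
        if not hmac.compare_digest(hashlib.sha256(code.encode()).digest(), p.code_hash):
            if p.attempts >= MAX_ATTEMPTS:      # bound online guessing of a 6-digit code
                del self.pending[user]
            return 400, {"error": "invalid code"}
        self.enabled[user] = p.destination
        del self.pending[user]
        return 200, {"message": "enrollment completed"}
```

The guess cap matters more than the expiry: a 6-digit code has only a million values, so without a cap an attacker who can drive `verify` freely within the TTL has a realistic chance, and resend must not reset the counter (here the count carries over and resends are themselves capped).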
Backup Codes
Backup codes are generated during initial MFA enrollment and can be regenerated at any time.
Regenerate (POST /api/v1/mfa/backup-codes/regenerate): Invalidates all existing backup codes and returns a new set.
Count (GET /api/v1/mfa/backup-codes/count): Returns the number of unused codes, for example `{"remainingCodes": 8}`.
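An added example of the backup-code lifecycle behind the two endpoints above (not the project's code). It generates a set from a CSPRNG using an alphabet without look-alike characters, stores only per-user digests, answers `count`, and regenerates by discarding the old set wholesale. The `redeem` helper represents the login-time check that consumes a code; this page does not document that endpoint, and the set size of 8, the code length and the `xxxxx-xxxxx` display format are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"   # no 0/o/1/i/l, so codes read back from paper
CODE_LEN = 10                                 # 31^10, roughly 49 bits of entropy per code
SET_SIZE = 8                                  # assumed; matches the count example on the page


def _normalise(code: str) -> str:
    """Accept the code however the user typed it: dashes, spaces and case are ignored."""
    return code.replace("-", "").replace(" ", "").lower()


def _digest(user: str, code: str) -> bytes:
    # Bind the digest to the user so identical codes in two accounts never share a digest.
    return hashlib.sha256(f"{user}:{_normalise(code)}".encode()).digest()


class BackupCodeService:
    """In-memory stand-in; only digests of unused codes are ever stored."""

    def __init__(self) -> None:
        self.unused: Dict[str, List[bytes]] = {}

    def regenerate(self, user: str) -> Tuple[int, dict]:
        """POST /api/v1/mfa/backup-codes/regenerate: void the old set, return a new one once."""
        codes = ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN)) for _ in range(SET_SIZE)]
        self.unused[user] = [_digest(user, c) for c in codes]   # overwriting drops every old digest
        return 200, {"backupCodes": [f"{c[:5]}-{c[5:]}" for c in codes]}

    def count(self, user: str) -> Tuple[int, dict]:
        """GET /api/v1/mfa/backup-codes/count"""
        return 200, {"remainingCodes": len(self.unused.get(user, []))}

    def redeem(self, user: str, code: str) -> bool:
        """Login-time check (assumed, not on this page): True exactly once per code."""
        d = _digest(user, code)
        remaining = self.unused.get(user, [])
        hit = -1
        for i, stored in enumerate(remaining):       # walk the whole list, no early exit,
            if hmac.compare_digest(stored, d):       # so timing does not reveal the position
                hit = i
        if hit < 0:
            return False
        del remaining[hit]                           # consumed: the same code never works twice
        return True
```

Because `regenerate` replaces the whole list, a user who suspects the printed sheet was photographed gets a clean slate with one call; the old codes cannot be redeemed even if they were never used.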