
Auth Mfa API

Auto-generated from openapi-snapshot.json. Do not edit by hand — changes are overwritten by scripts/docs/generate_api_reference.py.

12 endpoints in this group.

POST /api/auth/mfa/backup-codes/regenerate

Regenerate Backup Codes

Responses

| Code | Description |
| --- | --- |
| 200 | Successful Response |

POST /api/auth/mfa/challenge

Mfa Challenge

Trade an mfa-pending token + second-factor code for a full JWT. Called from the frontend after the initial password login returns {mfa_required: true, mfa_token}.

Request body: application/json

Responses

| Code | Description |
| --- | --- |
| 200 | Successful Response |
| 422 | Validation Error |

GET /api/auth/mfa/methods

Mfa Methods

Responses

| Code | Description |
| --- | --- |
| 200 | Successful Response |

POST /api/auth/mfa/reset/confirm

Mfa Reset Confirm

Public — consume an mfa-reset JWT and clear the user’s 2FA enrollment.

Single-use enforcement: the token’s jti (or a sha256 of the token when no jti claim is present) is written to mfa_reset_tokens_used on first consumption. A second call with the same token returns 410 Gone.
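An added example, not BlitzPulse's own code, of the single-use check described above: the token's identifier is written through a uniqueness constraint so that first use and replay detection are one atomic step. HS256 with a shared secret, the `purpose` claim, the 401 status for invalid tokens and the SQLite store are assumptions; only the table name, the jti/sha256 rule and the 410 response come from this page.

```python
import base64, hashlib, hmac, json, sqlite3, time

SECRET = b"constructed-demo-key"  # assumption: HS256 with a shared secret

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def make_token(claims):
    """Build a constructed HS256 JWT for the demo."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64e(_sign(f'{head}.{body}'))}"

def open_store():
    db = sqlite3.connect(":memory:")
    # PRIMARY KEY makes first use atomic: a replayed token fails on INSERT.
    db.execute("CREATE TABLE mfa_reset_tokens_used (token_id TEXT PRIMARY KEY, used_at REAL)")
    return db

def confirm_reset(db, token, now=None):
    """Return the HTTP status the confirm endpoint would send."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(_sign(f"{head}.{body}"), _b64d(sig)):
            return 401  # assumption: the page does not give the bad-token status
        claims = json.loads(_b64d(body))
    except ValueError:
        return 401
    if claims.get("purpose") != "mfa-reset" or claims.get("exp", 0) <= now:
        return 401  # "purpose" is a hypothetical claim name
    # jti when present, otherwise sha256 of the whole token, as the page describes
    token_id = claims.get("jti") or hashlib.sha256(token.encode()).hexdigest()
    try:
        with db:  # commit on success, roll back on error
            db.execute("INSERT INTO mfa_reset_tokens_used VALUES (?, ?)", (token_id, now))
    except sqlite3.IntegrityError:
        return 410  # Gone: this token was already consumed
    # The real handler would clear the user's 2FA enrollment here.
    return 200
```

Signature and expiry are checked before the insert, so invalid or expired tokens never add rows to `mfa_reset_tokens_used`.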

Request body: application/json

Responses

| Code | Description |
| --- | --- |
| 200 | Successful Response |
| 422 | Validation Error |

POST /api/auth/mfa/reset/request

Mfa Reset Request

Authenticated — issue a signed reset token and email it to the user.

Rate-limited at the app layer (see core/rate_limit.py::mfa_reset_rate_limit); the limit is applied via a decorator on the route.

Responses

| Code | Description |
| --- | --- |
| 200 | Successful Response |

POST /api/auth/mfa/sms/setup

Sms Setup

Request body: application/json

Responses

| Code | Description |
| --- | --- |
| 200 | Successful Response |
| 422 | Validation Error |

POST /api/auth/mfa/sms/verify

Sms Verify

Request body: application/json

Responses

| Code | Description |
| --- | --- |
| 200 | Successful Response |
| 422 | Validation Error |

POST /api/auth/mfa/totp/setup

Totp Setup

Responses

| Code | Description |
| --- | --- |
| 200 | Successful Response |

POST /api/auth/mfa/totp/verify

Totp Verify

Request body: application/json

Responses

| Code | Description |
| --- | --- |
| 200 | Successful Response |
| 422 | Validation Error |

GET /api/auth/mfa/trusted-devices

List Trusted Devices

List active trusted devices for the authenticated user.

Responses

| Code | Description |
| --- | --- |
| 200 | Successful Response |

DELETE /api/auth/mfa/trusted-devices/{device_id}

Revoke Trusted Device

Revoke a single trusted device and audit the event.

Parameters

| Name | In | Type | Required | Description |
| --- | --- | --- | --- | --- |
| device_id | path | integer | required | |

Responses

| Code | Description |
| --- | --- |
| 204 | Successful Response |
| 422 | Validation Error |

DELETE /api/auth/mfa/{method}

Delete Method

Parameters

| Name | In | Type | Required | Description |
| --- | --- | --- | --- | --- |
| method | path | string | required | |

Responses

| Code | Description |
| --- | --- |
| 204 | Successful Response |
| 422 | Validation Error |