# Verify with Out-of-Band (OOB)

> Verify MFA using an out-of-band (OOB) challenge such as push notification, SMS, or voice.

export const ResponseSchema = ({statusCode, type = "{}", children}) => {
  const [open, setOpen] = useState(false);
  return <div className="border border-gray-100 dark:border-gray-800 rounded-lg mb-3 overflow-hidden">
      <div className={`flex items-center gap-2.5 px-4 py-2.5 cursor-pointer select-none ${open ? "bg-gray-50 dark:bg-gray-800" : ""}`} onClick={() => setOpen(!open)}>
        {statusCode && <span className="border border-gray-300 dark:border-gray-600 text-gray-700 dark:text-gray-300 font-mono text-xs px-1.5 py-0.5 rounded">
            {statusCode.startsWith("default") ? "default" : statusCode}
          </span>}
        <span className="text-gray-500 dark:text-gray-400 text-sm font-mono">
          {type}
        </span>
        <span className="text-gray-400 dark:text-gray-500 text-sm italic">
          application/json
        </span>
        <svg className={`ml-auto opacity-50 transition-transform duration-200 ${open ? "rotate-180" : ""}`} width="16" height="16" viewBox="0 0 16 16" fill="none">
          <path d="M4 6l4 4 4-4" stroke="currentColor" strokeWidth="1.5" strokeLinecap="round" strokeLinejoin="round" />
        </svg>
      </div>
      {open && <div className="px-4 pt-1 pb-3 border-t border-gray-100 dark:border-gray-800">
          {children}
        </div>}
    </div>;
};

## Endpoint

`POST /oauth/token`

Verifies multi-factor authentication (MFA) using an out-of-band (OOB) challenge (push notification, SMS, or voice). To verify MFA using an OOB challenge, your application must make a request to `/oauth/token` with `grant_type=http://auth0.com/oauth/grant-type/mfa-oob`. Include the `oob_code` you received in the challenge response, as well as the `mfa_token` you received as part of the `mfa_required` error.

The response to this request depends on the status of the underlying challenge verification:

* If the challenge has been accepted and verified, the response is the same token response you get from the `password` or `http://auth0.com/oauth/grant-type/password-realm` grant types.
* If the challenge has been rejected, you will get an `invalid_grant` error, meaning that the user rejected the challenge. Stop polling at this point; this response is final.
* If the challenge verification is still pending (it has been neither accepted nor rejected), you will get an `authorization_pending` error, meaning that you must retry the same request a few seconds later. If you poll too frequently, you will get a `slow_down` error and should increase the interval between requests.

When the challenge response includes `binding_method: prompt`, your app must prompt the user for the `binding_code` and send it as part of the request. The `binding_code` is usually a 6-digit number (similar to an OTP) shown to the user as part of the challenge; it binds the out-of-band channel to the channel your app is authenticating on. No `binding_code` is needed if the challenge response did not include a `binding_method`. In the `binding_method: prompt` case there is no polling: the response is immediate, and you will receive either an `invalid_grant` error or an `access_token`.
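The polling loop and the `binding_code` rule described above, as an added example that is not Auth0's own SDK code. It assumes a `post(url, form) -> (status, json_body)` transport so the flow can be exercised offline against a scripted fake of `/oauth/token`; `http_post` is a real transport built on `urllib` for when you point it at your tenant. `TOKEN_URL` is a placeholder, and the HTTP status codes and token values in the fake are constructed for the demo. The backoff policy on `slow_down` (doubling the interval) is this example's choice, not something the page specifies.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

GRANT_TYPE = "http://auth0.com/oauth/grant-type/mfa-oob"
TOKEN_URL = "https://YOUR_DOMAIN/oauth/token"  # placeholder tenant (assumption)

Transport = Callable[[str, Dict[str, str]], Tuple[int, dict]]


class MfaRejected(Exception):
    """invalid_grant: the challenge was rejected. Final; never retry it."""


class MfaPollExhausted(Exception):
    """Challenge still pending after the attempt budget; treat as failure."""


def build_request(client_id: str, mfa_token: str, oob_code: str,
                  binding_method: Optional[str] = None,
                  binding_code: Optional[str] = None,
                  client_secret: Optional[str] = None) -> Dict[str, str]:
    """Form body for the mfa-oob grant; binding_code only when the challenge said binding_method=prompt."""
    form = {"grant_type": GRANT_TYPE, "client_id": client_id,
            "mfa_token": mfa_token, "oob_code": oob_code}
    if client_secret:  # confidential clients only; public/native clients omit it
        form["client_secret"] = client_secret
    if binding_method == "prompt":
        if not (binding_code and binding_code.isdigit()):
            raise ValueError("binding_method=prompt requires the numeric binding_code shown to the user")
        form["binding_code"] = binding_code
    elif binding_code:
        raise ValueError("binding_code supplied but the challenge did not request one")
    return form


def verify_oob(post: Transport, form: Dict[str, str], *, interval: float = 5.0,
               max_attempts: int = 60, sleep: Callable[[float], None] = time.sleep) -> dict:
    """Poll /oauth/token with the same request until the OOB challenge resolves."""
    for _ in range(max_attempts):
        status, body = post(TOKEN_URL, form)
        if status == 200 and "access_token" in body:
            return body
        error = body.get("error")
        if error == "authorization_pending":
            sleep(interval)          # user has not acted yet; resend the identical request
        elif error == "slow_down":
            interval *= 2            # polled too fast; back off (doubling is this example's policy)
            sleep(interval)
        elif error == "invalid_grant":
            raise MfaRejected(body.get("error_description", "challenge rejected"))
        else:
            raise RuntimeError(f"unexpected response {status}: {body.get('error_description', body)}")
    raise MfaPollExhausted("challenge still pending after max_attempts")


def http_post(url: str, form: Dict[str, str]) -> Tuple[int, dict]:
    """Real transport: form-encoded POST that returns (status, JSON) for 4xx responses too."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


class ScriptedAuth0:
    """Constructed offline stand-in for /oauth/token: replays a fixed list of (status, body)."""
    def __init__(self, responses):
        self.responses = list(responses)
        self.seen = []  # every form body the client sent, for inspection

    def __call__(self, url: str, form: Dict[str, str]) -> Tuple[int, dict]:
        self.seen.append(dict(form))
        return self.responses.pop(0)


def demo(sleep: Callable[[float], None] = lambda _s: None) -> dict:
    """Push challenge that is pending twice, triggers one slow_down, then is approved."""
    fake = ScriptedAuth0([
        (400, {"error": "authorization_pending", "error_description": "pending"}),
        (400, {"error": "slow_down", "error_description": "polling too fast"}),
        (400, {"error": "authorization_pending", "error_description": "pending"}),
        (200, {"access_token": "eyJ.constructed.token", "token_type": "Bearer", "expires_in": 86400}),
    ])
    return verify_oob(fake, build_request("CLIENT_ID", "MFA_TOKEN", "OOB_CODE"), sleep=sleep)


if __name__ == "__main__":
    print(demo())
```

Treat `mfa_token`, `oob_code` and `binding_code` as credentials: keep them out of logs and URLs, and send the request body only over TLS. On `invalid_grant` the loop raises and discards the challenge; a fresh challenge request, not a retry, is the only way forward.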

### Learn More

* [Associate Out-of-Band Authenticators](https://auth0.com/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-challenge-sms-voice-authenticators)

## Headers

<ParamField header="DPoP" type="string">
  A DPoP proof for the request. Optional; required only if your application uses Demonstrating Proof-of-Possession (DPoP).
</ParamField>

## Body Parameters

<ParamField body="grant_type" type="string" required>
  Denotes the flow you are using. For OOB MFA, use `http://auth0.com/oauth/grant-type/mfa-oob`.

  Allowed values: `http://auth0.com/oauth/grant-type/mfa-oob`
</ParamField>

<ParamField body="client_id" type="string" required>
  Your application's Client ID.
</ParamField>

<ParamField body="client_assertion" type="string">
  A JWT containing a signed assertion with your application credentials.
</ParamField>

<ParamField body="client_assertion_type" type="string">
  The value is `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`.

  Allowed values: `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`
</ParamField>

<ParamField body="client_secret" type="string">
  Your application's Client Secret.
</ParamField>

<ParamField body="mfa_token" type="string" required>
  The `mfa_token` you received from the `mfa_required` error.
</ParamField>

<ParamField body="oob_code" type="string" required>
  The `oob_code` received in the challenge response.
</ParamField>

<ParamField body="binding_code" type="string">
  A code used to bind the side channel with the main channel you are using to authenticate. Required only when the challenge response included `binding_method: prompt`.
</ParamField>

## Response Schema

<ResponseSchema>
  <ResponseField name="access_token" type="string">
    The access token returned upon successful verification.
  </ResponseField>

  <ResponseField name="token_type" type="string">
    The type of token issued.
  </ResponseField>

  <ResponseField name="expires_in" type="integer">
    The access token lifetime in seconds.
  </ResponseField>

  <ResponseField name="error" type="string">
    Error code returned when verification is pending or has failed.
  </ResponseField>

  <ResponseField name="error_description" type="string">
    Error description.
  </ResponseField>
</ResponseSchema>

## Response Messages

| Status | Description                                       |
| ------ | ------------------------------------------------- |
| 200    | Successful response for OOB verification.         |
| 400    | Bad request due to missing or invalid parameters. |
| 401    | Unauthorized, invalid mfa\_token or oob\_code.    |
