> ## Documentation Index
> Fetch the complete documentation index at: https://auth0.com/llms.txt
> Use this file to discover all available pages before exploring further.
> Describes how to manage MFA authenticator factor enrollments for applications using the Auth0 MFA API.
# Manage Authentication Factors with Authentication API
export const AuthCodeGroup = ({children, dropdown}) => {
const [processedChildren, setProcessedChildren] = useState(children);
useEffect(() => {
let unsubscribe = null;
function init() {
unsubscribe = window.autorun(() => {
const processChildren = node => {
if (typeof node === "string") {
let processedNode = node;
for (const [key, value] of window.rootStore.variableStore.values.entries()) {
const escapedKey = key.replaceAll(/[.*+?^${}()|[\]\\]/g, (String.raw)`\$&`);
processedNode = processedNode.replaceAll(new RegExp(escapedKey, "g"), value);
}
return processedNode;
} else if (Array.isArray(node)) {
return node.map(processChildren);
} else if (node && node.props && node.props.children) {
return {
...node,
props: {
...node.props,
children: processChildren(node.props.children)
}
};
}
return node;
};
setProcessedChildren(processChildren(children));
});
}
if (window.rootStore) {
init();
} else {
window.addEventListener("adu:storeReady", init);
}
return () => {
window.removeEventListener("adu:storeReady", init);
unsubscribe?.();
};
}, [children]);
return {processedChildren};
};
export const AuthCodeBlock = ({filename, icon, language, highlight, children}) => {
const [displayText, setDisplayText] = useState(children);
const [copyText, setCopyText] = useState(children);
const wrapperRef = React.useRef(null);
useEffect(() => {
let unsubscribe = null;
function init() {
if (!window.autorun || !window.rootStore) {
return;
}
unsubscribe = window.autorun(() => {
let processedChildrenForDisplay = children;
let processedChildrenForCopy = children;
for (const [key, value] of window.rootStore.variableStore.values.entries()) {
const escapedKey = key.replaceAll(/[.*+?^${}()|[\]\\]/g, (String.raw)`\$&`);
let displayValue = value;
if (key === "{yourClientSecret}" && value !== "{yourClientSecret}") {
displayValue = value.substring(0, 3) + "*****MASKED*****";
}
processedChildrenForDisplay = processedChildrenForDisplay.replaceAll(new RegExp(escapedKey, "g"), displayValue);
processedChildrenForCopy = processedChildrenForCopy.replaceAll(new RegExp(escapedKey, "g"), value);
}
setDisplayText(processedChildrenForDisplay);
setCopyText(processedChildrenForCopy);
});
}
if (window.rootStore) {
init();
} else {
window.addEventListener("adu:storeReady", init);
}
return () => {
window.removeEventListener("adu:storeReady", init);
unsubscribe?.();
};
}, [children]);
useEffect(() => {
if (!wrapperRef.current) return;
const originalWriteText = navigator.clipboard.writeText.bind(navigator.clipboard);
let isOverriding = false;
const handleClick = e => {
const button = e.target.closest('[data-testid="copy-code-button"]');
if (!button || !wrapperRef.current.contains(button)) return;
isOverriding = true;
navigator.clipboard.writeText = text => {
if (isOverriding) {
isOverriding = false;
navigator.clipboard.writeText = originalWriteText;
return originalWriteText(copyText);
}
return originalWriteText(text);
};
setTimeout(() => {
if (isOverriding) {
isOverriding = false;
navigator.clipboard.writeText = originalWriteText;
}
}, 100);
};
const wrapper = wrapperRef.current;
wrapper.addEventListener('click', handleClick, true);
return () => {
wrapper.removeEventListener('click', handleClick, true);
if (navigator.clipboard.writeText !== originalWriteText) {
navigator.clipboard.writeText = originalWriteText;
}
};
}, [copyText]);
return
{displayText}
;
};
* Enable the **MFA** grant type for your application. To learn more, read [Update Grant Types](/docs/get-started/applications/update-grant-types).
Auth0 provides several [API endpoints](https://auth0.com/docs/api/authentication#multi-factor-authentication) to help you manage the authenticators you're using with an application for multi-factor authentication (MFA). You can use these endpoints to build a complete user interface that lets users manage their authenticator factors.
## Get MFA API access tokens
To call the MFA API to manage enrollments, you first need to obtain an access token for the MFA API.
To use the MFA API as part of an authentication flow, you can follow the steps detailed in [Authenticate With Resource Owner Password Grant and MFA](/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa). If you are building a user interface to manage authentication factors, you'll need to obtain a token you can use for the MFA API at any moment, not only during authentication.
An MFA access token, or an access token with an `https://{yourDomain}/mfa/` audience, simultaneously authenticates and instigates an MFA [challenge request](https://auth0.com/docs/api/authentication/muti-factor-authentication/request-mfa-challenge). Factor enablement in your tenant and enrollment by your users determine whether the MFA challenge initiates:
* If your tenant allows for multiple factor enrollment and your users enroll in a valid factor (excluding email), such as a one-time password (OTP), the user is issued the MFA challenge upon login.
* If your users are not enrolled with any authentication factors, or are only enrolled with the `email` factor, the MFA token is minted and the user not issued a challenge.
The default expiry time of access tokens with the `https://{yourDomain}/mfa/*` audience is 10 minutes. This value cannot be configured.
### Universal Login
If you are using [Universal Login](/docs/authenticate/login/auth0-universal-login), redirect to the Authorize endpoint, specifying the `https://{yourDomain}/mfa/` audience.
When `https://{yourDomain}/mfa/` is specified as the audience, MFA is enforced. When end users enable **Remember this browser** while `.../mfa/` is specified as audience, the setting will have no effect.
Auth0 recommends that tenant administrators [create an action](/docs/customize/actions/write-your-first-action) that sets `allowRememberBrowser` to false. This will hide **Remember this browser** from view in the end user's experience.
### Resource owner password grant
If you are using the Resource Owner Password Grant (ROPG), you have 3 options:
* Ask for the `https://{yourDomain}/mfa/` audience when logging-in, and use a [refresh token](/docs/secure/tokens/refresh-tokens) to refresh it later.
* If you need to list and delete authenticators, ask the user to [authenticate again](/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa) with `/oauth/token`, specifying the `https://{yourDomain}/mfa/` audience. Users will need to complete MFA before being able to list and/or delete authentication factors.
* If you only need to list authenticators, ask the user to [authenticate again](/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa) using `/oauth/token` with username/password. The endpoint will return an `mfa_required` error, and an `mfa_token` you can use to list authenticators. Users will need to provide their password to see their authenticators.
### Scopes
When you request a token for the MFA audience, you can request the following scopes:
| Scope | Description |
| ----------------------- | -------------------------------- |
| `enroll` | To enroll a new authenticator. |
| `read:authenticators` | To list existing authenticators. |
| `remove:authenticators` | To delete an authenticator. |
## List authenticators
To get a list of the authenticators for a user, you can call the MFA Authenticators endpoint:
```bash cURL theme={null}
curl --request GET \
--url 'https://{yourDomain}/mfa/authenticators' \
--header 'authorization: Bearer MFA_TOKEN'
```
```csharp C# theme={null}
var client = new RestClient("https://{yourDomain}/mfa/authenticators");
var request = new RestRequest(Method.GET);
request.AddHeader("authorization", "Bearer MFA_TOKEN");
IRestResponse response = client.Execute(request);
```
```go Go theme={null}
package main
import (
"fmt"
"net/http"
"io/ioutil"
)
func main() {
url := "https://{yourDomain}/mfa/authenticators"
req, _ := http.NewRequest("GET", url, nil)
req.Header.Add("authorization", "Bearer MFA_TOKEN")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
```
```java Java theme={null}
HttpResponse response = Unirest.get("https://{yourDomain}/mfa/authenticators")
.header("authorization", "Bearer MFA_TOKEN")
.asString();
```
```javascript Node.JS theme={null}
var axios = require("axios").default;
var options = {
method: 'GET',
url: 'https://{yourDomain}/mfa/authenticators',
headers: {authorization: 'Bearer MFA_TOKEN'}
};
axios.request(options).then(function (response) {
console.log(response.data);
}).catch(function (error) {
console.error(error);
});
```
```php PHP theme={null}
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => "https://{yourDomain}/mfa/authenticators",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "GET",
CURLOPT_HTTPHEADER => [
"authorization: Bearer MFA_TOKEN"
],
]);
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}
```
```python Python theme={null}
import http.client
conn = http.client.HTTPSConnection("")
headers = { 'authorization': "Bearer MFA_TOKEN" }
conn.request("GET", "/{yourDomain}/mfa/authenticators", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
```
```ruby Ruby theme={null}
require 'uri'
require 'net/http'
require 'openssl'
url = URI("https://{yourDomain}/mfa/authenticators")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
request = Net::HTTP::Get.new(url)
request["authorization"] = 'Bearer MFA_TOKEN'
response = http.request(request)
puts response.read_body
```
You should receive information about the authenticator type(s) in the response:
```json lines theme={null}
[
{
"authenticator_type": "recovery-code",
"id": "recovery-code|dev_IsBj5j3H12VAdOIj",
"active": true
},
{
"authenticator_type": "otp",
"id": "totp|dev_nELLU4PFUiTW6iWs",
"active": true,
},
{
"authenticator_type": "oob",
"oob_channel": "sms",
"id": "sms|dev_sEe99pcpN0xp0yOO",
"name": "+1123XXXXX",
"active": true
}
]
```
For the purposes of building a user interface for end users to manage their factors, you should ignore authenticators that have `active` as `false`. Those authenticators are not confirmed by users, so they can't be used to challenge for MFA.
The MFA API will list the following enrollments depending on the authenticator type:
| Authenticator | Actions |
| ----------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Push and OTP** | If push is enabled, Auth0 also creates an OTP enrollment. You will see both when listing enrollments. |
| **SMS and Voice** | If both SMS and voice are enabled, when a user enrolls with either SMS or voice, Auth0 automatically creates two authenticators for the phone number, one for SMS and another for voice. |
| **Email** | All verified emails will be listed as authenticators. |
## Enroll authenticators
See the following links for details on how to enroll authenticators for different factors:
* [SMS or voice](/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-challenge-sms-voice-authenticators)
* [One-time password (OTP)](/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-and-challenge-otp-authenticators)
* [Push](/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-and-challenge-push-authenticators)
* [Email](/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-and-challenge-email-authenticators)
You can also use the [Universal Login flow](/docs/secure/multi-factor-authentication/multi-factor-authentication-developer-resources/create-custom-enrollment-tickets) for enrolling users at any time.
## Delete authenticators
To delete an associated authenticator, send a `DELETE` request to the MFA Authenticators endpoint replacing the `AUTHENTICATOR_ID` with the relevant authenticator ID. You can get the ID when you list authenticators.
If an `mfa_token` was used to list authenticators, users will need to [complete MFA to obtain an access token](https://auth0.com/docs/api/authentication/muti-factor-authentication/verify-mfa-with-otp) with an audience of `https://{yourDomain}/mfa/` in order to delete an authenticator.
```bash cURL theme={null}
curl --request DELETE \
--url 'https://{yourDomain}/mfa/authenticators/AUTHENTICATOR_ID' \
--header 'authorization: Bearer ACCESS_TOKEN'
```
```csharp C# theme={null}
var client = new RestClient("https://{yourDomain}/mfa/authenticators/AUTHENTICATOR_ID");
var request = new RestRequest(Method.DELETE);
request.AddHeader("authorization", "Bearer ACCESS_TOKEN");
IRestResponse response = client.Execute(request);
```
```go Go theme={null}
package main
import (
"fmt"
"net/http"
"io/ioutil"
)
func main() {
url := "https://{yourDomain}/mfa/authenticators/AUTHENTICATOR_ID"
req, _ := http.NewRequest("DELETE", url, nil)
req.Header.Add("authorization", "Bearer ACCESS_TOKEN")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
```
```java Java theme={null}
HttpResponse response = Unirest.delete("https://{yourDomain}/mfa/authenticators/AUTHENTICATOR_ID")
.header("authorization", "Bearer ACCESS_TOKEN")
.asString();
```
```javascript Node.JS theme={null}
var axios = require("axios").default;
var options = {
method: 'DELETE',
url: 'https://{yourDomain}/mfa/authenticators/AUTHENTICATOR_ID',
headers: {authorization: 'Bearer ACCESS_TOKEN'}
};
axios.request(options).then(function (response) {
console.log(response.data);
}).catch(function (error) {
console.error(error);
});
```
```php PHP theme={null}
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => "https://{yourDomain}/mfa/authenticators/AUTHENTICATOR_ID",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "DELETE",
CURLOPT_HTTPHEADER => [
"authorization: Bearer ACCESS_TOKEN"
],
]);
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}
```
```python Python theme={null}
import http.client
conn = http.client.HTTPSConnection("")
headers = { 'authorization': "Bearer ACCESS_TOKEN" }
conn.request("DELETE", "/{yourDomain}/mfa/authenticators/AUTHENTICATOR_ID", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
```
```ruby Ruby theme={null}
require 'uri'
require 'net/http'
require 'openssl'
url = URI("https://{yourDomain}/mfa/authenticators/AUTHENTICATOR_ID")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
request = Net::HTTP::Delete.new(url)
request["authorization"] = 'Bearer ACCESS_TOKEN'
response = http.request(request)
puts response.read_body
```
If the authenticator was deleted, a 204 response is returned.
When you delete an authenticator, the following actions take place depending on the authenticator type:
| Authenticator | Action |
| ----------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Push and OTP** | When a user enrolls a push authenticator, Auth0 also enrolls OTP. If you delete either of them, the other one will also be deleted. |
| **SMS and Voice** | When a user enrolls in either SMS or Voice,. Auth0 creates two authenticators, SMS and voice. If you delete either of them, the other will will also be deleted. |
| **Email** | All verified emails listed as authenticators, but you can't delete them. You can only delete email authenticators that are enrolled explicitly. |
## Regenerate recovery codes
To delete a recovery code and generate a new one, get an Auth0 [Management API access token](https://auth0.com/docs/api/management/v2/tokens) and use the Management API [Recovery Code Regeneration endpoint](https://auth0.com/docs/api/management/v2/#!/Users/post_recovery_code_regeneration).
```bash cURL theme={null}
curl --request POST \
--url 'https://{yourDomain}/api/v2/users/USER_ID/recovery-code-regeneration' \
--header 'authorization: Bearer MANAGEMENT_API_TOKEN'
```
```csharp C# theme={null}
var client = new RestClient("https://{yourDomain}/api/v2/users/USER_ID/recovery-code-regeneration");
var request = new RestRequest(Method.POST);
request.AddHeader("authorization", "Bearer MANAGEMENT_API_TOKEN");
IRestResponse response = client.Execute(request);
```
```go Go theme={null}
package main
import (
"fmt"
"net/http"
"io/ioutil"
)
func main() {
url := "https://{yourDomain}/api/v2/users/USER_ID/recovery-code-regeneration"
req, _ := http.NewRequest("POST", url, nil)
req.Header.Add("authorization", "Bearer MANAGEMENT_API_TOKEN")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}
```
```java Java theme={null}
HttpResponse response = Unirest.post("https://{yourDomain}/api/v2/users/USER_ID/recovery-code-regeneration")
.header("authorization", "Bearer MANAGEMENT_API_TOKEN")
.asString();
```
```javascript Node.JS theme={null}
var axios = require("axios").default;
var options = {
method: 'POST',
url: 'https://{yourDomain}/api/v2/users/USER_ID/recovery-code-regeneration',
headers: {authorization: 'Bearer MANAGEMENT_API_TOKEN'}
};
axios.request(options).then(function (response) {
console.log(response.data);
}).catch(function (error) {
console.error(error);
});
```
```php PHP theme={null}
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => "https://{yourDomain}/api/v2/users/USER_ID/recovery-code-regeneration",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "POST",
CURLOPT_HTTPHEADER => [
"authorization: Bearer MANAGEMENT_API_TOKEN"
],
]);
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}
```
```python Python theme={null}
import http.client
conn = http.client.HTTPSConnection("")
headers = { 'authorization': "Bearer MANAGEMENT_API_TOKEN" }
conn.request("POST", "/{yourDomain}/api/v2/users/USER_ID/recovery-code-regeneration", headers=headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
```
```ruby Ruby theme={null}
require 'uri'
require 'net/http'
require 'openssl'
url = URI("https://{yourDomain}/api/v2/users/USER_ID/recovery-code-regeneration")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
request = Net::HTTP::Post.new(url)
request["authorization"] = 'Bearer MANAGEMENT_API_TOKEN'
response = http.request(request)
puts response.read_body
```
You will get a new recovery code that the end user will need to capture, for example:
```json lines theme={null}
{
"recovery_code": "FA45S1Z87MYARX9RG6EVMAPE"
}
```
## Learn more
* [Enroll and Challenge SMS and Voice Authenticators](/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-challenge-sms-voice-authenticators)
* [Enroll and Challenge OTP Authenticators](/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-and-challenge-otp-authenticators)
* [Enroll and Challenge Push Authenticators](/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-and-challenge-push-authenticators)
* [Enroll and Challenge Email Authenticators](/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-and-challenge-email-authenticators)
* [Challenge with Recovery Codes](/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/challenge-with-recovery-codes)