Disable MFA
Disables Multi-Factor Authentication for the authenticated user. Requires a valid TOTP code from the user's authenticator app to confirm the action. Once disabled, all recovery codes are invalidated and the user will no longer be prompted for MFA during login.
Request
POST /mfa/disable
Authentication
Requires a valid Bearer JWT token in the Authorization header.
```
Authorization: Bearer <access_token>
```
Request Body
```json
{
  "code": "123456"
}
```
Request Fields
| Field | Type | Required | Description |
|---|---|---|---|
| code | string | Yes | Current 6-digit TOTP code from the user's authenticator app. Required to confirm the disable action. |
Response
Returns 200 OK with no response body on success.
Error Responses
| Status Code | Error | Description |
|---|---|---|
| 400 | Bad Request | Invalid or incorrect TOTP code |
| 401 | Unauthorized | Invalid or missing JWT token |
| 404 | Not Found | MFA is not enabled for this user |
Example
Request
```bash
curl -X POST https://api.entryguard.io/api/v1/mfa/disable \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -H "Content-Type: application/json" \
  -d '{
    "code": "123456"
  }'
```
Response
```
HTTP/1.1 200 OK
```
Important Notes
- MFA is immediately disabled upon successful verification
- All recovery codes are invalidated and cannot be used again
- The TOTP secret is removed from the user's account
- Future logins will only require email and password
- To re-enable MFA, the user must go through the full setup process again (`POST /mfa/setup` and `POST /mfa/setup/confirm`)
- This action is logged in the audit trail
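The following is an added illustration of the server-side behaviour this endpoint documents: verify the submitted TOTP code before touching MFA state, return the documented 400/401/404 statuses, and on success remove the secret, invalidate recovery codes and write an audit entry. It is example code written for this page, not the EntryGuard implementation; the `User` record, `AUDIT_LOG` store and `disable_mfa` handler are hypothetical stand-ins, and the TOTP routine is a stdlib RFC 6238 implementation (HMAC-SHA1, 30-second steps) that accepts one neighbouring step on either side.

```python
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical in-memory user record; not the EntryGuard data model.
@dataclass
class User:
    id: str
    mfa_secret: Optional[bytes] = None            # raw TOTP seed; None when MFA is off
    recovery_codes: List[str] = field(default_factory=list)

# Hypothetical audit sink standing in for the real audit trail.
AUDIT_LOG: List[Dict[str, str]] = []


def totp(secret: bytes, timestep: int, digits: int = 6) -> str:
    """RFC 6238 TOTP value for one 30-second time step (HMAC-SHA1, dynamic truncation)."""
    msg = struct.pack(">Q", timestep)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, now: float, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock skew.

    Every candidate is compared with hmac.compare_digest so response timing does
    not reveal which step (if any) matched.
    """
    if not (code.isdigit() and len(code) == 6):
        return False
    step = int(now // 30)
    matched = False
    for delta in range(-window, window + 1):
        matched |= hmac.compare_digest(totp(secret, step + delta), code)
    return matched


def disable_mfa(user: Optional[User], body: dict,
                now: Optional[float] = None) -> Tuple[int, Optional[dict]]:
    """Handler for POST /mfa/disable. Returns (http_status, json_body_or_None).

    `user` is the account resolved from the Bearer JWT (None when the token is
    missing or invalid). `now` is injectable so the behaviour can be tested
    against fixed RFC 6238 vectors.
    """
    if user is None:
        return 401, {"error": "Unauthorized", "message": "Invalid or missing JWT token"}
    if user.mfa_secret is None:
        return 404, {"error": "Not Found", "message": "MFA is not enabled for this user"}

    code = body.get("code")
    current = now if now is not None else time.time()
    if not isinstance(code, str) or not verify_totp(user.mfa_secret, code, current):
        # Rejected attempts are worth recording: repeated failures here are a
        # signal that someone holding a session is trying to strip MFA.
        AUDIT_LOG.append({"user": user.id, "event": "mfa.disable.rejected"})
        return 400, {"error": "Bad Request", "message": "Invalid or incorrect TOTP code"}

    # Verified: remove the secret and invalidate every recovery code together,
    # so there is no window in which a recovery code still works without MFA.
    user.mfa_secret = None
    user.recovery_codes.clear()
    AUDIT_LOG.append({"user": user.id, "event": "mfa.disabled"})
    return 200, None


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 reference seed; not a real account.
    seed = b"12345678901234567890"
    demo = User(id="u-demo", mfa_secret=seed, recovery_codes=["abcd-1234", "efgh-5678"])
    print(disable_mfa(demo, {"code": totp(seed, int(time.time() // 30))}))
    print(AUDIT_LOG)
```

The RFC 6238 reference vector (ASCII seed `12345678901234567890`, T = 59 seconds, step 1) yields the 8-digit value 94287082, so the 6-digit code at that instant is 287082; passing `now=59.0` lets the handler be exercised deterministically without a live clock.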