
Confirm MFA Setup

Completes the MFA setup process by verifying a TOTP code from the user's authenticator app. Once confirmed, MFA is activated for the user and recovery codes are generated. Store these recovery codes securely as they can be used to regain access if the authenticator app is lost.

Request

POST /mfa/setup/confirm

Authentication

Requires a valid Bearer JWT token in the Authorization header.

Authorization: Bearer <access_token>

Request Body

{
  "secret": "JBSWY3DPEHPK3PXP",
  "code": "123456"
}

Request Fields

Field  | Type   | Required | Description
secret | string | Yes      | The TOTP secret returned from POST /mfa/setup. Must match the secret used to generate the QR code.
code   | string | Yes      | 6-digit TOTP code generated by the user's authenticator app.

Response

Returns an MfaSetupConfirmResponse object containing one-time recovery codes.

{
  "recoveryCodes": [
    "a1b2c3d4",
    "e5f6g7h8",
    "i9j0k1l2",
    "m3n4o5p6",
    "q7r8s9t0",
    "u1v2w3x4",
    "y5z6a7b8",
    "c9d0e1f2"
  ]
}

Response Fields

Field         | Type     | Description
recoveryCodes | string[] | Array of one-time recovery codes. Each code can be used once to log in if the authenticator app is unavailable. Store these securely.

Error Responses

Status Code | Error        | Description
400         | Bad Request  | Invalid or expired TOTP code, or secret mismatch
401         | Unauthorized | Invalid or missing JWT token
409         | Conflict     | MFA is already enabled for this user

Example

Request

curl -X POST https://api.entryguard.io/api/v1/mfa/setup/confirm \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -H "Content-Type: application/json" \
  -d '{
    "secret": "JBSWY3DPEHPK3PXP",
    "code": "123456"
  }'

Response

{
  "recoveryCodes": [
    "a1b2c3d4",
    "e5f6g7h8",
    "i9j0k1l2",
    "m3n4o5p6",
    "q7r8s9t0",
    "u1v2w3x4",
    "y5z6a7b8",
    "c9d0e1f2"
  ]
}

Important Notes

  • MFA is now active for this user
  • All future logins will require a TOTP code or recovery code
  • Recovery codes can only be used once each
  • Store recovery codes in a secure location (password manager, encrypted file, etc.)
  • Recovery codes can be regenerated via POST /mfa/recovery-codes/regenerate
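What the server has to do behind this endpoint, as an added example that is not EntryGuard's own code: verify the submitted 6-digit code against the pending secret with RFC 6238 TOTP (HMAC-SHA1, 30-second step, one step of drift tolerance), answer 409 when MFA is already enabled and 400 on a code or secret mismatch, then mint eight recovery codes in the 8-hex-character format shown above and persist only their hashes. The user record shape (mfa_enabled, pending_secret from POST /mfa/setup, recovery_hashes) and the drift window are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30           # TOTP time step in seconds (RFC 6238 default)
WINDOW = 1          # assumption: accept one step of clock drift either side
RECOVERY_COUNT = 8  # the page's example response carries eight codes


def totp_code(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for a base32 secret at a given Unix time."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp_valid(secret_b32: str, code: str, unix_time: int) -> bool:
    """Constant-time check of `code` against the current step and its WINDOW neighbours."""
    return any(
        hmac.compare_digest(totp_code(secret_b32, unix_time + d * STEP).encode(), code.encode())
        for d in range(-WINDOW, WINDOW + 1)
    )


def confirm_mfa_setup(user: dict, body: dict, now=None) -> tuple:
    """Handler for POST /mfa/setup/confirm. `user` is the authenticated caller's record
    (assumed keys: mfa_enabled, pending_secret issued by POST /mfa/setup, recovery_hashes)."""
    now = int(time.time()) if now is None else now
    if user.get("mfa_enabled"):
        return 409, {"error": "Conflict", "message": "MFA is already enabled for this user"}
    secret = str(body.get("secret", ""))
    code = str(body.get("code", ""))
    pending = user.get("pending_secret") or ""
    # Secret must be the one this server issued; only then is it safe to decode and verify.
    if not hmac.compare_digest(secret.encode(), pending.encode()) or not totp_valid(secret, code, now):
        return 400, {"error": "Bad Request",
                     "message": "Invalid or expired TOTP code, or secret mismatch"}
    # Plaintext codes are shown once; store hashes so a database leak yields no working codes.
    codes = [secrets.token_hex(4) for _ in range(RECOVERY_COUNT)]
    user["recovery_hashes"] = [hashlib.sha256(c.encode()).hexdigest() for c in codes]
    user["mfa_enabled"] = True
    user["pending_secret"] = None
    return 200, {"recoveryCodes": codes}
```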