Endpoint

POST /oauth/token

Verifies multi-factor authentication (MFA) using an out-of-band (OOB) challenge (Push notification, SMS, or Voice). To verify MFA using an OOB challenge, your application must make a request to /oauth/token with grant_type=http://auth0.com/oauth/grant-type/mfa-oob. Include the oob_code you received from the challenge response, as well as the mfa_token you received as part of the mfa_required error. The response to this request depends on the status of the underlying challenge verification:
  • If the challenge has been accepted and verified, the response is the same as for the password or http://auth0.com/oauth/grant-type/password-realm grant types.
  • If the challenge has been rejected, you will get an invalid_grant error, meaning that the challenge was rejected by the user. At this point you should stop polling, as this response is final.
  • If the challenge verification is still pending (it has been neither accepted nor rejected), you will get an authorization_pending error, meaning that you must retry the same request a few seconds later. If you request too frequently, you will get a slow_down error.
When the challenge response includes binding_method: prompt, your app needs to prompt the user for the binding_code and send it as part of the request. The binding_code is usually a 6-digit number (similar to an OTP) delivered as part of the challenge. No binding_code is necessary if the challenge response did not include a binding_method. In this scenario the response is immediate: you will receive either an invalid_grant error or an access_token.
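The request-building and polling logic described above, written out as an added Python example (not Auth0's own code). It assumes a placeholder tenant URL, that the challenge response is available as a JSON dict, and an injected transport so the polling loop can be exercised offline.

```python
import json
import time
from urllib import error, parse, request

MFA_OOB_GRANT = "http://auth0.com/oauth/grant-type/mfa-oob"
TOKEN_URL = "https://YOUR_DOMAIN/oauth/token"  # placeholder tenant domain (assumption)

def build_mfa_oob_body(client_id, mfa_token, challenge, binding_code=None, client_secret=None):
    """Form body for the mfa-oob grant. `challenge` is the JSON from the challenge
    response: it carries oob_code and, for SMS/Voice, binding_method == "prompt"."""
    body = {"grant_type": MFA_OOB_GRANT, "client_id": client_id,
            "mfa_token": mfa_token, "oob_code": challenge["oob_code"]}
    if challenge.get("binding_method") == "prompt":
        if not binding_code:
            raise ValueError("this challenge requires the binding_code the user received")
        body["binding_code"] = binding_code
    if client_secret:  # confidential clients only
        body["client_secret"] = client_secret
    return body

def next_action(status, payload):
    """Map a /oauth/token response to the client's next step."""
    if status == 200 and "access_token" in payload:
        return "done"
    return {"authorization_pending": "retry", "slow_down": "slow_down",
            "invalid_grant": "rejected"}.get(payload.get("error"), "error")

def poll_mfa_oob(body, post, interval=5.0, max_attempts=60, sleep=time.sleep):
    """Poll until accepted or rejected. `post(body)` returns (status, json) and is
    injected so the loop can run without a network."""
    for _ in range(max_attempts):
        status, payload = post(body)
        action = next_action(status, payload)
        if action == "done":
            return payload
        if action in ("rejected", "error"):  # final answers: stop polling
            raise PermissionError(f"{payload.get('error')}: {payload.get('error_description')}")
        if action == "slow_down":
            interval += 5.0  # back off before the next attempt
        sleep(interval)
    raise TimeoutError("challenge was neither accepted nor rejected in time")

def http_post(body):  # real transport; returns the error JSON on 4xx as well
    req = request.Request(TOKEN_URL, data=parse.urlencode(body).encode(),
                          headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except error.HTTPError as exc:
        return exc.code, json.load(exc)
```

For a push challenge, call poll_mfa_oob(build_mfa_oob_body(...), http_post); for SMS or Voice, collect the binding_code from the user first, since the response is then immediate.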

Headers

DPoP
string
A DPoP proof for the request. This is optional and only required if your application uses Demonstrating Proof-of-Possession.

Body Parameters

grant_type
string
required
Denotes the flow you are using. For OOB MFA, use http://auth0.com/oauth/grant-type/mfa-oob. Allowed values: http://auth0.com/oauth/grant-type/mfa-oob
client_id
string
required
Your application’s Client ID.
client_assertion
string
A JWT containing a signed assertion with your application credentials.
client_assertion_type
string
The value is urn:ietf:params:oauth:client-assertion-type:jwt-bearer. Allowed values: urn:ietf:params:oauth:client-assertion-type:jwt-bearer
client_secret
string
Your application’s Client Secret.
mfa_token
string
required
The mfa_token you received from the mfa_required error.
oob_code
string
required
The oob_code received from the challenge response.
binding_code
string
A code used to bind the side channel with the main channel you are using to authenticate.

Response Schema

application/json

Response Messages

Status  Description
200     Successful response for OOB verification.
400     Bad request due to missing or invalid parameters.
401     Unauthorized, invalid mfa_token or oob_code.