Skip to main content

Verify Two-Factor Authentication code

POST 

/auth/2fa

Completes the Two-Factor Authentication challenge issued by POST /auth. When credentials are valid but the user has 2FA enabled, POST /auth returns an interim JWT (two_factor_required: true). This endpoint accepts that interim token together with the user's 2FA code and, on success, returns the final signed JWT.

Requirements

  • Authentication must be enabled in the plugin settings.
  • The Two-Factor Authentication plugin must be installed and active.
  • The interim JWT must be provided via the Authorization: Bearer header or the JWT body field.
  • The code field must contain the TOTP code, email token, or backup code, depending on the user's configured 2FA provider.

JWT delivery The interim JWT can be passed via:

  • JWT field in the request body
  • Authorization: Bearer <token> header (when enabled in plugin General Settings)

Request

Responses

2FA verification successful. Returns a signed JWT and optional refresh token.