2FA API โ
The Two-Factor Authentication API adds a second verification step to the login flow and to related session-sensitive actions.
The goal is simple: keep authentication easy for users while making account access safer for developers and product teams.
How to read this page โ
Each route is documented as a normal operation-style page so the flow is easy to follow.
Base path โ
All routes live under /auth/two_factor/.
How it works โ
- The user logs in with password or social auth.
- If 2FA is required, the server creates a short-lived pending session.
- The server sends a 6-digit numeric code by email.
- The client submits the code to the verify route.
- The session is promoted to active after successful verification.
Route map โ
| Method | Path | Auth | Purpose |
|---|---|---|---|
GET | /auth/two_factor/system | Public | Check whether 2FA is enabled and which methods are available |
GET | /auth/two_factor/methods | Session | List the userโs active 2FA methods |
POST | /auth/two_factor/email/setup | Session | Start email 2FA setup |
POST | /auth/two_factor/sms/setup | Session | Start SMS 2FA setup |
POST | /auth/two_factor/:method/start | Pending or active session | Resend a code for a method |
POST | /auth/two_factor/verify | Pending or active session | Verify a code and activate the session |
DELETE | /auth/two_factor/:id | Session | Remove a method |
POST | /auth/two_factor/toggle | Session | Enable or disable 2FA for the user |
Route details โ
System and methods โ
GET /auth/two_factor/system โ
Return global availability and method list.
Auth: public.
GET /auth/two_factor/methods โ
List the current userโs active methods.
Auth: session.
Setup โ
POST /auth/two_factor/email/setup โ
Start email 2FA setup.
Auth: session.
POST /auth/two_factor/sms/setup โ
Start SMS 2FA setup.
Auth: session.
Verification flow โ
POST /auth/two_factor/:method/start โ
Resend a code for a method.
Auth: pending or active session.
Body:
{
"action": "login"
}POST /auth/two_factor/verify โ
Verify a code and activate the session.
Auth: pending or active session.
Body:
{
"code": "482913",
"method": "email",
"action": "login"
}Maintenance โ
DELETE /auth/two_factor/:id โ
Remove a method.
Auth: session.
POST /auth/two_factor/toggle โ
Enable or disable 2FA for the user.
Auth: session.
Example: check system availability โ
GET /auth/two_factor/systemExample response:
{
"success": true,
"data": {
"global_two_factor_enabled": true,
"available_methods": ["email"]
}
}Example: start a login challenge โ
POST /auth/two_factor/email/start
Content-Type: application/json
{
"action": "login"
}Example response:
{
"success": true,
"data": {
"method": "email",
"status": "pending",
"expires_in_seconds": 600
}
}Example: verify a code โ
POST /auth/two_factor/verify
Content-Type: application/json
{
"code": "482913",
"method": "email",
"action": "login"
}Example response:
{
"success": true,
"data": {
"verified": true,
"session_status": "active",
"two_factor_verified": 1
}
}Important behavior โ
- The code is 6 digits and numeric.
- The code is treated as short-lived and must be verified within the session window.
- A pending session is not the final session; it becomes active only after verification.
- The flow is meant to be understandable to the frontend, not hidden behind vague auth behavior.
Typical login flow โ
- User submits credentials.
- Server returns a 2FA challenge instead of a full login session.
- User enters the code from email.
- Client submits the code to verify.
- Server activates the session and returns success.
Practical notes โ
- Keep login and verification steps separate in the UI.
- Treat the pending session as a temporary state, not a broken login.
- Make the 2FA screen explicit so developers can reason about it quickly.