Disable Multi-Factor
This API is used to disable Multi-Factor authentication for a single User. To use this API the User must provide a valid Multi-Factor verification code or recovery code.
If using message based delivery, you may Send a Multi-Factor Code When Disabling MFA to deliver a code to the User. The User will then provide this code as input.
If a recovery code is provided, all methods will be removed.
Request#
OpenAPI Spec
Request Headers#
X-FusionAuth-TenantIdStringoptionalThe unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Request Parameters#
applicationIdUUIDoptionalAvailable since 1.44.0An application Id. This parameter is optional, and when provided it will cause application specific configuration to be used when available.
For example, to use an application specific email template to notify the user when multi-factor has been enabled, this parameter will be required. When this parameter is omitted, the tenant configuration will be used.
To learn more about overriding email templates, see the Application Specific Email Templates guide.
codeStringrequiredA valid multi-factor verification code. The User will obtain this code using an existing multi-factor method which may include an authenticator (TOTP) app, sms or email. This procedure is the same as if the user was completing a multi-factor challenge during login.
This may also be a recovery code. If one is provided, all methods are removed. If, after that, a multi-factor method is added, a new set of recovery codes will be generated.
methodIdStringrequiredThe Id of the multi-factor method to be disabled.
If a recovery code is provided, this can be any valid method Id.
OpenAPI Spec
Request Headers#
X-FusionAuth-TenantIdStringoptionalThe unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Request Body#
applicationIdUUIDoptionalAn application Id. This parameter is optional, and when provided it will cause application specific configuration to be used when available.
For example, to use an application specific email template to notify the user when multi-factor has been enabled, this parameter will be required. When this parameter is omitted, the tenant configuration will be used.
To learn more about overriding email templates, see the Application Specific Email Templates guide.
codeStringrequiredA valid multi-factor verification code. The User will obtain this code using an existing multi-factor method which may include an authenticator (TOTP) app, sms or email. This procedure is the same as if the user was completing a multi-factor challenge during login.
This may also be a recovery code. If one is provided, all methods are removed. If, after that, a multi-factor method is added, a new set of recovery codes will be generated.
methodIdStringrequiredThe Id of the multi-factor method to be disabled.
If a recovery code is provided, this can be any valid method Id.
Example Request JSON
{
"applicationId": "85a03867-dccf-4882-adde-1a79aeec50df",
"code": "549457",
"methodId": "email"
}
Request Headers#
X-FusionAuth-TenantIdStringoptionalThe unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Request Body#
applicationIdUUIDoptionalAn application Id. This parameter is optional, and when provided it will cause application specific configuration to be used when available.
For example, to use an application specific email template to notify the user when multi-factor has been enabled, this parameter will be required. When this parameter is omitted, the tenant configuration will be used.
To learn more about overriding email templates, see the Application Specific Email Templates guide.
codeStringrequiredA valid multi-factor verification code. The User will obtain this code using an existing multi-factor method which may include an authenticator (TOTP) app, sms or email. This procedure is the same as if the user was completing a multi-factor challenge during login.
This may also be a recovery code. If one is provided, all methods are removed. If, after that, a multi-factor method is added, a new set of recovery codes will be generated.
methodIdStringrequiredThe Id of the multi-factor method to be disabled.
If a recovery code is provided, this can be any valid method Id.
Example Request JSON
{
"applicationId": "85a03867-dccf-4882-adde-1a79aeec50df",
"code": "549457",
"methodId": "email"
}
Request Parameters#
applicationIdUUIDoptionalAvailable since 1.44.0An application Id. This parameter is optional, and when provided it will cause application specific configuration to be used when available.
For example, to use an application specific email template to notify the user when multi-factor has been enabled, this parameter will be required. When this parameter is omitted, the tenant configuration will be used.
To learn more about overriding email templates, see the Application Specific Email Templates guide.
codeStringrequiredA valid multi-factor verification code. The User will obtain this code using an existing multi-factor method which may include an authenticator (TOTP) app, sms or email. This procedure is the same as if the user was completing a multi-factor challenge during login.
This may also be a recovery code. If one is provided, all methods are removed. If, after that, a multi-factor method is added, a new set of recovery codes will be generated.
methodIdStringrequiredThe Id of the multi-factor method to be disabled.
If a recovery code is provided, this can be any valid method Id.
Response#
Response Codes
| Code | Description |
|---|---|
| 200 | The request was successful. Multi-Factor has been disabled for the User. |
| 400 | The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. |
| 401 | You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication. |
| 404 | The User does not exist. The response will be empty. |
| 421 | The code request parameter is not valid. The response will be empty. |
| 500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
| 503 | The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body. |