Disable Multi-Factor

This API is used to disable Multi-Factor authentication for a single User. To use this API the User must provide a valid Multi-Factor verification code or recovery code.

If using message based delivery, you may Send a Multi-Factor Code When Disabling MFA to deliver a code to the User. The User will then provide this code as input.

If a recovery code is provided, all methods will be removed.

Request#

API Key Authentication
Disable a single multi-factor method by User Id
DELETE/api/user/two-factor/{userId}?code={code}&methodId={methodId}
OpenAPI Spec

Request Headers#

X-FusionAuth-TenantIdStringoptional

The unique Id of the tenant used to scope this API request.

The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.

Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

Request Parameters#

applicationIdUUIDoptionalAvailable since 1.44.0

An application Id. This parameter is optional, and when provided it will cause application specific configuration to be used when available.

For example, to use an application specific email template to notify the user when multi-factor has been enabled, this parameter will be required. When this parameter is omitted, the tenant configuration will be used.

To learn more about overriding email templates, see the Application Specific Email Templates guide.

codeStringrequired

A valid multi-factor verification code. The User will obtain this code using an existing multi-factor method which may include an authenticator (TOTP) app, sms or email. This procedure is the same as if the user was completing a multi-factor challenge during login.

This may also be a recovery code. If one is provided, all methods are removed. If, after that, a multi-factor method is added, a new set of recovery codes will be generated.

methodIdStringrequired

The Id of the multi-factor method to be disabled.

If a recovery code is provided, this can be any valid method Id.

API Key Authentication
Disable a single multi-factor method by User Id
DELETE/api/user/two-factor/{userId}
OpenAPI Spec

Request Headers#

X-FusionAuth-TenantIdStringoptional

The unique Id of the tenant used to scope this API request.

The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.

Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

Request Body#

applicationIdUUIDoptional

An application Id. This parameter is optional, and when provided it will cause application specific configuration to be used when available.

For example, to use an application specific email template to notify the user when multi-factor has been enabled, this parameter will be required. When this parameter is omitted, the tenant configuration will be used.

To learn more about overriding email templates, see the Application Specific Email Templates guide.

codeStringrequired

A valid multi-factor verification code. The User will obtain this code using an existing multi-factor method which may include an authenticator (TOTP) app, sms or email. This procedure is the same as if the user was completing a multi-factor challenge during login.

This may also be a recovery code. If one is provided, all methods are removed. If, after that, a multi-factor method is added, a new set of recovery codes will be generated.

methodIdStringrequired

The Id of the multi-factor method to be disabled.

If a recovery code is provided, this can be any valid method Id.

Example Request JSON

{
  "applicationId": "85a03867-dccf-4882-adde-1a79aeec50df",
  "code": "549457",
  "methodId": "email"
}
JWT Authentication
Disable a single multi-factor method using a JWT
DELETE/api/user/two-factor

Request Headers#

X-FusionAuth-TenantIdStringoptional

The unique Id of the tenant used to scope this API request.

The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.

Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

Request Body#

applicationIdUUIDoptional

An application Id. This parameter is optional, and when provided it will cause application specific configuration to be used when available.

For example, to use an application specific email template to notify the user when multi-factor has been enabled, this parameter will be required. When this parameter is omitted, the tenant configuration will be used.

To learn more about overriding email templates, see the Application Specific Email Templates guide.

codeStringrequired

A valid multi-factor verification code. The User will obtain this code using an existing multi-factor method which may include an authenticator (TOTP) app, sms or email. This procedure is the same as if the user was completing a multi-factor challenge during login.

This may also be a recovery code. If one is provided, all methods are removed. If, after that, a multi-factor method is added, a new set of recovery codes will be generated.

methodIdStringrequired

The Id of the multi-factor method to be disabled.

If a recovery code is provided, this can be any valid method Id.

Example Request JSON

{
  "applicationId": "85a03867-dccf-4882-adde-1a79aeec50df",
  "code": "549457",
  "methodId": "email"
}
JWT Authentication
Disable a single multi-factor method using a JWT
DELETE/api/user/two-factor?code={code}&methodId={methodId}

Request Parameters#

applicationIdUUIDoptionalAvailable since 1.44.0

An application Id. This parameter is optional, and when provided it will cause application specific configuration to be used when available.

For example, to use an application specific email template to notify the user when multi-factor has been enabled, this parameter will be required. When this parameter is omitted, the tenant configuration will be used.

To learn more about overriding email templates, see the Application Specific Email Templates guide.

codeStringrequired

A valid multi-factor verification code. The User will obtain this code using an existing multi-factor method which may include an authenticator (TOTP) app, sms or email. This procedure is the same as if the user was completing a multi-factor challenge during login.

This may also be a recovery code. If one is provided, all methods are removed. If, after that, a multi-factor method is added, a new set of recovery codes will be generated.

methodIdStringrequired

The Id of the multi-factor method to be disabled.

If a recovery code is provided, this can be any valid method Id.

Response#

Response Codes

CodeDescription
200The request was successful. Multi-Factor has been disabled for the User.
400The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors.
401You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication.
404The User does not exist. The response will be empty.
421The code request parameter is not valid. The response will be empty.
500There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.
503The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.