Send a Multi-Factor Code During Login or Step Up

This operation allows you to send a message with a code to finish a Multi-Factor flow, and requires an existing twoFactorId. No API key is required.

This should only be used if you want FusionAuth to send the code. Do not use this if you are sending a code out of band or are using a TOTP based authentication method.

You can use this to re-send a code with the same or a different method. Using this API will invalidate all other codes previously associated with the provided twoFactorId.

Sending a code invalidates all previous codes for the provided twoFactorId.

Request#

No Authentication Required
Send a multi-factor code to complete Multi-Factor Login
POST/api/two-factor/send/{twoFactorId}
OpenAPI Spec

Request Parameters#

twoFactorIdStringrequired

The twoFactorId returned by the Login API or the Start multi-factor request.

Request Headers#

X-FusionAuth-TenantIdStringoptional

The unique Id of the tenant used to scope this API request.

The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.

Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.

See Making an API request using a Tenant Id for additional information.

Request Body#

messageTypeStringoptionalDefaults to SMSAvailable since 1.65.0

The message type used when sending a code for a phone-based MFA method.

This value is only used when the selected MFA method is sms.

Valid values are:

  • SMS
  • Voice
methodIdStringrequired

The Id of the MFA method to be used.

Example Request JSON

{
  "messageType": "Voice",
  "methodId": "KLRT"
}

Response#

This API does not return a JSON response body.

Response Codes
CodeDescription
200The request was successful.
400The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present.
401You did not supply a valid Authorization header. The header was omitted or your API key was not valid. The response will be empty. See Authentication.
500There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty.
503The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body.