Complete Step-Up

POST 
/api/auth/2fa/step-up

Perform second factor for step-up.

You can learn more about the step-up flow here.

Requirements

• User authenticated using their password through POST /api/auth/step-up.
• At least one of email or TOTP as 2FA methods should be enabled.
• An email or totp 2FA code is present for an enabled 2FA method. Check out email and TOTP to learn how to retrieve a 2FA code.

Tokens

• A valid AccessToken is required.
• A valid TwoFactorAuthenticationToken is required. This token should match user and session contained in the AccessToken.
• If 2FA is disabled and the request is successful, StepUpToken will automatically be set as HTTP-only cookie. If header authentication is enabled, the StepUpToken will be returned in the response body and can be used to authorized critical requests.

Request

Responses

200

The token if header authentication is enabled.

400

The following error codes correspond to this status:

• NO_2FA_CODE_PROVIDED: Invalid request: at least one of email or totp must be provided.
• NO_PASSWORD_PROVIDER: The user needs to set a password in to perform this action.
• 2FA_DISABLED: User needs to set up two-factor authentication to complete this action.

401

The following error codes correspond to this status:

• TWO_FACTOR_AUTHENTICATION_TOKEN_EXPIRED: Indicates that the two-factor authentication token is expired.
• TWO_FACTOR_AUTHENTICATION_TOKEN_INVALID: Indicates that the two-factor authentication token cannot be decoded.
• TWO_FACTOR_AUTHENTICATION_TOKEN_MISSING: Thrown when the two-factor authentication token is missing.
• TWO_FACTOR_CODE_EXPIRED: Two-factor code has expired.
• WRONG_TWO_FACTOR_CODE: Wrong two-factor code.
• ACCESS_TOKEN_EXPIRED: Indicates that the access token is expired.
• ACCESS_TOKEN_INVALID: Indicates that the access token cannot be decoded.
• AUTHENTICATION_REQUIRED: User is not authenticated.

403

The following error codes correspond to this status:

• STEP_UP_TOKEN_CREATION_FORBIDDEN: Thrown when a step-up token is requested from an illegal context.

404

The following error codes correspond to this status:

• USER_NOT_FOUND: User not found.

500

The following error codes correspond to this status:

• DATABASE_FAILURE: Exception representing a general failure related to database operations.
• INVALID_USER_DOCUMENT: A requested user document was stored in an invalid format.
• POST_COMMIT_SIDE_EFFECT_FAILURE: Exception representing a failure to perform a side effect after a successful database operation.
• TOTP_CODE_VALIDATION_FAILURE: Failed to validate TOTP code.
• ACCESS_TOKEN_ALLOWLIST_READING_FAILURE: Represents an exception indicating a failure when reading the allowlist for an access token cache.
• INVALID_DATABASE_OBJECT: Indicates an invalid document stored in the database.
• STEP_UP_TOKEN_ENCODING_FAILURE: Represents an exception that occurs during the encoding process of a step-up token.
• STEP_UP_TOKEN_SECRET_FAILURE: Represents an exception that occurs when there is a failure related to the secret required for creating a refresh token.
• COOKIE_CREATION_FAILURE: Thrown when an exception occurred during the creation of a cookie.