Get TOTP Setup Details

GET 
/api/auth/2fa/totp/setup

Get a TOTP secret, recovery codes and a TOTP URL. This is the first step to enabling TOTP as 2FA method. You can learn more about this here.

The user needs to save the recovery codes and use the URL or the secret to set up 2FA in their 2FA app.

This secret will be stored inside the token contained in the response. This token is required to enable TOTP. Performing this request will not change the user's state in the database. Therefore, the token is the single point of truth for validation. Every request will generate a new TOTP secret, new recovery codes and a new TOTP URL.

The setup can be completed through the endpoint POST /api/auth/2fa/totp/setup using the token and a 2FA code from an authenticator app.

Requirements

• The user can authenticate using password. 2FA will not work with OAuth2. The OAuth2 provider will validate the second factor if the user enabled it for the provider.

Tokens

• A valid AccessToken is required.
• A valid StepUpToken is required. This token should match user and session contained in the AccessToken.

Responses

200

The TOTP secret, recovery codes, TOTP URL and setup token.

304

The following error codes correspond to this status:

• TWO_FACTOR_METHOD_ALREADY_ENABLED: Two-factor authentication method is already enabled.

400

The following error codes correspond to this status:

• NO_PASSWORD_PROVIDER: The user needs to set a password in to perform this action.

401

The following error codes correspond to this status:

• ACCESS_TOKEN_EXPIRED: Indicates that the access token is expired.
• ACCESS_TOKEN_INVALID: Indicates that the access token cannot be decoded.
• AUTHENTICATION_REQUIRED: User is not authenticated.
• STEP_UP_TOKEN_EXPIRED: Indicates that the step-up token is expired.
• STEP_UP_TOKEN_INVALID: Indicates that the step-up token cannot be decoded.
• STEP_UP_TOKEN_MISSING: Thrown when the step-up token is missing.

404

The following error codes correspond to this status:

• USER_NOT_FOUND: User not found.

500

The following error codes correspond to this status:

• ACCESS_TOKEN_ALLOWLIST_READING_FAILURE: Represents an exception indicating a failure when reading the allowlist for an access token cache.
• DATABASE_FAILURE: Exception representing a general failure related to database operations.
• DATABASE_ENCRYPTION_FAILURE: Exception representing a general failure related to database encryption operations.
• INVALID_CONFIGURATION: Invalid configuration.
• INVALID_USER_DOCUMENT: A requested user document was stored in an invalid format.
• TOTP_TOKEN_CREATION_FAILURE: Failed to create TOTP token.
• TOTP_FAILURE: TOTP code validation failed.