Complete login with a second factor
POST
/api/auth/2fa
Exchanges the 2FA challenge (mfa_pending cookie or challengeToken body) plus a TOTP or recovery code for a session.
Authorizations
ApiToken
Long-lived API token created via POST /api/api-tokens (returned once in plaintext).
Type
API Key (header: X-API-TOKEN)
or
JWT
JWT access token obtained via POST /api/auth/login. Send as: Authorization: Bearer
Type
HTTP (bearer)
Request Body
application/json
JSON "code": "123456", "challengeToken": "string"
{
}
Responses
Login successful
application/json
JSON "token": "string", "refreshToken": "string"
{
}
