Skip to content

Complete login with a second factor

POST
/api/auth/2fa

Exchanges the 2FA challenge (mfa_pending cookie or challengeToken body) plus a TOTP or recovery code for a session.

Authorizations

ApiToken

Long-lived API token created via POST /api/api-tokens (returned once in plaintext).

Type
API Key (header: X-API-TOKEN)
or
JWT

JWT access token obtained via POST /api/auth/login. Send as: Authorization: Bearer .

Type
HTTP (bearer)

Request Body

application/json
JSON
{
  
"code": "123456",
  
"challengeToken": "string"
}

Responses

Login successful

application/json
JSON
{
  
"token": "string",
  
"refreshToken": "string"
}

Playground

Authorization
Body

Samples

Powered by VitePress OpenAPI