See api-docs Menu

Generate MFA Token

Use to generate a temporary MFA token that can be used in place of other MFA tokens for a set time period. For example, use this token for account recovery when an MFA device has been lost.

Resource URL

Before calling this API, consider using its version /2 equivalent.

https://<subdomain>/api/1/users/:user_id/mfa_token

Header Parameters

Authorization

required

string

Set to bearer:<access_token>.

Set <access_token> to the access token generated with the Generate Token API.

Generate an access token with the API credential pair created using the scope required to call this API. Call this API with any one of the following scopes: Manage Users or Manage All.

Content-Type

required

string

Set to application/json.

Resource Parameters

user_id

required

integer

Set to the id of the user to generate a token.

If you don’t know the user’s id, the Get Users API returns all users and their id values.

Request Parameter

expires_in

integer

Set the duration of the token in seconds.

Token expiration defaults to 259200 seconds = 72 hours. 72 hours is the max value.

reusable

string

Defines if the token is reusable multiple times within the expiry window.

Value defaults to false. If set to true, token can be used multiple times, until it expires.

Sample Request Body

For the sample request, token expires in 300 seconds. The token can be used multiple times within the 300 seconds.

{
   "expires_in": "300",
   "reusable": true
}

Sample Response

{
    "mfa_token": "55647655",
    "reusable": true,
    "expires_at": "2019-01-16T22:16:38Z"
}

Typically, this error indicates your access token value is invalid.

{
    "status": {
        "error": true,
        "code": 401,
        "type": "Unauthorized",
        "message": "Authentication Failure"
 }
}

Typically, the following error indicates the access token used to make the call was generated using API credentials with insufficient permissions. Call this API using the Manage Users or Manage All scope.

{
    "status": {
        "error": true,
        "code": 401,
        "type": "Unauthorized",
        "message": "Insufficient Permission"
    }
}

Response Elements

mfa_token

Token can function as a temporary MFA token. It can be used to authenticate for any app when valid.

reusable true indcates the token can be used multiple times, until it expires. false indicates the token is invalid after a single use or once it expires. Defaults to false.
expires_at Defines the expiration time and date for the token. Format is UTC time.

Postman Collection

Run In Postman

    Clicking Run in Postman button navigates to the page where you can fork the collection to your workspace. Forking the collection into your workspace will enable you to contribute to the source collection using pull requests. You can also view the collection in a public workspace if you like and even import a copy of the collection using the links present on the screen.

Sample Code

cURL

Replace sample values indicated by < > with your actual values.

curl 'https://<subdomain>/api/1/users/:user_id/mfa_token' \
-X POST \
-H "Authorization: bearer:<access_token>" \
-H "Content-Type: application/json" \
-d '{
  "expires_in":"<300>",
  "reusable":"<true>",
}'

Have a Question?

Found a problem or a bug? Submit a support ticket.

Looking for walkthroughs or how-to guides on OneLogin's user and admin features? Check out the documentation in our Knowledge Base.

Have a product idea or request? Share it with us in our Ideas Portal.