Verify an Authentication Factor
Use this API to authenticate a one-time password (OTP) code provided by a multifactor authentication (MFA) device.
If this is the first time that the OTP device has been confirmed, then the device will be updated to have a state of enabled.
There is a different MFA endpoint to use when combined with a user login and session creation. See Logging a User In Via API.
Resource URL
https://<subdomain>/api/1/users/<user_id>/otp_devices/<device_id>/verifyHeader Parameter
Authorization required string | Set to Set The access token must have been generated using an API credential pair created using the scope required to call this API. This API can be called using either of the following scopes: |
Resource Parameters
user_id required integer |
Set to the If you don’t know the user’s |
device_id required integer |
Set to the The You can also use this endpoint to verify Temporary MFA Tokens when a user does not have a MFA device registered. To do this you must set the device_id to 0 which indicates no specific MFA device is being used. |
Request Parameter
otp_token string |
OTP code provided by the device or SMS message sent to user. When a device like OneLogin Protect that supports Push has been used you do not need to provide the |
state_token string |
The The Note that the See the HTTP 400 Bad Request payloads below for an example of an expired token message. |
Request Body
For OneLogin SMS
{
"state_token": "98e008497066bc2763c52342996e06358aab2e32",
"otp_token": "B41832"
}For Push using OneLogin Protect
{
"state_token": "98e008497066bc2763c52342996e06358aab2e32",
}For Google Authenticator or similar
{
"otp_token": "123456"
}For Yubikey
{
"otp_token": "chchchhgjhg..........."
}Sample Response
- 200 OK
- 400 Bad Request
- 401 Unauthorized
{
"status": {
"type": "success",
"code": 200,
"message": "Success",
"error": false
}
}{
"status": {
"type": "bad request",
"code": 400,
"message": "User does not exist",
"error": true
}
}{
"status": {
"type": "bad request",
"code": 400,
"message": "State token is invalid or expired",
"error": true
}
}{ "status": { "type": "Unauthorized", "code": 401, "message": "Authentication pending on OL Protect", "error": true } }{ "status": { "error": true, "code": 401, "type": "Unauthorized", "message": "Insufficient Permission" } }{ "status": { "type": "Unauthorized", "code": 401, "message": "Failed authentication with this factor", "error": true } }
Postman Collection
- Clicking Run in Postman button navigates to the page where you can fork the collection to your workspace. Forking the collection into your workspace will enable you to contribute to the source collection using pull requests. You can also view the collection in a public workspace if you like and even import a copy of the collection using the links present on the screen.
Sample Code
cURL
Replace sample values indicated by < > with your actual values.
curl 'https://<subdomain>/api/1/users/<user_id>/otp_devices/<device_id>/verify' \
-X POST \
-H "Authorization: bearer: <access_token>" \
-H "Content-Type: application/json" \
-d '{
"state_token":"<state_token>",
"otp_token":"<otp_token>"
}'Have a Question?
Found a problem or a bug? Submit a support ticket.
Looking for walkthroughs or how-to guides on OneLogin's user and admin features? Check out the documentation in our Knowledge Base.
Have a product idea or request? Share it with us in our Ideas Portal.