See api-docs Menu

Verify an Authentication Factor

Use this API to authenticate a one-time password (OTP) code provided by a multifactor authentication (MFA) device.

If this is the first time that the OTP device has been confirmed, then the device will be updated to have a state of enabled.

There is a different MFA endpoint to use when combined with a user login and session creation. See Logging a User In Via API.

Resource URL

https://<subdomain>/api/1/users/<user_id>/otp_devices/<device_id>/verify

Header Parameter

Authorization

required

string

Set to bearer:<access_token>.

Set <access_token> to the access token you generated using the Generate Token API.

The access token must have been generated using an API credential pair created using the scope required to call this API. This API can be called using either of the following scopes: Manage users or Manage All.

Resource Parameters

user_id

required

integer

Set to the id of the user.

If you don’t know the user’s id, use the Get Users API call to return all users and their id values.

device_id

required

integer

Set to the device_id of the MFA device.

The device_id is returned on enrollment of a factor or you can get the device_id using the Get Enrolled Factors API call.

You can also use this endpoint to verify Temporary MFA Tokens when a user does not have a MFA device registered.

To do this you must set the device_id to 0 which indicates no specific MFA device is being used.

Request Parameter

otp_token

string

OTP code provided by the device or SMS message sent to user.

When a device like OneLogin Protect that supports Push has been used you do not need to provide the otp_token and can keep polling this endpoint until the state_token expires.

state_token

string

The state_token is returned after a successful request to Enroll a Factor or Activate a Factor.

The state_token MUST be provided if the needs_trigger attribute from the proceeding calls is set to true.

Note that the state_token expires 120 seconds after creation. If the token is expired you will need to Activate the Factor again.

See the HTTP 400 Bad Request payloads below for an example of an expired token message.

Request Body

For OneLogin SMS

{
    "state_token": "98e008497066bc2763c52342996e06358aab2e32",
    "otp_token": "B41832"
}

For Push using OneLogin Protect

{
    "state_token": "98e008497066bc2763c52342996e06358aab2e32",
}

For Google Authenticator or similar

{
    "otp_token": "123456"
}

For Yubikey

{
    "otp_token": "chchchhgjhg..........."
}

Sample Response

{
    "status": {
        "type": "success",
        "code": 200,
        "message": "Success",
        "error": false
    }
}
{
    "status": {
        "type": "bad request",
        "code": 400,
        "message": "User does not exist",
        "error": true
    }
}
{
    "status": {
        "type": "bad request",
        "code": 400,
        "message": "State token is invalid or expired",
        "error": true
    }
}

{
    "status": {
        "type": "Unauthorized",
        "code": 401,
        "message": "Authentication pending on OL Protect",
        "error": true
    }
}
{
    "status": {
        "error": true,
        "code": 401,
        "type": "Unauthorized",
        "message": "Insufficient Permission"
    }
}
{
    "status": {
        "type": "Unauthorized",
        "code": 401,
        "message": "Failed authentication with this factor",
        "error": true
    }
}

Postman Collection

Replace sample variables indicated by {{ }} with your actual values.

Download for the MFA API

Sample Code

cURL

Replace sample values indicated by < > with your actual values.

curl 'https://<subdomain>/api/1/users/<user_id>/otp_devices/<device_id>/verify' \
-X POST \
-H "Authorization: bearer: <access_token>" \
-H "Content-Type: application/json" \
-d '{
    "state_token":"<state_token>",
    "otp_token":"<otp_token>"
}'

Have a Question?

Have a how-to question? Seeing a weird error? Ask us about it on StackOverflow.

Found a bug? Submit a support ticket.

Have a product idea or request? Share it with us in our Ideas Portal.