See api-docs Menu

Generate MFA Token

Use to generate a temporary MFA token that can be used in place of other MFA tokens for a set time period. For example, use this token for account recovery when an MFA device has been lost.

Resource URL


Header Parameters




Set to bearer:<access_token>.

Set <access_token> to the access token generated with the Generate Token API.

Generate an access token with the API credential pair created using the scope required to call this API. Call this API with any one of the following scopes: Manage users or Manage All.




Set to application/json.

Resource Parameters




Set to the id of the user to generate a token.

If you don’t know the user’s id, the List Users API returns all users and their id values.

Request Parameter



Set the duration of the token in seconds.

Token expiration defaults to 259200 seconds = 72 hours. 72 hours is the max value.



Defines if the token is reusable multiple times within the expiry window.

Value defaults to false. If set to true, token can be used multiple times, until it expires.

Sample Request Body

For the sample request, token expires in 300 seconds. The token can be used multiple times within the 300 seconds.

   "expires_in": "300",
   "reusable": true

Sample Response

    "mfa_token": "25992782",
    "expires_at": "2021-07-27T23:25:50Z",
    "reusable": false,
    "device_id": "user_temp_otp_36216766"

Typically, this error indicates your access token value is invalid.

    "statusCode": 401,
    "name": "InvalidCredentials",
    "message": "Please provide valid credentials"

The structure of the request payload is correct but it contains an invalid value.

    "statusCode": 422,
    "name": "ValidationError",
    "message": "Validations failed",
    "details": {
        "parameters": []

Response Elements


Token can function as a temporary MFA token. It can be used to authenticate for any app when valid.

reusable true indcates the token can be used multiple times, until it expires. false indicates the token is invalid after a single use or once it expires. Defaults to false.
expires_at Defines the expiration time and date for the token. Format is UTC time.
device_id A unique identifier for the temp otp device that has been created for this token.

Postman Collection

Run In Postman

    Clicking Run in Postman button navigates to the page where you can fork the collection to your workspace. Forking the collection into your workspace will enable you to contribute to the source collection using pull requests. You can also view the collection in a public workspace if you like and even import a copy of the collection using the links present on the screen.

Sample Code


Replace sample values indicated by < > with your actual values.

curl 'https://<subdomain>/api/2/mfa/users/:user_id/mfa_token' \
-H "Authorization: bearer:<access_token>" \
-H "Content-Type: application/json" \
-d '{

Have a Question?

Found a problem or a bug? Submit a support ticket.

Looking for walkthroughs or how-to guides on OneLogin's user and admin features? Check out the documentation in our Knowledge Base.

Have a product idea or request? Share it with us in our Ideas Portal.