Auth0 · Schema
OOB
To verify MFA using an OOB challenge, your application must make a request to /oauth/token with grant_type=http://auth0.com/oauth/grant-type/mfa-oob. Include the oob_code you received from the challenge response, as well as the mfa_token you received as part of mfa_required error.
AI AgentsAuthenticationAuthorizationFGAIdentity ManagementMCPOAuthOktaOpenID ConnectSAMLSecuritySCIM
Properties
| Name | Type | Description |
|---|---|---|
| grant_type | string | Denotes the flow you are using. For OTP MFA, use http://auth0.com/oauth/grant-type/mfa-oob. |
| client_id | string | Your application's Client ID. |
| client_assertion | string | A JWT containing a signed assertion with your application credentials. Required when Private Key JWT is your application authentication method. |
| client_assertion_type | string | The value is urn:ietf:params:oauth:client-assertion-type:jwt-bearer. Required when Private Key JWT is the application authentication method. |
| client_secret | string | Your application's Client Secret. Required when the Token Endpoint Authentication Method field at your Application Settings is Post or Basic. |
| mfa_token | string | The mfa_token you received from mfa_required error. |
| oob_code | string | The oob code received from the challenge request. |
| binding_code | string | A code used to bind the side channel (used to deliver the challenge) with the main channel you are using to authenticate. This is usually an OTP-like code delivered as part of the challenge message. |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "#/components/schemas/OOB",
"title": "OOB",
"description": "To verify MFA using an OOB challenge, your application must make a request to /oauth/token with grant_type=http://auth0.com/oauth/grant-type/mfa-oob. Include the oob_code you received from the challenge response, as well as the mfa_token you received as part of mfa_required error.",
"type": "object",
"properties": {
"grant_type": {
"type": "string",
"description": "Denotes the flow you are using. For OTP MFA, use http://auth0.com/oauth/grant-type/mfa-oob."
},
"client_id": {
"type": "string",
"description": "Your application's Client ID."
},
"client_assertion": {
"type": "string",
"description": "A JWT containing a signed assertion with your application credentials. Required when Private Key JWT is your application authentication method."
},
"client_assertion_type": {
"type": "string",
"description": "The value is urn:ietf:params:oauth:client-assertion-type:jwt-bearer. Required when Private Key JWT is the application authentication method."
},
"client_secret": {
"type": "string",
"description": "Your application's Client Secret. Required when the Token Endpoint Authentication Method field at your Application Settings is Post or Basic."
},
"mfa_token": {
"type": "string",
"description": "The mfa_token you received from mfa_required error."
},
"oob_code": {
"type": "string",
"description": "The oob code received from the challenge request."
},
"binding_code": {
"type": "string",
"description": "A code used to bind the side channel (used to deliver the challenge) with the main channel you are using to authenticate. This is usually an OTP-like code delivered as part of the challenge message."
}
}
}