Auth0 · Schema

OTP

To verify MFA with an OTP, prompt the user for the OTP code, then make a request to the /oauth/token endpoint. The request must include the OTP code, the mfa_token you received (from the mfa_required error), and the grant_type set to http://auth0.com/oauth/grant-type/mfa-otp. The response is the same as the responses for the password or http://auth0.com/oauth/grant-type/password-realm grant types.


Properties

| Name | Type | Description |
| --- | --- | --- |
| grant_type | string | Denotes the flow you are using. For OTP MFA use http://auth0.com/oauth/grant-type/mfa-otp. |
| client_id | string | Your application's Client ID. |
| client_assertion | string | A JWT containing a signed assertion with your application credentials. Required when Private Key JWT is your application authentication method. |
| client_assertion_type | string | The value is urn:ietf:params:oauth:client-assertion-type:jwt-bearer. Required when Private Key JWT is the application authentication method. |
| client_secret | string | Your application's Client Secret. Required when the Token Endpoint Authentication Method field at your Application Settings is Post or Basic. |
| mfa_token | string | The mfa_token you received from mfa_required error. |
| otp | string | OTP Code provided by the user. |
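The following is an added example, not code from Auth0 or from this page: it assembles the fields above into a token request body, applies the conditional client-authentication rules from the table, and produces a redacted copy that is safe to log. The function names, the numeric-OTP check and the form-encoded body are assumptions of the example; the schema itself only types each field as a string.

```python
from urllib.parse import urlencode

MFA_OTP_GRANT = "http://auth0.com/oauth/grant-type/mfa-otp"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# Fields that must never reach application logs or error reports.
SENSITIVE = {"mfa_token", "otp", "client_secret", "client_assertion"}


def build_mfa_otp_fields(client_id, mfa_token, otp,
                         client_secret=None, client_assertion=None):
    """Return the request fields for the MFA OTP grant (hypothetical helper)."""
    if not client_id or not mfa_token:
        raise ValueError("client_id and mfa_token are required")
    if client_secret and client_assertion:
        # One application authentication method per request.
        raise ValueError("send client_secret or client_assertion, not both")
    otp = "".join(otp.split())  # users often type codes with spaces
    # Assumption: OTP codes are ASCII digits; the schema only says "string".
    if not (otp.isascii() and otp.isdigit()):
        raise ValueError("otp must be numeric")
    fields = {"grant_type": MFA_OTP_GRANT, "client_id": client_id,
              "mfa_token": mfa_token, "otp": otp}
    if client_secret:
        fields["client_secret"] = client_secret
    if client_assertion:
        # Private Key JWT: the assertion type always travels with the JWT.
        fields["client_assertion"] = client_assertion
        fields["client_assertion_type"] = JWT_BEARER
    return fields


def encode_body(fields):
    """Form-encode the fields for a POST to /oauth/token (assumed encoding)."""
    return urlencode(fields)


def redact(fields):
    """Copy of the fields with secrets masked, for logging."""
    return {k: ("[redacted]" if k in SENSITIVE else v)
            for k, v in fields.items()}


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = build_mfa_otp_fields("CLIENT_ID_PLACEHOLDER", "MFA_TOKEN_PLACEHOLDER",
                                  "123 456", client_secret="SECRET_PLACEHOLDER")
    print(redact(sample))
```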

JSON Schema

auth0-otp-schema.json
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "#/components/schemas/OTP",
  "title": "OTP",
  "description": "To verify MFA with an OTP, prompt the user to get the OTP code, then make a request to the /oauth/token endpoint. The request must have the OTP code, the mfa_token you received (from the mfa_required error), and the grant_type set to http://auth0.com/oauth/grant-type/mfa-otp. The response is the same as responses for password or http://auth0.com/oauth/grant-type/password-realm grant types.",
  "type": "object",
  "properties": {
    "grant_type": {
      "type": "string",
      "description": "Denotes the flow you are using. For OTP MFA use http://auth0.com/oauth/grant-type/mfa-otp."
    },
    "client_id": {
      "type": "string",
      "description": "Your application's Client ID."
    },
    "client_assertion": {
      "type": "string",
      "description": "A JWT containing a signed assertion with your application credentials. Required when Private Key JWT is your application authentication method."
    },
    "client_assertion_type": {
      "type": "string",
      "description": "The value is urn:ietf:params:oauth:client-assertion-type:jwt-bearer. Required when Private Key JWT is the application authentication method."
    },
    "client_secret": {
      "type": "string",
      "description": "Your application's Client Secret. Required when the Token Endpoint Authentication Method field at your Application Settings is Post or Basic."
    },
    "mfa_token": {
      "type": "string",
      "description": "The mfa_token you received from mfa_required error."
    },
    "otp": {
      "type": "string",
      "description": "OTP Code provided by the user."
    }
  }
}