MFA Reference

Multi-Factor Authentication (TOTP) configuration.

Overview

MFA is automatically enabled when Supabase and JWT are configured. Uses RFC 6238 TOTP standard.

Endpoints

Method	Endpoint	Description
POST	`/mfa/setup`	Generate TOTP secret & QR
POST	`/mfa/verify`	Verify TOTP code
POST	`/mfa/enable`	Enable MFA for user
POST	`/mfa/disable`	Disable MFA for user
GET	`/mfa/status`	Get MFA status
GET	`/mfa/backup-codes`	Generate backup codes
POST	`/mfa/backup-codes/verify`	Verify backup code

Setup Flow

1. Initialize Setup

bash

POST /mfa/setup
Authorization: Bearer <token>

Response:

json

{
  "secret": "JBSWY3DPEHPK3PXP",
  "qrCode": "data:image/png;base64,...",
  "manualEntry": "JBSWY3DPEHPK3PXP"
}

2. Verify Code

bash

POST /mfa/verify
Authorization: Bearer <token>
Content-Type: application/json

{
  "code": "123456"
}

Response:

json

{
  "valid": true
}

3. Enable MFA

bash

POST /mfa/enable
Authorization: Bearer <token>
Content-Type: application/json

{
  "code": "123456"
}

Response:

json

{
  "enabled": true,
  "backupCodes": [
    "abc123def456",
    "ghi789jkl012",
    ...
  ]
}

Backup Codes

Generate New Codes

bash

GET /mfa/backup-codes
Authorization: Bearer <token>

Returns 10 single-use recovery codes.

Use Backup Code

bash

POST /mfa/backup-codes/verify
Authorization: Bearer <token>
Content-Type: application/json

{
  "code": "abc123def456"
}

MFA Status

bash

GET /mfa/status
Authorization: Bearer <token>

Response:

json

{
  "enabled": true,
  "backupCodesRemaining": 8
}

Disable MFA

bash

POST /mfa/disable
Authorization: Bearer <token>
Content-Type: application/json

{
  "code": "123456"
}

Database Schema

sql

CREATE TABLE user_mfa (
  user_id TEXT PRIMARY KEY,
  secret TEXT NOT NULL,
  enabled BOOLEAN DEFAULT FALSE,
  backup_codes TEXT[],
  created_at TIMESTAMP DEFAULT NOW(),
  updated_at TIMESTAMP DEFAULT NOW()
);

Auth with MFA

User logs in with credentials
Server returns partial token or MFA required flag
Client prompts for TOTP code
Submit code to /auth/mfa/verify
Server returns full JWT

Auth Endpoints

Method	Endpoint	Description
POST	`/auth/login`	Initial login
POST	`/auth/mfa/verify`	Complete MFA login

Security

Secrets stored encrypted
Backup codes hashed with SHA-256
Codes valid for 30-second windows
Rate limited to prevent brute force
Audit logging for all MFA events

MFA Reference ​

Overview ​

Endpoints ​

Setup Flow ​

1. Initialize Setup ​

2. Verify Code ​

3. Enable MFA ​

Backup Codes ​

Generate New Codes ​

Use Backup Code ​

MFA Status ​

Disable MFA ​

Database Schema ​

Auth with MFA ​

Login Flow ​

Auth Endpoints ​

Security ​

MFA Reference

Overview

Endpoints

Setup Flow

1. Initialize Setup

2. Verify Code

3. Enable MFA

Backup Codes

Generate New Codes

Use Backup Code

MFA Status

Disable MFA

Database Schema

Auth with MFA

Login Flow

Auth Endpoints

Security