Setup MFA

Initialize MFA setup for the authenticated user.

Request

curl -X POST https://fucksornot.com/api/auth/mfa/setup \
  -H "Cookie: auth-token=YOUR_JWT_TOKEN"

Response

{
  "qrCode": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUg...",
  "secret": "JBSWY3DPEHPK3PXP",
  "otpauthUrl": "otpauth://totp/FoN:user@example.com?secret=JBSWY3DPEHPK3PXP&issuer=FoN",
  "backupCodes": [
    "A1B2-C3D4-E5F6-A7B8",
    "B2C3-D4E5-F6A7-B8C9",
    "C3D4-E5F6-A7B8-C9D0",
    "D4E5-F6A7-B8C9-D0E1",
    "E5F6-A7B8-C9D0-E1F2",
    "F6A7-B8C9-D0E1-F2A3",
    "A7B8-C9D0-E1F2-A3B4",
    "B8C9-D0E1-F2A3-B4C5",
    "C9D0-E1F2-A3B4-C5D6",
    "D0E1-F2A3-B4C5-D6E7"
  ]
}

Fields

| Field | Description |
| --- | --- |
| qrCode | Base64-encoded QR code image to scan with an authenticator app |
| secret | TOTP secret for manual entry if QR scanning fails |
| otpauthUrl | The otpauth:// URI used by authenticator apps to configure TOTP automatically |
| backupCodes | One-time-use codes for account recovery (10 codes, formatted as XXXX-XXXX-XXXX-XXXX) |

Save your backup codes securely. They cannot be retrieved later and are needed if you lose access to your authenticator app.

Verify MFA Setup

Complete MFA setup by verifying a TOTP code from your authenticator app.

Request

curl -X POST https://fucksornot.com/api/auth/mfa/verify \
  -H "Cookie: auth-token=YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"mfaCode": "123456"}'

Response

{
  "success": true
}
After verification, MFA is enabled on your account and required for login.

Disable MFA

Disable MFA on your account. Requires your current password and a valid MFA code.

Request

curl -X POST https://fucksornot.com/api/auth/mfa/disable \
  -H "Cookie: auth-token=YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "password": "current_password",
    "mfaCode": "123456"
  }'

Response

{
  "success": true
}

Errors

| Status | Message | Cause |
| --- | --- | --- |
| 400 | Password is required to disable MFA | The password field was omitted from the request body |

Using MFA with Login

When MFA is enabled, include the code in your login request:
{
  "action": "login",
  "email": "user@example.com",
  "password": "password",
  "mfaCode": "123456"
}
If you don’t include the code, you’ll receive:
{
  "mfaRequired": true
}

Backup Codes

Backup codes can be used in place of TOTP codes. Each code can only be used once.
{
  "action": "login",
  "email": "user@example.com",
  "password": "password",
  "mfaCode": "A1B2-C3D4-E5F6-A7B8"
}
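As an added example (not part of this documentation or the service's own code), the following Python shows what an authenticator client does with the setup response above: it parses the otpauthUrl, computes the RFC 6238 TOTP value from the base32 secret, and builds the mfaCode field for the verify or login request, telling a 6-digit TOTP apart from a backup code. The hex-digit backup-code pattern and the 6-digit/30-second defaults are assumptions based on the examples on this page.

```python
import base64
import hashlib
import hmac
import re
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Assumed from the examples above: backup codes are four hex groups.
BACKUP_CODE_RE = re.compile(r"^[A-F0-9]{4}(-[A-F0-9]{4}){3}$")
TOTP_RE = re.compile(r"^\d{6}$")


def parse_otpauth(uri: str) -> dict:
    """Extract label, secret, issuer, digits and period from an
    otpauth://totp/... URI such as the otpauthUrl setup field."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "label": parts.path.lstrip("/"),
        "secret": params["secret"],
        "issuer": params.get("issuer", ""),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def totp(secret_b32: str, at: Optional[int] = None,
         digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the value an authenticator app shows
    and the value mfaCode must carry during the 30-second window."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(time.time() if at is None else at) // period
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def mfa_code_kind(code: str) -> Optional[str]:
    """Classify an mfaCode value as 'totp', 'backup' or None (malformed),
    so a client can reject junk before sending it to the API."""
    if TOTP_RE.match(code):
        return "totp"
    if BACKUP_CODE_RE.match(code):
        return "backup"
    return None
```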