Setup MFA
Initialize MFA setup for the authenticated user.
Request
```bash
curl -X POST https://fucksornot.com/api/auth/mfa/setup \
  -H "Cookie: auth-token=YOUR_JWT_TOKEN"
```
Response
```json
{
  "qrCode": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUg...",
  "secret": "JBSWY3DPEHPK3PXP",
  "otpauthUrl": "otpauth://totp/FoN:user@example.com?secret=JBSWY3DPEHPK3PXP&issuer=FoN",
  "backupCodes": [
    "A1B2-C3D4-E5F6-A7B8",
    "B2C3-D4E5-F6A7-B8C9",
    "C3D4-E5F6-A7B8-C9D0",
    "D4E5-F6A7-B8C9-D0E1",
    "E5F6-A7B8-C9D0-E1F2",
    "F6A7-B8C9-D0E1-F2A3",
    "A7B8-C9D0-E1F2-A3B4",
    "B8C9-D0E1-F2A3-B4C5",
    "C9D0-E1F2-A3B4-C5D6",
    "D0E1-F2A3-B4C5-D6E7"
  ]
}
```
Fields
| Field | Description |
|---|---|
| qrCode | Base64-encoded QR code image to scan with an authenticator app |
| secret | TOTP secret for manual entry if QR scanning fails |
| otpauthUrl | The otpauth:// URI used by authenticator apps to configure TOTP automatically |
| backupCodes | One-time-use codes for account recovery (10 codes, formatted as XXXX-XXXX-XXXX-XXXX) |
Save your backup codes securely. They cannot be retrieved later and are needed if you lose access to your authenticator app.
Verify MFA Setup
Complete MFA setup by verifying a TOTP code from your authenticator app.
Request
```bash
curl -X POST https://fucksornot.com/api/auth/mfa/verify \
  -H "Cookie: auth-token=YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"mfaCode": "123456"}'
```
Response
After verification, MFA is enabled on your account and required for login.
Disable MFA
Disable MFA on your account. Requires your current password and a valid MFA code.
Request
```bash
curl -X POST https://fucksornot.com/api/auth/mfa/disable \
  -H "Cookie: auth-token=YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "password": "current_password",
    "mfaCode": "123456"
  }'
```
Response
Errors
| Status | Message | Cause |
|---|---|---|
| 400 | Password is required to disable MFA | The password field was omitted from the request body |
Using MFA with Login
When MFA is enabled, include the code in your login request:
```json
{
  "action": "login",
  "email": "user@example.com",
  "password": "password",
  "mfaCode": "123456"
}
```
If you don’t include the code, you’ll receive:
Backup Codes
Backup codes can be used in place of TOTP codes. Each code can only be used once.
```json
{
  "action": "login",
  "email": "user@example.com",
  "password": "password",
  "mfaCode": "A1B2-C3D4-E5F6-A7B8"
}
```
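The two login cases above (a 6-digit TOTP code or a one-time backup code in the same `mfaCode` field) are what the server has to tell apart when it checks the request. The following is an added example, not the site's own code: it implements RFC 6238 TOTP over the page's sample secret, rejects reuse of a code within the same time step, and consumes backup codes exactly once (stored hashed). The `MfaAccount` class, the `STEP`/`window` values and the hashing of backup codes are assumptions about how such a check is built, not a description of the site's implementation.

```python
import base64
import hashlib
import hmac
import struct

# Constructed example values: the page's sample secret and two of its sample backup codes.
SECRET_B32 = "JBSWY3DPEHPK3PXP"
BACKUP_CODES = ["A1B2-C3D4-E5F6-A7B8", "B2C3-D4E5-F6A7-B8C9"]
STEP = 30  # seconds per TOTP time step (RFC 6238 default, what authenticator apps assume)


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_backup_code(code: str) -> str:
    """Backup codes are stored hashed (normalized first), so a database leak yields no usable codes."""
    return hashlib.sha256(code.replace("-", "").upper().encode()).hexdigest()


class MfaAccount:
    """Assumed server-side state for one user: TOTP secret, unused backup-code hashes, replay guard."""

    def __init__(self, secret_b32: str, backup_codes: list[str]) -> None:
        self.secret = secret_b32
        self.unused_backup = {hash_backup_code(c) for c in backup_codes}
        self.last_counter = -1  # highest time step already accepted; blocks TOTP replay

    def check(self, mfa_code: str, unix_time: int, window: int = 1) -> bool:
        """Accept a 6-digit TOTP within +/- `window` steps (each step once) or an unused backup code."""
        mfa_code = mfa_code.strip()
        if len(mfa_code) == 6 and mfa_code.isdigit():
            current = unix_time // STEP
            for step in range(current - window, current + window + 1):
                if step > self.last_counter and hmac.compare_digest(
                        totp(self.secret, step * STEP), mfa_code):
                    self.last_counter = step
                    return True
            return False
        digest = hash_backup_code(mfa_code)
        if digest in self.unused_backup:  # one-time use: remove on first successful use
            self.unused_backup.discard(digest)
            return True
        return False
```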