
# Multi-Factor Authentication

> Set up and manage MFA for enhanced security

## Setup MFA

Initialize MFA setup for the authenticated user.

### Request

```bash theme={null}
curl -X POST https://fucksornot.com/api/auth/mfa/setup \
  -H "Cookie: auth-token=YOUR_JWT_TOKEN"
```

### Response

```json theme={null}
{
  "qrCode": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUg...",
  "secret": "JBSWY3DPEHPK3PXP",
  "otpauthUrl": "otpauth://totp/FoN:user@example.com?secret=JBSWY3DPEHPK3PXP&issuer=FoN",
  "backupCodes": [
    "A1B2-C3D4-E5F6-A7B8",
    "B2C3-D4E5-F6A7-B8C9",
    "C3D4-E5F6-A7B8-C9D0",
    "D4E5-F6A7-B8C9-D0E1",
    "E5F6-A7B8-C9D0-E1F2",
    "F6A7-B8C9-D0E1-F2A3",
    "A7B8-C9D0-E1F2-A3B4",
    "B8C9-D0E1-F2A3-B4C5",
    "C9D0-E1F2-A3B4-C5D6",
    "D0E1-F2A3-B4C5-D6E7"
  ]
}
```

### Fields

| Field         | Description                                                                                      |
| ------------- | ------------------------------------------------------------------------------------------------ |
| `qrCode`      | Base64-encoded PNG data URI of the QR code, to scan with an authenticator app                    |
| `secret`      | Base32-encoded TOTP secret for manual entry if QR scanning fails                                 |
| `otpauthUrl`  | The `otpauth://` URI used by authenticator apps to configure TOTP automatically                  |
| `backupCodes` | One-time use codes for account recovery (10 codes, formatted as `XXXX-XXXX-XXXX-XXXX`)           |

<Warning>
  Save your backup codes securely. They cannot be retrieved later and are needed if you lose access to your authenticator app.
</Warning>

***

## Verify MFA Setup

Complete MFA setup by verifying a TOTP code from your authenticator app.

### Request

```bash theme={null}
curl -X POST https://fucksornot.com/api/auth/mfa/verify \
  -H "Cookie: auth-token=YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"mfaCode": "123456"}'
```

### Response

```json theme={null}
{
  "success": true
}
```

After verification, MFA is enabled on your account and required for login.
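The `secret` and `otpauthUrl` returned by the setup call are standard RFC 6238 TOTP parameters, so any client can derive the six-digit `mfaCode` that the verify endpoint expects. The following is an added example (not code from this API or its client libraries) showing how to parse the `otpauth://` URI, compute a code from the Base32 secret, and verify a submitted code against a small clock-drift window using a constant-time comparison. The parameter defaults (SHA-1, 6 digits, 30-second period) and the `RFC6238_SECRET_B32` test vector come from RFC 6238; everything else is assumed.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# RFC 6238 reference secret ("12345678901234567890" in Base32), used only for self-checks.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# The otpauth URI from the setup response above (page example, not a live secret).
PAGE_OTPAUTH_URL = "otpauth://totp/FoN:user@example.com?secret=JBSWY3DPEHPK3PXP&issuer=FoN"


def parse_otpauth(url: str) -> dict:
    """Extract issuer, account and TOTP parameters from an otpauth://totp/ URI."""
    parts = urlparse(url)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    label = unquote(parts.path.lstrip("/"))
    issuer_from_label, _, account = label.rpartition(":")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "issuer": query.get("issuer", issuer_from_label),
        "account": account,
        "secret": query["secret"],
        "algorithm": query.get("algorithm", "SHA1").lower(),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
    }


def totp_code(secret_b32: str, unix_time: int, digits: int = 6,
              period: int = 30, algorithm: str = "sha1") -> str:
    """RFC 6238: HMAC over the time-step counter, dynamically truncated to `digits` digits."""
    # Base32 secrets are usually shown without '=' padding; restore it before decoding.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // period)
    digest = hmac.new(key, counter, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, unix_time=None, window: int = 1, **params) -> bool:
    """Accept the code for the current step and `window` steps either side (clock drift).

    Every candidate is compared with hmac.compare_digest and no early exit is taken,
    so timing does not reveal which step, or how many digits, matched.
    """
    now = int(time.time()) if unix_time is None else unix_time
    period = params.get("period", 30)
    submitted = submitted.strip().replace(" ", "")
    ok = False
    for step in range(-window, window + 1):
        expected = totp_code(secret_b32, now + step * period, **params)
        ok |= hmac.compare_digest(expected, submitted)
    return ok


if __name__ == "__main__":
    cfg = parse_otpauth(PAGE_OTPAUTH_URL)
    code = totp_code(cfg["secret"], int(time.time()), cfg["digits"], cfg["period"], cfg["algorithm"])
    print(f"current code for {cfg['issuer']}:{cfg['account']} -> {code}")
```

A server should also remember the last accepted time step per user and reject a second code for that step, so a TOTP code observed in transit cannot be replayed inside the drift window.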

***

## Disable MFA

Disable MFA on your account. Requires your current password and a valid MFA code.

### Request

```bash theme={null}
curl -X POST https://fucksornot.com/api/auth/mfa/disable \
  -H "Cookie: auth-token=YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "password": "current_password",
    "mfaCode": "123456"
  }'
```

### Response

```json theme={null}
{
  "success": true
}
```

### Errors

| Status | Message                               | Cause                                                  |
| ------ | ------------------------------------- | ------------------------------------------------------ |
| `400`  | `Password is required to disable MFA` | The `password` field was omitted from the request body |

***

## Using MFA with Login

When MFA is enabled, include the code in your login request:

```json theme={null}
{
  "action": "login",
  "email": "user@example.com",
  "password": "password",
  "mfaCode": "123456"
}
```

If you don't include the code, you'll receive:

```json theme={null}
{
  "mfaRequired": true
}
```

## Backup Codes

Backup codes can be used in place of TOTP codes. Each code can only be used once.

```json theme={null}
{
  "action": "login",
  "email": "user@example.com",
  "password": "password",
  "mfaCode": "A1B2-C3D4-E5F6-A7B8"
}
```
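The two properties stated above for backup codes, that they "cannot be retrieved later" and that each "can only be used once", follow from storing only a salted hash of each code and deleting the hash on first successful use. The following added example (not this service's implementation; the in-memory store, the PBKDF2 parameters and the hex code format are assumptions chosen to match the `XXXX-XXXX-XXXX-XXXX` layout) shows a server-side store that issues ten codes, returns the plaintext exactly once, and redeems a code with a normalized, constant-time lookup.

```python
import hashlib
import hmac
import secrets


def format_code(raw16: str) -> str:
    """Group 16 hex characters as XXXX-XXXX-XXXX-XXXX, the layout shown in the setup response."""
    return "-".join(raw16[i:i + 4] for i in range(0, 16, 4))


def normalize_code(submitted: str) -> str:
    """Accept codes typed with or without dashes/spaces and in either case."""
    return submitted.strip().upper().replace("-", "").replace(" ", "")


class BackupCodeStore:
    """In-memory stand-in for a database table of unused backup-code hashes (assumption)."""

    def __init__(self, iterations: int = 50_000):
        self.iterations = iterations
        self._salts = {}   # user_id -> per-user salt
        self._hashes = {}  # user_id -> list of hashes of codes not yet redeemed
        # Used for lookups of unknown users so their timing matches a real lookup.
        self._dummy_salt = secrets.token_bytes(16)

    def _hash(self, code: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", normalize_code(code).encode(), salt, self.iterations)

    def issue(self, user_id: str, count: int = 10) -> list:
        """Generate fresh codes, keep only their hashes, and return the plaintext once."""
        salt = secrets.token_bytes(16)
        codes = [format_code(secrets.token_hex(8).upper()) for _ in range(count)]
        self._salts[user_id] = salt
        self._hashes[user_id] = [self._hash(c, salt) for c in codes]
        return codes

    def redeem(self, user_id: str, submitted: str) -> bool:
        """Consume one code; returns True the first time a valid code is presented, False after."""
        salt = self._salts.get(user_id, self._dummy_salt)
        candidate = self._hash(submitted, salt)
        matched = None
        # Compare against every stored hash without breaking early, so the number of
        # remaining codes and the position of the match do not leak through timing.
        for index, stored in enumerate(self._hashes.get(user_id, [])):
            if hmac.compare_digest(stored, candidate):
                matched = index
        if matched is None:
            return False
        del self._hashes[user_id][matched]  # one-time use: the hash is gone after success
        return True

    def remaining(self, user_id: str) -> int:
        return len(self._hashes.get(user_id, []))


if __name__ == "__main__":
    store = BackupCodeStore()
    issued = store.issue("user@example.com")
    print("show these to the user once:", issued)
    print("first use:", store.redeem("user@example.com", issued[0]))
    print("second use of the same code:", store.redeem("user@example.com", issued[0]))
```

Because only hashes are kept, a database leak does not expose usable recovery codes, and the plaintext genuinely cannot be shown again, which is why the setup response is the only place the user ever sees them. A real deployment would also rate-limit `redeem`, log each redemption as a security event, and prompt the user to regenerate the set once few codes remain.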
