
# Verify MFA Challenge

> Use this endpoint to complete the MFA verification step during login. After receiving an `mfaToken` from the access token endpoint, submit the verification code along with the token to receive your access credentials.

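You must provide either a `passcode` (from your authenticator app, email, or SMS) or a `recoveryCode` — not both. `mfaToken` and `mfaType` are required in either case. Verification attempts are limited: once the maximum is reached, the endpoint returns `429` (`AUT-0018`) and the login process must be restarted.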




## OpenAPI

````yaml /en/openapi/v3-current/AM-auth.yaml post /v1/login/mfa/verify
# OpenAPI description for the Auth Plugin. The only path documented here is
# POST /v1/login/mfa/verify.
openapi: 3.1.0
info:
  title: Auth Plugin
  description: ''
  version: 2.6.4
servers:
  # Sandbox host: the only server listed in this document.
  - url: https://auth.sandbox.lerian.net
# Empty list: no security requirement is applied by default at document level.
security: []
tags:
  - name: Authentication API
  - name: MFA API
  - name: User Information API
  - name: Authorization API
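# Second step of an MFA login: the client sends the `mfaToken` it received
# from the access token endpoint together with one verification factor.
paths:
  /v1/login/mfa/verify:
    post:
      tags:
        - MFA API
      summary: Verify MFA Challenge
      description: >
        Use this endpoint to complete the MFA verification step during login.
        After receiving an `mfaToken` from the access token endpoint, submit the
        verification code along with the token to receive your access
        credentials.


        You must provide either a `passcode` (from your authenticator app,
        email, or SMS) or a `recoveryCode` — not both.
      parameters: []
      requestBody:
        # The schema has required fields, so the body itself is mandatory.
        # OpenAPI treats a request body as optional unless this flag is set,
        # which would let generated clients and validators omit it.
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/MFAVerifyInput'
            # Illustrative values only: the token is truncated and the codes
            # are samples.
            examples:
              TOTPVerification:
                summary: TOTP App Verification
                description: Verify using a 6-digit code from an authenticator app
                value:
                  mfaToken: eyJhbGciOiJIUzI1NiJ9...
                  passcode: '123456'
                  mfaType: app
                  rememberDevice: false
              # `mfaType` is still sent when a recovery code replaces the
              # passcode, because the schema lists it as required.
              RecoveryCodeVerification:
                summary: Recovery Code Verification
                description: >-
                  Verify using a recovery code when the primary method is
                  unavailable
                value:
                  mfaToken: eyJhbGciOiJIUzI1NiJ9...
                  recoveryCode: ABCD-1234-EFGH
                  mfaType: app
                  rememberDevice: false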
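      # Every error status returns the shared ErrorMessage envelope. The
      # descriptions below summarise the error examples attached to each status.
      responses:
        '200':
          description: >-
            MFA verification succeeded. Returns the access credentials for the
            authenticated session.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OAuth2Token'
              # Truncated sample tokens, not usable credentials.
              example:
                accessToken: >-
                  eyJhbGciOiJSUzI1NiIsImtpZCI6ImNlcnQtYnVpbHQtaW4iLCJ0eXAiOiJKV1QifQ...
                idToken: >-
                  eyJhbGciOiJSUzI1NiIsImtpZCI6ImNlcnQtYnVpbHQtaW4iLCJ0eXAiOiJKV1QifQ...
                tokenType: Bearer
                expiresIn: 3600
                refreshToken: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
                scope: openid profile email
          headers: {}
        '400':
          description: >-
            The request is missing required fields, is malformed, or carries
            an invalid MFA code.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorMessage'
              examples:
                Error0001:
                  $ref: '#/components/examples/Error0001'
                Error0009:
                  $ref: '#/components/examples/Error0009'
                Error0016:
                  $ref: '#/components/examples/Error0016'
          headers: {}
        '401':
          description: The MFA token has expired, or is invalid or malformed.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorMessage'
              examples:
                Error0017:
                  $ref: '#/components/examples/Error0017'
                Error0020:
                  $ref: '#/components/examples/Error0020'
          headers: {}
        '429':
          description: >-
            The maximum number of MFA verification attempts has been reached;
            the login process must be restarted.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorMessage'
              examples:
                Error0018:
                  $ref: '#/components/examples/Error0018'
          headers: {}
        '500':
          description: The server encountered an unexpected error.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorMessage'
              examples:
                Error0005:
                  $ref: '#/components/examples/Error0005'
          headers: {}
      # Empty list: no security scheme is required for this operation. The
      # body carries the `mfaToken` issued earlier in the login flow.
      security: []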
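components:
  schemas:
    # Request body of POST /v1/login/mfa/verify.
    MFAVerifyInput:
      description: >-
        Information used to verify an MFA challenge during login. Provide either
        a passcode or a recovery code — not both.
      type: object
      required:
        - mfaToken
        - mfaType
      # Exactly one branch may match: a body with both `passcode` and
      # `recoveryCode` satisfies both branches and fails validation, as does a
      # body with neither.
      oneOf:
        - required:
            - passcode
        - required:
            - recoveryCode
      properties:
        mfaToken:
          type: string
          description: The temporary MFA token received from the access token endpoint.
        passcode:
          type: string
          description: >-
            The 6-digit verification code from your authenticator app, email, or
            SMS.
          minLength: 6
          maxLength: 6
          # Digits only, matching the "6-digit" wording above. The length
          # bounds alone would also admit letters and symbols.
          pattern: '^[0-9]{6}$'
        # No format is constrained for recovery codes in this schema.
        recoveryCode:
          type: string
          description: A recovery code to use when the primary MFA method is unavailable.
        mfaType:
          type: string
          enum:
            - app
            - email
            - sms
          description: The MFA method being verified.
        # NOTE(review): the page does not state how long a device stays
        # remembered or what a remembered device is allowed to skip. Confirm
        # before setting this to `true` on shared machines.
        rememberDevice:
          type: boolean
          description: When set to `true`, the device is remembered for future logins.
          default: false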
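    # Success payload of the MFA verification step. The response example uses
    # `tokenType: Bearer`: possession of these values is enough to use them, so
    # keep them out of logs and URLs.
    OAuth2Token:
      description: >-
        Information used to manage OAuth2 authentication data. It securely
        stores access credentials, ensuring seamless authorization and control
        over protected resources.
      type: object
      # `idToken` and `scope` are not listed here, so a response may omit them.
      required:
        - accessToken
        - tokenType
        - expiresIn
        - refreshToken
      properties:
        accessToken:
          type: string
          description: A temporary token that grants the user secure access to the APIs.
        expiresIn:
          type: integer
          description: The time (in seconds) until the token expires.
        idToken:
          type: string
          description: >-
            The identity details about the authenticated user in OpenID Connect
            standards. It can be used to verify user authentication.
        refreshToken:
          type: string
          description: >-
            A long-lived token that allows users to obtain a new `accessToken`
            without requiring them to log in again.
        scope:
          type: string
          description: The level of access granted to the issued tokens.
        tokenType:
          type: string
          description: The type of token issued.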
    # Error envelope used by the 400, 401, 429 and 500 responses of this
    # operation. None of the three properties is marked as required.
    ErrorMessage:
      description: The response message error.
      type: object
      properties:
        # The examples on this page use codes of the form `AUT-NNNN`.
        code:
          type: string
          description: A unique, stable identifier for the error.
        title:
          type: string
          description: A brief summary of the issue.
        message:
          type: string
          description: Detailed guidance for resolving the error.
  # Error payloads referenced by the responses of POST /v1/login/mfa/verify:
  #   400 -> AUT-0001, AUT-0009, AUT-0016
  #   401 -> AUT-0017, AUT-0020
  #   429 -> AUT-0018
  #   500 -> AUT-0005
  # Per the messages below, AUT-0016 allows another attempt with a new code,
  # while AUT-0017 and AUT-0018 both require restarting the login process.
  examples:
    Error0001:
      summary: Missing Fields in Request
      value:
        code: AUT-0001
        title: Missing Fields in Request
        message: >-
          Your request is missing one or more required fields. Please refer to
          the documentation to ensure all necessary fields are included in your
          request.
    Error0009:
      summary: Bad Request
      value:
        code: AUT-0009
        title: Bad Request
        message: >-
          The server could not understand the request due to malformed syntax.
          Please check the listed fields and try again.
    Error0016:
      summary: Invalid MFA Code
      value:
        code: AUT-0016
        title: Invalid MFA Code
        message: The provided MFA code is invalid. Please check the code and try again.
    Error0017:
      summary: MFA Token Expired
      value:
        code: AUT-0017
        title: MFA Token Expired
        message: >-
          The MFA token has expired. Please restart the login process to receive
          a new token.
    Error0020:
      summary: Invalid MFA Token
      value:
        code: AUT-0020
        title: Invalid MFA Token
        message: >-
          The provided MFA token is invalid or malformed. Please use the token
          received from the access token endpoint.
    Error0018:
      summary: MFA Max Attempts Reached
      value:
        code: AUT-0018
        title: MFA Max Attempts Reached
        message: >-
          The maximum number of MFA verification attempts has been reached.
          Please restart the login process.
    Error0005:
      summary: Internal Server Error
      value:
        code: AUT-0005
        title: Internal Server Error
        message: >-
          The server encountered an unexpected error. Please try again later or
          contact support.

````