Generate Backup Codes
POST
/web/v1/system/security/mfa/backup-codes/generate JWTGenerates a new set of 10 backup codes, invalidating any previously generated codes. Backup codes are only returned once in this response and should be stored securely by the user.
Required Headers
| Header | Example Value | Description |
|---|---|---|
| Content-Type | application/json | Request content type |
| Accept | application/json | Expected response type |
| X-Client-Hash | Client device fingerprint | |
| Accept-Language | en, zh, zh-Hant, ja, vi | Response language (default: en) |
| Authorization | Bearer | JWT access token |
| X-SC-Session-Id | Secure channel session ID |
Request Parameters
No request parameters required.
Request Example
No request body required.
Success Response
Success 200
{
"version": "1.3.0",
"timestamp": 1709337600000,
"success": true,
"code": "2000",
"message": "SUCCESS",
"data": {
"codes": [
"a1b2c3d4",
"e5f6g7h8",
"i9j0k1l2",
"m3n4o5p6",
"q7r8s9t0",
"u1v2w3x4",
"y5z6a7b8",
"c9d0e1f2",
"g3h4i5j6",
"k7l8m9n0"
],
"count": 10
}
}| Field | Type | Description |
|---|---|---|
codes | string[] | Array of plaintext backup codes (10 codes) |
count | integer | Number of generated codes (always 10) |
Error Responses
Unauthorized 401
{
"success": false,
"code": "4010",
"message": "Invalid or expired token"
}Notes
- Generates exactly 10 backup codes.
- Previously generated codes are invalidated when new codes are generated.
- Codes are hashed before storage and cannot be retrieved again after this response.
- Users should store these codes securely offline.
- Rate limited to 3 requests per 300-second window.