List MFA Methods
GET
/web/v1/system/security/mfa JWTLists all MFA methods for the authenticated user, including their enabled status and whether each is set as the primary method. A virtual EMAIL method is always included even if not explicitly configured.
Required Headers
| Header | Example Value | Description |
|---|---|---|
| Content-Type | application/json | Request content type |
| Accept | application/json | Expected response type |
| X-Client-Hash | Client device fingerprint | |
| Accept-Language | en, zh, zh-Hant, ja, vi | Response language (default: en) |
| Authorization | Bearer | JWT access token |
Request Parameters
No request parameters required.
Request Example
No request body required.
Success Response
Success 200
{
"version": "1.3.0",
"timestamp": 1709337600000,
"success": true,
"code": "2000",
"message": "SUCCESS",
"data": [
{
"mfaMethod": {
"code": "EMAIL",
"value": 10011001,
"label": "Email"
},
"isEnabled": true,
"isPrimary": true,
"verifiedAt": null
},
{
"mfaMethod": {
"code": "OTP",
"value": 10011002,
"label": "OTP"
},
"isEnabled": true,
"isPrimary": false,
"verifiedAt": "2026-03-23T10:30:00Z"
}
]
}| Field | Type | Description |
|---|---|---|
mfaMethod | object | MFA method enum — contains code (e.g. "EMAIL", "OTP"), value (integer code), and label |
isEnabled | boolean | Whether this MFA method is currently enabled |
isPrimary | boolean | Whether this is the primary MFA method |
verifiedAt | string (ISO 8601) or null | Timestamp when the method was verified/configured |
Error Responses
Unauthorized 401
{
"success": false,
"code": "4010",
"message": "Invalid or expired token"
}Notes
- EMAIL method is always included at position 0, even if not explicitly configured in the database.
- After OTP setup and verification, the OTP method appears with
isEnabled: true. - Available MFA method codes:
EMAIL(10011001),OTP(10011002),BACKUP_CODE(10011005).