# Verify OTP

`POST /web/v1/system/security/mfa/otp/verify` (authentication: JWT)

Verifies the OTP setup by validating a 6-digit code from the user's authenticator app. On success, the OTP method is automatically enabled as an MFA method and the endpoint returns 204 No Content.
## Required Headers

| Header | Example Value | Description |
|---|---|---|
| Content-Type | application/json | Request content type |
| Accept | application/json | Expected response type |
| X-Client-Hash | | Client device fingerprint |
| Accept-Language | en, zh, zh-Hant, ja, vi | Response language (default: en) |
| Authorization | Bearer &lt;token&gt; | JWT access token |
## Request Parameters

| Name | Type | Required | In | Description |
|---|---|---|---|---|
| request | OtpVerifyRequest | Required | body | Raw request body (encrypted via SecureChannel, auto-decrypted by the server) |
| code | String | Required | body | 6-digit OTP code from the authenticator app (regex: `^\d{6}$`) |
## Request Example

```json
{
  "code": "123456"
}
```

## Success Response

204 No Content
## Error Responses

### 400 Bad Request (invalid OTP code)

```json
{
  "success": false,
  "code": "AUTH.MFA_CODE_INVALID",
  "message": "The OTP code is invalid or expired"
}
```

### 400 Bad Request (no pending setup)

```json
{
  "success": false,
  "code": "AUTH.OTP_SETUP_SESSION_INVALID",
  "message": "OTP setup session not found or expired"
}
```

### 401 Unauthorized

```json
{
  "success": false,
  "code": "4010",
  "message": "Invalid or expired token"
}
```

## Notes
- Returns HTTP 204 No Content on success.
- A pending OTP setup session must exist (created by Setup OTP). The setup session has a limited TTL.
- On successful verification, the OTP MFA method is automatically configured and enabled.
- If this is the first MFA method, account-level MFA is automatically enabled.
- Rate limited to 5 requests per 300-second window.
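The checks this endpoint documents (code format, pending setup session with TTL, TOTP comparison, per-user rate limit, automatic enablement) as a server-side reference, written as an added example and not the service's own code. The 300-second setup TTL, the one-step clock-skew tolerance and the 429 rate-limit body are assumptions, since the page does not specify them.

```python
import hashlib, hmac, re, struct

CODE_RE = re.compile(r"^\d{6}$", re.ASCII)  # documented regex; ASCII so only 0-9 match
SETUP_TTL = 300                              # assumed: page only says the TTL is "limited"
RATE_LIMIT, RATE_WINDOW = 5, 300             # documented: 5 requests per 300-second window
CODE_INVALID = {"success": False, "code": "AUTH.MFA_CODE_INVALID",
                "message": "The OTP code is invalid or expired"}
SESSION_INVALID = {"success": False, "code": "AUTH.OTP_SETUP_SESSION_INVALID",
                   "message": "OTP setup session not found or expired"}

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits), the scheme authenticator apps generate."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{val % 10**6:06d}"

class OtpVerifier:
    def __init__(self):
        self.pending = {}         # user -> (secret, created_at), written by Setup OTP
        self.mfa = {}             # user -> set of enabled MFA methods
        self.account_mfa = set()  # users with account-level MFA switched on
        self.attempts = {}        # user -> timestamps of recent verify calls

    def start_setup(self, user: str, secret: bytes, now: int) -> None:
        self.pending[user] = (secret, now)

    def verify(self, user: str, body: dict, now: int):
        """Return (status, json_body) mirroring the documented responses."""
        recent = [t for t in self.attempts.get(user, []) if now - t < RATE_WINDOW]
        if len(recent) >= RATE_LIMIT:        # 429 body is assumed; page documents no rate-limit response
            return 429, {"success": False, "code": "RATE_LIMITED", "message": "Too many requests"}
        self.attempts[user] = recent + [now]  # failed and successful calls both count
        code = body.get("code")
        if not isinstance(code, str) or not CODE_RE.fullmatch(code):
            return 400, dict(CODE_INVALID)
        session = self.pending.get(user)
        if session is None or now - session[1] > SETUP_TTL:
            self.pending.pop(user, None)     # drop an expired session
            return 400, dict(SESSION_INVALID)
        secret, _ = session
        # Constant-time comparison against the current step and its neighbours (clock skew).
        if not any(hmac.compare_digest(code, totp(secret, now + d)) for d in (-30, 0, 30)):
            return 400, dict(CODE_INVALID)
        del self.pending[user]               # one successful verify consumes the session
        self.mfa.setdefault(user, set()).add("otp")
        self.account_mfa.add(user)           # first method enables account-level MFA
        return 204, None
```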