POST /auth/mfa/verify
Verify MFA
Verify multi-factor authentication. Response format depends on accessTokenType configuration:
- Header mode (default): Returns tokens in response body
- Cookie mode: Sets tokens in HTTP-only cookies and returns success message
Request body
NestAuthVerify2faRequestDto
| Field | Type | Required | Description |
|---|---|---|---|
| method | object | required | MFA method used. Example: totp |
| otp | string | required | One-time password code. Example: 123456 |
| trustDevice | boolean | optional | Whether to trust this device for future logins. Example: true |
Examples
Example
{
  "method": "totp",
  "otp": "123456",
  "trustDevice": true
}
Responses
200 Header mode: Returns message + tokens in body
Verify2faWithTokensResponseDto
| Field | Type | Required | Description |
|---|---|---|---|
| accessToken | string | required | JWT access token (short-lived). Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiIxMjMiLCJpYXQiOjE2OTk5OTk5… |
| refreshToken | string | required | JWT refresh token (long-lived). Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiIxMjMiLCJ0eXBlIjoicmVmcmVz… |
| message | string | optional | Verification success message (added by controller). Example: 2FA verification successful |
| user | object | optional | User information with roles and permissions |
Example response
{
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiIxMjMiLCJpYXQiOjE2OTk5OTk5OTksImV4cCI6MTY5OTk5OTk5OX0.xyz",
  "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiIxMjMiLCJ0eXBlIjoicmVmcmVzaCIsImlhdCI6MTY5OTk5OTk5OX0.abc",
  "message": "2FA verification successful"
}
Try it
curl -X POST 'https://api.example.com/auth/mfa/verify' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
-d '{"method":"totp","otp":"123456","trustDevice":true}'
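One way to check a response from this endpoint against the mode the deployment is meant to run in, as an added example that is not part of the original page or the API's own code: header mode must return both required tokens in the body, and cookie mode must keep tokens out of the body and set only HttpOnly cookies. The function names, the 'header' and 'cookie' mode labels, and the cookie names and token values in the sample are assumptions.

```javascript
// Added example: audit a /auth/mfa/verify response against the expected mode.
// 'header' and 'cookie' are labels used here, not documented config values.

// Parse one raw Set-Cookie header value into a name and its attribute names.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  return {
    name: eq === -1 ? pair : pair.slice(0, eq),
    flags: new Set(attrs.map((a) => a.split('=')[0].trim().toLowerCase())),
  };
}

// expectedMode: 'header' or 'cookie'; body: parsed JSON response body;
// setCookies: raw Set-Cookie header values from the same response.
// Returns a list of findings; an empty list means the response matches.
function checkVerifyResponse(expectedMode, body, setCookies = []) {
  const findings = [];
  const tokenFields = ['accessToken', 'refreshToken'];
  const inBody = tokenFields.filter((f) => typeof body?.[f] === 'string' && body[f] !== '');

  if (expectedMode === 'header') {
    // Both token fields are marked required in the 200 response schema.
    for (const f of tokenFields) {
      if (!inBody.includes(f)) findings.push(`${f} missing from body in header mode`);
    }
    return findings;
  }

  // Cookie mode: a token in the body is readable by page script, which
  // defeats the point of HTTP-only cookies.
  for (const f of inBody) findings.push(`${f} returned in body in cookie mode`);
  const cookies = setCookies.map(parseSetCookie);
  if (cookies.length === 0) findings.push('no cookies set in cookie mode');
  // Assumption: any cookie set by this response may carry a token.
  for (const c of cookies) {
    if (!c.flags.has('httponly')) findings.push(`cookie ${c.name} lacks HttpOnly`);
  }
  return findings;
}

// Constructed sample: cookie mode where the second cookie is missing HttpOnly.
const sampleFindings = checkVerifyResponse('cookie',
  { message: '2FA verification successful' },
  ['access_token=aaa.bbb.ccc; Path=/; HttpOnly', 'refresh_token=ddd.eee.fff; Path=/']);
console.log(sampleFindings);
```
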