ScalixScalix Docs
Sign up

Multi-Factor Authentication

TOTP-based MFA with recovery codes

Overview

Scalix Auth supports TOTP (Time-based One-Time Password) for multi-factor authentication. Users can enroll with any authenticator app (Google Authenticator, Authy, 1Password).

Enroll MFA

bash
curl -X POST https://api.scalix.world/v1/auth/mfa/enroll \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -d '{"friendly_name": "My Phone"}'

Response:

json
{
  "factor_id": "fac_abc123",
  "factor_type": "totp",
  "friendly_name": "My Phone",
  "totp": {
    "secret": "JBSWY3DPEHPK3PXP",
    "uri": "otpauth://totp/Scalix:user@example.com?secret=JBSWY3DPEHPK3PXP",
    "qr_code": "data:image/png;base64,..."
  }
}

Display the QR code to the user. They scan it with their authenticator app.

Verify MFA

After enrollment, verify with a code from the authenticator:

bash
curl -X POST https://api.scalix.world/v1/auth/mfa/verify \
  -H "Authorization: Bearer $ACCESS_TOKEN" \
  -d '{"factor_id": "fac_abc123", "code": "123456"}'

Login with MFA

When MFA is enabled, login returns a challenge requiring a second factor:

json
{
  "mfa_required": true,
  "factors": [{"id": "fac_abc123", "type": "totp", "friendly_name": "My Phone"}]
}

Complete the challenge:

bash
curl -X POST https://api.scalix.world/v1/auth/mfa/challenge \
  -d '{"factor_id": "fac_abc123", "code": "123456"}'