Verify 2FA
Verifies the 2FA code and completes authentication. This is the only point where MFA-enabled logins receive authenticated session artifacts. When auth.2fa_challenge=true, send the challenge token returned by /v1/authenticate in the X-MFA-Challenge header.
POST /v1/verify-2FA
Header Parameters
Application identifier. Must be a value from the configured whitelist (e.g. web-app, admin-app, configurator-app). When provided, the refresh token cookie is scoped per application to prevent cross-app token collisions. If a whitelist is configured and the value is not in it, the request is rejected with 400.
X-MFA-Challenge: Pre-auth MFA challenge token returned by /v1/authenticate. Required by /v1/verify-2FA when auth.2fa_challenge is enabled.
Request Body
application/json
Response Body
application/json
application/json
curl -X POST "https://example.com/v1/verify-2FA" \
  -H "Content-Type: application/json" \
  -d '{ "user_id": "a169451c-8525-4352-b8ca-070dd449a1a5", "otp": "string" }'

{
  "access_token": "string",
  "expires_in": 0,
  "idle_timeout_seconds": 0,
  "user_id": "a169451c-8525-4352-b8ca-070dd449a1a5"
}

{
  "code": "auth.invalid_otp",
  "message": "Invalid or expired OTP"
}
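
Client-side handling of this endpoint, as an added example that is not part of the original documentation or the project's own code: it attaches the challenge token from /v1/authenticate and treats the login as authenticated only when a well-formed success body comes back. The function names, the challengeRequired flag and the local codes unknown_error and malformed_response are assumptions made for illustration.

```javascript
// Added example: building and interpreting a POST /v1/verify-2FA call.
// Assumption: helper names and the challengeRequired flag are hypothetical.
const VERIFY_PATH = "/v1/verify-2FA";

// challengeRequired mirrors the server-side auth.2fa_challenge setting.
function buildVerify2faRequest({ baseUrl, userId, otp, challengeToken, challengeRequired }) {
  if (!userId || !otp) throw new Error("user_id and otp are required");
  if (challengeRequired && !challengeToken) {
    // Fail locally instead of sending a request without the pre-auth token.
    throw new Error("missing challenge token from /v1/authenticate");
  }
  const headers = { "Content-Type": "application/json" };
  if (challengeToken) headers["X-MFA-Challenge"] = challengeToken;
  return {
    url: new URL(VERIFY_PATH, baseUrl).toString(),
    method: "POST",
    headers,
    body: JSON.stringify({ user_id: userId, otp }),
  };
}

// Only a well-formed success body for the expected user yields a session.
function parseVerify2faResponse(ok, body, expectedUserId) {
  if (!ok || typeof body !== "object" || body === null || body.code) {
    // "unknown_error" is a client-local code, not one defined by the API.
    return { authenticated: false, code: (body && body.code) || "unknown_error" };
  }
  if (typeof body.access_token !== "string" || body.access_token === "" ||
      body.user_id !== expectedUserId) {
    return { authenticated: false, code: "malformed_response" }; // client-local code
  }
  return {
    authenticated: true,
    accessToken: body.access_token,
    expiresIn: body.expires_in,
    idleTimeoutSeconds: body.idle_timeout_seconds,
  };
}

// fetchImpl defaults to the global fetch (browsers, Node 18+).
async function verify2fa(params, fetchImpl = fetch) {
  const req = buildVerify2faRequest(params);
  const res = await fetchImpl(req.url, {
    method: req.method, headers: req.headers, body: req.body,
    credentials: "include", // lets the browser store the refresh token cookie
  });
  const body = await res.json().catch(() => null);
  return parseVerify2faResponse(res.ok, body, params.userId);
}
```
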