Hey @thijmen96
It’s admittedly confusing, but the “MFA token” can be obtained in two ways:
- what’s returned as the mfa token along with the
mfa_requirederror in the resource owner password grant flow - the access token you obtain with regular
/authorizerequest, with anaudience=https://YOUR_AUTH0_DOMAIN/mfa/and scopesenroll read:authenticators delete:authenticators
So, essentially, the same token used for enrollment is used to confirm the authenticator.
If you are using custom domains there’s a small gotcha: you can use your custom domain for the /oauth/token for all requests, but the MFA API audience will still need to be https://YOUR_AUTH0.COM_DOMAIN/mfa/.
I just tested the flow and worked on my machine 
(
) If it still doesn’t work for you, show me the actual domain for your request, and the payload of the access token you are trying to use.