Hey @thijmen96
It’s admittedly confusing, but the “MFA token” can be obtained in two ways:
- what’s returned as the mfa token along with the mfa_required error in the resource owner password grant flow
- the access token you obtain with a regular /authorize request, with an audience=https://YOUR_AUTH0_DOMAIN/mfa/ and scopes enroll read:authenticators delete:authenticators
So, essentially, the same token used for enrollment is used to confirm the authenticator.
If you are using custom domains there’s a small gotcha: you can use your custom domain for the /oauth/token for all requests, but the MFA API audience will still need to be https://YOUR_AUTH0.COM_DOMAIN/mfa/.
I just tested the flow and it worked on my machine. If it still doesn’t work for you, show me the actual domain for your request, and the payload of the access token you are trying to use.
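An added diagnostic (not from the original post or from Auth0's own SDKs) that checks the two points the reply makes: that an access-token payload carries the canonical https://YOUR_AUTH0_DOMAIN/mfa/ audience rather than a custom-domain one plus the enroll / read:authenticators / delete:authenticators scopes, and that an mfa_required error body from /oauth/token carries the mfa_token. The tenant domain and sample token are constructed, and the payload decode inspects claims only, without verifying the signature.

```python
import base64
import json
from typing import Optional

# Scopes the reply says the MFA-API access token must carry (assumed to be the full required set)
MFA_SCOPES = {"enroll", "read:authenticators", "delete:authenticators"}


def mfa_audience(auth0_domain: str) -> str:
    """Build the MFA API audience from the tenant's auth0.com domain (never the custom domain)."""
    return f"https://{auth0_domain}/mfa/"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(jwt: str) -> dict:
    """Decode only the payload segment. Does NOT verify the signature: inspection only."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_mfa_access_token(jwt: str, auth0_domain: str) -> list:
    """Return the reasons the MFA API would reject this token (empty list means it looks right)."""
    claims = decode_payload(jwt)
    problems = []
    aud = claims.get("aud", [])
    auds = [aud] if isinstance(aud, str) else list(aud)  # aud may be a string or an array
    expected = mfa_audience(auth0_domain)
    if expected not in auds:
        problems.append(f"aud {auds} does not contain {expected} (a custom-domain audience is not accepted)")
    granted = set(claims.get("scope", "").split())  # scope is a space-separated string
    missing = MFA_SCOPES - granted
    if missing:
        problems.append(f"missing scopes: {sorted(missing)}")
    return problems


def mfa_token_from_error(response_body: str) -> Optional[str]:
    """Extract mfa_token from a /oauth/token error response when the error is mfa_required."""
    body = json.loads(response_body)
    if body.get("error") != "mfa_required":
        return None
    return body.get("mfa_token")


def make_sample_jwt(payload: dict) -> str:
    # Constructed, unsigned sample token for local checks; real tokens are signed by Auth0.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}."
```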