Auth0 MFA binding code validation error

I am using custom login with realm. In the first call using the auth0-js webauth client login, I get an error response code “mfa_required” and an mfa_token. Then I call the /mfa/challenge endpoint to get the OTP on the user's email. Then, when I use the OTP binding code to get an access token from the /oauth/token endpoint, it throws an error response 401 Unauthorised.

Hey @James.Morrison, can you please help?

Hey @suryakantbansal, I wanted to reach out and let you know that I am looking into this with our team. I will keep you posted with what we are able to find.

On a side note, please keep all HAR files private in the future as they can contain sensitive information.

Hey, @James.Morrison,

The HAR file is just for the sample app I am implementing this on, no sensitive data on it, no worries there.

Thanks a lot for helping out!

@suryakantbansal we are unable to see the POST data in the sample HAR you sent over. Can you please resend a HAR file capture over direct message to me, select “Preserve log” to catch redirects, and scrub the file of user passwords before sending it over? Also, I would like to confirm you're using SMS for MFA as well. Please let me know if you have any questions. Thanks!

Hey @suryakantbansal, to follow up. I reviewed your HAR file capture with one of our senior engineers and it appears you are posting your MFA token to the OAuth Token endpoint. This will not work the way you are proceeding; you will need to follow the MFA API steps as instructed by our documentation to eliminate this roadblock. I have included the support doc below, please let me know if you have any questions as you adjust. Thanks!

Hey @James.Morrison, I read this documentation and, as mentioned in the document, I removed the MFA token from the header. Now I am only sending the form data in the body. My JavaScript request looks like this:

const payload = new FormData();
payload.append('grant_type', ''); // value not shown in the post
payload.append('client_id', 'XXH9skh44KSude1nhCGM74R9TciHylrj');
payload.append('mfa_token', mfa_token);
payload.append('oob_code', oob_code);
payload.append('binding_code', binding_code);
const response = await fetch('', { // URL not shown in the post
    method: 'POST',
    headers: {
        // FormData is serialised as multipart/form-data; this header declares a different encoding
        'content-type': 'application/x-www-form-urlencoded',
    },
    body: payload,
});

I am still getting the same 401 error.
But the thing is that when I replicate this same request in Postman, it totally works. Is there a check on this endpoint that it cannot be called from a browser or something like that?

Hey @James.Morrison,

I changed the request body to JSON and this worked perfectly. I guess there is some issue using FormData with the /oauth/token controller.
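An added example, not code from this thread or from Auth0: it builds the same /oauth/token MFA completion request three ways and parses each the way a content-type-driven server would, showing why a FormData body under a manually set urlencoded header loses the mfa_token while URL-encoded and JSON bodies keep it. The grant_type string is Auth0's documented mfa-oob grant type (the post above shows it stripped to an empty string); the client id, token and code values are constructed placeholders.

```javascript
// Auth0 MFA API grant type for the out-of-band (email/SMS) flow
const MFA_OOB_GRANT = 'http://auth0.com/oauth/grant-type/mfa-oob';

function tokenParams({ clientId, mfaToken, oobCode, bindingCode }) {
  return { grant_type: MFA_OOB_GRANT, client_id: clientId,
           mfa_token: mfaToken, oob_code: oobCode, binding_code: bindingCode };
}

// Header and body agree: a URL-encoded string under a urlencoded header.
function formEncoded(params) {
  return { headers: { 'content-type': 'application/x-www-form-urlencoded' },
           body: new URLSearchParams(params).toString() };
}

// What the thread ended up with: a JSON body under a JSON header.
function jsonEncoded(params) {
  return { headers: { 'content-type': 'application/json' }, body: JSON.stringify(params) };
}

// The failing shape: FormData is serialised as multipart/form-data, but the request
// declares application/x-www-form-urlencoded. The multipart body is built by hand
// here (constructed boundary) so the example runs outside a browser.
function mismatched(params) {
  const boundary = '----ExampleBoundary';
  const parts = Object.entries(params).map(([k, v]) =>
    `--${boundary}\r\nContent-Disposition: form-data; name="${k}"\r\n\r\n${v}\r\n`);
  return { headers: { 'content-type': 'application/x-www-form-urlencoded' },
           body: parts.join('') + `--${boundary}--\r\n` };
}

// Stand-in for the server side: parse the body according to the declared
// content type and report whether all MFA fields were recovered.
function serverSees({ headers, body }) {
  const ct = headers['content-type'];
  let fields = {};
  if (ct.startsWith('application/json')) fields = JSON.parse(body);
  else if (ct.startsWith('application/x-www-form-urlencoded')) {
    fields = Object.fromEntries(new URLSearchParams(body));
  }
  const ok = ['grant_type', 'client_id', 'mfa_token', 'oob_code', 'binding_code']
    .every((k) => typeof fields[k] === 'string' && fields[k].length > 0);
  return { ok, fields };
}

// Constructed sample values, not real credentials.
const sample = tokenParams({ clientId: 'CLIENT_ID_PLACEHOLDER', mfaToken: 'mfa-token-example',
                             oobCode: 'oob-code-example', bindingCode: '123456' });
console.log(serverSees(formEncoded(sample)).ok, serverSees(jsonEncoded(sample)).ok,
            serverSees(mismatched(sample)).ok); // true true false
```

The mismatched variant is what a browser sends when a FormData body is paired with an explicit content-type header, so the server never finds mfa_token and rejects the request.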


Thanks for sharing the end solution @suryakantbansal, I’m glad you were able to get it resolved!
