Challenge MFA endpoint always returns unauthorized

I have been trying to implement OTP MFA as described in this page here: Enroll and Challenge OTP Authenticators

And it works fine up until I have to make the request to /mfa/challenge. No matter what I do, I always receive a server error that only says “Unauthorized”. I’ve seen other posts in the forums saying to add the 'Content-Type: application/json' header, and I’ve done that, and it doesn’t solve the issue for me.

I’m doing this in a trial account with PRO MFA enabled. I would really appreciate any help with this. Thanks!

Hey there @kaspbrakk welcome to the community!

Sorry to hear this isn’t working for you :thinking: It seems trivial but I’d double check all the data input to start - I believe MFA tokens have a short lifetime (5 minutes) or less, are you making the calls in quick succession?

If you’d like to share the specific calls you are making (redacted of course) that might be of help as well :slight_smile: I just ran through this using curl and all seemed to be functioning as expected.

Let us know!

Hi @tyf, thank you very much for replying. Here is all the information around the requests I’m making:

1 - I’m making a POST request to oauth/token, with grant_type=password, using the ClientId and ClientSecret of a regular web application with the Password and MFA grants enabled. This throws an error with the mfa_token included, as expected.
2 - I’m making a GET request to mfa/authenticators using the mfa_token as the authorization header to get the OTP authenticator I want. This also works correctly.
3 - I’m making a POST request to mfa/challenge using the authenticator Id I just got in the last request, the same mfa_token, the same client id I used in the first request, and challenge type set to “otp”. This is the step that doesn’t work and just says “Unauthorized”. Same thing happens if I add the 'Content-Type: application/json' header.

I’ve tried doing this via code and via postman, the result is the same. With minimal interval between requests too, so I don’t think the lifetime of the mfa_token would be the issue.

My only guess as to what could be happening is that the MFA api is not working with a trial account for some reason, even if it has PRO MFA.

Really appreciate the help!


Hey @kaspbrakk no problem, happy to help where I can!

Thanks for confirming - Everything seems to line up and OTP should work with Pro MFA so I’m not sure about the snag with /mfa/challenge. Have you tried creating a new app to test against? If you want to DM me your tenant and let me know the IDs of both the new app and old app you are testing against I’d be happy to take a look on our end to see if there is anything that might stand out as being a potential issue.

Let me know!

Leaving this comment in case anyone has the same problem in the future:

@tyf helped me identify I was missing the client_secret property in the request. The documentation didn’t mention it, but the challenge endpoint doesn’t seem to work without it.


Thank you very much for your time and help @tyf!
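The three-request flow from the thread, with the client_secret that turned out to be missing from the challenge request, as an added Python example (not code from the original posts or from the vendor). The endpoint paths follow the thread; the tenant domain, the `send` transport parameter (injectable so the flow can be exercised offline), and the response field names `mfa_required`, `mfa_token`, `authenticator_type`, `active` and `id` are assumptions for illustration.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


def http_json(method, url, headers, data):
    """Default transport: send the request and return (status, parsed JSON body)."""
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def challenge_otp(domain, client_id, client_secret, username, password, send=http_json):
    """Run the three requests from the thread; `send` is injectable for offline tests."""
    base = f"https://{domain}"

    # Step 1: password grant. With MFA enforced the tenant answers with
    # error=mfa_required and an mfa_token instead of an access token.
    form = {"grant_type": "password", "username": username, "password": password,
            "client_id": client_id, "client_secret": client_secret}
    status, body = send("POST", f"{base}/oauth/token",
                        {"Content-Type": "application/x-www-form-urlencoded"},
                        urllib.parse.urlencode(form).encode())
    if body.get("error") != "mfa_required":
        raise RuntimeError(f"expected mfa_required, got HTTP {status}: {body}")
    mfa_token = body["mfa_token"]

    # Step 2: list the user's authenticators; the mfa_token is the bearer here.
    status, authenticators = send("GET", f"{base}/mfa/authenticators",
                                  {"Authorization": f"Bearer {mfa_token}"}, None)
    if status != 200:
        raise RuntimeError(f"mfa/authenticators failed: HTTP {status}")
    otp = next((a for a in authenticators
                if a.get("authenticator_type") == "otp" and a.get("active")), None)
    if otp is None:
        raise RuntimeError("no active OTP authenticator enrolled for this user")

    # Step 3: request the challenge. For a confidential (regular web) app the
    # body must carry client_secret too; leaving it out yields 401 Unauthorized.
    payload = {"mfa_token": mfa_token, "client_id": client_id,
               "client_secret": client_secret, "challenge_type": "otp",
               "authenticator_id": otp["id"]}
    status, body = send("POST", f"{base}/mfa/challenge",
                        {"Content-Type": "application/json"},
                        json.dumps(payload).encode())
    if status == 401:
        raise RuntimeError("mfa/challenge returned 401: verify client_secret is "
                           "present and the short-lived mfa_token has not expired")
    return body  # expected {"challenge_type": "otp"}; the OTP code is exchanged next
```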
