Default /mfa/ audience's token expiration time

@themeera Can you please explain when the /mfa audience is required? I believe we’re currently using it on all /oauth/token API calls.
We have a pretty typical use-case, nothing out of the ordinary. The user signs up with an email and password and phone number, and MFA via SMS is always required.
This 10-minute restriction essentially means we have to ask the user every 10 minutes to log back in, which doesn't seem reasonable. What is the work-around? Is the only work-around using a refresh token?