Malformed mfa_token message when trying to challenge a user with MFA

Thanks for all the info!

It sounds like you don’t have MFA enabled at the tenant level (Dashboard → Security → Multi-factor Auth)? I believe you may need to have this enabled in order to receive an MFA token that can be used at /mfa/challenge. If MFA is enabled and you go to log a user in, you should receive an error like:

{
    "error": "mfa_required",
    "error_description": "Multifactor authentication required",
    "mfa_token": "Fe26...Ha"
}

This token should work to challenge. You could also try adding https://YOUR_DOMAIN/mfa/ as an audience, but I am not positive that will work either.
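To illustrate the flow described in this reply, here is an added example (not code from the original post or from Auth0): it recognises the mfa_required error body, pulls out the mfa_token, and assembles the follow-up request to /mfa/challenge. The request field names (mfa_token, client_id, challenge_type) and the domain/client id values are assumptions, not taken from the post.

```python
import json

# Constructed sample: the error body the token endpoint returns when the
# tenant has MFA enabled and the user must complete a second factor.
# The mfa_token value is a placeholder copied from the post, not a real token.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "error": "mfa_required",
    "error_description": "Multifactor authentication required",
    "mfa_token": "Fe26...Ha",
})


def extract_mfa_token(body):
    """Return the mfa_token if the body is the mfa_required error, else None.

    A normal success response, a different error, a missing/empty token or
    malformed JSON all yield None, so a caller never issues a challenge with
    a bogus token.
    """
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return None
    if not isinstance(data, dict) or data.get("error") != "mfa_required":
        return None
    token = data.get("mfa_token")
    if not isinstance(token, str) or not token:
        return None
    return token


def build_challenge_request(domain, client_id, mfa_token, challenge_type="otp"):
    """Build the POST to /mfa/challenge that starts the second-factor step.

    Assumption: the field names follow Auth0's /mfa/challenge request
    (mfa_token, client_id, challenge_type); they are not from the post.
    """
    if challenge_type not in ("otp", "oob"):
        raise ValueError("unsupported challenge_type: %r" % challenge_type)
    return {
        "url": "https://%s/mfa/challenge" % domain,
        "headers": {"Content-Type": "application/json"},
        "body": {"mfa_token": mfa_token, "client_id": client_id,
                 "challenge_type": challenge_type},
    }


if __name__ == "__main__":
    token = extract_mfa_token(SAMPLE_TOKEN_RESPONSE)
    print(build_challenge_request("YOUR_DOMAIN", "YOUR_CLIENT_ID", token))
```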