MFA Challenge 'server_error' 'Unauthorized'

I have been trying to implement a custom MFA workflow in Auth0 using the details described on this page:

I have successfully enrolled a user for MFA this way.

However, when it comes to the user disabling MFA I’ve run into some issues.

The API attempts to fetch a token and receives a response similar to this:


  {
    "error": "mfa_required",
    "error_description": "Multifactor authentication required",
    "mfa_token": "Fe26...Ha"
  }


The API then fetches the enrolled authenticators and gets a response similar to this:

  {
    id: 'sms|dev_gH5vQnpT4ijbPLz5',
    authenticator_type: 'oob',
    active: true,
    oob_channel: 'sms',
    name: 'XXXXXXXX5635'
  }



The API then takes the correct ID and the mfa_token from above and requests a challenge as described here:

We’re using these request options:


  {
    method: 'POST',
    url: `https://${config.auth0.domain}/mfa/challenge`,
    data: {
      client_id: config.auth0.clientId,
      client_secret: config.auth0.clientSecret,
      challenge_type: 'oob',
      authenticator_id: id,
      mfa_token: "Fe26...Ha"
    }
  }



Someone suggested in this thread to add 'Content-Type: application/json' to the headers, which we are also doing.

We get this error:





Can anyone help?


Would be great if someone could help!

Can anyone help out?

Would be good if someone could help

We’re still struggling with this.

I was receiving this error and the header did the trick

  curl --request POST \
  --url 'https://domain/mfa/challenge' \
  --header 'content-type: application/json' \
  --data '{ "client_id": "client_id",  "client_secret": "client_secret", "challenge_type": "oob", "authenticator_id": "sms|id", "mfa_token": "mfa_token" }'
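
The request from the answer above, assembled in JavaScript from the two earlier responses, as an added example that is not part of the original thread: it selects the active `oob` authenticator and sets the JSON content type explicitly. The function names, `tenant.example` and the sample values are constructed placeholders.

```javascript
// Added example: builds the /mfa/challenge request from the two earlier responses.
// Function names and sample values are constructed for illustration.

// Pick the enrolled authenticator to challenge: it must be active and out-of-band.
function pickOobAuthenticator(authenticators, channel = 'sms') {
  const match = authenticators.find(
    (a) => a.active && a.authenticator_type === 'oob' && a.oob_channel === channel
  );
  if (!match) throw new Error(`no active oob/${channel} authenticator enrolled`);
  return match;
}

// Build fetch()-style options with an explicit JSON content type and a serialized body.
function buildChallengeRequest(cfg, tokenResponse, authenticators) {
  if (tokenResponse.error !== 'mfa_required' || !tokenResponse.mfa_token) {
    throw new Error('token response did not ask for MFA');
  }
  const authenticator = pickOobAuthenticator(authenticators);
  return {
    url: `https://${cfg.domain}/mfa/challenge`,
    options: {
      method: 'POST',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({
        client_id: cfg.clientId,
        client_secret: cfg.clientSecret,
        challenge_type: 'oob',
        authenticator_id: authenticator.id,
        mfa_token: tokenResponse.mfa_token,
      }),
    },
  };
}

// Constructed sample inputs shaped like the responses quoted in the question.
const sampleConfig = { domain: 'tenant.example', clientId: 'CLIENT_ID', clientSecret: 'CLIENT_SECRET' };
const sampleTokenResponse = { error: 'mfa_required', mfa_token: 'MFA_TOKEN_PLACEHOLDER' };
const sampleAuthenticators = [
  { id: 'sms|dev_inactive', authenticator_type: 'oob', active: false, oob_channel: 'sms' },
  { id: 'sms|dev_example', authenticator_type: 'oob', active: true, oob_channel: 'sms' },
];

const built = buildChallengeRequest(sampleConfig, sampleTokenResponse, sampleAuthenticators);
console.log(built.url, built.options.headers, built.options.body);
// With Node 18+ this would be sent as: await fetch(built.url, built.options)
```
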

Thank you for sharing this with the rest of the community!