Auth0 Home Blog Docs

MFA throws 401 error


When I use MFA with SMS and I am sending the binding_code with the rest of the data I get a 401 error
{ error: ‘access_denied’, error_description: ‘Unauthorized’ }. Generally I use a grant_type: ‘’ to login and then do the full flow for MFA using OOB. It is at the very last step of verifying my SMS code that I get the error. I have allowed MFA grant type for my application in Dashboard > advanced settings > grant types. I am absolutely stuck at this point.

What I send:

    const headers = {
      'Content-Type': 'application/x-www-form-urlencoded'

    const options = {
      mfa_token: mfaToken,
      oob_code: oobCode,
      binding_code: bindingCode,
      grant_type: '',
      client_id: config.auth0.AUTH0_REACT_NATIVE_CLIENT_ID,
      client_secret: config.auth0.AUTH0_REACT_NATIVE_CLIENT_SECRET

    const result = await`https://${config.auth0.AUTH0_DOMAIN}/oauth/token`, options, {

Can anyone help me out? Still can’t figure it out. I do not have any associations to the user. Looking at the docs doesn’t help as the example for confirming association requires a ACCESS_TOKEN but I’m not logged in and am unable to due to having to use MFA and in order to do the whole association process I need an MFA_TOKEN so I can’t be logged in either.

Am I not understanding something?


Extra info:
When I make a MFA request with SMS OOB and do not have an authenticator set I keep getting a 401.

Flow: login --(mfa_required error)–> Attempt to send challenge --(association_required error) ----> User receives SMS for enrolment ----> User sends back payload with mfa_token, oob_code, binding_code, etc. to /oauth/token.
Then I receive a 401 { error: ‘access_denied’, error_description: ‘Unauthorized’ }.