MFA throws 401 error

When I use MFA with SMS and I am sending the binding_code with the rest of the data I get a 401 error
{ error: ‘access_denied’, error_description: ‘Unauthorized’ }. Generally I use a grant_type: ‘’ to login and then do the full flow for MFA using OOB. It is at the very last step of verifying my SMS code that I get the error. I have allowed MFA grant type for my application in Dashboard > advanced settings > grant types. I am absolutely stuck at this point.

What I send:

    const headers = {
      'Content-Type': 'application/x-www-form-urlencoded'

    const options = {
      mfa_token: mfaToken,
      oob_code: oobCode,
      binding_code: bindingCode,
      grant_type: '',
      client_id: config.auth0.AUTH0_REACT_NATIVE_CLIENT_ID,
      client_secret: config.auth0.AUTH0_REACT_NATIVE_CLIENT_SECRET

    const result = await`https://${config.auth0.AUTH0_DOMAIN}/oauth/token`, options, {

Can anyone help me out? Still can’t figure it out. I do not have any associations to the user. Looking at the docs doesn’t help as the example for confirming association requires a ACCESS_TOKEN but I’m not logged in and am unable to due to having to use MFA and in order to do the whole association process I need an MFA_TOKEN so I can’t be logged in either.

Am I not understanding something?

Extra info:
When I make a MFA request with SMS OOB and do not have an authenticator set I keep getting a 401.

Flow: login --(mfa_required error)–> Attempt to send challenge --(association_required error) ----> User receives SMS for enrolment ----> User sends back payload with mfa_token, oob_code, binding_code, etc. to /oauth/token.
Then I receive a 401 { error: ‘access_denied’, error_description: ‘Unauthorized’ }.

Hey there!

Sorry for such huge delay in response! We’re doing our best in providing you with best developer support experience out there, but sometimes our bandwidth is not enough comparing to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?