Not able to use Challenge API For MFA

I’m currently using Auth0 APIs to perform MFA on users by utilising Resource Owner Password Flow. I’m currently able to enrol User in MFA and verify the code.
But when I’m trying to use mfa/challenge API, it gives me error.

    "error": "invalid_grant",
    "error_description": "Malformed mfa_token"

Not Sure what could be the issue, Please help here.

Hi @devendra.khurana

Welcome to the Auth0 Community!

I’ve checked our community for similar topics, and one stands out for me → Malformed mfa_token message when trying to challenge an user with MFA - #11 by tyf

Basically, it seems that in order to get a void MFA token for /mfa/challenge, we must use ROPG.

The /authorize endpoint with the audience and scopes is not enough, since once I pass the login there, I’m already considered login and have access_token, which allows me to enroll new MFA methods, but cannot be used as MFA token for the /mfa/challenge endpoint.

Let me know if this helps you.


Nope its not working, I’m using ROPG, Can you please let me know what should be scope and audience URI to generate MFA Token for this. Currently I’m using

  • Audience URI: <BASE_URL>/mfa

  • Scope: enroll read:authenticators remove:authenticators openid profile read:current_user

  • Endpoint: <BASE_URL>/oauth/token