Welcome to the Auth0 Community!
I’ve checked our community for similar topics, and one stands out for me → Malformed mfa_token message when trying to challenge an user with MFA - #11 by tyf
Basically, it seems that in order to get a void MFA token for
/mfa/challenge, we must use ROPG.The
/authorizeendpoint with the audience and scopes is not enough, since once I pass the login there, I’m already considered login and haveaccess_token, which allows me to enroll new MFA methods, but cannot be used as MFA token for the/mfa/challengeendpoint.
Let me know if this helps you.
Thanks
Dawid