Retrieve MFA API token without ROPG

As suggested in the document here, the user needs to authenticate again with their username and password in order to get an MFA API access token. With this approach, literally, we are asking the user to log in again, which is bad UX!

I am wondering whether there is a way to retrieve an MFA API token without ROPG. We are using the Auth0 React SDK, and what we found out is that, if we create an Auth0 API with those MFA API permissions (e.g. list:authenticators), then from the browser we just need to mention the MFA scope in the /authorize call (by calling getAccessTokenSilently); the access token that comes back will have the required scopes for the MFA APIs, and I have tested that this token can be used to list/remove authenticators.

Even though the above approach I found works, it seems to be against the documentation. Does anyone know why it worked? What is the recommended way to get an MFA API token after the user has logged in?

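The flow described in the post (ask the React SDK for a token scoped to the MFA API, then call the MFA API with it), written out as an added example that is not part of the original post and not code from Auth0 or its SDK. Before spending the token on an MFA API call, the example inspects the token's claims so that a token minted for a different audience, or one missing the scope, fails locally with a clear error instead of a 401/403 from the API. Assumptions, all hypothetical: the tenant domain `example-tenant.auth0.com`, the MFA audience `https://<domain>/mfa/`, the `read:authenticators` scope name (the post writes `list:authenticators`), the `authorizationParams` option shape of `getAccessTokenSilently` as in auth0-react v2, and the `GET /mfa/authenticators` endpoint. `makeTestToken` builds an unsigned token purely so the check can be exercised offline; a real token is signed by the tenant and the MFA API, not the browser, verifies that signature.

```javascript
// Added example (not from the original post or the Auth0 SDK). All names below are
// assumptions for a hypothetical tenant; replace them with your own values.
const AUTH0_DOMAIN = 'example-tenant.auth0.com';            // assumed placeholder
const MFA_AUDIENCE = `https://${AUTH0_DOMAIN}/mfa/`;        // assumed audience identifier

// base64url helpers that work in both the browser (atob/btoa) and Node (Buffer).
function base64UrlEncode(str) {
  const b64 = typeof btoa === 'function' ? btoa(str) : Buffer.from(str, 'utf8').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function base64UrlDecode(b64url) {
  const b64 = b64url.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return typeof atob === 'function' ? atob(padded) : Buffer.from(padded, 'base64').toString('utf8');
}

// Read the JWT payload without verifying the signature. The browser holds no key to
// verify with; this is a client-side sanity check only, and the MFA API remains the
// party that actually validates the token.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Decide whether a token is usable for the MFA API: correct audience, every required
// scope present, not expired. Returns the detail so a failure can be logged precisely.
function tokenAllows(token, requiredScopes, now = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(token);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  const granted = (claims.scope || '').split(' ').filter(Boolean);
  const missing = requiredScopes.filter((s) => !granted.includes(s));
  const hasAudience = aud.includes(MFA_AUDIENCE);
  const expired = typeof claims.exp !== 'number' || claims.exp <= now;
  return { ok: hasAudience && missing.length === 0 && !expired, hasAudience, missing, expired };
}

// Build the request the MFA API expects: bearer token in the Authorization header.
function buildMfaRequest(token, path) {
  return {
    url: `${MFA_AUDIENCE}${path}`,
    options: { method: 'GET', headers: { Authorization: `Bearer ${token}` } },
  };
}

// The flow from the post: getAccessTokenSilently() with the MFA audience and scope,
// check the token, then list authenticators. getAccessTokenSilently (from
// useAuth0()) and fetch are injected so the function can be exercised without a tenant.
async function listAuthenticators(getAccessTokenSilently, fetchImpl = fetch) {
  const token = await getAccessTokenSilently({
    authorizationParams: { audience: MFA_AUDIENCE, scope: 'read:authenticators' }, // assumed v2 option shape
  });
  const check = tokenAllows(token, ['read:authenticators']);
  if (!check.ok) throw new Error(`token not usable for MFA API: ${JSON.stringify(check)}`);
  const { url, options } = buildMfaRequest(token, 'authenticators');
  const res = await fetchImpl(url, options);
  if (!res.ok) throw new Error(`MFA API returned ${res.status}`);
  return res.json();
}

// Constructed, unsigned token for offline demonstration only. A real access token is
// signed by the tenant; this one exists so tokenAllows() can be run without a login.
function makeTestToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  const payload = base64UrlEncode(JSON.stringify(claims));
  return `${header}.${payload}.unsigned`;
}

// Offline walk-through using a stubbed SDK call and a stubbed fetch.
async function demo() {
  const stubGetToken = async () =>
    makeTestToken({ aud: [MFA_AUDIENCE], scope: 'openid read:authenticators', exp: 4102444800 });
  const stubFetch = async () => ({ ok: true, json: async () => [{ id: 'totp|dev_constructed', type: 'totp' }] });
  return listAuthenticators(stubGetToken, stubFetch);
}

module.exports = { decodeJwtPayload, tokenAllows, buildMfaRequest, listAuthenticators, makeTestToken, demo };
```

A token requested with a different `audience` (say, your own backend API) will typically not carry the MFA audience even if the scope string mentions `read:authenticators`, which is exactly the case the `hasAudience` check surfaces before any network call is made.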