
SMS MFA challenge returning unauthorized



I am attempting to use SMS MFA with a machine-to-machine application. We already have configured SMS MFA correctly for a regular web application, but I seem to be getting stuck.

First, I’m making a POST to https://<MY_AUTH0_BASE>/oauth/token with request body:

    {
        "username": "",
        "password": "passwordpassword",
        "client_id": "clientidclientid",
        "client_secret": "secretsecret",
        "realm": "this-is-my-realm",
        "audience": "this-is-my-audience"
    }

This returns, as expected, a 401 with response body:

    {
        "error": "mfa_required",
        "error_description": "Multifactor authentication required",
        "mfa_token": "mfatokenmfatoken"
    }

Then I make another POST to https://<MY_AUTH0_BASE>/mfa/challenge with the body:


but this returns a 401 with response body:

    {
        "error": "server_error",
        "error_description": "Unauthorized"
    }

The original user is configured with SMS MFA correctly (i.e., the same login info works in the regular web application). I also don’t see anything in the Auth0 logs indicating that anything is incorrect. Any thoughts on what I’m doing wrong?


Fixed formatting in original post.


Anyone have thoughts on what I’m doing wrong? This is becoming a bit of a blocker for me unfortunately.



I am facing the same issue using Google Authenticator.
POST /mfa/challenge returns

    {
        "error": "server_error",
        "error_description": "Unauthorized"
    }
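Both the SMS post and the Google Authenticator post stop at the /mfa/challenge step, so here is the documented exchange carried through to a token, as an added example and not code from either poster. It follows the Auth0 Authentication API as documented: the password-realm grant against /oauth/token answers with error mfa_required and an mfa_token; /mfa/challenge takes that mfa_token, the client credentials and a challenge_type in its JSON body (not as a bearer header) and returns an oob_code for SMS, or just challenge_type "otp" for an authenticator app; the final /oauth/token call uses the mfa-oob grant with oob_code and binding_code, or the mfa-otp grant with otp. Two things worth checking before blaming the call itself: the Password and MFA grant types must both be enabled on the application (Dashboard > Applications > the app > Settings > Advanced Settings > Grant Types), and the mfa_token must be the one just issued to that same client. Endpoint paths, field names and grant-type URIs are from the Auth0 docs; every tenant value is a placeholder copied from the post; FakeAuth0 is a constructed stand-in for the tenant whose responses (including the server_error / Unauthorized body the thread reports, triggered here by an invented flag) are made up for this example; http_post is the real transport to swap in.

```python
"""Added example (not code from either post): the Auth0 MFA API exchange both posts
begin, carried through to an access token:
  1. POST /oauth/token (password-realm grant)        -> "mfa_required" + mfa_token
  2. POST /mfa/challenge (mfa_token in the JSON body) -> oob_code (SMS) or challenge_type "otp"
  3. POST /oauth/token (mfa-oob or mfa-otp grant)     -> access_token
Paths, fields and grant-type URIs follow the Auth0 Authentication API docs; tenant values are
placeholders from the post; FakeAuth0 is a constructed stand-in so the module runs offline."""
import json
import urllib.error
import urllib.request

PASSWORD_REALM_GRANT = "http://auth0.com/oauth/grant-type/password-realm"
MFA_OOB_GRANT = "http://auth0.com/oauth/grant-type/mfa-oob"
MFA_OTP_GRANT = "http://auth0.com/oauth/grant-type/mfa-otp"


class Auth0Error(Exception):
    def __init__(self, status, body):
        super().__init__(f"{status} {body.get('error')}: {body.get('error_description')}")
        self.status, self.body = status, body


def http_post(base):
    """Real transport for https://<MY_AUTH0_BASE>: JSON POST -> (status, parsed body), 4xx included."""
    def post(path, body):
        req = urllib.request.Request(base + path, data=json.dumps(body).encode(),
                                     headers={"Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=10) as r:
                return r.status, json.load(r)
        except urllib.error.HTTPError as e:   # Auth0 puts the error JSON in the 4xx body
            return e.code, json.load(e)
    return post


class MfaClient:
    def __init__(self, client_id, client_secret, post):
        self.creds, self.post = {"client_id": client_id, "client_secret": client_secret}, post

    def _call(self, path, body, expected_errors=()):
        status, resp = self.post(path, {**body, **self.creds})
        if status == 200 or resp.get("error") in expected_errors:
            return resp
        raise Auth0Error(status, resp)

    def password_login(self, username, password, realm, audience):
        # Step 1. The docs list mfa_required as a 403 (the post saw a 401), so key on
        # the error code rather than the status.
        body = {"grant_type": PASSWORD_REALM_GRANT, "username": username,
                "password": password, "realm": realm, "audience": audience}
        return self._call("/oauth/token", body, expected_errors=("mfa_required",))

    def challenge(self, mfa_token, challenge_type):
        # Step 2. mfa_token travels in the JSON body here, not in an Authorization header.
        return self._call("/mfa/challenge", {"mfa_token": mfa_token, "challenge_type": challenge_type})

    def finish(self, mfa_token, chal, code):
        # Step 3. SMS (oob) sends oob_code plus the code from the text; TOTP sends otp.
        if chal["challenge_type"] == "oob":
            body = {"grant_type": MFA_OOB_GRANT, "oob_code": chal["oob_code"], "binding_code": code}
        else:
            body = {"grant_type": MFA_OTP_GRANT, "otp": code}
        return self._call("/oauth/token", {**body, "mfa_token": mfa_token})


def login(client, username, password, realm, audience, factor, read_code):
    """Whole flow; factor is "oob" (SMS) or "otp" (authenticator app)."""
    first = client.password_login(username, password, realm, audience)
    if "access_token" in first:           # no MFA enrolled for this user
        return first
    chal = client.challenge(first["mfa_token"], factor)
    return client.finish(first["mfa_token"], chal, read_code())


class FakeAuth0:
    """Constructed tenant stand-in; challenge_ok=False replays the /mfa/challenge body both posts report (invented trigger, not a diagnosis)."""
    def __init__(self, challenge_ok=True):
        self.challenge_ok, self.calls = challenge_ok, []

    def post(self, path, body):
        self.calls.append((path, body))
        grant = body.get("grant_type")
        if path == "/oauth/token" and grant == PASSWORD_REALM_GRANT:
            return 403, {"error": "mfa_required", "error_description": "Multifactor authentication required",
                         "mfa_token": "mfatokenmfatoken"}
        if body.get("mfa_token") != "mfatokenmfatoken":
            return 401, {"error": "invalid_grant", "error_description": "Malformed mfa_token"}
        if path == "/mfa/challenge" and not self.challenge_ok:
            return 401, {"error": "server_error", "error_description": "Unauthorized"}
        if path == "/mfa/challenge":
            if body.get("challenge_type") == "otp":
                return 200, {"challenge_type": "otp"}
            return 200, {"challenge_type": "oob", "oob_code": "oobcodeoobcode", "binding_method": "prompt"}
        ok = ((grant == MFA_OOB_GRANT and body.get("oob_code") == "oobcodeoobcode"
               and body.get("binding_code") == "123456")
              or (grant == MFA_OTP_GRANT and body.get("otp") == "654321"))
        if path == "/oauth/token" and ok:
            return 200, {"access_token": "accesstoken", "token_type": "Bearer", "expires_in": 86400}
        return 403, {"error": "invalid_grant", "error_description": "Invalid binding_code or otp."}
```

To run it against a real tenant, build the client as MfaClient(client_id, client_secret, http_post("https://<MY_AUTH0_BASE>")) and call login(client, username, password, realm, audience, "oob", input) (or "otp" for an authenticator app); with FakeAuth0().post in place of http_post the same call completes offline. Any non-200 response other than the expected mfa_required surfaces as an Auth0Error carrying the status and the parsed error body, which is the detail to compare against the tenant logs.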