SMS MFA challenge returning unauthorized


I am attempting to use SMS MFA with a machine to machine application. We already have configured SMS MFA correctly for a regular web application, but I seem to be getting stuck.

First, I’m making a POST to https://<MY_AUTH0_BASE>/oauth/token with request body:

    {
        "username": "",
        "password": "passwordpassword",
        "client_id": "clientidclientid",
        "client_secret": "secretsecret",
        "realm": "this-is-my-realm",
        "audience": "this-is-my-audience"
    }

This returns, as expected, a 401 with response body:

    {
        "error": "mfa_required",
        "error_description": "Multifactor authentication required",
        "mfa_token": "mfatokenmfatoken"
    }

Then I make another POST to https://<MY_AUTH0_BASE>/mfa/challenge with the body:


But this returns a 401 with response body:

    {
        "error": "server_error",
        "error_description": "Unauthorized"
    }

The original user is configured with SMS MFA correctly (i.e., the same login info works in the regular web application). I also don’t see anything in the Auth0 logs indicating that anything is incorrect. Any thoughts on what I’m doing wrong?

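The three-step exchange the post describes (password-realm grant, then /mfa/challenge, then the mfa-oob token grant that actually consumes the SMS code), as an added example that is not part of the original post or of Auth0's own code. The endpoint paths, grant-type URIs and field names are Auth0's documented ones; the client credentials, realm and audience are the post's placeholders, the username and SMS code are made up, and the HTTP transport is injected so the file runs here against a constructed fake tenant rather than a live one. The rule in the fake that a wrong client secret or an unknown mfa_token gets the generic 401 "Unauthorized" is an assumption made so the failure path can be exercised, not a diagnosis of the poster's problem.

```python
"""Auth0 SMS (out-of-band) MFA flow for a confidential client.

Added example, not code from the original post. Endpoint paths, grant types
and field names follow Auth0's documented MFA API; credentials are the
post's placeholders and the fake tenant below is constructed for offline use.
"""
from typing import Callable, Dict, Tuple

BASE_URL = "https://MY_AUTH0_BASE"          # stands in for <MY_AUTH0_BASE>
CLIENT_ID = "clientidclientid"             # placeholders copied from the post
CLIENT_SECRET = "secretsecret"
REALM = "this-is-my-realm"
AUDIENCE = "this-is-my-audience"

PASSWORD_REALM_GRANT = "http://auth0.com/oauth/grant-type/password-realm"
MFA_OOB_GRANT = "http://auth0.com/oauth/grant-type/mfa-oob"

# transport(url, json_body) -> (http_status, json_response). Injected so a real
# client can plug in requests/urllib while this file runs against the fake.
Transport = Callable[[str, Dict[str, str]], Tuple[int, Dict]]


class MfaError(RuntimeError):
    """Raised when the tenant refuses a step of the MFA flow."""


def password_realm_request(username: str, password: str) -> Dict[str, str]:
    # Step 1. Note grant_type: the body quoted in the post does not show one.
    return {"grant_type": PASSWORD_REALM_GRANT, "username": username,
            "password": password, "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "realm": REALM, "audience": AUDIENCE}


def challenge_request(mfa_token: str) -> Dict[str, str]:
    # Step 2. /mfa/challenge takes the mfa_token in the JSON body together with
    # the confidential client's credentials; "oob" asks for an out-of-band
    # (SMS/voice) challenge, "otp" would select an authenticator app.
    return {"mfa_token": mfa_token, "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "challenge_type": "oob"}


def oob_token_request(mfa_token: str, oob_code: str, binding_code: str) -> Dict[str, str]:
    # Step 3. Redeem the challenge; binding_code is the code the user read from the SMS.
    return {"grant_type": MFA_OOB_GRANT, "mfa_token": mfa_token, "oob_code": oob_code,
            "binding_code": binding_code, "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET}


def login_with_sms_mfa(transport: Transport, username: str, password: str,
                       read_sms_code: Callable[[], str]) -> str:
    """Run the full exchange and return the access token, or raise MfaError."""
    status, body = transport(BASE_URL + "/oauth/token",
                             password_realm_request(username, password))
    if status == 200:
        return body["access_token"]            # user has no MFA enrolled
    if body.get("error") != "mfa_required":    # key on the error, not the status
        raise MfaError(f"login refused: {body}")
    mfa_token = body["mfa_token"]

    status, body = transport(BASE_URL + "/mfa/challenge", challenge_request(mfa_token))
    if status != 200 or body.get("challenge_type") != "oob":
        raise MfaError(f"challenge refused: {body}")

    status, body = transport(BASE_URL + "/oauth/token",
                             oob_token_request(mfa_token, body["oob_code"], read_sms_code()))
    if status != 200:
        raise MfaError(f"MFA verification refused: {body}")
    return body["access_token"]


def make_fake_auth0() -> Transport:
    """Constructed stand-in for the tenant: one user ("m2m-user") with SMS enrolled.

    Response shapes copy the thread. Treating a wrong client secret or an unknown
    mfa_token as the generic 401 "Unauthorized" is an assumption, not a diagnosis.
    """
    state = {"mfa_token": "mfatokenmfatoken", "oob_code": "oobcode0001", "sms": "246810"}
    unauthorized = (401, {"error": "server_error", "error_description": "Unauthorized"})

    def transport(url: str, body: Dict[str, str]) -> Tuple[int, Dict]:
        path = url[len(BASE_URL):]
        if body.get("client_id") != CLIENT_ID or body.get("client_secret") != CLIENT_SECRET:
            return unauthorized
        if path == "/oauth/token" and body.get("grant_type") == PASSWORD_REALM_GRANT:
            if (body.get("username"), body.get("password")) != ("m2m-user", "passwordpassword"):
                return 403, {"error": "invalid_grant", "error_description": "Wrong email or password."}
            return 401, {"error": "mfa_required",
                         "error_description": "Multifactor authentication required",
                         "mfa_token": state["mfa_token"]}
        if path == "/mfa/challenge":
            if body.get("mfa_token") != state["mfa_token"] or \
                    "oob" not in body.get("challenge_type", "").split():
                return unauthorized
            return 200, {"challenge_type": "oob", "oob_code": state["oob_code"],
                         "binding_method": "prompt"}       # "prompt": user must type the SMS code
        if path == "/oauth/token" and body.get("grant_type") == MFA_OOB_GRANT:
            got = (body.get("mfa_token"), body.get("oob_code"), body.get("binding_code"))
            if got != (state["mfa_token"], state["oob_code"], state["sms"]):
                return 403, {"error": "invalid_grant", "error_description": "Invalid binding_code."}
            return 200, {"access_token": "constructed.access.token",
                         "token_type": "Bearer", "expires_in": 86400}
        return 404, {"error": "not_found"}

    return transport


if __name__ == "__main__":
    token = login_with_sms_mfa(make_fake_auth0(), "m2m-user", "passwordpassword", lambda: "246810")
    print("access token:", token)
```

Against a real tenant, replace `make_fake_auth0()` with a transport that POSTs the dict as JSON and returns the parsed response, and have `read_sms_code` prompt the operator. Keying on the `error` field rather than the HTTP status keeps the client correct whichever status the tenant sends for `mfa_required`.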

Fixed formatting in original post.

Anyone have thoughts on what I’m doing wrong? This is becoming a bit of a blocker for me unfortunately.


I am facing the same issue using Google Authenticator.
POST /mfa/challenge returns

    "error": "server_error",
    "error_description": "Unauthorized"


Hey there!

Sorry for such a huge delay in response! We're doing our best to provide you with the best developer support experience out there, but sometimes our bandwidth is not enough compared to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?