Autional API Reference

POST /auth/mfa/verify-challenge

Complete multi-factor authentication using a challenge_token and an MFA verification code (TOTP/SMS/email). On successful verification the real JWT token is returned, replacing the temporary challenge token. References: RFC 6238 (TOTP), RFC 4226 (HOTP), NIST SP 800-63B §5.1, OWASP ASVS V2.8.

Tag: Multi-Factor Authentication. Authentication: None. Content-Type: application/json

Request Body

Schema: dto.VerifyMFAChallengeRequest

| Field | Type | Required | Example | Constraints | Description |
|---|---|---|---|---|---|
| challenge_token | string | Yes | | | |
| code | string | Yes | | | |
| mfa_method | string | No | | | totp/sms/email/push; default totp; for push, code is the challenge_id |

Responses

| Status | Description | Schema |
|---|---|---|
| 200 | MFA verification successful, returns real JWT token | dto.LoginResponse |
| 400 | Invalid challenge token or verification code | gitee_com_linmes_authms_base_dto.SimpleResponse |
| 500 | MFA service unavailable or internal server error | gitee_com_linmes_authms_base_dto.SimpleResponse |
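An added client-side example, not code from the Autional project: it computes a TOTP the way an authenticator app does (RFC 6238 over RFC 4226, HMAC-SHA1), builds the dto.VerifyMFAChallengeRequest body from a dto.LoginResponse that set requires_mfa, and classifies the reply so that only a 200 carrying access_token is treated as authenticated. The seed is the RFC 6238 Appendix B test vector; the login reply, token strings and the mapping of status codes to client states are constructed assumptions.

```python
import base64
import hashlib
import hmac
import struct

VERIFY_PATH = "/auth/mfa/verify-challenge"
MFA_METHODS = ("totp", "sms", "email", "push")

def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over RFC 4226 HOTP (HMAC-SHA1), as an authenticator app computes it."""
    secret = secret_b32.upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    counter = struct.pack(">Q", unix_time // step)  # 8-byte big-endian time step
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.3)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def build_verify_request(login_resp: dict, code: str, mfa_method: str = "totp") -> dict:
    """Build the dto.VerifyMFAChallengeRequest body from a dto.LoginResponse that set requires_mfa.
    For mfa_method "push" the caller passes the challenge_id as `code`, as the field table states."""
    if not login_resp.get("requires_mfa") or not login_resp.get("challenge_token"):
        raise ValueError("login response carries no MFA challenge")
    if mfa_method not in MFA_METHODS:
        raise ValueError(f"unsupported mfa_method {mfa_method!r}")
    return {"challenge_token": login_resp["challenge_token"], "code": code, "mfa_method": mfa_method}

def parse_verify_response(status: int, body: dict) -> dict:
    """Classify the reply: only a 200 that carries access_token is 'authenticated';
    a challenge_token is short-lived and must never be sent as a bearer credential."""
    if status == 200 and body.get("access_token") and not body.get("requires_mfa"):
        return {"state": "authenticated",
                "authorization": f"{body.get('token_type', 'Bearer')} {body['access_token']}",
                "refresh_token": body.get("refresh_token"), "expires_in": body.get("expires_in"),
                "must_change_password": bool(body.get("must_change_password"))}
    if status == 200:  # another challenge instead of a token: stay in the MFA step
        return {"state": "challenged", "challenge_token": body.get("challenge_token")}
    if status == 400:  # dto.SimpleResponse: bad challenge_token or wrong code
        return {"state": "rejected", "message": body.get("message")}
    return {"state": "unavailable", "message": body.get("message")}  # 500 or anything else

# Constructed sample data: RFC 6238 Appendix B seed (ASCII "12345678901234567890") and a made-up login reply.
RFC6238_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_LOGIN = {"requires_mfa": True, "challenge_token": "chg_abc123...", "mfa_check_reason": "new_device"}
SAMPLE_OK = {"access_token": "eyJhbGciOi...", "refresh_token": "eyJhbGciOi...", "expires_in": 1800,
             "token_type": "Bearer", "must_change_password": False}

if __name__ == "__main__":
    req = build_verify_request(SAMPLE_LOGIN, totp(RFC6238_SEED_B32, 59))
    print("POST", VERIFY_PATH, req, "->", parse_verify_response(200, SAMPLE_OK))
```

The RFC 6238 vectors (T=59 gives 94287082, truncated here to six digits) let you check the TOTP routine against a real authenticator before pointing it at a live challenge.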

Referenced Schemas

dto.LoginResponse

User login result

| Field | Type | Required | Example | Constraints | Description |
|---|---|---|---|---|---|
| access_token | string | No | eyJhbGciOi... | | Access token |
| challenge_token | string | No | chg_abc123... | | MFA challenge token (short-lived, requires MFA verification) |
| expires_in | integer | No | 1800 | | Expiration time |
| mfa_check_reason | string | No | new_device | | MFA trigger reason description |
| must_change_password | boolean | No | False | | Password must be changed |
| password_expires_in | integer | No | 30 | | Days until password expires |
| password_warning | string | No | expiring | | Password warning: expiring/expired_grace/expired |
| refresh_token | string | No | eyJhbGciOi... | | Refresh token |
| required_mfa_methods | array of string | No | | | List of recommended MFA methods |
| requires_mfa | boolean | No | False | | Adaptive MFA: additional MFA verification required |
| risk_assessment | object | No | | | Risk assessment |
| risk_level | string | No | low | | Risk level: low/medium/high |
| token_type | string | No | Bearer | | Token type |
| user | object | No | | | User info |
| user_id | string | No | | | User ID (redundant with User.ID for flat access) |

dto.RiskAssessmentInfo

| Field | Type | Required | Example | Constraints | Description |
|---|---|---|---|---|---|
| level | string | No | | | |
| recommended_mfa_methods | array of string | No | | | |
| require_mfa | boolean | No | | | |
| score | integer | No | | | |

dto.UserInfo

User basic information

| Field | Type | Required | Example | Constraints | Description |
|---|---|---|---|---|---|
| created_at | string | No | 2026-01-15T10:30:00Z | | Account creation time |
| email | string | No | john@example.com | | Email |
| id | string | No | usr_abc123 | | User ID |
| must_change_password | boolean | No | False | | Password must be changed |
| password_expires_in | integer | No | 30 | | Days until password expires |
| password_warning | string | No | expiring | | Password warning: expiring/expired_grace/expired |
| phone | string | No | 13800138000 | | Phone |
| status | string | No | active | | Status |
| username | string | No | john.doe | | Username |

gitee_com_linmes_authms_base_dto.SimpleResponse

| Field | Type | Required | Example | Constraints | Description |
|---|---|---|---|---|---|
| code | integer | No | | | |
| message | string | No | | | |
| timestamp | string | No | | | |