Before you start

The Auth0 Management API provides several endpoints you can use to manage your users’ authentication methods. This method relies on authenticating using a confidential application. To learn more about confidential vs. public applications, read Confidential and Public Applications.

Get all authentication methods

Use the Gets a list of authentication methods endpoint to get a list of all of the authentication methods a user has either fully or partially enrolled. This endpoint requires the scope: read:authentication_methods.

Examples

The following request returns a list of all authentication methods for a specified user.
curl --request GET \
  --url https://{yourDomain}/api/v2/users/{userId}/authentication-methods \
  --header 'authorization: Bearer {yourMgmtApiAccessToken}'

Responses

For each valid request, the Management API will return a response in the JSON format.
[
  {
    "id": "totp|dev_XXXXXXXXXXXXXXXX",
    "type": "totp",
    "confirmed": true,
    "created_at": "2021-09-23T22:57:30.206Z",
    "last_auth_at": "2021-09-23T22:57:51.652Z"
  }
]
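
An added example (not from the Auth0 documentation): a Python check over a list response of the shape shown above. It flags methods that are unconfirmed, confirmed but never used to authenticate, or unused for a long time. The sample data, the 180-day threshold and the finding names are assumptions constructed for this example.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the list response above (not real data).
SAMPLE = json.loads("""[
  {"id": "totp|dev_EXAMPLE1", "type": "totp", "confirmed": true,
   "created_at": "2021-09-23T22:57:30.206Z", "last_auth_at": "2021-09-23T22:57:51.652Z"},
  {"id": "phone|dev_EXAMPLE2", "type": "phone", "confirmed": true,
   "created_at": "2023-03-01T10:00:00.000Z"},
  {"id": "email|dev_EXAMPLE3", "type": "email", "confirmed": false,
   "created_at": "2023-03-02T10:00:00.000Z"},
  {"id": "webauthn-roaming|dev_EXAMPLE4", "type": "webauthn-roaming", "confirmed": true,
   "created_at": "2023-01-05T09:00:00.000Z", "last_auth_at": "2023-03-08T09:00:00.000Z"}
]""")


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the responses."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_methods(methods, now, stale_after_days=180):
    """Return (method id, finding) pairs; methods with no finding are omitted."""
    findings = []
    for m in methods:
        mid = m.get("id", "<no id>")
        last = m.get("last_auth_at")
        if not m.get("confirmed", False):
            # Partially enrolled, or the field is missing: treat as not usable.
            findings.append((mid, "unconfirmed"))
        elif last is None:
            # Confirmed but never used to authenticate: verify with the user.
            findings.append((mid, "never_used"))
        elif now - parse_ts(last) > timedelta(days=stale_after_days):
            findings.append((mid, "stale"))
    return findings


if __name__ == "__main__":
    now = datetime(2023, 3, 10, tzinfo=timezone.utc)  # fixed "now" for the sample
    for method_id, finding in audit_methods(SAMPLE, now):
        print(f"{finding:12} {method_id}")
```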

Get a single authentication method

Use the Gets an authentication method by ID endpoint to get a single authentication method for a user specified by the authentication method’s ID. This endpoint requires the scope: read:authentication_methods.

Examples

The following request returns a single authentication method for a user based on the specified authentication method’s ID.
curl --request GET \
  --url https://{yourDomain}/api/v2/users/{userId}/authentication-methods/{authenticationMethodId} \
  --header 'authorization: Bearer {yourMgmtApiAccessToken}'

Responses

For each valid request, the Management API will return a response in the JSON format.
{
    "id": "totp|dev_XXXXXXXXXXXXXXXX",
    "type": "totp",
    "confirmed": true,
    "created_at": "2021-09-23T22:57:30.206Z",
    "last_auth_at": "2021-09-23T22:57:51.652Z"
}

Create an authentication method

Use the Creates an authentication method for a given user endpoint to create an authentication method for a user, including SMS, email, one-time password (OTP), or WebAuthn with security keys. To learn more about available MFA authentication factors, read Multi-Factor Authentication Factors. This endpoint requires the scope: create:authentication_methods.
Authentication methods created through this endpoint will be confirmed automatically and available immediately. Verify with the user that the authentication method is configured correctly and is still valid.

SMS

Send users an OTP over SMS which the user is then prompted to enter before they can finish authenticating.

Examples

The following request creates an SMS authentication method for a user.
curl --request POST \
  --url https://{yourDomain}/api/v2/users/{userId}/authentication-methods \
  --header 'authorization: Bearer {yourMgmtApiAccessToken}' \
  --header 'content-type: application/json' \
  --data '{ "type": "phone", "name": "SMS", "phone_number": "+00000000000" }'

Responses

For each valid request, the Management API will return a response in the JSON format.
{
    "type": "phone",
    "name": "SMS",
    "created_at": "2023-01-01T00:00:00.000Z",
    "phone_number": "+00000000000",
    "id": "phone|dev_XXXXXXXXXXXXXXXX"
}

Email

Send users an OTP over email which the user is then prompted to enter before they can finish authenticating. The email factor is only supported when a user has no other factors available.

Examples

The following request creates an email authentication method for a user.
curl --request POST \
  --url https://{yourDomain}/api/v2/users/{userId}/authentication-methods \
  --header 'authorization: Bearer {yourMgmtApiAccessToken}' \
  --header 'content-type: application/json' \
  --data '{ "type": "email", "name": "Email Factor", "email": "user@example.com" }'

Responses

For each valid request, the Management API will return a response in the JSON format.
{
    "type": "email",
    "name": "Email Factor",
    "created_at": "2023-01-01T00:00:00.000Z",
    "email": "user@example.com",
    "id": "email|dev_XXXXXXXXXXXXXXXX"
}

One-time passwords (OTP)

Enable users to use an authenticator application, such as Google Authenticator, on their personal device to generate an OTP that changes periodically, which the user is prompted to enter before they finish authenticating.

Examples

The following request creates an OTP authentication method for a user.
curl --request POST \
  --url https://{yourDomain}/api/v2/users/{userId}/authentication-methods \
  --header 'authorization: Bearer {yourMgmtApiAccessToken}' \
  --header 'content-type: application/json' \
  --data '{ "type": "totp", "name": "OTP Application", "totp_secret": "{yourSecret}" }'

Responses

For each valid request, the Management API will return a response in the JSON format.
{
    "type": "totp",
    "name": "OTP Application",
    "created_at": "2023-01-01T00:00:00.000Z",
    "email": "user@example.com",
    "id": "totp|dev_XXXXXXXXXXXXXXXX"
}

WebAuthn with security keys

Enable users to use FIDO-compliant security keys (for example, Yubikey or Google Titan) to perform multi-factor authentication.

Examples

The following request creates a WebAuthn with security keys authentication method for a user.
curl --request POST \
  --url https://{yourDomain}/api/v2/users/{userId}/authentication-methods \
  --header 'authorization: Bearer {yourMgmtApiAccessToken}' \
  --header 'content-type: application/json' \
  --data '{ "type": "webauthn_roaming", "name": "WebAuthn with security keys", "public_key": "{yourPublicKey}", "key_id": "{yourKeyId}", "relying_party_identifier": "{yourDomain}" }'

Responses

For each valid request, the Management API will return a response in the JSON format.
{
    "type": "webauthn-roaming",
    "name": "WebAuthn with security keys",
    "relyingPartyIdentifier": "example-tenant.auth0.com",
    "keyId": "X9FrwMfmzj...",
    "publicKey": "bXktcHVibGljLWtle...",
    "created_at": "2023-03-09T17:33:47.545Z",
    "id": "webauthn-roaming|dev_XXXXXXXXXXXXXXXX"
}

Replace all authentication methods

Use the Updates all authentication methods by replacing them with the given ones endpoint to replace all existing authentication methods with those provided. This endpoint requires the scope: update:authentication_methods.

Examples

The following request replaces all existing authentication methods for a user.
curl --request PUT \
  --url https://{yourDomain}/api/v2/users/{userId}/authentication-methods \
  --header 'authorization: Bearer {yourMgmtApiAccessToken}' \
  --header 'content-type: application/json' \
  --data '[{ "type": "phone", "preferred_authentication_method": "sms", "phone_number": "+00000000000", "name": "SMS" }]'

Responses

For each valid request, the Management API will return a response in the JSON format.
[
  {
    "id": "phone|dev_XXXXXXXXXXXXXXXX",
    "type": "phone",
    "name": "SMS",
    "phone_number": "+00000000000",
    "created_at": "2023-03-09T17:53:23.647Z",
    "preferred_authentication_method": "sms",
    "authentication_methods": [
      {
        "id": "sms|dev_XXXXXXXXXXXXXXXX",
        "type": "sms"
      }
    ]
  }
]
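
An added example (not from the Auth0 documentation): because this request replaces every existing method, the Python check below compares the user's current methods with the intended payload before it is sent and reports what the user would lose. The `PHISHING_RESISTANT` grouping, the review rule, and the sample current state are assumptions made for this example.

```python
# Assumption made for this example: only security keys count as phishing-resistant.
PHISHING_RESISTANT = {"webauthn-roaming"}


def norm_type(value):
    """The page shows 'webauthn_roaming' in requests and 'webauthn-roaming' in responses."""
    return value.replace("_", "-")


def method_key(m):
    """Identify a method by type plus its target: phone number, email or key ID."""
    target = (m.get("phone_number") or m.get("email")
              or m.get("key_id") or m.get("keyId") or "")
    return (norm_type(m["type"]), target)


def replace_preflight(current, proposed):
    """Compare the user's current methods with a PUT payload before sending it."""
    before = {method_key(m) for m in current}
    after = {method_key(m) for m in proposed}
    had_strong = any(t in PHISHING_RESISTANT for t, _ in before)
    has_strong = any(t in PHISHING_RESISTANT for t, _ in after)
    added = sorted(after - before)
    return {
        "dropped": sorted(before - after),   # methods the user loses
        "added": added,                      # new types or targets
        "removes_all": not after,            # user is left with no methods
        "loses_phishing_resistant": had_strong and not has_strong,
        "needs_review": bool(added) or not after or (had_strong and not has_strong),
    }


# Constructed current state (not real data) and the PUT payload from the request above.
CURRENT = [
    {"id": "webauthn-roaming|dev_EXAMPLE1", "type": "webauthn-roaming", "keyId": "EXAMPLEKEY"},
    {"id": "totp|dev_EXAMPLE2", "type": "totp"},
]
PROPOSED = [{"type": "phone", "preferred_authentication_method": "sms",
             "phone_number": "+00000000000", "name": "SMS"}]

if __name__ == "__main__":
    for field, value in replace_preflight(CURRENT, PROPOSED).items():
        print(f"{field}: {value}")
```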

Update a single authentication method

Use the Updates an authentication method endpoint to update a single authentication method for a user. This endpoint requires the scope: update:authentication_methods.

Examples

The following request updates a single authentication method for a user based on the specific authentication method’s ID.
curl --request PATCH \
  --url https://{yourDomain}/api/v2/users/{userId}/authentication-methods/{authenticationMethodId} \
  --header 'authorization: Bearer {yourMgmtApiAccessToken}' \
  --header 'content-type: application/json' \
  --data '{ "name": "Mobile SMS" }'

Responses

For each valid request, the Management API will return a response in the JSON format.
{
    "type": "phone",
    "name": "Mobile SMS",
    "created_at": "2023-01-12T00:03:52.855Z",
    "last_auth_at": "2023-01-12T00:04:05.157Z",
    "phone_number": "+00000000000",
    "preferred_authentication_method": "sms",
    "id": "phone|dev_XXXXXXXXXXXXXXXX",
    "authentication_methods": [
        {
            "id": "phone|dev_XXXXXXXXXXXXXXXX",
            "type": "phone"
        }
    ]
}

Delete all authentication methods

Use the Deletes all authentication methods for the given user endpoint to delete all authentication methods for a user. This endpoint requires the scope: delete:authentication_methods.

Examples

The following request deletes all authentication methods for a user.
curl --request DELETE \
  --url https://{yourDomain}/api/v2/users/{userId}/authentication-methods \
  --header 'authorization: Bearer {yourMgmtApiAccessToken}'

Responses

For each valid request, the Management API will return a response with a 204 status code and empty body.

Delete a single authentication method

Use the Deletes an authentication method by ID endpoint to delete a single authentication method for a user.

Examples

The following request deletes a single authentication method for a user based on the specified authentication method’s ID.
curl --request DELETE \
  --url https://{yourDomain}/api/v2/users/{userId}/authentication-methods/{authenticationMethodId} \
  --header 'authorization: Bearer {yourMgmtApiAccessToken}'

Responses

For each valid request, the Management API will return a response with a 204 status code and empty body.
