Redeem a single-use recovery code to satisfy an in-flight MFA challenge
POST /v1/identity/auth/mfa/challenge/recovery-code

Request body

`challenge_token` * string: Challenge token returned by /v1/identity/auth/login when `requires_mfa_challenge` was true.

`code` * string: A single-use recovery code shown during enrollment. Dashes and case are normalised server-side: `ABCD-EFGH-IJKL-MNOP` and `abcdefghijklmnop` are accepted equivalently.

`remember_device` boolean: When true and the env's `mfa_trusted_device_days` > 0, issue a 'remember this device' cookie so future logins from this browser skip the MFA challenge. Default false.

Code samples
```bash
curl -X POST "https://api.canopy.dev/v1/identity/auth/mfa/challenge/recovery-code" \
  -H "Content-Type: application/json" \
  -d '{
    "challenge_token": "string",
    "code": "ABCD-EFGH-IJKL-MNOP",
    "remember_device": false
  }'
```

```javascript
const response = await fetch("https://api.canopy.dev/v1/identity/auth/mfa/challenge/recovery-code", {
  method: "POST",
  headers: {
    "Content-Type": "application/json"
  },
  body: JSON.stringify({
    "challenge_token": "string",
    "code": "ABCD-EFGH-IJKL-MNOP",
    "remember_device": false
  }),
});
const data = await response.json();
```

```python
import requests

response = requests.post(
    "https://api.canopy.dev/v1/identity/auth/mfa/challenge/recovery-code",
    headers={
        "Content-Type": "application/json"
    },
    json={
        "challenge_token": "string",
        "code": "ABCD-EFGH-IJKL-MNOP",
        "remember_device": False,
    },
    timeout=10,  # do not let a stalled connection hang the login flow
)
data = response.json()
```

```go
package main

import (
	"bytes"
	"encoding/json"
	"log"
	"net/http"
)

func main() {
	payload := map[string]interface{}{
		"challenge_token": "string",
		"code":            "ABCD-EFGH-IJKL-MNOP",
		"remember_device": false,
	}
	body, err := json.Marshal(payload)
	if err != nil {
		log.Fatal(err)
	}
	req, err := http.NewRequest("POST", "https://api.canopy.dev/v1/identity/auth/mfa/challenge/recovery-code", bytes.NewBuffer(body))
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		log.Fatal(err) // resp is nil on error, so resp.Body must not be touched
	}
	defer resp.Body.Close()
}
```

Responses
```json
{
  "requires_application_selection": false,
  "requires_mfa_challenge": false,
  "expires_in": 0,
  "identity": {
    "id": "string",
    "email": "string",
    "first_name": "string",
    "last_name": "string"
  },
  "access_token": "string",
  "token_type": "string",
  "applications": [
    {
      "id": "string",
      "name": "string",
      "slug": "string"
    }
  ],
  "mfa_challenge": {
    "challenge_token": "string",
    "available_factors": [
      "totp"
    ],
    "expires_at": "2026-04-20T12:00:00.000Z"
  },
  "mfa_enrollment_pending": false,
  "grace_expires_at": "2026-04-20T12:00:00.000Z"
}
```

application/json

`requires_application_selection` * boolean

`requires_mfa_challenge` * boolean: True when the env requires MFA and the identity has ≥ 1 enrolled factor. The client must POST one of `/v1/identity/auth/mfa/challenge/*` with the supplied `mfa_challenge.challenge_token` to mint a session.

`expires_in` * number

`identity` * IdentityUserDto

`access_token` string

`token_type` string

`applications` IdentityApplicationSummaryDto[]

`mfa_challenge` IdentityMfaChallengePromptDto

`mfa_enrollment_pending` boolean: True when the env requires MFA, the identity has not yet enrolled a factor, and the per-env grace timer has time on it. Session is fully issued; the client should nudge the user to enroll a factor before `grace_expires_at`.

`grace_expires_at` string (date-time): Wall-clock deadline by which the identity must enroll a factor; after this, login is blocked with `mfa.enrollment_required` until an admin force-resets MFA.
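
An added example (not Canopy's own code) of how a client can map the response fields documented above to a single next action, refusing to treat a response as a session while `requires_mfa_challenge` is true. The function names, the tuple labels, the local expiry check, the handling of `requires_application_selection` and the sample responses are assumptions made for illustration.

```python
from datetime import datetime, timezone

def _parse(ts):
    # Timestamps on this page look like 2026-04-20T12:00:00.000Z
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def recovery_body(challenge_token, code, remember_device=False):
    # remember_device defaults to False, as on this page; set it only on an
    # explicit user choice. The code is sent as typed (server normalises it).
    return {"challenge_token": challenge_token, "code": code,
            "remember_device": bool(remember_device)}

def next_step(resp, now=None):
    """Map a login or challenge response to the one action the client may take."""
    now = now or datetime.now(timezone.utc)
    if resp.get("requires_mfa_challenge"):
        prompt = resp.get("mfa_challenge") or {}
        token, expires = prompt.get("challenge_token"), prompt.get("expires_at")
        if not token or not expires:
            return ("error", "MFA required but no usable mfa_challenge")
        if _parse(expires) <= now:
            return ("restart_login", "challenge_token expired")
        return ("mfa_challenge", token)  # any access_token here is ignored
    if resp.get("requires_application_selection"):
        # Assumption: the client picks from `applications` before continuing.
        return ("select_application", [a["slug"] for a in resp.get("applications", [])])
    if not resp.get("access_token"):
        return ("error", "no access_token and no further step indicated")
    if resp.get("mfa_enrollment_pending"):
        return ("session_enroll_before", resp.get("grace_expires_at"))
    return ("session", resp["access_token"])

# Constructed sample responses (not captured from the real API).
NOW = datetime(2026, 4, 20, 11, 55, tzinfo=timezone.utc)
CHALLENGED = {"requires_mfa_challenge": True, "requires_application_selection": False,
              "mfa_challenge": {"challenge_token": "ct_example",
                                "available_factors": ["totp"],
                                "expires_at": "2026-04-20T12:00:00.000Z"}}
REDEEMED = {"requires_mfa_challenge": False, "requires_application_selection": False,
            "access_token": "at_example", "mfa_enrollment_pending": False}

if __name__ == "__main__":
    print(next_step(CHALLENGED, NOW))   # challenge must be answered first
    print(recovery_body("ct_example", "ABCD-EFGH-IJKL-MNOP"))
    print(next_step(REDEEMED, NOW))     # session issued after redemption
```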