Remove an enrolled MFA factor
/v1/identity/auth/mfa/factors/{id}Authentication
- Bearer Token
AuthorizationJWT access token
Path Parameters
| Name | Required | Type | Description |
|---|---|---|---|
id | string |
Headers
x-mfa-step-up-tokenrequired
Code samples
curl -X DELETE "https://api.canopy.dev/v1/identity/auth/mfa/factors/value" \ -H "x-mfa-step-up-token: value" \ -H "Authorization: Bearer $CANOPY_TOKEN"
const response = await fetch("https://api.canopy.dev/v1/identity/auth/mfa/factors/value", {
method: "DELETE",
headers: {
"x-mfa-step-up-token": "value",
"Authorization": "Bearer $CANOPY_TOKEN"
},
});
const data = await response.json();import requests
response = requests.delete(
"https://api.canopy.dev/v1/identity/auth/mfa/factors/value",
headers={
"x-mfa-step-up-token": "value",
"Authorization": "Bearer $CANOPY_TOKEN"
},
)
data = response.json()package main
import (
"net/http"
)
func main() {
req, _ := http.NewRequest("DELETE", "https://api.canopy.dev/v1/identity/auth/mfa/factors/value", nil)
req.Header.Set("x-mfa-step-up-token", "value")
req.Header.Set("Authorization", "Bearer $CANOPY_TOKEN")
resp, _ := http.DefaultClient.Do(req)
defer resp.Body.Close()
}Responses
204 Deletes the factor row. Requires a fresh `X-Mfa-Step-Up-Token` proving the caller still controls a factor — this prevents a session-hijack from silently disenrolling the user's second factor. On 401, the body's `error.code` is `mfa.step_up_required` (header missing or invalid) or `auth.invalid_token` (caller's bearer token is invalid).
401 Invalid or expired token
403 This token is not authorized for this endpoint (wrong principal type — e.g., admin token on identity-only endpoint, or vice versa)
404 Factor not found or does not belong to the caller