1. Docs
  2. API Reference
  3. Get MFA enrollment summary for an identity

Get MFA enrollment summary for an identity

GET/portal/v1/accounts/{accountSlug}/identities/{id}/mfa

Authentication

  • Bearer Token Authorization

    JWT access token

Path Parameters

Name Required Type Description
idRequiredstring

Code samples

cURLJavaScriptPythonGo
curl -X GET "https://api.canopy.dev/portal/v1/accounts/{accountSlug}/identities/value/mfa" \
  -H "Authorization: Bearer $CANOPY_TOKEN"

Responses

200 Returns the identity's enrolled factors (TOTP and WebAuthn rows with redacted secrets), the current recovery-code generation count + remaining count, and the most-recent admin-reset timestamp. 
{
  "factors": [
    {
      "id": "00000000-0000-0000-0000-000000000000",
      "type": "totp",
      "label": "iPhone 15",
      "enrolled_at": "2026-04-20T12:00:00.000Z",
      "last_used_at": "2026-04-20T12:00:00.000Z"
    }
  ],
  "recovery_codes_generation": 0,
  "recovery_codes_remaining": 0,
  "mfa_admin_reset_at": "2026-04-20T12:00:00.000Z"
}

application/json

  • factorsMfaFactorResponseDto[]*
  • recovery_codes_generationnumber*

    Generation number of the active recovery-code batch. 0 means no batch has ever been issued; 1+ tracks regenerations.

  • recovery_codes_remainingnumber*

    Unredeemed code count in the current generation.

  • mfa_admin_reset_atstring (date-time)

    Timestamp of the most recent admin force-reset. `null` if MFA has never been reset for this identity.

401 Invalid or expired token
403 This token is not authorized for this endpoint (wrong principal type — e.g., admin token on identity-only endpoint, or vice versa)
404 Identity not found

Returned object

The AccountIdentityMfaResponseDto object View all properties on this resource
On this page

Related endpoints

POSTForce-reset an identity's MFA — admin recovery action
Canopy