totp

Create TOTP MFA method

This endpoint creates an MFA method of type TOTP.

Method  Path
POST    /identity/mfa/method/totp

Parameters

  • method_name (string) - The unique name identifier for this MFA method. Supported from Vault 1.13.0.

  • issuer (string: <required>) - The name of the key's issuing organization.

  • period (int or duration format string: 30) - The length of time used to generate a counter for the TOTP token calculation.

  • key_size (int: 20) - Specifies the size in bytes of the generated key.

  • qr_size (int: 200) - The pixel size of the generated square QR code.

  • algorithm (string: "SHA1") - Specifies the hashing algorithm used to generate the TOTP code. Options include "SHA1", "SHA256" and "SHA512".

  • digits (int: 6) - The number of digits in the generated TOTP token. This value can either be 6 or 8.

  • skew (int: 1) - The number of delay periods that are allowed when validating a TOTP token. This value can either be 0 or 1.

  • max_validation_attempts (int: 5) - The maximum number of consecutive failed validation attempts.
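The parameters above map directly onto the RFC 6238 TOTP computation and onto the checks a verifier performs. The following is an added example, not code from the Vault documentation or the Vault code base: it implements HOTP/TOTP with the documented `period`, `digits` and `algorithm` values, and a small validator that applies `skew` (how many adjacent time steps are accepted) and `max_validation_attempts` (consecutive failures before further codes are refused). The lockout-and-reset behaviour and the replay check (each time step accepted at most once) are this example's own assumptions about sensible verifier behaviour, not a description of Vault internals. The sample secret is the 20-byte ASCII key from RFC 6238 Appendix B, which also matches the documented `key_size` default of 20 bytes.

```python
"""Added worked example: TOTP generation and validation driven by the
create-endpoint parameters (period, digits, algorithm, skew,
max_validation_attempts). Standard library only; runs offline."""
import hashlib
import hmac
import struct

# Documented `algorithm` values mapped onto hashlib constructors.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic
    truncation to 31 bits, then modulo 10**digits with leading zeros kept."""
    if digits not in (6, 8):
        raise ValueError("digits must be 6 or 8")
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of `period`-second
    steps elapsed since the Unix epoch at time `at`."""
    return hotp(secret, at // period, digits, algorithm)


class TotpValidator:
    """Verifier-side state for one enrolled secret (example design, not Vault's).

    skew: number of time steps accepted on either side of the current one (0 or 1).
    max_validation_attempts: consecutive failures after which every further
    code is refused until an operator resets the counter.
    """

    def __init__(self, secret: bytes, period: int = 30, digits: int = 6,
                 algorithm: str = "SHA1", skew: int = 1, max_validation_attempts: int = 5):
        if skew not in (0, 1):
            raise ValueError("skew must be 0 or 1")
        self.secret, self.period, self.digits = secret, period, digits
        self.algorithm, self.skew = algorithm, skew
        self.max_validation_attempts = max_validation_attempts
        self.failures = 0          # consecutive failed attempts so far
        self.last_counter = None   # highest time step already consumed (replay guard)

    def locked(self) -> bool:
        return self.failures >= self.max_validation_attempts

    def validate(self, code: str, at: int) -> bool:
        """Accept `code` if it matches any step within the skew window around
        `at` that has not already been used; count failures consecutively."""
        if self.locked():
            return False
        current = at // self.period
        for step in range(current - self.skew, current + self.skew + 1):
            if self.last_counter is not None and step <= self.last_counter:
                continue  # a code for a consumed step is never accepted twice
            expected = hotp(self.secret, step, self.digits, self.algorithm)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.failures = 0
                self.last_counter = step
                return True
        self.failures += 1
        return False

    def reset_failures(self) -> None:
        """Operator action that clears a lockout (assumed, not a Vault API)."""
        self.failures = 0


if __name__ == "__main__":
    # Constructed input: the RFC 6238 Appendix B test key (20 bytes, SHA1, 8 digits).
    key = b"12345678901234567890"
    print(totp(key, 59, digits=8))          # 94287082
    print(totp(key, 1111111109, digits=8))  # 07081804
```

With `skew=1` a code minted in the previous 30-second step is still accepted one step later, which is why the default tolerates a client clock that lags slightly; with `skew=0` that same code is rejected. The `max_validation_attempts` counter only advances on consecutive failures and is cleared by a success, which bounds online guessing of a 6- or 8-digit code.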

Sample payload

{
  "issuer": "vault"
}

Sample request

Update TOTP MFA method

This endpoint updates the configuration of an MFA method of type TOTP.

Method  Path
POST    /identity/mfa/method/totp/:method_id

Parameters

  • method_id (string: <required>) - UUID of the MFA method.

  • and all of the parameters documented under the preceding "Create" endpoint.

Sample payload

Identical to the preceding "Create" endpoint.

Sample request

Read TOTP MFA method

This endpoint queries the MFA configuration of TOTP type for a given method ID.

Method  Path
GET     /identity/mfa/method/totp/:method_id

Parameters

  • method_id (string: <required>) - UUID of the MFA method.

Sample request

Sample response

Delete TOTP MFA method

This endpoint deletes a TOTP MFA method. MFA methods can only be deleted if they're not currently in use by a login enforcement.

Method  Path
DELETE  /identity/mfa/method/totp/:method_id

Parameters

  • method_id (string: <required>) - UUID of the MFA method.

Sample request

List TOTP MFA methods

This endpoint lists TOTP MFA methods that are visible in the current namespace or in parent namespaces.

Method  Path
LIST    /identity/mfa/method/totp

Sample request

Sample response

Generate a TOTP MFA secret

This endpoint generates an MFA secret in the entity of the calling token, if it doesn't exist already, using the configuration stored under the given MFA method ID.

Method  Path
POST    /identity/mfa/method/totp/generate

Parameters

  • method_id (string: <required>) - UUID of the MFA method.

Sample payload

Sample request

Sample response

Administratively generate a TOTP MFA secret

This endpoint can be used to generate a TOTP MFA secret. Unlike the generate API, which stores the generated secret on the entity ID of the calling token, the admin-generate API stores the generated secret on the given entity ID.

Method  Path
POST    /identity/mfa/method/totp/admin-generate

Parameters

  • method_id (string: <required>) - UUID of the MFA method.

  • entity_id (string: <required>) - Entity ID on which the generated secret needs to get stored.

Sample payload

Sample request

Sample response

Administratively destroy TOTP MFA secret

This endpoint deletes a TOTP MFA secret from the given entity ID.

To overwrite a secret on an entity, the existing secret must be explicitly deleted first. This API deletes the secret; the generate or admin-generate APIs should then be used to create a new one.

Method  Path
POST    /identity/mfa/method/totp/admin-destroy

Parameters

  • method_id (string: <required>) - UUID of the MFA method.

  • entity_id (string: <required>) - Entity ID from which the MFA secret should be removed.

Sample payload

Sample request
