Disable 2FA for the caller
POST /api/v1/auth/2fa/disable
Disable 2FA for the authenticated user after confirming possession.
Requires a valid TOTP code or a backup code.
Side effects:
- Every server-side trusted-device entry is wiped.
- The __Host-aisafe_trusted_device cookie is cleared on the response so this browser stops sending a stale trust grant.
- 400 if 2FA is not enabled.
- 401 if the verification code is wrong.
- Rate limit: 10 / 15 min / user (auth_mfa tier, 2fa_disable budget — separate from the login budget so a login lockout can't block self-disable; see ).
Request
Responses
- 200: Successful Response
- 400: Bad request — malformed input or failed validation.
- 401: Missing, expired, or invalid credentials.
- 403: Authenticated but not authorized for this resource. Note: cross-organization reads return 404, not 403.
- 404: Resource not found, or hidden for tenant-enumeration safety (the caller lacks permission to know whether the resource exists).
- 409: Conflict — the current resource state does not allow this operation (e.g. assessment already started, email already in use).
- 422: Semantic validation failure — request shape was valid but contents were not.
- 429: Too many requests — rate limited. Retry after the window resets.
- 500: Internal server error — unexpected failure.
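As an added illustration (not the service's own code), a minimal handler that implements the behaviour documented above: a per-user budget keyed separately from the login budget, the 400 and 401 checks, wiping every server-side trusted device and clearing the __Host- cookie with the attributes the prefix requires. The RFC 6238 TOTP helper, the User model, the budget keys and the login budget size are assumptions; the cookie name and the 10 / 15 min limit come from the page.

```python
import hashlib, hmac, struct
from typing import Optional
from dataclasses import dataclass, field

# Cookie name is from the page; __Host- prefix requires Secure, Path=/ and no Domain to clear.
TRUSTED_DEVICE_COOKIE = "__Host-aisafe_trusted_device"
CLEAR_COOKIE = f"{TRUSTED_DEVICE_COOKIE}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax"

# Constructed budgets keyed (tier, budget); a login lockout cannot drain the 2fa_disable key.
BUDGETS = {("auth_mfa", "login"): (5, 900), ("auth_mfa", "2fa_disable"): (10, 900)}
_buckets: dict = {}  # (tier, budget, user_id) -> [window_start, count]

def take_token(tier: str, budget: str, user_id: str, now: float) -> bool:
    """Fixed-window limiter; False when this user's budget is exhausted."""
    limit, window = BUDGETS[(tier, budget)]
    start, count = _buckets.get((tier, budget, user_id), (now, 0))
    if now - start >= window:
        start, count = now, 0
    if count >= limit:
        return False
    _buckets[(tier, budget, user_id)] = [start, count + 1]
    return True

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for one Unix timestamp."""
    mac = hmac.new(secret, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)

@dataclass
class User:
    totp_secret: Optional[bytes]  # None means 2FA is not enabled
    backup_hashes: set = field(default_factory=set)  # sha256 hex of unused backup codes
    trusted_devices: list = field(default_factory=list)

def disable_2fa(user: User, user_id: str, code: str, now: float) -> tuple:
    """POST /api/v1/auth/2fa/disable; returns (status, response headers)."""
    if not take_token("auth_mfa", "2fa_disable", user_id, now):
        return 429, {}
    if user.totp_secret is None:
        return 400, {}
    ok = hmac.compare_digest(totp(user.totp_secret, now), code)  # constant-time TOTP check
    ok = ok or hashlib.sha256(code.encode()).hexdigest() in user.backup_hashes
    if not ok:
        return 401, {}
    user.totp_secret, user.backup_hashes = None, set()  # disable; void backup codes
    user.trusted_devices.clear()                        # wipe every server-side trust grant
    return 200, {"Set-Cookie": CLEAR_COOKIE}
```

The rate-limit check runs before the 2FA-enabled check, so a caller who is already over budget receives 429 and learns nothing about enrollment state.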