
Disable 2FA for the caller

POST /api/v1/auth/2fa/disable

Disable 2FA for the authenticated user after confirming possession.

Requires a valid TOTP code or a backup code.

Side effects:

  • Every server-side trusted-device entry is wiped.

  • The __Host-aisafe_trusted_device cookie is cleared on the response so this browser stops sending a stale trust grant.

Errors:

  • 400 if 2FA is not enabled.

  • 401 if the verification code is wrong.

Rate limit:

  • 10 / 15 min / user (auth_mfa tier, 2fa_disable budget — separate from the login budget so a login lockout can't block self-disable; see ).

Request

Responses

Successful Response