Complete login with a 2FA code
POST /api/v1/auth/login/2fa
Complete a 2FA login using the partial token from /auth/login.
Accepts either a live TOTP code or a backup code. When
remember_device=true is set, a signed __Host-aisafe_trusted_device
cookie (30 d) is placed on the response so subsequent logins from this
browser skip the 2FA prompt. See the authentication docs for
the cookie contract.
- 401 on an invalid or expired partial token, or on a wrong TOTP/backup code.
- Rate limits (auth_mfa tier): this route declares no blind route-level limiter. Both the per-IP and per-user limits are charged inside the request body and routed by code shape, so TOTP and backup-code submissions land in disjoint budgets on both axes; a TOTP brute-force burst (per-IP or per-user) can never starve backup-code recovery. On a 429 the response carries a Retry-After header with the cooldown in seconds.
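The routing described above, as an added example that is not the service's own code: attempts are classified by code shape and charged against four disjoint sliding-window budgets keyed by (axis, shape), so exhausting the TOTP budget leaves backup-code recovery untouched. The backup-code shape, the limit values and the 400 for unrecognised shapes are assumptions for this example.

```python
import math
import re
import time
from collections import defaultdict, deque

# Code shapes: six-digit TOTP; the XXXX-XXXX backup shape is an assumption.
TOTP_RE = re.compile(r"\d{6}")
BACKUP_RE = re.compile(r"[A-Za-z0-9]{4}-[A-Za-z0-9]{4}")

class SlidingWindow:
    """At most `limit` charges per `window` seconds for each key."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def charge(self, key, now):
        """Record the hit and return 0, or return Retry-After seconds if exhausted."""
        q = self.hits[key]
        while q and q[0] <= now - self.window:
            q.popleft()  # drop hits that have left the window
        if len(q) >= self.limit:
            return max(1, math.ceil(q[0] + self.window - now))
        q.append(now)
        return 0

# Four disjoint budgets keyed by (axis, shape). Limits are illustrative.
BUDGETS = {
    ("ip", "totp"): SlidingWindow(10, 60),
    ("ip", "backup"): SlidingWindow(5, 60),
    ("user", "totp"): SlidingWindow(5, 60),
    ("user", "backup"): SlidingWindow(3, 60),
}

def classify(code):
    if TOTP_RE.fullmatch(code):
        return "totp"
    if BACKUP_RE.fullmatch(code):
        return "backup"
    return None

def rate_limit_2fa(ip, user_id, code, now=None):
    """None when the attempt may proceed to verification; else a refusal dict."""
    now = time.time() if now is None else now
    shape = classify(code)
    if shape is None:
        # Assumption: unknown shapes are refused before verification, not routed.
        return {"status": 400}
    retry = max(BUDGETS[("ip", shape)].charge(ip, now),
                BUDGETS[("user", shape)].charge(user_id, now))
    return {"status": 429, "Retry-After": str(retry)} if retry else None
```

The `now` parameter exists so the window can be driven deterministically; in a real handler the refusal dict is turned into the 429 response and the Retry-After header.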
Request
Responses
- 200: Successful Response
- 400: Bad request — malformed input or failed validation.
- 404: Resource not found, or hidden for tenant-enumeration safety (the caller lacks permission to know whether the resource exists).
- 409: Conflict — the current resource state does not allow this operation (e.g. assessment already started, email already in use).
- 422: Semantic validation failure — request shape was valid but contents were not.
- 429: Too many requests — rate limited. Retry after the window resets.
- 500: Internal server error — unexpected failure.