Complete login with a 2FA code

POST /api/v1/auth/login/2fa

Complete a 2FA login using the partial token from /auth/login.

Accepts either a live TOTP code or a backup code. When remember_device=true is set, a signed __Host-aisafe_trusted_device cookie (30 days) is placed on the response so subsequent logins from this browser skip the 2FA prompt. See the authentication docs for the cookie contract.
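To make the cookie contract concrete, here is an added example (not code from this project) of how a signed trusted-device cookie of this kind can be minted, emitted with the attributes the `__Host-` prefix requires (Secure, Path=/, no Domain), and verified on a later login. The claim layout (`uid`, `did`, `exp`), the HMAC-SHA256 construction and the signing key are assumptions made for the example; the real cookie format is defined in the authentication docs referenced above.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical server-side signing key; a real deployment loads it from a secret store.
SIGNING_KEY = b"example-signing-key-not-for-production"
COOKIE_NAME = "__Host-aisafe_trusted_device"
TRUST_TTL = 30 * 24 * 3600  # 30 days, as stated in the endpoint description


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_trusted_device(user_id: str, device_id: str, now: Optional[float] = None) -> str:
    """Cookie value = base64url(claims) '.' base64url(HMAC-SHA256(claims)); assumed layout."""
    now = time.time() if now is None else now
    claims = json.dumps(
        {"uid": user_id, "did": device_id, "exp": int(now + TRUST_TTL)},
        separators=(",", ":"),
        sort_keys=True,
    ).encode()
    tag = hmac.new(SIGNING_KEY, claims, hashlib.sha256).digest()
    return f"{_b64(claims)}.{_b64(tag)}"


def set_cookie_header(value: str) -> str:
    """Set-Cookie line satisfying the __Host- prefix: Secure, Path=/, and no Domain attribute."""
    return f"{COOKIE_NAME}={value}; Max-Age={TRUST_TTL}; Path=/; Secure; HttpOnly; SameSite=Lax"


def verify_trusted_device(value: str, user_id: str, now: Optional[float] = None) -> bool:
    """True only if the tag verifies, the claims are unexpired, and they belong to user_id."""
    now = time.time() if now is None else now
    try:
        claims_b64, tag_b64 = value.split(".", 1)
        claims, tag = _unb64(claims_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return False
    expected = hmac.new(SIGNING_KEY, claims, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False
    parsed = json.loads(claims)
    return parsed.get("uid") == user_id and parsed.get("exp", 0) > now


if __name__ == "__main__":
    cookie = mint_trusted_device("user-123", "device-abc")
    print(set_cookie_header(cookie))
    print("verifies:", verify_trusted_device(cookie, "user-123"))
```

The verifier checks the MAC before it parses any claim, so a tampered or truncated cookie never reaches the JSON decoder, and binding the claims to `uid` means a cookie lifted from one account cannot skip 2FA on another.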

  • 401 on an invalid or expired partial token, or on a wrong TOTP or backup code.
  • Rate limits (auth_mfa tier): this route declares no blind route-level limiter. Both the per-IP and the per-user limit are charged inside the handler body and routed by code shape, so TOTP and backup-code submissions draw on disjoint budgets on both axes; a TOTP brute-force burst (per-IP or per-user) can never starve backup-code recovery. On a 429 the response carries a Retry-After header with the cooldown in seconds.
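The following is an added example, not this project's limiter, of the shape-routed budgeting described above: every attempt is classified by code shape, then charged against a (shape, axis, subject) bucket for both the IP and the user axis, so exhausting the TOTP budget leaves the backup-code budget untouched. The shape rule (six digits is TOTP, anything else is tried as a backup code), the budget sizes and the fixed-window algorithm are assumptions made for the example; the page gives none of these.

```python
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

TOTP_RE = re.compile(r"^\d{6}$")

# Assumed auth_mfa budgets (attempts, window seconds); the page states no numbers.
LIMITS: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("totp", "ip"): (20, 300),
    ("totp", "user"): (5, 300),
    ("backup", "ip"): (10, 300),
    ("backup", "user"): (5, 300),
}


def code_shape(code: str) -> str:
    """Assumed routing rule: six digits is a TOTP code, anything else is charged as a backup code."""
    return "totp" if TOTP_RE.fullmatch(code.strip()) else "backup"


@dataclass
class Decision:
    allowed: bool
    retry_after: int = 0  # seconds; mirrored into the Retry-After header on 429


class MfaRateLimiter:
    """Fixed-window counters keyed by (shape, axis, subject), one budget per shape on each axis."""

    def __init__(self) -> None:
        self._buckets: Dict[Tuple[str, str, str], Tuple[float, int]] = {}

    def _wait(self, key: Tuple[str, str, str], now: float) -> int:
        shape, axis, _ = key
        limit, window = LIMITS[(shape, axis)]
        start, count = self._buckets.get(key, (now, 0))
        if now - start >= window:  # window elapsed: bucket is effectively empty
            return 0
        if count >= limit:
            return max(1, int(window - (now - start)))
        return 0

    def _charge(self, key: Tuple[str, str, str], now: float) -> None:
        shape, axis, _ = key
        _, window = LIMITS[(shape, axis)]
        start, count = self._buckets.get(key, (now, 0))
        if now - start >= window:
            start, count = now, 0
        self._buckets[key] = (start, count + 1)

    def check(self, ip: str, user_id: str, code: str, now: Optional[float] = None) -> Decision:
        now = time.time() if now is None else now
        shape = code_shape(code)
        keys = [(shape, "ip", ip), (shape, "user", user_id)]
        wait = max(self._wait(k, now) for k in keys)
        if wait:
            return Decision(False, wait)
        for k in keys:  # charge both axes only once both admit the attempt
            self._charge(k, now)
        return Decision(True)


def handle_2fa(limiter: MfaRateLimiter, ip: str, user_id: str, code: str,
               verify: Callable[[str], bool], now: Optional[float] = None) -> Tuple[int, Dict[str, str]]:
    """Minimal view of the route: 429 + Retry-After over budget, 401 on a wrong code, 200 on success."""
    decision = limiter.check(ip, user_id, code, now)
    if not decision.allowed:
        return 429, {"Retry-After": str(decision.retry_after)}
    return (200, {}) if verify(code) else (401, {})


if __name__ == "__main__":
    limiter = MfaRateLimiter()
    for _ in range(21):  # constructed burst of wrong TOTP codes from one address
        status, headers = handle_2fa(limiter, "203.0.113.9", "alice", "000000", lambda c: False)
    print(status, headers)  # the burst ends in a 429 carrying Retry-After
    print(handle_2fa(limiter, "203.0.113.9", "alice", "abcd-efgh", lambda c: c == "abcd-efgh"))
```

Because the budget key includes the shape, the last call succeeds even though the same IP and user have just been throttled on TOTP; that is the "disjoint budgets on both axes" property in code. Peeking at both axes before charging either keeps an address that is already blocked on the IP axis from burning down the victim user's own budget.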

Request

Responses

Successful Response