A new platform for documentation and tutorials is launching soon.

We are migrating Vault documentation into HashiCorp Developer, our new developer experience.

Join Now
Type '/' to Search

»Validate Login MFA Request

This endpoint validates a login request which is subject to MFA validation.

MethodPath
POST/sys/mfa/validate

»Parameters

  • mfa_request_id (string: <required>) – A unique identification of an MFA restricted login request. This can be found in the MFA requirement included in the auth response of the login request.

  • mfa_payload (map<string|[]string>: <required>) - A map of login MFA methodIDs to passcode credentials. MFA methodIDs are UUID strings which are used as keys of the map. The values of the map are string slices. In cases where an MFA method is configured not to use passcodes, the passcode remains an empty string.

»Sample Payload

{
  "mfa_request_id": "5879c74a-1418-1948-7be9-97b209d693a7",
  "mfa_payload": {
      "d16fd3c2-50de-0b9b-eed3-0301dadeca10": ["910201"]
  }
}

{
  "mfa_request_id": "5879c74a-1418-1948-7be9-97b209d693a7",
  "mfa_payload": {
      "d16fd3c2-50de-0b9b-eed3-0301dadeca10": ["910201"]
  }
}

»Sample Request

$ curl \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/mfa/validate

$ curl \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/mfa/validate

»Sample Response

In cases where MFA validation fails, a 403 status code is returned with the details about the error. If MFA validation succeeds, the response is identical to a successful login request which contains a client token and its accessor.

{
  "request_id": "7e7dec1d-311a-ecbd-4dd0-ff12a5e38959",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": null,
  "warnings": null,
  "auth": {
    "client_token": "hvs.CAESIKZJNqQbG9E9cQGPXh68NWxi3xp7yPa1Z1RWv1P9UyHVGh4KHGh2cy5GUmYzTzdJOWhIZGFNSm5jdTBsSVNFSTk",
    "accessor": "3fBgbEmHyA5IWABmVEjqManI",
    "policies": [
      "default"
    ],
    "token_policies": [
      "default"
    ],
    "identity_policies": null,
    "metadata": {
      "username": "alice"
    },
    "orphan": true,
    "entity_id": "caeac75b-dbfe-58be-e3fc-957549b7292e",
    "lease_duration": 2764800,
    "renewable": true,
    "mfa_requirement": null
  }
}

{
  "request_id": "7e7dec1d-311a-ecbd-4dd0-ff12a5e38959",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": null,
  "warnings": null,
  "auth": {
    "client_token": "hvs.CAESIKZJNqQbG9E9cQGPXh68NWxi3xp7yPa1Z1RWv1P9UyHVGh4KHGh2cy5GUmYzTzdJOWhIZGFNSm5jdTBsSVNFSTk",
    "accessor": "3fBgbEmHyA5IWABmVEjqManI",
    "policies": [
      "default"
    ],
    "token_policies": [
      "default"
    ],
    "identity_policies": null,
    "metadata": {
      "username": "alice"
    },
    "orphan": true,
    "entity_id": "caeac75b-dbfe-58be-e3fc-957549b7292e",
    "lease_duration": 2764800,
    "renewable": true,
    "mfa_requirement": null
  }
}