/sys/mfa/validate - HTTP API | Vault by HashiCorp

»Validate Login MFA Request

This endpoint validates a login request which is subject to MFA validation.

Method	Path
`POST`	`/sys/mfa/validate`

»Parameters

mfa_request_id (string: <required>) – A unique identification of an MFA restricted login request. This can be found in the MFA requirement included in the auth response of the login request.
mfa_payload (map<string|[]string>: <required>) - A map of login MFA methodIDs to passcode credentials. MFA methodIDs are UUID strings which are used as keys of the map. The values of the map are string slices. In cases where an MFA method is configured not to use passcodes, the passcode remains an empty string.

»Sample Payload

{
  "mfa_request_id": "5879c74a-1418-1948-7be9-97b209d693a7",
  "mfa_payload": {
      "d16fd3c2-50de-0b9b-eed3-0301dadeca10": ["910201"]
  }
}

{
  "mfa_request_id": "5879c74a-1418-1948-7be9-97b209d693a7",
  "mfa_payload": {
      "d16fd3c2-50de-0b9b-eed3-0301dadeca10": ["910201"]
  }
}

»Sample Request

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/mfa/validate

$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/mfa/validate

»Sample Response

In cases where MFA validation fails, a 403 status code is returned with the details about the error. If MFA validation succeeds, the response is identical to a successful login request which contains a client token and its accessor.

{
  "request_id": "7e7dec1d-311a-ecbd-4dd0-ff12a5e38959",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": null,
  "warnings": null,
  "auth": {
    "client_token": "hvs.CAESIKZJNqQbG9E9cQGPXh68NWxi3xp7yPa1Z1RWv1P9UyHVGh4KHGh2cy5GUmYzTzdJOWhIZGFNSm5jdTBsSVNFSTk",
    "accessor": "3fBgbEmHyA5IWABmVEjqManI",
    "policies": [
      "default"
    ],
    "token_policies": [
      "default"
    ],
    "identity_policies": null,
    "metadata": {
      "username": "alice"
    },
    "orphan": true,
    "entity_id": "caeac75b-dbfe-58be-e3fc-957549b7292e",
    "lease_duration": 2764800,
    "renewable": true,
    "mfa_requirement": null
  }
}

{
  "request_id": "7e7dec1d-311a-ecbd-4dd0-ff12a5e38959",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": null,
  "warnings": null,
  "auth": {
    "client_token": "hvs.CAESIKZJNqQbG9E9cQGPXh68NWxi3xp7yPa1Z1RWv1P9UyHVGh4KHGh2cy5GUmYzTzdJOWhIZGFNSm5jdTBsSVNFSTk",
    "accessor": "3fBgbEmHyA5IWABmVEjqManI",
    "policies": [
      "default"
    ],
    "token_policies": [
      "default"
    ],
    "identity_policies": null,
    "metadata": {
      "username": "alice"
    },
    "orphan": true,
    "entity_id": "caeac75b-dbfe-58be-e3fc-957549b7292e",
    "lease_duration": 2764800,
    "renewable": true,
    "mfa_requirement": null
  }
}