Add Second Factor (2FA)

Add a new second factor (2FA) to the login settings of the instance. Users will have the possibility to authenticate with the configured factor afterward. It affects all organizations, without custom login settings. Authentication factors are used as an additional factor to add more security to your users (e.g. Authentication App, FingerPrint, Windows Hello, etc). Per definition, it is called a second factor as it is used as an additional authentication after a password. In the UI we generalize this as multi-factor.

application/json

application/grpc

application/grpc-web+proto

Request Body required

type - SECOND_FACTOR_TYPE_OTP: SECOND_FACTOR_TYPE_OTP is the type for TOTP required

Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED, SECOND_FACTOR_TYPE_OTP, SECOND_FACTOR_TYPE_U2F, SECOND_FACTOR_TYPE_OTP_EMAIL, SECOND_FACTOR_TYPE_OTP_SMS]

Default value: SECOND_FACTOR_TYPE_UNSPECIFIED

Request Body required

type - SECOND_FACTOR_TYPE_OTP: SECOND_FACTOR_TYPE_OTP is the type for TOTP required

Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED, SECOND_FACTOR_TYPE_OTP, SECOND_FACTOR_TYPE_U2F, SECOND_FACTOR_TYPE_OTP_EMAIL, SECOND_FACTOR_TYPE_OTP_SMS]

Default value: SECOND_FACTOR_TYPE_UNSPECIFIED

Request Body required

type - SECOND_FACTOR_TYPE_OTP: SECOND_FACTOR_TYPE_OTP is the type for TOTP required

Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED, SECOND_FACTOR_TYPE_OTP, SECOND_FACTOR_TYPE_U2F, SECOND_FACTOR_TYPE_OTP_EMAIL, SECOND_FACTOR_TYPE_OTP_SMS]

Default value: SECOND_FACTOR_TYPE_UNSPECIFIED

Responses

• 200
• 400
• 403
• 404
• default

---

second factor added to default login policy

application/json

application/grpc

application/grpc-web+proto

Schema

Example (from schema)

---

Schema

details object
sequence uint64
on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
creationDate date-time
on read: the timestamp of the first event of the object
on create: the timestamp of the event(s) added by the manipulation
changeDate date-time
on read: the timestamp of the last event reduced by the projection
on manipulation: the
resourceOwner resource_owner is the organization an object belongs to

{
  "details": {
    "sequence": "2",
    "creationDate": "2024-06-13T06:44:39.043Z",
    "changeDate": "2024-06-13T06:44:39.043Z",
    "resourceOwner": "69629023906488334"
  }
}

Schema

Example (from schema)

---

Schema

details object
sequence uint64
on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
creationDate date-time
on read: the timestamp of the first event of the object
on create: the timestamp of the event(s) added by the manipulation
changeDate date-time
on read: the timestamp of the last event reduced by the projection
on manipulation: the
resourceOwner resource_owner is the organization an object belongs to

{
  "details": {
    "sequence": "2",
    "creationDate": "2024-06-13T06:44:39.043Z",
    "changeDate": "2024-06-13T06:44:39.043Z",
    "resourceOwner": "69629023906488334"
  }
}

Schema

Example (from schema)

---

Schema

details object
sequence uint64
on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
creationDate date-time
on read: the timestamp of the first event of the object
on create: the timestamp of the event(s) added by the manipulation
changeDate date-time
on read: the timestamp of the last event reduced by the projection
on manipulation: the
resourceOwner resource_owner is the organization an object belongs to

{
  "details": {
    "sequence": "2",
    "creationDate": "2024-06-13T06:44:39.043Z",
    "changeDate": "2024-06-13T06:44:39.043Z",
    "resourceOwner": "69629023906488334"
  }
}

invalid second-factor type

application/json

application/grpc

application/grpc-web+proto

Schema

Example (from schema)

---

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema

Example (from schema)

---

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema

Example (from schema)

---

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Returned when the user does not have permission to access the resource.

application/json

application/grpc

application/grpc-web+proto

Schema

Example (from schema)

---

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema

Example (from schema)

---

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema

Example (from schema)

---

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Returned when the resource does not exist.

application/json

application/grpc

application/grpc-web+proto

Schema

Example (from schema)

---

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema

Example (from schema)

---

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema

Example (from schema)

---

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

An unexpected error response.

application/json

application/grpc

application/grpc-web+proto

Schema

Example (from schema)

---

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema

Example (from schema)

---

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

Schema

Example (from schema)

---

Schema

code int32
message string
details object[]
Array [
@type string
]

{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}

POST /policies/login/second_factors

Authorization

name: OAuth2type: oauth2scopes: openid,urn:zitadel:iam:org:project:id:zitadel:audflows: {
  "authorizationCode": {
    "authorizationUrl": "$CUSTOM-DOMAIN/oauth/v2/authorize",
    "tokenUrl": "$CUSTOM-DOMAIN/oauth/v2/token",
    "scopes": {
      "openid": "openid",
      "urn:zitadel:iam:org:project:id:zitadel:aud": "urn:zitadel:iam:org:project:id:zitadel:aud"
    }
  }
}

Request

Base URL

https://$CUSTOM-DOMAIN/admin/v1

Bearer Token

Content-Type

application/jsonapplication/grpcapplication/grpc-web+proto

Body required

{
  "type": "SECOND_FACTOR_TYPE_UNSPECIFIED"
}

Accept

application/jsonapplication/grpcapplication/grpc-web+proto

curl / cURL

curl -L -X POST 'https://$CUSTOM-DOMAIN/admin/v1/policies/login/second_factors' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
--data-raw '{
  "type": "SECOND_FACTOR_TYPE_UNSPECIFIED"
}'

python / requests

curl -L -X POST 'https://$CUSTOM-DOMAIN/admin/v1/policies/login/second_factors' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
--data-raw '{
  "type": "SECOND_FACTOR_TYPE_UNSPECIFIED"
}'

go / native

curl -L -X POST 'https://$CUSTOM-DOMAIN/admin/v1/policies/login/second_factors' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
--data-raw '{
  "type": "SECOND_FACTOR_TYPE_UNSPECIFIED"
}'

nodejs / axios

curl -L -X POST 'https://$CUSTOM-DOMAIN/admin/v1/policies/login/second_factors' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
--data-raw '{
  "type": "SECOND_FACTOR_TYPE_UNSPECIFIED"
}'

ruby / Net::HTTP

curl -L -X POST 'https://$CUSTOM-DOMAIN/admin/v1/policies/login/second_factors' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
--data-raw '{
  "type": "SECOND_FACTOR_TYPE_UNSPECIFIED"
}'

csharp / RestSharp

curl -L -X POST 'https://$CUSTOM-DOMAIN/admin/v1/policies/login/second_factors' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
--data-raw '{
  "type": "SECOND_FACTOR_TYPE_UNSPECIFIED"
}'

php / cURL

curl -L -X POST 'https://$CUSTOM-DOMAIN/admin/v1/policies/login/second_factors' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
--data-raw '{
  "type": "SECOND_FACTOR_TYPE_UNSPECIFIED"
}'

java / OkHttp

curl -L -X POST 'https://$CUSTOM-DOMAIN/admin/v1/policies/login/second_factors' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
--data-raw '{
  "type": "SECOND_FACTOR_TYPE_UNSPECIFIED"
}'

powershell / RestMethod

curl -L -X POST 'https://$CUSTOM-DOMAIN/admin/v1/policies/login/second_factors' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
--data-raw '{
  "type": "SECOND_FACTOR_TYPE_UNSPECIFIED"
}'