Appearance
Two-Factor Authentication (2FA)
Manage 2FA for users and workspaces via the Cloud API.
Base URL: https://api.multilogin.com
Set Up 2FA
POST /user/setup_2fa
Set up a new 2FA device for the current user. Returns a device_id used for managing the device later.
bash
curl -X POST https://api.multilogin.com/user/setup_2fa \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json"Response:
json
{
"status": {"error_code": "", "http_code": 200, "message": "Success"},
"data": {
"device_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"secret": "JBSWY3DPEHPK3PXP",
"qr_code_url": "otpauth://totp/MultiloginX:user@example.com?secret=JBSWY3DPEHPK3PXP"
}
}Get 2FA Devices
GET /user/get_2fa_devices
List all 2FA devices registered for the current user.
bash
curl https://api.multilogin.com/user/get_2fa_devices \
-H "Authorization: Bearer YOUR_TOKEN"Revoke 2FA Device
POST /user/revoke_2fa_device
Revoke a specific 2FA device by its ID.
| Parameter | Type | Required | Description |
|---|---|---|---|
device_id | UUID | Yes | Device ID from setup or device list |
WARNING
At least one 2FA device must remain active at all times. You cannot revoke the last device.
bash
curl -X POST https://api.multilogin.com/user/revoke_2fa_device \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"device_id": "DEVICE_UUID"}'Response:
json
{
"status": {"error_code": "", "http_code": 200, "message": "Success"},
"data": null
}Enable/Disable 2FA for Workspace
POST /workspace/update_2fa
Toggle 2FA requirement for all workspace members.
| Parameter | Type | Required | Description |
|---|---|---|---|
enable | boolean | Yes | true to enable, false to disable |
bash
# Enable
curl -X POST https://api.multilogin.com/workspace/update_2fa \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"enable": true}'
# Disable
curl -X POST https://api.multilogin.com/workspace/update_2fa \
-H "Authorization: Bearer YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"enable": false}'Response:
json
{
"status": {"error_code": "", "http_code": 200, "message": "2FA enabled for workspace"},
"data": null
}Disable 2FA for User
POST /user/disable_2fa
Disable 2FA entirely for the current user account.
Critical Ordering
2FA must be disabled at the workspace level BEFORE it can be disabled for the user. If workspace 2FA is still enabled, this call will fail.
bash
curl -X POST https://api.multilogin.com/user/disable_2fa \
-H "Authorization: Bearer YOUR_TOKEN"2FA Management Flow
Best Practices
- Always set up 2FA for production accounts
- Keep at least one backup 2FA device registered
- When disabling: workspace first, then user -- always in that order
- Store backup codes securely
- Regularly audit registered 2FA devices