Skip to content

Two-Factor Authentication (2FA)

Manage 2FA for users and workspaces via the Cloud API.

Base URL: https://api.multilogin.com

Set Up 2FA

POST /user/setup_2fa

Set up a new 2FA device for the current user. Returns a device_id used for managing the device later.

bash
curl -X POST https://api.multilogin.com/user/setup_2fa \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json"

Response:

json
{
  "status": {"error_code": "", "http_code": 200, "message": "Success"},
  "data": {
    "device_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "secret": "JBSWY3DPEHPK3PXP",
    "qr_code_url": "otpauth://totp/MultiloginX:user@example.com?secret=JBSWY3DPEHPK3PXP"
  }
}

Get 2FA Devices

GET /user/get_2fa_devices

List all 2FA devices registered for the current user.

bash
curl https://api.multilogin.com/user/get_2fa_devices \
  -H "Authorization: Bearer YOUR_TOKEN"

Revoke 2FA Device

POST /user/revoke_2fa_device

Revoke a specific 2FA device by its ID.

ParameterTypeRequiredDescription
device_idUUIDYesDevice ID from setup or device list

WARNING

At least one 2FA device must remain active at all times. You cannot revoke the last device.

bash
curl -X POST https://api.multilogin.com/user/revoke_2fa_device \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"device_id": "DEVICE_UUID"}'

Response:

json
{
  "status": {"error_code": "", "http_code": 200, "message": "Success"},
  "data": null
}

Enable/Disable 2FA for Workspace

POST /workspace/update_2fa

Toggle 2FA requirement for all workspace members.

ParameterTypeRequiredDescription
enablebooleanYestrue to enable, false to disable
bash
# Enable
curl -X POST https://api.multilogin.com/workspace/update_2fa \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"enable": true}'

# Disable
curl -X POST https://api.multilogin.com/workspace/update_2fa \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"enable": false}'

Response:

json
{
  "status": {"error_code": "", "http_code": 200, "message": "2FA enabled for workspace"},
  "data": null
}

Disable 2FA for User

POST /user/disable_2fa

Disable 2FA entirely for the current user account.

Critical Ordering

2FA must be disabled at the workspace level BEFORE it can be disabled for the user. If workspace 2FA is still enabled, this call will fail.

bash
curl -X POST https://api.multilogin.com/user/disable_2fa \
  -H "Authorization: Bearer YOUR_TOKEN"

2FA Management Flow

Best Practices

  • Always set up 2FA for production accounts
  • Keep at least one backup 2FA device registered
  • When disabling: workspace first, then user -- always in that order
  • Store backup codes securely
  • Regularly audit registered 2FA devices