HashiCorp Developer AI Private beta now available Sign up today
Vault
Vault Home

You are viewing documentation for version v1.16.x. View latest version.

validate

Validate login MFA request

This endpoint validates a login request which is subject to MFA validation.

MethodPath
POST/sys/mfa/validate

Parameters

  • mfa_request_id (string: <required>) – A unique identification of an MFA restricted login request. This can be found in the MFA requirement included in the auth response of the login request.

  • mfa_payload (map<string|[]string>: <required>) - A map of login MFA methodIDs to passcode credentials. MFA methodIDs are UUID strings which are used as keys of the map. The values of the map are string slices. In cases where an MFA method is configured not to use passcodes, the passcode remains an empty string.

Sample payload

{
  "mfa_request_id": "5879c74a-1418-1948-7be9-97b209d693a7",
  "mfa_payload": {
      "d16fd3c2-50de-0b9b-eed3-0301dadeca10": ["910201"]
  }
}

As of Vault 1.13.0, it is also possible to use an MFA method name as the key to the mfa_payload. In versions 1.12.x and below,passcode= was used for Duo MFA only. Starting in version 1.13.x, passcode= is optional for all supported MFA methods.

{
  "mfa_request_id": "5879c74a-1418-1948-7be9-97b209d693a7",
  "mfa_payload": {
      "sample_mfa_method_name": ["passcode=910201"]
  }
}

### Sample request

```shell-session
$ curl \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/mfa/validate

Sample response

In cases where MFA validation fails, a 403 status code is returned with the details about the error. If MFA validation succeeds, the response is identical to a successful login request which contains a client token and its accessor.

{
  "request_id": "7e7dec1d-311a-ecbd-4dd0-ff12a5e38959",
  "lease_id": "",
  "lease_duration": 0,
  "renewable": false,
  "data": null,
  "warnings": null,
  "auth": {
    "client_token": "hvs.CAESIKZJNqQbG9E9cQGPXh68NWxi3xp7yPa1Z1RWv1P9UyHVGh4KHGh2cy5GUmYzTzdJOWhIZGFNSm5jdTBsSVNFSTk",
    "accessor": "3fBgbEmHyA5IWABmVEjqManI",
    "policies": [
      "default"
    ],
    "token_policies": [
      "default"
    ],
    "identity_policies": null,
    "metadata": {
      "username": "alice"
    },
    "orphan": true,
    "entity_id": "caeac75b-dbfe-58be-e3fc-957549b7292e",
    "lease_duration": 2764800,
    "renewable": true,
    "mfa_requirement": null
  }
}