
Two-factor authentication

Enable TOTP 2FA for dashboard admins.

Admins can protect dashboard accounts with TOTP (authenticator apps such as Google Authenticator, 1Password, or Authy). When enabled, password login alone is not enough — you must complete a second step.

Enable 2FA

From Settings → Security (or the 2FA section in account settings):

  1. Scan the QR code with your authenticator app
  2. Enter the 6-digit code to confirm
  3. Save backup codes if the UI offers them

The API equivalent:

POST /auth/2fa/enable
Authorization: Bearer <accessToken>
Content-Type: application/json

{ "code": "123456" }

Calling the enable endpoint first returns the TOTP secret and the QR payload for enrollment; you then submit the first valid code from your authenticator to confirm and activate 2FA.

Login with 2FA active

Standard login:

POST /auth/login

When 2FA is enabled, the response indicates a challenge instead of tokens. Complete verification at:

POST /auth/login/verify-2fa
Content-Type: application/json

{
  "email": "...",
  "password": "...",
  "totpCode": "123456"
}

On success you receive accessToken and refreshToken as usual.
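A client-side walk-through of this login flow, added here as an example and not MailingCore's own code: the TOTP generator is a standard RFC 6238 implementation, the server is a constructed stand-in (the page does not give the shape of the challenge body, so `{"challenge": "totp"}` is an assumption), and the email, password, secret and token strings are made up.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Any, Callable, Dict, Optional

def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step) from the base32 secret an authenticator app stores."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

Post = Callable[[str, Dict[str, Any]], Dict[str, Any]]

def login_with_2fa(post: Post, email: str, password: str, secret_b32: str,
                   now: Optional[int] = None) -> Dict[str, Any]:
    """POST /auth/login; a reply without tokens is a 2FA challenge, answered at
    /auth/login/verify-2fa with the same credentials plus a fresh TOTP code."""
    first = post("/auth/login", {"email": email, "password": password})
    if "accessToken" in first:
        return first                      # 2FA not enabled on this account
    if "error" in first:
        raise PermissionError(first["error"])
    second = post("/auth/login/verify-2fa",
                  {"email": email, "password": password, "totpCode": totp(secret_b32, now)})
    if "accessToken" not in second:
        raise PermissionError(second.get("error", "2FA verification failed"))
    return second

class FakeAuthServer:
    """Constructed stand-in for the dashboard API. It accepts the current code and one
    step either side (clock drift) and refuses a code that was already accepted, so a
    code observed in transit cannot be replayed within its validity window."""
    def __init__(self, email: str, password: str, secret_b32: str, now: int):
        self.email, self.password, self.secret, self.now = email, password, secret_b32, now
        self.used: set = set()

    def post(self, path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        if body.get("email") != self.email or body.get("password") != self.password:
            return {"error": "invalid credentials"}
        if path == "/auth/login":
            return {"challenge": "totp"}  # assumed challenge shape; page only says "a challenge"
        if path == "/auth/login/verify-2fa":
            code = body.get("totpCode", "")
            if code in {totp(self.secret, self.now + d) for d in (-30, 0, 30)} and code not in self.used:
                self.used.add(code)
                return {"accessToken": "at-example", "refreshToken": "rt-example"}
            return {"error": "invalid or reused TOTP code"}
        return {"error": "not found"}
```

Against the real API, `post` would be a thin wrapper that sends the JSON body to the given path and returns the decoded response.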

Disable or recover

Disabling 2FA requires a valid TOTP code while authenticated. If you lose access to your authenticator, contact your organization owner or MailingCore support with account verification.

See Authentication for an overview of JWT and API key authentication.