Skip to main content
Guardian is Auth0’s multifactor authentication (MFA) service. Use these methods to configure and manage MFA factors, enrollments, and policies.

Overview

The Guardian client provides access to MFA management through three main sub-resources: 
type Client struct {
    Enrollments *enrollments.Client
    Factors     *factors.Client
    Policies    *policies.Client
}

Enrollments

Manage user MFA enrollments. Access via managementClient.Guardian.Enrollments.

Get Enrollment

Retrieve details of a specific enrollment. 
enrollment, err := managementClient.Guardian.Enrollments.Get(context.Background(), "dev_abc123")
if err != nil {
    // Handle error
}
fmt.Printf("Enrollment status: %s\n", enrollment.GetStatus())

Delete Enrollment

Remove a user’s MFA enrollment. 
err := managementClient.Guardian.Enrollments.Delete(context.Background(), "dev_abc123")
if err != nil {
    // Handle error
}

Factors

Manage available MFA factors (SMS, push notifications, OTP, etc.). Access via managementClient.Guardian.Factors.

List Factors

Get all available MFA factors. 
factors, err := managementClient.Guardian.Factors.List(context.Background())
if err != nil {
    // Handle error
}

for _, factor := range factors {
    fmt.Printf("Factor: %s (enabled: %v)\n", factor.GetName(), factor.GetEnabled())
}

Update Factor

Enable or disable an MFA factor. 
factor, err := managementClient.Guardian.Factors.Update(context.Background(), "sms", &management.UpdateFactorRequest{
    Enabled: auth0.Bool(true),
})
if err != nil {
    // Handle error
}

Factor Types

Common MFA factors include:
  • SMS: Text message verification
  • Push Notification: Push-based authentication (Guardian app)
  • OTP: One-time password (TOTP)
  • Email: Email-based verification
  • WebAuthn: Hardware keys and biometrics
  • Duo: Duo Security integration

Policies

Manage MFA policies that determine when MFA is required. Access via managementClient.Guardian.Policies.

Get Policies

Retrieve current MFA policies. 
policies, err := managementClient.Guardian.Policies.Get(context.Background())
if err != nil {
    // Handle error
}
fmt.Printf("MFA policy: %s\n", policies.GetPolicy())

Update Policies

Set MFA policy requirements. 
policy, err := managementClient.Guardian.Policies.Update(context.Background(), &management.UpdatePolicyRequest{
    Policy: auth0.String("all-applications"), // or "confidence-score"
})
if err != nil {
    // Handle error
}

Policy Options

  • never: MFA is never required
  • confidence-score: Adaptive MFA based on risk
  • all-applications: MFA required for all applications

Complete Example

Here’s a complete example of configuring Guardian MFA: 
package main

import (
    "context"
    "fmt"
    "log"
    
    "github.com/auth0/go-auth0/v2"
    "github.com/auth0/go-auth0/v2/management"
)

func main() {
    managementClient, err := management.New(
        "yourtenant.auth0.com",
        management.WithClientCredentials(clientID, clientSecret),
    )
    if err != nil {
        log.Fatal(err)
    }
    
    ctx := context.Background()
    
    // Enable SMS factor
    _, err = managementClient.Guardian.Factors.Update(ctx, "sms", &management.UpdateFactorRequest{
        Enabled: auth0.Bool(true),
    })
    if err != nil {
        log.Fatal(err)
    }
    
    // Enable OTP factor
    _, err = managementClient.Guardian.Factors.Update(ctx, "otp", &management.UpdateFactorRequest{
        Enabled: auth0.Bool(true),
    })
    if err != nil {
        log.Fatal(err)
    }
    
    // Set policy to require MFA for all applications
    _, err = managementClient.Guardian.Policies.Update(ctx, &management.UpdatePolicyRequest{
        Policy: auth0.String("all-applications"),
    })
    if err != nil {
        log.Fatal(err)
    }
    
    fmt.Println("Guardian MFA configured successfully")
}

SMS Configuration

For SMS factors, you can configure the provider: 
// Configure Twilio as SMS provider
smsConfig, err := managementClient.Guardian.Factors.SMS.Update(ctx, &management.SMSConfiguration{
    Provider: auth0.String("twilio"),
    From:     auth0.String("+1234567890"),
    MessagingServiceSID: auth0.String("MGxxxxx"),
    AuthToken: auth0.String("your-auth-token"),
    SID:      auth0.String("ACxxxxx"),
})

Push Notifications

Configure push notifications (Guardian app): 
pushConfig, err := managementClient.Guardian.Factors.Push.Update(ctx, &management.PushConfiguration{
    Provider: auth0.String("guardian"),
})

Build docs developers (and LLMs) love

Get started for freeTalk to us