
Enable 2FA

Initiate the two-factor authentication setup process. Returns a QR code and secret that the user can scan with an authenticator app.
curl -X POST https://api.cryptoshop.com/api/security/2fa/enable \
  -H "Authorization: Bearer YOUR_TOKEN"

Response

success (boolean, required): Indicates if the request was successful
message (string, required): Status message
qrCode (string, required): QR code image as a base64 data URL that can be scanned by authenticator apps (Google Authenticator, Authy, etc.)
secret (string, required): The base32-encoded secret key (for manual entry into authenticator apps)
{
  "success": true,
  "message": "2FA setup initiated",
  "qrCode": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAA...",
  "secret": "JBSWY3DPEHPK3PXP"
}

Error Responses

{
  "success": false,
  "error": "2FA is already enabled"
}
After calling this endpoint, the user should scan the QR code with their authenticator app and then call the verify endpoint to complete the setup.

Verify 2FA

Complete the 2FA setup by verifying a code from the authenticator app. This confirms that the user has successfully configured their authenticator.
curl -X POST https://api.cryptoshop.com/api/security/2fa/verify \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "code": "123456"
  }'

Request Body

code (string, required): The 6-digit code from the authenticator app

Response

success (boolean, required): Indicates if the request was successful
message (string, required): Success message
{
  "success": true,
  "message": "2FA enabled successfully"
}

Error Responses

{
  "success": false,
  "error": "2FA code is required"
}
Setup Flow

1. Enable 2FA
   Call the /api/security/2fa/enable endpoint to get the QR code and secret

2. Scan QR Code
   Have the user scan the QR code with their authenticator app (Google Authenticator, Authy, Microsoft Authenticator, etc.)

3. Verify Code
   The user enters the 6-digit code from their authenticator app, which is then sent to /api/security/2fa/verify

4. 2FA Enabled
   Once verified, 2FA is fully enabled for the user’s account

The verification process uses a time-based one-time password (TOTP) algorithm with a window of 2, allowing codes from the current time period as well as one period before and after to account for clock drift.
Make sure to complete the verification step immediately after enabling 2FA. If 2FA is initialized but not verified, the user won’t be able to enable it again without contacting support.
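The TOTP check described above, as an added example that is not the API's own implementation: an RFC 6238 verifier using only the Python standard library. A 30-second step and HMAC-SHA1 are assumed (the docs do not state them), the acceptance window is the current step plus one step either side as the paragraph describes (the step count is a parameter), and the sample secret is the one from the enable response above.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30  # assumed: RFC 6238 default step, not stated by the API docs
DIGITS = 6         # code length the API documents


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    raw = secret_b32.strip().upper()
    key = base64.b32decode(raw + "=" * (-len(raw) % 8))  # re-add stripped padding
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """Code an authenticator app shows for the time step containing `at` (epoch seconds)."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // STEP_SECONDS)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                steps_either_side: int = 1) -> bool:
    """Server-side check: accept the current step plus `steps_either_side` steps
    before and after it (clock drift). Every candidate is compared in constant
    time and the loop never returns early, so timing does not reveal which step
    matched."""
    if not (len(code) == DIGITS and code.isascii() and code.isdigit()):
        return False
    now = int(time.time()) if at is None else at
    counter = now // STEP_SECONDS
    matched = False
    for delta in range(-steps_either_side, steps_either_side + 1):
        matched |= hmac.compare_digest(hotp(secret_b32, counter + delta), code)
    return matched


if __name__ == "__main__":
    # The secret returned by the enable endpoint example on this page.
    secret = "JBSWY3DPEHPK3PXP"
    code = totp(secret)
    print("current code:", code, "accepted:", verify_totp(secret, code))
```

A production verifier should additionally remember the last accepted step for each user and refuse a code for that step a second time, so a code captured in transit cannot be replayed within the window.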
