GET /v1/auth/login/mfa/state
GET /v1/auth/login/mfa/state?challenge_token=… — read the factor
list and expiry for a pending login challenge.
Auth-free by design: the challenge token IS the proof of first
factor. Read-only; does NOT consume an attempt against the
challenge's 5-attempt cap. Used by the OAuth-then-MFA path: the
dashboard reads challenge_token from window.location.hash
(URL fragment, never sent to a server) and calls this endpoint to
render the factor picker before the user types a code.
Tags: auth
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
challenge_token | query | string | ✓ | The challenge token issued by the password-login or OAuth-complete path. |
Responses
200
JSON
{
"$ref": "#/components/schemas/ChallengeStateResponse"
}401 — UNAUTHENTICATED — invalid or expired challenge
Code samples
TypeScript
TypeScript
import { firecase } from "@firecase/sdk";
const result = await firecase.get("/auth/login/mfa/state");
console.log(result);Python
Python
import firecase
result = firecase.get("/auth/login/mfa/state")
print(result)curl
Bash
curl -X GET https://api.firecase.ai/v1/auth/login/mfa/state \
-H "Authorization: Bearer $FIRECASE_API_KEY" \
-H "Content-Type: application/json"