> ## Documentation Index
> Fetch the complete documentation index at: https://docs-dev-docs-event-stream-action-templates.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Add an Authenticator

> Associate a new authenticator with a user to enable multi-factor authentication (MFA).

export const ResponseSchema = ({statusCode, type = "{}", children}) => {
  const [open, setOpen] = useState(false);
  return <div className="border border-gray-100 dark:border-gray-800 rounded-lg mb-3 overflow-hidden">
      <div className={`flex items-center gap-2.5 px-4 py-2.5 cursor-pointer select-none ${open ? "bg-gray-50 dark:bg-gray-800" : ""}`} onClick={() => setOpen(!open)}>
        {statusCode && <span className="border border-gray-300 dark:border-gray-600 text-gray-700 dark:text-gray-300 font-mono text-xs px-1.5 py-0.5 rounded">
            {statusCode.startsWith("default") ? "default" : statusCode}
          </span>}
        <span className="text-gray-500 dark:text-gray-400 text-sm font-mono">
          {type}
        </span>
        <span className="text-gray-400 dark:text-gray-500 text-sm italic">
          application/json
        </span>
        <svg className={`ml-auto opacity-50 transition-transform duration-200 ${open ? "rotate-180" : ""}`} width="16" height="16" viewBox="0 0 16 16" fill="none">
          <path d="M4 6l4 4 4-4" stroke="currentColor" strokeWidth="1.5" strokeLinecap="round" strokeLinejoin="round" />
        </svg>
      </div>
      {open && <div className="px-4 pt-1 pb-3 border-t border-gray-100 dark:border-gray-800">
          {children}
        </div>}
    </div>;
};

## Endpoint

`POST /mfa/associate`

Associates or adds a new authenticator for multi-factor authentication (MFA).

If the user has active authenticators, an Access Token with the `enroll` scope and the `audience` set to `https://{yourDomain}/mfa/` is required to use this endpoint.

If the user has no active authenticators, you can use the `mfa_token` from the `mfa_required` error in place of an Access Token for this request.

After an authenticator is added, it must be verified. To verify the authenticator, use the response values from the `/mfa/associate` request in place of the values returned from the `/mfa/challenge` endpoint and continue with the verification flow.

A `recovery_codes` field is included in the response the first time an authenticator is added. You can use `recovery_codes` to pass multi-factor authentication as shown on [Verify with recovery code](/multi-factor-authentication/verify-with-recovery-code) above.

To access this endpoint, you must set an Access Token at the Authorization header, with the following claims:

* `scope`: `enroll`
* `audience`: `https://{yourDomain}/mfa/`

## Body Parameters

<ParamField body="client_id" type="string" required>
  Your application's Client ID.
</ParamField>

<ParamField body="client_assertion" type="string">
  A JWT containing a signed assertion with your application credentials. Required when Private Key JWT is your application authentication method.
</ParamField>

<ParamField body="client_assertion_type" type="string">
  The value is `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`. Required when Private Key JWT is the application authentication method.
</ParamField>

<ParamField body="client_secret" type="string" required>
  Your application's Client Secret. Required when the Token Endpoint Authentication Method field in your Application Settings is `Post` or `Basic`.
</ParamField>

<ParamField body="authenticator_types" type="array" required>
  Value is an array with values 'otp' or 'oob'.
</ParamField>

<ParamField body="oob_channels" type="array">
  Required if `authenticator_types` include `oob`.
</ParamField>

<ParamField body="phone_number" type="string">
  The phone number to use for SMS or Voice. Required if `oob_channels` includes `sms` or `voice`.
</ParamField>

## Response Schema

<ResponseSchema>
  <ResponseField name="oob_code" type="string">
    The code for out-of-band authentication.
  </ResponseField>

  <ResponseField name="binding_method" type="string">
    Indicates the binding method.
  </ResponseField>

  <ResponseField name="authenticator_type" type="string">
    The authenticator type.
  </ResponseField>

  <ResponseField name="oob_channels" type="string">
    The OOB channels the authenticator uses.
  </ResponseField>

  <ResponseField name="recovery_codes" type="array">
    An array of recovery codes Auth0 generates for the user. When a user adds an authenticator, recovery codes display only once.
  </ResponseField>
</ResponseSchema>

## Response Messages

| Status | Description                                       |
| ------ | ------------------------------------------------- |
| 200    | Successful response for adding an authenticator.  |
| 400    | Bad request due to missing or invalid parameters. |
| 401    | Unauthorized, invalid access token or mfa\_token. |