> ## Documentation Index
> Fetch the complete documentation index at: https://docs-dev-docs-event-stream-action-templates.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.
# Challenge Request
> Request an MFA challenge (OTP or OOB) to continue authentication at the token endpoint.
export const ResponseSchema = ({statusCode, type = "{}", children}) => {
const [open, setOpen] = useState(false);
return
;
};
## Endpoint
`POST /mfa/challenge`
The Multi-factor Authentication (MFA) API endpoints allow you to enforce MFA when users interact with [the Token endpoints](#get-token), as well as enroll and manage user authenticators.
First, request a challenge based on the challenge types supported by the application and user. If you know that one-time password (OTP) is supported, you can skip the challenge request.
Next, verify the multi-factor authentication using the `/oauth/token` endpoint and the specified challenge type: a one-time password (OTP), a recovery code, or an out-of-band (OOB) challenge.
To learn more, read:
* [Multi-factor Authentication and Resource Owner Password](https://auth0.com/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa)
* [Multi-factor Authentication API](https://auth0.com/docs/secure/multi-factor-authentication/multi-factor-authentication-developer-resources/mfa-api)
* [Multi-factor Authentication in Auth0](https://auth0.com/docs/secure/multi-factor-authentication)
## Challenge Request
Request a challenge for multi-factor authentication (MFA) based on the challenge types supported by the application and user.
The `challenge_type` is how the user will get the challenge and prove possession. Supported challenge types include:
* `otp`: for one-time password (OTP)
* `oob`: for SMS/Voice messages or out-of-band (OOB)
If OTP is supported by the user and you don't want to request a different factor, you can skip the challenge request and [verify the multi-factor authentication with a one-time password](#verify-with-one-time-password-otp-).
### Remarks
* This endpoint does not support enrollment; the user must be enrolled with the preferred method before requesting a challenge.
* Auth0 chooses the challenge type based on the application's supported types and types the user is enrolled with.
* An `unsupported_challenge_type` error is returned if your application does not support any of the challenge types the user has enrolled with.
* An `unsupported_challenge_type` error is returned if the user is not enrolled.
* If the user is not enrolled, you will get an `association_required` error, indicating the user needs to enroll to use MFA. Read [Add an authenticator](/multi-factor-authentication/add-an-authenticator) below on how to proceed.
### Learn More
* [Authenticate With Resource Owner Password Grant and MFA](https://auth0.com/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa)
* [Manage Authenticator Factors using the MFA API](https://auth0.com/docs/secure/multi-factor-authentication/manage-mfa-auth0-apis/manage-authenticator-factors-mfa-api)
## Body Parameters
The token received from mfa\_required error.
Your application's Client ID.
Your application's Client Secret.
A whitespace-separated list of challenge types accepted by your application.
Allowed values: `oob`, `otp`
A JWT containing a signed assertion with your application credentials.
The value is urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
The ID of the authenticator to challenge.
## Response Schema
The type of challenge this authenticator issues. Possible values: `otp`, `oob`.
The code for the out-of-band challenge. Only present when `challenge_type` is `oob`.
The method used for binding. Only present when applicable. Possible values: `prompt`.
Error code.
Detailed error description.
## Response Messages
| Status | Description |
| ------ | -------------------------------------------------------------------------- |
| 200 | Challenge request successful |
| 400 | Invalid request, such as unsupported challenge type or missing enrollment. |