> Learn how to use Multi-Factor Authentication (MFA) with Custom Token Exchange.

# Multi-Factor Authentication (MFA) with Custom Token Exchange

export const ReleaseStageNotice = ({feature, stage, plans, contact, terms}) => {
  const stageTextMap = {
    "beta": "Beta",
    "ea": "Early Access"
  };
  const stageText = stageTextMap[stage] || "a product release stage";
  const prsLink = "/docs/troubleshoot/product-lifecycle/product-release-stages";
  const linkify = (text, url) => {
    return <a href={url} target="_blank" rel="noreferrer" class="link">{text}</a>;
  };
  const includeDetails = (plans, contact, terms) => {
    const hasDetails = terms || plans || contact;
    if (!hasDetails) return null;
    return <span data-as="p">
            {plans && <>This feature is available for {linkify(`${plans} plans`, "https://auth0.com/pricing")}. </>}
            {contact && "To participate, contact " + contact + ". "}
            {terms && <>By using this feature, you agree to the applicable Free Trial terms in Okta's {linkify("Master Subscription Agreement", "https://www.okta.com/legal")}.</>}
        </span>;
  };
  return <Warning>
            <span data-as="p">
                <strong>The {feature} feature is in {linkify(stageText, prsLink)}.</strong>
            </span>

            {includeDetails(plans, contact, terms)}
        </Warning>;
};

<ReleaseStageNotice feature="Custom Token Exchange (CTE)" stage="ea" plans="B2C Professional, B2B Professional, and Enterprise" terms="true" />

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  MFA is not compatible with Custom Token Exchange transactions where an actor is set via `api.authentication.setActor()`. If MFA is required (via policy or Post-Login Action) and the Custom Token Exchange Action sets an actor, the transaction fails with a `400` error: `MFA is not supported using actor_token with the requested token exchange profile.`
</Callout>

To add protection against token theft or other security risks, you can add Multi-Factor Authentication (MFA) to a Custom Token Exchange request using one of the following methods:

* [Enable and configure your MFA policy](/docs/secure/multi-factor-authentication/enable-mfa) for your tenant
* Use `api.multifactor.enable()` in a Post-Login Action

When you add MFA, the Auth0 Authorization Server rejects the initial Custom Token Exchange call to the `/token` endpoint with an `mfa_required` error. You can use the error in the [Auth0 MFA API](/docs/secure/multi-factor-authentication/multi-factor-authentication-developer-resources/mfa-api) to challenge and verify a factor to obtain the requested Auth0 access, ID, and refresh tokens.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  Custom Token Exchange does not support `api.authentication.challengeWith()` or `api.authentication.enrollWith()`. If you use those methods in your Post-Login Action, the transaction fails with a non-recoverable error. Make sure you don't call those methods when `event.transaction.protocol` is `oauth2-token-exchange`, depending on the `subject_token_type` value.
</Callout>

When a Custom Token Exchange transaction is associated with an Organization, `api.multifactor.enable()` and MFA policies are also not supported.
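The following Post-Login Action is an added example, not code from the Auth0 documentation: it enables MFA for Custom Token Exchange while keeping the unsupported calls described above out of that path. The `mfaDecision` and `simulate` helpers, the `"any"` provider, the OTP factor, the choice to let Organization-bound exchanges proceed without MFA, and the sample events are assumptions made for illustration.

```javascript
// Decide how MFA may be applied to this transaction (pure, so it is testable).
function mfaDecision(event) {
  const isTokenExchange =
    event.transaction?.protocol === "oauth2-token-exchange";
  if (!isTokenExchange) return "interactive";
  // MFA is not supported when the exchange is associated with an Organization.
  if (event.organization) return "skip-organization";
  return "enable";
}

async function onExecutePostLogin(event, api) {
  switch (mfaDecision(event)) {
    case "enable":
      // /token is then rejected with mfa_required; the client completes MFA
      // through the MFA API. "any" is this example's provider choice.
      api.multifactor.enable("any");
      break;
    case "skip-organization":
      // Assumption: org-bound exchanges proceed without MFA in this tenant.
      break;
    case "interactive":
      // challengeWith()/enrollWith() stay confined to non-exchange flows.
      api.authentication.challengeWith({ type: "otp" });
      break;
  }
}

// Auth0 loads the handler from `exports`; the guard lets this also run as an ES module.
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;

// Hypothetical test helper: runs the handler against a recording stub of `api`.
function simulate(event) {
  const calls = [];
  const api = {
    multifactor: { enable: (p) => calls.push(`multifactor.enable:${p}`) },
    authentication: {
      challengeWith: (f) => calls.push(`challengeWith:${f.type}`),
      enrollWith: (f) => calls.push(`enrollWith:${f.type}`),
    },
  };
  // The handler has no awaits, so every call is recorded before it returns.
  onExecutePostLogin(event, api);
  return calls;
}

// Constructed sample events (not captured from a real tenant).
console.log(simulate({ transaction: { protocol: "oauth2-token-exchange" } }));
console.log(simulate({ transaction: { protocol: "oauth2-token-exchange" }, organization: { id: "org_constructed" } }));
```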

To learn more about how to use the MFA grant, read [Authenticate Using the Resource Owner Password Flow with MFA](/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa), as Custom Token Exchange follows the same model. You can also check out a detailed example in [Use case: Perform MFA during Custom Token Exchange](/docs/authenticate/custom-token-exchange/cte-example-use-cases#use-case%3A-perform-mfa-during-custom-token-exchange).
