# Add an Authenticator

> Associates or adds a new authenticator for multi-factor authentication (MFA).

`POST /mfa/associate`

If the user has active authenticators, an Access Token with the `enroll` scope and the `audience` set to `https://{yourDomain}/mfa/` is required to use this endpoint.

If the user has no active authenticators, you can use the `mfa_token` from the `mfa_required` error in place of an Access Token for this request.

After an authenticator is added, it must be verified. To verify the authenticator, use the response values from the `/mfa/associate` request in place of the values returned from the `/mfa/challenge` endpoint and continue with the verification flow.

A `recovery_codes` field is included in the response the first time an authenticator is added. You can use `recovery_codes` to pass multi-factor authentication, as shown in [Verify with recovery code](/multi-factor-authentication/verify-with-recovery-code).

To access this endpoint, you must set an Access Token in the Authorization header, with the following claims:

* `scope`: `enroll`
* `audience`: `https://{yourDomain}/mfa/`

## Parameters

<ParamField body="client_id" type="string" required>
  Your application's Client ID.
</ParamField>

<ParamField body="client_assertion" type="string">
  A JWT containing a signed assertion with your application credentials. Required when Private Key JWT is your application authentication method.
</ParamField>

<ParamField body="client_assertion_type" type="string">
  The value is `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`. Required when Private Key JWT is the application authentication method.
</ParamField>

<ParamField body="client_secret" type="string" required>
  Your application's Client Secret. Required when the Token Endpoint Authentication Method field in your Application Settings is `Post` or `Basic`.
</ParamField>

<ParamField body="authenticator_types" type="array" required>
  An array with values `otp` or `oob`.
</ParamField>

<ParamField body="oob_channels" type="array">
  Required if `authenticator_types` includes `oob`.
</ParamField>

<ParamField body="phone_number" type="string">
  The phone number to use for SMS or Voice. Required if `oob_channels` includes `sms` or `voice`.
</ParamField>

## Response

| Status | Description                                       |
| ------ | ------------------------------------------------- |
| 200    | Successful response for adding an authenticator.  |
| 400    | Bad request due to missing or invalid parameters. |
| 401    | Unauthorized: invalid Access Token or `mfa_token`. |
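
The following is an added example, not code from this documentation or its vendor: a client-side pre-flight that checks an Access Token for the `enroll` scope and the `/mfa/` audience, then builds the `/mfa/associate` request while enforcing the parameter dependencies listed under Parameters. It assumes the token is a JWT carrying `aud` and a space-delimited `scope` claim, that the token is sent as a `Bearer` credential with a JSON body, and uses `tenant.example.com`, `CLIENT_ID` and the phone number as constructed placeholders.

```python
import base64
import json

def token_claims(jwt):
    """Decode a JWT payload WITHOUT verifying it (local pre-flight only, not a trust decision)."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_enroll_token(access_token, domain):
    """Raise ValueError if the Access Token lacks the claims this endpoint requires."""
    claims = token_claims(access_token)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if f"https://{domain}/mfa/" not in aud:
        raise ValueError("audience must be https://{yourDomain}/mfa/")
    if "enroll" not in claims.get("scope", "").split():
        raise ValueError("token is missing the enroll scope")

def build_associate_request(domain, token, client_id, authenticator_types,
                            oob_channels=None, phone_number=None, client_secret=None):
    """Return (url, headers, body) for POST /mfa/associate, enforcing the parameter rules."""
    if not authenticator_types or set(authenticator_types) - {"otp", "oob"}:
        raise ValueError("authenticator_types must contain 'otp' or 'oob'")
    body = {"client_id": client_id, "authenticator_types": list(authenticator_types)}
    if "oob" in authenticator_types:
        if not oob_channels:
            raise ValueError("oob_channels is required when authenticator_types includes oob")
        body["oob_channels"] = list(oob_channels)
        if {"sms", "voice"} & set(oob_channels):
            if not phone_number:
                raise ValueError("phone_number is required for sms or voice")
            body["phone_number"] = phone_number
    if client_secret is not None:
        body["client_secret"] = client_secret
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return f"https://{domain}/mfa/associate", headers, body

def make_sample_jwt(claims):
    """Constructed, unsigned sample token for the demo; not a real credential."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

if __name__ == "__main__":
    tok = make_sample_jwt({"aud": "https://tenant.example.com/mfa/", "scope": "openid enroll"})
    check_enroll_token(tok, "tenant.example.com")
    url, headers, body = build_associate_request(
        "tenant.example.com", tok, "CLIENT_ID", ["oob"], ["sms"], "+15555550100")
    print("POST", url, json.dumps(body))
```

The claim check applies only to Access Tokens; when the user has no active authenticators and the `mfa_token` is used instead, skip `check_enroll_token` and pass the `mfa_token` as `token`.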
