> ## Documentation Index > Fetch the complete documentation index at: https://docs-dev-docs-event-stream-action-templates.mintlify.site/llms.txt > Use this file to discover all available pages before exploring further. # Challenge Request > The Multi-factor Authentication (MFA) API endpoints allow you to enforce MFA when users interact with the Token endpoints, as well as enroll and manage user authenticators. `POST /mfa/challenge` The Multi-factor Authentication (MFA) API endpoints allow you to enforce MFA when users interact with [the Token endpoints](#get-token), as well as enroll and manage user authenticators. First, request a challenge based on the challenge types supported by the application and user. If you know that one-time password (OTP) is supported, you can skip the challenge request. Next, verify the multi-factor authentication using the `/oauth/token` endpoint and the specified challenge type: a one-time password (OTP), a recovery code, or an out-of-band (OOB) challenge. To learn more, read: * [Multi-factor Authentication and Resource Owner Password](https://auth0.com/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa) * [Multi-factor Authentication API](https://auth0.com/docs/secure/multi-factor-authentication/multi-factor-authentication-developer-resources/mfa-api) * [Multi-factor Authentication in Auth0](https://auth0.com/docs/secure/multi-factor-authentication) ## Challenge Request Request a challenge for multi-factor authentication (MFA) based on the challenge types supported by the application and user. The `challenge_type` is how the user will get the challenge and prove possession. Supported challenge types include: * `otp`: for one-time password (OTP) * `oob`: for SMS/Voice messages or out-of-band (OOB) If OTP is supported by the user and you don't want to request a different factor, you can skip the challenge request and [verify the multi-factor authentication with a one-time password](#verify-with-one-time-password-otp-). ### Remarks * This endpoint does not support enrollment; the user must be enrolled with the preferred method before requesting a challenge. * Auth0 chooses the challenge type based on the application's supported types and types the user is enrolled with. * An `unsupported_challenge_type` error is returned if your application does not support any of the challenge types the user has enrolled with. * An `unsupported_challenge_type` error is returned if the user is not enrolled. * If the user is not enrolled, you will get an `association_required` error, indicating the user needs to enroll to use MFA. Read [Add an authenticator](/multi-factor-authentication/add-an-authenticator) below on how to proceed. ### Learn More * [Authenticate With Resource Owner Password Grant and MFA](https://auth0.com/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa) * [Manage Authenticator Factors using the MFA API](https://auth0.com/docs/secure/multi-factor-authentication/manage-mfa-auth0-apis/manage-authenticator-factors-mfa-api) ## Parameters The token received from mfa\_required error. Your application's Client ID. Your application's Client Secret. A whitespace-separated list of challenge types accepted by your application. Allowed values: `oob`, `otp` A JWT containing a signed assertion with your application credentials. The value is urn:ietf:params:oauth:client-assertion-type:jwt-bearer. The ID of the authenticator to challenge. ## Response | Status | Description | | ------ | -------------------------------------------------------------------------- | | 200 | Challenge request successful | | 400 | Invalid request, such as unsupported challenge type or missing enrollment. |