
# Verify with Recovery Code

> Verifies multi-factor authentication (MFA) using a recovery code.

`POST /oauth/token`

Some multi-factor authentication (MFA) providers (such as Guardian) support using a recovery code to log in. Use this method to authenticate when the user's enrolled device is unavailable, or when the user cannot receive or accept the challenge because of connectivity issues.

To verify MFA using a recovery code, your app must prompt the user for the recovery code and then make a request to `/oauth/token` with `grant_type=http://auth0.com/oauth/grant-type/mfa-recovery-code`. Include the collected recovery code and the `mfa_token` from the `mfa_required` error. If the recovery code is accepted, the response is the same as for the `password` or `http://auth0.com/oauth/grant-type/password-realm` grant types. It might also include a `recovery_code` field, which the application must display to the end user so that they can store it securely for future use.

## Parameters

<ParamField header="DPoP" type="string">
  A DPoP proof for the request. This is optional and only required if your application uses Demonstrating Proof-of-Possession.
</ParamField>

## Request Body

<ParamField body="grant_type" type="string" required>
  Denotes the flow you are using. For recovery code use `http://auth0.com/oauth/grant-type/mfa-recovery-code`.

  Allowed values: `http://auth0.com/oauth/grant-type/mfa-recovery-code`
</ParamField>

<ParamField body="client_id" type="string" required>
  Your application's Client ID.
</ParamField>

<ParamField body="client_assertion" type="string">
  A JWT containing a signed assertion with your application credentials.
</ParamField>

<ParamField body="client_assertion_type" type="string">
  The value is `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`.

  Allowed values: `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`
</ParamField>

<ParamField body="client_secret" type="string">
  Your application's Client Secret.
</ParamField>

<ParamField body="mfa_token" type="string" required>
  The `mfa_token` you received from the `mfa_required` error.
</ParamField>

<ParamField body="recovery_code" type="string" required>
  Recovery code provided by the end-user.
</ParamField>

## Response

| Status | Description                                         |
| ------ | --------------------------------------------------- |
| 200    | Successful response for recovery code verification. |
| 400    | Bad request due to missing or invalid parameters.   |
| 401    | Unauthorized, invalid mfa\_token or recovery\_code. |
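
The request and response handling described on this page, as an added client-side sketch that is not part of the original documentation. It assumes a form-encoded body, a placeholder tenant domain, and hypothetical helper names (`build_recovery_request`, `redact`, `handle_response`); the request is built but not sent.

```python
import json
import urllib.parse
import urllib.request

GRANT_TYPE = "http://auth0.com/oauth/grant-type/mfa-recovery-code"
SENSITIVE = {"mfa_token", "recovery_code", "client_secret", "client_assertion"}


def build_recovery_request(domain, client_id, mfa_token, recovery_code,
                           client_secret=None):
    """Build (without sending) the POST /oauth/token request for this grant."""
    form = {
        "grant_type": GRANT_TYPE,
        "client_id": client_id,
        "mfa_token": mfa_token,                  # from the mfa_required error
        "recovery_code": recovery_code.strip(),  # as typed by the end user
    }
    if client_secret is not None:                # confidential clients only
        form["client_secret"] = client_secret
    request = urllib.request.Request(
        f"https://{domain}/oauth/token",         # domain: assumed placeholder
        data=urllib.parse.urlencode(form).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    return request, form


def redact(form):
    """Copy of the form that is safe to log: secrets and codes are masked."""
    return {k: "[redacted]" if k in SENSITIVE else v for k, v in form.items()}


def handle_response(status, body):
    """Interpret the documented 200/400/401 outcomes of the token call."""
    if status == 200:
        tokens = json.loads(body)
        # A replacement recovery code may be present; it must be shown to the
        # user, so split it from the tokens that go to the session store.
        new_code = tokens.pop("recovery_code", None)
        return {"ok": True, "tokens": tokens, "show_to_user": new_code}
    reasons = {400: "missing or invalid parameters",
               401: "invalid mfa_token or recovery_code"}
    return {"ok": False,
            "reason": reasons.get(status, f"unexpected status {status}")}
```

Log `redact(form)` rather than the raw form, and keep the value in `show_to_user` out of logs and persistent storage on the application side.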
