> ## Documentation Index
> Fetch the complete documentation index at: https://docs-dev.auth0-mintlify.app/llms.txt
> Use this file to discover all available pages before exploring further.
# Start the enrollment of a supported authentication method.
> Start the enrollment of a supported authentication method.
export const Scopes = ({scopes = []}) => {
return
Scopes
{"Scopes define permissions and access levels for API requests and authentication tokens."}
;
};
## OpenAPI
````yaml myaccount-api-oas post /authentication-methods
openapi: 3.1.0
info:
title: My Account
version: '1.0'
description: >-
The Auth0 My Account API provides a dedicated set of endpoints for users to
manage their own account information. Customers can use these APIs to build
self-service experiences in their applications or progressively add details
to a user account.
The My Account API operates within the context of the currently logged-in
user and can be used directly within user-facing applications.
:::tip Using Auth0 domain vs. custom domain
The My Account API supports using your canonical Auth0 domain or your custom
domain, but you must use the same one throughout the entire process,
including:
- Getting an access token
- Setting the audience value
- Calling the My Account API endpoint
For more information, read [Custom
Domains](https://auth0.com/docs/customize/custom-domains).
:::
## Activate the My Account API
You can activate the My Account API for your tenant in the Auth0 Dashboard:
1. Navigate to Authentication > APIs.
2. Locate the MyAccount API banner.
3. Select Activate.
By default, the My Account API is created with the following application API
access policies:
`require_client_grant` for user flows
`deny_all` for client (machine-to-machine) flows
For an application to access the My Account API on the user's behalf, you
must explicitly create a client grant for that application, which allows you
to define the maximum scopes the application can request. Alternatively, you
can change the policy for user access flows to allow_all, which allows any
application in your tenant to request any scope from the My Account API.
Because the My Account API exposes sensitive information and operations,
Auth0 does not recommend using allow_all for user access flows. You should
follow a least privilege principle with the My Account API to ensure
applications only get access to what they truly need, minimizing potential
security risks.
The final permissions granted to the application will be determined by the
intersection of the scopes allowed by the application API access policy, the
Role-Based Access Control (RBAC) permissions assigned to the end user, and
any user consent given (if applicable).
:::info Supported flows
You cannot update the application API policy for client access to the My
Account API, which means you cannot access the My Account API using the
Client Credentials Flow.
:::
To learn more about how to manage application API access policies and their
associated client grants, read [Application Access to APIs: Client
Grants](https://auth0.com/docs/get-started/applications/application-access-to-apis-client-grants).
## Get an access token
You can get an access token for the My Account API in the same way you'd get
an access token for one of your own APIs.
:::info
If you're going to allow the My Account API to perform sensitive operations
(such as enrolling an authentication method), we strongly recommend that you
use [step-up
authentication](https://auth0.com/docs/secure/multi-factor-authentication/step-up-authentication)
to enforce additional security policies through [multi-factor authentication
(MFA)](https://auth0.com/docs/secure/multi-factor-authentication).
:::
If you're using Universal Login, read the following articles:
- [Call Your API Using the Authorization Code
Flow](https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/call-your-api-using-the-authorization-code-flow)
- [Call Your API Using the Authorization Code Flow with
PKCE](https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce/call-your-api-using-the-authorization-code-flow-with-pkce)
If you're using embedded login, read the following articles:
- [Call Your API Using Resource Owner Password
Flow](https://auth0.com/docs/get-started/authentication-and-authorization-flow/resource-owner-password-flow/call-your-api-using-resource-owner-password-flow)
- [Login Flow with Native Passkeys
API](https://auth0.com/docs/native-passkeys-api#login-flow)
## Examples
### Universal Login with authorization code flow
**Step 1: Request authorization code**
```
curl --request GET \
--url 'https://{yourDomain}/authorize?response_type=code&client_id={yourClientId}&redirect_uri=%7ByourRedirectUri%7D&scope=create%3Ame%3Aauthentication_methods&offline_access=&audience=https%3A%2F%2F{yourDomain}%2Fme%2F'
```
**Step 2: Exchange code for access token**
```
curl --request POST \
--url 'https://{yourDomain}/oauth/token' \
--header 'content-type: application/json' \
--data '{"grant_type": "authorization_code","client_id": "{yourClientId}","client_secret": "{yourClientSecret}","code": "{yourAuthorizationCode}","redirect_uri": "{yourRedirectUri}","audience": "{yourAudience}","scope": "create:me:authentication_methods","offline_access": ""}'
```
### Embedded login with native passkeys
**Step 1: Request login challenge**
```
curl --request POST \
--url 'https://{yourDomain}/passkey/challenge' \
--header 'content-type: application/json' \
--data '{"client_id": "{yourClientId}"}'
```
**Step 2: Authenticate existing user**
```
curl --request POST \
--url 'https://{yourDomain}/oauth/token' \
--header 'content-type: application/json' \
--data '{ "grant_type": "urn:okta:params:oauth:grant-type:webauthn", "client_id": "{yourClientId}", "scope": "create:me:authentication_methods offline_access", "audience": "https://{yourDomain}/me/", "auth_session": "{sessionIdFromTheFirstRequest}", "authn_response": "{authenticatorResponse}"}'
```
servers:
- url: https://{host}/me/v1
variables:
host:
default: auth0.auth0.com
description: Custom or canonical host name
security: []
tags:
- name: factors
description: Factors
x-displayName: Factors
- name: connected-accounts
description: Connected Accounts
x-displayName: Connected Accounts
- name: authentication-methods
description: Authentication Methods
x-displayName: Authentication Methods
- name: consents
description: Consents
x-displayName: Consents
paths:
/authentication-methods:
post:
tags:
- authentication-methods
summary: Start the enrollment of a supported authentication method.
description: Start the enrollment of a supported authentication method.
operationId: createAuthenticationMethod
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/CreateAuthenticationMethodRequestContent'
examples:
phone:
summary: Enroll a phone number for SMS/voice OTP
value:
type: phone
phone_number: '+15551234567'
preferred_authentication_method: sms
email:
summary: Enroll an email address for OTP
value:
type: email
email: user@example.com
totp:
summary: Enroll a TOTP authenticator app
value:
type: totp
push-notification:
summary: Enroll a push notification authenticator
value:
type: push-notification
recovery-code:
summary: Generate a recovery code
value:
type: recovery-code
password:
summary: Enroll a password credential
value:
type: password
passkey:
summary: Enroll a passkey
value:
type: passkey
responses:
'202':
content:
application/json:
schema:
$ref: '#/components/schemas/CreateAuthenticationMethodResponseContent'
examples:
phone:
summary: Phone enrollment started
value:
id: phone|dev_XXXXXXXXXXXXXXXX
auth_session: Fe26.2**05c400ed...
email:
summary: Email enrollment started
value:
id: email|dev_XXXXXXXXXXXXXXXX
auth_session: Fe26.2**05c400ed...
totp:
summary: TOTP enrollment started — includes QR code data
value:
id: totp|dev_XXXXXXXXXXXXXXXX
auth_session: Fe26.2**05c400ed...
barcode_uri: >-
otpauth://totp/my-tenant:auth0%7C507f1f77bcf86cd799439011?secret=JBSWY3DPEHPK3PXP&issuer=my-tenant&algorithm=SHA1&digits=6&period=30
manual_input_code: JBSWY3DPEHPK3PXP
push-notification:
summary: Push notification enrollment started — includes QR code data
value:
id: push-notification|dev_XXXXXXXXXXXXXXXX
auth_session: Fe26.2**05c400ed...
barcode_uri: >-
otpauth://totp/my-tenant:auth0%7C507f1f77bcf86cd799439011?secret=JBSWY3DPEHPK3PXP&issuer=my-tenant&algorithm=SHA1&digits=6&period=30
recovery-code:
summary: Recovery code generated
value:
id: recovery-code|dev_XXXXXXXXXXXXXXXX
auth_session: Fe26.2**05c400ed...
recovery_code: ABCDEFGHIJKLMNOPQRSTUVWX
password:
summary: Password enrollment started — includes password policy
value:
id: password|new
auth_session: Fe26.2**05c400ed...
policy:
complexity:
min_length: 8
character_types:
- lowercase
- uppercase
- number
- special
character_type_rule: three_of_four
identical_characters: block
sequential_characters: block
max_length_exceeded: truncate
profile_data:
active: true
blocked_fields:
- name
- email
history:
active: true
size: 5
dictionary:
active: true
default: en_10k
passkey:
summary: >-
Passkey enrollment started — includes WebAuthn creation
options
value:
auth_session: Fe26.2**05c400ed...
authn_params_public_key:
challenge: dGVzdC1jaGFsbGVuZ2U
timeout: 60000
rp:
id: example.auth0.com
name: My Application
user:
id: YXV0aDB8NTA3ZjFmNzdiY2Y4NmNkNzk5NDM5MDEx
name: user@example.com
displayName: User
pubKeyCredParams:
- type: public-key
alg: -7
- type: public-key
alg: -257
authenticatorSelection:
residentKey: required
userVerification: preferred
description: Enrollment started
headers:
Location:
$ref: '#/components/headers/LocationHeader'
x-ratelimit-limit:
$ref: '#/components/headers/XRateLimitLimitHeader'
x-ratelimit-reset:
$ref: '#/components/headers/XRateLimitResetHeader'
x-ratelimit-remaining:
$ref: '#/components/headers/XRateLimitRemainingHeader'
'400':
$ref: '#/components/responses/BadRequest'
'401':
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/Forbidden'
'415':
$ref: '#/components/responses/UnsupportedMediaType'
'429':
$ref: '#/components/responses/TooManyRequests'
security:
- Bearer-DPoP:
- create:me:authentication_methods
x-codeSamples: []
components:
schemas:
CreateAuthenticationMethodRequestContent:
description: Request content for creating an authentication method
oneOf:
- $ref: '#/components/schemas/CreatePasskeyAuthenticationMethod'
title: passkey
- $ref: '#/components/schemas/CreateTotpAuthenticationMethod'
title: totp
- $ref: '#/components/schemas/CreatePushNotificationAuthenticationMethod'
title: push-notification
- $ref: '#/components/schemas/CreateRecoveryCodeAuthenticationMethod'
title: recovery-code
- $ref: '#/components/schemas/CreateEmailAuthenticationMethod'
title: email
- $ref: '#/components/schemas/CreatePhoneAuthenticationMethod'
title: phone
- $ref: '#/components/schemas/CreatePasswordAuthenticationMethod'
title: password
type: object
discriminator:
propertyName: type
mapping:
passkey:
$ref: '#/components/schemas/CreatePasskeyAuthenticationMethod'
totp:
$ref: '#/components/schemas/CreateTotpAuthenticationMethod'
push-notification:
$ref: '#/components/schemas/CreatePushNotificationAuthenticationMethod'
recovery-code:
$ref: '#/components/schemas/CreateRecoveryCodeAuthenticationMethod'
email:
$ref: '#/components/schemas/CreateEmailAuthenticationMethod'
phone:
$ref: '#/components/schemas/CreatePhoneAuthenticationMethod'
password:
$ref: '#/components/schemas/CreatePasswordAuthenticationMethod'
x-openapi-typescript-ignore: true
CreateAuthenticationMethodResponseContent:
anyOf:
- $ref: '#/components/schemas/PasskeyCreationResponse'
- $ref: '#/components/schemas/WebAuthnCreationResponse'
- $ref: '#/components/schemas/MfaBaseCreationResponse'
title: Email/Phone enrollment information
- $ref: '#/components/schemas/QrCodeCreationResponse'
- $ref: '#/components/schemas/RecoveryCodeCreationResponse'
- $ref: '#/components/schemas/PasswordCreationResponse'
CreatePasskeyAuthenticationMethod:
title: Passkey enrollment payload
allOf:
- $ref: '#/components/schemas/IdentityAuthenticationMethodBase'
- type: object
properties:
type:
description: Authentication method type (factor)
default: passkey
type: string
const: passkey
use_exclude_credentials:
type: boolean
x-internal: true
description: >-
When enabled, Auth0 includes the user's existing credentials in
the excludeCredentials field during passkey enrollment. This
prevents users from accidentally registering multiple passkeys
from the same authenticator, reducing credential clutter and
avoiding confusion at sign-in.
required:
- type
CreateTotpAuthenticationMethod:
title: TOTP enrollment payload
type: object
properties:
type:
const: totp
description: Authentication method type (factor)
default: totp
type: string
required:
- type
additionalProperties: false
CreatePushNotificationAuthenticationMethod:
title: Push Notification enrollment payload
type: object
properties:
type:
const: push-notification
description: Authentication method type (factor)
default: push-notification
type: string
required:
- type
additionalProperties: false
CreateRecoveryCodeAuthenticationMethod:
title: Recovery Code enrollment payload
type: object
properties:
type:
const: recovery-code
description: Authentication method type (factor)
default: recovery-code
type: string
required:
- type
additionalProperties: false
CreateEmailAuthenticationMethod:
title: Email enrollment payload
type: object
properties:
type:
const: email
description: Authentication method type (factor)
default: email
type: string
email:
type: string
description: The email address to use for sending one-time codes.
required:
- type
- email
additionalProperties: false
CreatePhoneAuthenticationMethod:
title: Phone enrollment payload
type: object
properties:
type:
const: phone
description: Authentication method type (factor)
default: phone
type: string
phone_number:
type: string
description: >-
The destination phone number used to send verification codes via
text and voice.
preferred_authentication_method:
$ref: '#/components/schemas/PhoneAuthenticationMethodEnum'
description: The preferred communication method.
required:
- type
- phone_number
additionalProperties: false
CreatePasswordAuthenticationMethod:
title: Password authentication method creation payload
allOf:
- $ref: '#/components/schemas/IdentityAuthenticationMethodBase'
- type: object
properties:
type:
description: Authentication method type (factor)
default: password
type: string
const: password
connection: true
identity_user_id: true
required:
- type
additionalProperties: false
PasskeyCreationResponse:
title: Passkey enrollment information
properties:
auth_session:
type: string
description: The unique session identifier for the enrollment.
authn_params_public_key:
$ref: '#/components/schemas/PublicKeyCredentialCreationOptions'
required:
- auth_session
- authn_params_public_key
type: object
WebAuthnCreationResponse:
allOf:
- $ref: '#/components/schemas/MfaBaseCreationResponse'
- title: WebAuthn enrollment information
properties:
authn_params_public_key:
$ref: '#/components/schemas/PublicKeyCredentialCreationOptions'
required:
- authn_params_public_key
type: object
MfaBaseCreationResponse:
type: object
properties:
id:
type: string
description: The unique identifier for the authentication method.
auth_session:
type: string
description: The unique session identifier for the enrollment.
required:
- id
- auth_session
QrCodeCreationResponse:
allOf:
- $ref: '#/components/schemas/MfaBaseCreationResponse'
- title: TOTP/Push enrollment information
type: object
properties:
barcode_uri:
type: string
description: The URI for the QR code to be scanned by the authenticator.
manual_input_code:
type: string
description: >-
The manual input code for the authenticator in case QR codes
cannot be used.
required:
- barcode_uri
RecoveryCodeCreationResponse:
allOf:
- $ref: '#/components/schemas/MfaBaseCreationResponse'
- title: Recovery Code enrollment information
type: object
properties:
recovery_code:
type: string
description: The recovery code value.
required:
- recovery_code
PasswordCreationResponse:
title: Password enrollment information
type: object
properties:
id:
type: string
description: The unique identifier for the password authentication method.
policy:
$ref: '#/components/schemas/PasswordAuthenticationMethodPolicy'
auth_session:
type: string
description: The unique session identifier for the password change operation.
required:
- id
- policy
- auth_session
ErrorResponse:
properties:
type:
type: string
status:
type: number
title:
type: string
detail:
type: string
validation_errors:
type: array
items:
$ref: '#/components/schemas/ValidationError'
required:
- type
- status
- title
- detail
type: object
additionalProperties: false
IdentityAuthenticationMethodBase:
type: object
properties:
connection:
$ref: '#/components/schemas/Connection'
identity_user_id:
$ref: '#/components/schemas/IdentityUserId'
PhoneAuthenticationMethodEnum:
description: Preferred authentication method for phone-based authentication
enum:
- sms
- voice
type: string
PublicKeyCredentialCreationOptions:
properties:
authenticatorSelection:
$ref: '#/components/schemas/AuthenticatorSelection'
challenge:
type: string
pubKeyCredParams:
example:
- type: public-key
alg: -8
- type: public-key
alg: -7
- type: public-key
alg: -257
items:
$ref: '#/components/schemas/PublicKeyCredentialParameter'
type: array
rp:
$ref: '#/components/schemas/RelyingParty'
timeout:
type: number
example: 60000
user:
$ref: '#/components/schemas/User'
excludeCredentials:
type: array
x-internal: true
items:
$ref: '#/components/schemas/PublicKeyCredentialDescriptor'
description: Existing credentials to exclude from re-registration.
required:
- challenge
- pubKeyCredParams
- rp
- user
type: object
PasswordAuthenticationMethodPolicy:
type: object
description: The password policy configuration for the connection in flexible format.
properties:
complexity:
$ref: '#/components/schemas/PasswordComplexityPolicy'
profile_data:
$ref: '#/components/schemas/PasswordProfileDataPolicy'
history:
$ref: '#/components/schemas/PasswordHistoryPolicy'
dictionary:
$ref: '#/components/schemas/PasswordDictionaryPolicy'
required:
- complexity
- profile_data
- history
- dictionary
additionalProperties: false
ValidationError:
type: object
properties:
detail:
type: string
field:
type: string
pointer:
type: string
source:
type: string
required:
- detail
additionalProperties: false
Connection:
description: Name of the database connection
type: string
minLength: 1
maxLength: 128
pattern: ^[a-zA-Z0-9-]+$
IdentityUserId:
description: Identity provider user ID
type: string
minLength: 1
maxLength: 255
pattern: ^\S+$
AuthenticatorSelection:
type: object
properties:
residentKey:
$ref: '#/components/schemas/ResidentKeyEnum'
userVerification:
$ref: '#/components/schemas/UserVerificationEnum'
additionalProperties: false
PublicKeyCredentialParameter:
type: object
properties:
alg:
type: number
type:
$ref: '#/components/schemas/PublicKeyTypeEnum'
required:
- alg
- type
additionalProperties: false
RelyingParty:
type: object
properties:
id:
type: string
name:
type: string
required:
- name
additionalProperties: false
User:
type: object
properties:
id:
type: string
name:
type: string
displayName:
type: string
required:
- id
- name
- displayName
additionalProperties: false
PublicKeyCredentialDescriptor:
type: object
properties:
id:
type: string
description: The credential ID.
type:
type: string
const: public-key
transports:
type: array
items:
type: string
description: Hints about the transports the authenticator may use.
required:
- id
- type
additionalProperties: false
PasswordComplexityPolicy:
type: object
description: Password complexity requirements
properties:
min_length:
type: integer
description: Minimum password length
character_types:
type: array
items:
$ref: '#/components/schemas/PasswordCharacterTypeEnum'
description: Required character types
character_type_rule:
$ref: '#/components/schemas/PasswordCharacterTypeRuleEnum'
identical_characters:
$ref: '#/components/schemas/PasswordIdenticalCharactersEnum'
sequential_characters:
$ref: '#/components/schemas/PasswordSequentialCharactersEnum'
max_length_exceeded:
$ref: '#/components/schemas/PasswordMaxLengthExceededEnum'
required:
- min_length
- character_types
- character_type_rule
- identical_characters
- sequential_characters
- max_length_exceeded
additionalProperties: false
PasswordProfileDataPolicy:
type: object
description: Settings for blocking personal information in passwords
properties:
active:
type: boolean
description: >-
Whether to block personal information (name, email, etc.) in
passwords
blocked_fields:
type: array
items:
type: string
description: >-
User profile fields to block from passwords (e.g., 'name', 'email',
'user_metadata.first')
required:
- active
- blocked_fields
additionalProperties: false
PasswordHistoryPolicy:
type: object
description: Password history enforcement settings
properties:
active:
type: boolean
description: Whether password history is enforced
size:
type: integer
description: Number of previous passwords to remember and prevent reuse
required:
- active
- size
additionalProperties: false
PasswordDictionaryPolicy:
type: object
description: Dictionary checking settings to block weak or banned passwords
properties:
active:
type: boolean
description: Whether dictionary checking is enabled
default:
$ref: '#/components/schemas/PasswordDictionaryDefaultEnum'
required:
- active
- default
additionalProperties: false
ResidentKeyEnum:
type: string
description: The resident key requirement
enum:
- required
UserVerificationEnum:
type: string
description: The user verification requirement
enum:
- required
- preferred
- discouraged
PublicKeyTypeEnum:
type: string
description: The public key credential type
enum:
- public-key
PasswordCharacterTypeEnum:
type: string
enum:
- uppercase
- lowercase
- number
- special
description: Character type for password complexity requirements
PasswordCharacterTypeRuleEnum:
type: string
enum:
- all
- three_of_four
description: How character types are enforced in password complexity
PasswordIdenticalCharactersEnum:
type: string
enum:
- allow
- block
description: Whether to allow 3 or more consecutive identical characters
PasswordSequentialCharactersEnum:
type: string
enum:
- allow
- block
description: Whether to allow sequential characters
PasswordMaxLengthExceededEnum:
type: string
enum:
- truncate
- error
description: Behavior when password exceeds maximum length
PasswordDictionaryDefaultEnum:
type: string
enum:
- en_10k
- en_100k
description: Default dictionary to use for checking weak passwords
headers:
LocationHeader:
required: true
description: URL of the authentication method resource.
schema:
type: string
format: uri
examples:
verify:
summary: Location URL for a newly verified passkey authentication method
value: >-
https://auth0.auth0.com/me/v1/authentication-methods/passkey%7Cdev_XXXXXXXXXXXXXXXX
create:
summary: >-
Location URL for a newly created but not verified passkey
authentication method
value: https://auth0.auth0.com/me/v1/authentication-methods/passkey%7Cnew
XRateLimitLimitHeader:
required: true
description: >-
The maximum number of requests permissible during the limit’s window
window
schema:
type: number
XRateLimitResetHeader:
required: true
description: >-
The anticipated time (as a UNIX timestamp, in seconds) when the bucket
will be replenished
schema:
type: number
XRateLimitRemainingHeader:
required: true
description: >-
The number of remaining requests remaining in the current window until
requests are rejected
schema:
type: number
RetryAfterHeader:
required: true
description: The number of seconds the client should wait before making a new request
schema:
type: number
XAuth0ErrorKindHeader:
description: >-
An indicator that the rate limit exceeded a is global (per tenant)
limit.
schema:
type: string
const: global-rate-limit
responses:
BadRequest:
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
description: Invalid input based on schema.
Unauthorized:
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
description: Unauthorized.
Forbidden:
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
description: Forbidden.
UnsupportedMediaType:
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
description: Unsupported Media Type.
TooManyRequests:
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
description: Too Many Requests.
headers:
retry-after:
$ref: '#/components/headers/RetryAfterHeader'
x-ratelimit-limit:
$ref: '#/components/headers/XRateLimitLimitHeader'
x-ratelimit-reset:
$ref: '#/components/headers/XRateLimitResetHeader'
x-ratelimit-remaining:
$ref: '#/components/headers/XRateLimitRemainingHeader'
x-auth0-error-kind:
$ref: '#/components/headers/XAuth0ErrorKindHeader'
securitySchemes:
Bearer-DPoP:
type: http
scheme: bearer
description: Bearer and DPoP tokens are supported depending on the API configuration
````