> ## Documentation Index
> Fetch the complete documentation index at: https://docs-dev.auth0-mintlify.app/llms.txt
> Use this file to discover all available pages before exploring further.
# Get a list of authentication methods
> Retrieve detailed list of authentication methods belonging to the authenticated user.
export const Scopes = ({scopes = []}) => {
return
Scopes
{"Scopes define permissions and access levels for API requests and authentication tokens."}
;
};
## OpenAPI
````yaml myaccount-api-oas get /authentication-methods
openapi: 3.1.0
info:
title: My Account
version: '1.0'
description: >-
The Auth0 My Account API provides a dedicated set of endpoints for users to
manage their own account information. Customers can use these APIs to build
self-service experiences in their applications or progressively add details
to a user account.
The My Account API operates within the context of the currently logged-in
user and can be used directly within user-facing applications.
:::tip Using Auth0 domain vs. custom domain
The My Account API supports using your canonical Auth0 domain or your custom
domain, but you must use the same one throughout the entire process,
including:
- Getting an access token
- Setting the audience value
- Calling the My Account API endpoint
For more information, read [Custom
Domains](https://auth0.com/docs/customize/custom-domains).
:::
## Activate the My Account API
You can activate the My Account API for your tenant in the Auth0 Dashboard:
1. Navigate to Authentication > APIs.
2. Locate the MyAccount API banner.
3. Select Activate.
By default, the My Account API is created with the following application API
access policies:
`require_client_grant` for user flows
`deny_all` for client (machine-to-machine) flows
For an application to access the My Account API on the user's behalf, you
must explicitly create a client grant for that application, which allows you
to define the maximum scopes the application can request. Alternatively, you
can change the policy for user access flows to allow_all, which allows any
application in your tenant to request any scope from the My Account API.
Because the My Account API exposes sensitive information and operations,
Auth0 does not recommend using allow_all for user access flows. You should
follow a least privilege principle with the My Account API to ensure
applications only get access to what they truly need, minimizing potential
security risks.
The final permissions granted to the application will be determined by the
intersection of the scopes allowed by the application API access policy, the
Role-Based Access Control (RBAC) permissions assigned to the end user, and
any user consent given (if applicable).
:::info Supported flows
You cannot update the application API policy for client access to the My
Account API, which means you cannot access the My Account API using the
Client Credentials Flow.
:::
To learn more about how to manage application API access policies and their
associated client grants, read [Application Access to APIs: Client
Grants](https://auth0.com/docs/get-started/applications/application-access-to-apis-client-grants).
## Get an access token
You can get an access token for the My Account API in the same way you'd get
an access token for one of your own APIs.
:::info
If you're going to allow the My Account API to perform sensitive operations
(such as enrolling an authentication method), we strongly recommend that you
use [step-up
authentication](https://auth0.com/docs/secure/multi-factor-authentication/step-up-authentication)
to enforce additional security policies through [multi-factor authentication
(MFA)](https://auth0.com/docs/secure/multi-factor-authentication).
:::
If you're using Universal Login, read the following articles:
- [Call Your API Using the Authorization Code
Flow](https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/call-your-api-using-the-authorization-code-flow)
- [Call Your API Using the Authorization Code Flow with
PKCE](https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce/call-your-api-using-the-authorization-code-flow-with-pkce)
If you're using embedded login, read the following articles:
- [Call Your API Using Resource Owner Password
Flow](https://auth0.com/docs/get-started/authentication-and-authorization-flow/resource-owner-password-flow/call-your-api-using-resource-owner-password-flow)
- [Login Flow with Native Passkeys
API](https://auth0.com/docs/native-passkeys-api#login-flow)
## Examples
### Universal Login with authorization code flow
**Step 1: Request authorization code**
```
curl --request GET \
--url 'https://{yourDomain}/authorize?response_type=code&client_id={yourClientId}&redirect_uri=%7ByourRedirectUri%7D&scope=create%3Ame%3Aauthentication_methods&offline_access=&audience=https%3A%2F%2F{yourDomain}%2Fme%2F'
```
**Step 2: Exchange code for access token**
```
curl --request POST \
--url 'https://{yourDomain}/oauth/token' \
--header 'content-type: application/json' \
--data '{"grant_type": "authorization_code","client_id": "{yourClientId}","client_secret": "{yourClientSecret}","code": "{yourAuthorizationCode}","redirect_uri": "{yourRedirectUri}","audience": "{yourAudience}","scope": "create:me:authentication_methods","offline_access": ""}'
```
### Embedded login with native passkeys
**Step 1: Request login challenge**
```
curl --request POST \
--url 'https://{yourDomain}/passkey/challenge' \
--header 'content-type: application/json' \
--data '{"client_id": "{yourClientId}"}'
```
**Step 2: Authenticate existing user**
```
curl --request POST \
--url 'https://{yourDomain}/oauth/token' \
--header 'content-type: application/json' \
--data '{ "grant_type": "urn:okta:params:oauth:grant-type:webauthn", "client_id": "{yourClientId}", "scope": "create:me:authentication_methods offline_access", "audience": "https://{yourDomain}/me/", "auth_session": "{sessionIdFromTheFirstRequest}", "authn_response": "{authenticatorResponse}"}'
```
servers:
- url: https://{host}/me/v1
variables:
host:
default: auth0.auth0.com
description: Custom or canonical host name
security: []
tags:
- name: factors
description: Factors
x-displayName: Factors
- name: connected-accounts
description: Connected Accounts
x-displayName: Connected Accounts
- name: authentication-methods
description: Authentication Methods
x-displayName: Authentication Methods
- name: consents
description: Consents
x-displayName: Consents
paths:
/authentication-methods:
get:
tags:
- authentication-methods
summary: Get a list of authentication methods
description: >-
Retrieve detailed list of authentication methods belonging to the
authenticated user.
operationId: getAuthenticationMethods
parameters:
- $ref: '#/components/parameters/AuthenticationMethodTypeQueryParameter'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/ListAuthenticationMethodsResponseContent'
examples:
multiple-methods:
summary: User with multiple authentication methods enrolled
value:
authentication_methods:
- id: email|dev_XXXXXXXXXXXXXXXX
type: email
confirmed: true
email: user@example.com
usage:
- secondary
created_at: '2025-01-15T10:30:00.000Z'
- id: phone|dev_YYYYYYYYYYYYYYYY
type: phone
confirmed: true
phone_number: '+15551234567'
preferred_authentication_method: sms
usage:
- secondary
created_at: '2025-01-16T14:00:00.000Z'
- id: totp|dev_ZZZZZZZZZZZZZZZZ
type: totp
confirmed: true
usage:
- secondary
created_at: '2025-02-01T09:15:00.000Z'
- id: passkey|dev_AAAAAAAAAAAAAAAA
type: passkey
credential_device_type: multi_device
credential_backed_up: true
identity_user_id: auth0|507f1f77bcf86cd799439011
key_id: dGVzdC1rZXktaWQ
public_key: pQECAyYgASFYI...
transports:
- internal
user_agent: Chrome 131.0.0 / Mac OS X 10.15.7
user_handle: YXV0aDB8NTA3ZjFmNzdiY2Y4NmNkNzk5NDM5MDEx
relying_party_id: example.auth0.com
usage:
- primary
created_at: '2025-03-10T08:00:00.000Z'
- id: password|dXNlci0xMjM
type: password
identity_user_id: auth0|507f1f77bcf86cd799439011
usage:
- primary
created_at: '2024-06-01T12:00:00.000Z'
- id: webauthn-platform|dev_BBBBBBBBBBBBBBBB
type: webauthn-platform
confirmed: true
key_id: dGVzdC1wbGF0Zm9ybS1rZXk
public_key: pQECAyYgASFYI...
usage:
- secondary
created_at: '2025-02-20T11:00:00.000Z'
- id: webauthn-roaming|dev_CCCCCCCCCCCCCCCC
type: webauthn-roaming
confirmed: true
key_id: dGVzdC1yb2FtaW5nLWtleQ
public_key: pQECAyYgASFYI...
usage:
- secondary
created_at: '2025-02-25T16:45:00.000Z'
description: Successfully retrieved authentication methods
headers:
x-ratelimit-limit:
$ref: '#/components/headers/XRateLimitLimitHeader'
x-ratelimit-reset:
$ref: '#/components/headers/XRateLimitResetHeader'
x-ratelimit-remaining:
$ref: '#/components/headers/XRateLimitRemainingHeader'
'400':
$ref: '#/components/responses/BadRequest'
'401':
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/Forbidden'
'429':
$ref: '#/components/responses/TooManyRequests'
security:
- Bearer-DPoP:
- read:me:authentication_methods
x-codeSamples: []
components:
parameters:
AuthenticationMethodTypeQueryParameter:
name: type
in: query
description: Filter authentication methods by type
required: false
schema:
$ref: '#/components/schemas/FactorTypeEnum'
schemas:
ListAuthenticationMethodsResponseContent:
type: object
properties:
authentication_methods:
type: array
maxItems: 20
items:
$ref: '#/components/schemas/AuthenticationMethod'
required:
- authentication_methods
additionalProperties: false
FactorTypeEnum:
description: Authentication method type (factor)
enum:
- password
- passkey
- webauthn-platform
- webauthn-roaming
- totp
- phone
- email
- push-notification
- recovery-code
type: string
AuthenticationMethod:
oneOf:
- $ref: '#/components/schemas/AuthenticationMethodPassword'
title: password
- $ref: '#/components/schemas/AuthenticationMethodPasskey'
title: passkey
- $ref: '#/components/schemas/AuthenticationMethodMfaRecoveryCode'
title: recovery-code
- $ref: '#/components/schemas/AuthenticationMethodMfaPushNotification'
title: push-notification
- $ref: '#/components/schemas/AuthenticationMethodMfaTotp'
title: totp
- $ref: '#/components/schemas/AuthenticationMethodWebAuthnPlatform'
title: webauthn-platform
- $ref: '#/components/schemas/AuthenticationMethodWebAuthnRoaming'
title: webauthn-roaming
- $ref: '#/components/schemas/AuthenticationMethodPhone'
title: phone
- $ref: '#/components/schemas/AuthenticationMethodEmail'
title: email
type: object
discriminator:
propertyName: type
mapping:
password:
$ref: '#/components/schemas/AuthenticationMethodPassword'
passkey:
$ref: '#/components/schemas/AuthenticationMethodPasskey'
recovery-code:
$ref: '#/components/schemas/AuthenticationMethodMfaRecoveryCode'
push-notification:
$ref: '#/components/schemas/AuthenticationMethodMfaPushNotification'
totp:
$ref: '#/components/schemas/AuthenticationMethodMfaTotp'
webauthn-platform:
$ref: '#/components/schemas/AuthenticationMethodWebAuthnPlatform'
webauthn-roaming:
$ref: '#/components/schemas/AuthenticationMethodWebAuthnRoaming'
phone:
$ref: '#/components/schemas/AuthenticationMethodPhone'
email:
$ref: '#/components/schemas/AuthenticationMethodEmail'
x-openapi-typescript-ignore: true
ErrorResponse:
properties:
type:
type: string
status:
type: number
title:
type: string
detail:
type: string
validation_errors:
type: array
items:
$ref: '#/components/schemas/ValidationError'
required:
- type
- status
- title
- detail
type: object
additionalProperties: false
AuthenticationMethodPassword:
title: Password Authenticator
allOf:
- $ref: '#/components/schemas/AuthenticationMethodBase'
- type: object
properties:
type:
description: Authentication method type (factor)
default: password
type: string
const: password
identity_user_id:
type: string
description: >-
The ID of the user identity linked with the authentication
method
last_password_reset:
type: string
format: date-time
description: The date of the last password reset
required:
- type
- identity_user_id
AuthenticationMethodPasskey:
title: Passkey Authenticator
allOf:
- $ref: '#/components/schemas/AuthenticationMethodBase'
- type: object
properties:
type:
description: Authentication method type (factor)
default: passkey
type: string
const: passkey
credential_backed_up:
type: boolean
description: Whether the credential was backed up
credential_device_type:
$ref: '#/components/schemas/CredentialDeviceTypeEnum'
identity_user_id:
type: string
description: >-
The ID of the user identity linked with the authentication
method
key_id:
type: string
description: The ID of the credential
public_key:
type: string
description: The public key
transports:
example:
- internal
items:
type: string
type: array
description: >-
The transports used by clients to communicate with the
authenticator
user_agent:
example: Chrome 131.0.0 / Mac OS X 10.15.7
type: string
description: The user-agent of the browser used to create the passkey
user_handle:
type: string
description: The user handle of the user identity
aaguid:
type: string
description: Authenticator Attestation Globally Unique Identifier
relying_party_id:
type: string
description: Relying Party Identifier
last_auth_at:
type: string
format: date-time
description: The date and time when the authentication method was last used
required:
- type
- credential_backed_up
- credential_device_type
- identity_user_id
- key_id
- public_key
- user_handle
AuthenticationMethodMfaRecoveryCode:
title: Recovery Code Authenticator
allOf:
- $ref: '#/components/schemas/AuthenticationMethodMfaBase'
- type: object
properties:
type:
const: recovery-code
description: Authentication method type (factor)
default: recovery-code
type: string
required:
- type
AuthenticationMethodMfaPushNotification:
title: Push Notification Authenticator
allOf:
- $ref: '#/components/schemas/AuthenticationMethodMfaBase'
- type: object
properties:
name:
type: string
description: The friendly name of the authentication method
type:
const: push-notification
description: Authentication method type (factor)
default: push-notification
type: string
required:
- type
AuthenticationMethodMfaTotp:
title: TOTP Authenticator
allOf:
- $ref: '#/components/schemas/AuthenticationMethodMfaBase'
- type: object
properties:
name:
type: string
description: The friendly name of the authentication method
type:
const: totp
description: Authentication method type (factor)
default: totp
type: string
required:
- type
AuthenticationMethodWebAuthnPlatform:
title: WebAuthn Platform MFA Authenticator
allOf:
- $ref: '#/components/schemas/AuthenticationMethodWebAuthn'
- type: object
properties:
type:
const: webauthn-platform
description: Authentication method type (factor)
default: webauthn-platform
type: string
required:
- type
AuthenticationMethodWebAuthnRoaming:
title: WebAuthn Roaming MFA Authenticator
allOf:
- $ref: '#/components/schemas/AuthenticationMethodWebAuthn'
- type: object
properties:
type:
const: webauthn-roaming
description: Authentication method type (factor)
default: webauthn-roaming
type: string
required:
- type
AuthenticationMethodPhone:
title: Phone MFA Authenticator
allOf:
- $ref: '#/components/schemas/AuthenticationMethodMfaBase'
- type: object
properties:
name:
type: string
description: The friendly name of the authentication method
type:
const: phone
description: Authentication method type (factor)
default: phone
type: string
phone_number:
type: string
description: >-
The destination phone number used to send verification codes via
text and voice.
preferred_authentication_method:
$ref: '#/components/schemas/PhoneAuthenticationMethodEnum'
required:
- type
- phone_number
- preferred_authentication_method
AuthenticationMethodEmail:
title: Email MFA Authenticator
allOf:
- $ref: '#/components/schemas/AuthenticationMethodMfaBase'
- type: object
properties:
name:
type: string
description: The friendly name of the authentication method
type:
const: email
description: Authentication method type (factor)
default: email
type: string
email:
type: string
description: The email address used to send verification messages.
required:
- type
- email
ValidationError:
type: object
properties:
detail:
type: string
field:
type: string
pointer:
type: string
source:
type: string
required:
- detail
additionalProperties: false
AuthenticationMethodBase:
type: object
properties:
id:
type: string
description: The unique identifier of the authentication method
created_at:
type: string
format: date-time
description: The date and time when the authentication method was created
usage:
$ref: '#/components/schemas/Usage'
required:
- id
- created_at
- usage
CredentialDeviceTypeEnum:
description: Credential device type for passkey authentication methods
enum:
- multi_device
- single_device
type: string
AuthenticationMethodMfaBase:
allOf:
- $ref: '#/components/schemas/AuthenticationMethodBase'
- type: object
properties:
confirmed:
type: boolean
description: The authentication method status
last_auth_at:
type: string
format: date-time
description: The date and time when the authentication method was last used
required:
- confirmed
AuthenticationMethodWebAuthn:
allOf:
- $ref: '#/components/schemas/AuthenticationMethodMfaBase'
- type: object
properties:
name:
type: string
description: The friendly name of the authentication method
key_id:
type: string
description: The ID of the credential
public_key:
type: string
description: The public key
required: []
PhoneAuthenticationMethodEnum:
description: Preferred authentication method for phone-based authentication
enum:
- sms
- voice
type: string
Usage:
description: Primary and/or secondary factor
type: array
items:
$ref: '#/components/schemas/UsageEnum'
UsageEnum:
description: Usage type for authentication factors
enum:
- primary
- secondary
type: string
headers:
XRateLimitLimitHeader:
required: true
description: >-
The maximum number of requests permissible during the limit’s window
window
schema:
type: number
XRateLimitResetHeader:
required: true
description: >-
The anticipated time (as a UNIX timestamp, in seconds) when the bucket
will be replenished
schema:
type: number
XRateLimitRemainingHeader:
required: true
description: >-
The number of remaining requests remaining in the current window until
requests are rejected
schema:
type: number
RetryAfterHeader:
required: true
description: The number of seconds the client should wait before making a new request
schema:
type: number
XAuth0ErrorKindHeader:
description: >-
An indicator that the rate limit exceeded a is global (per tenant)
limit.
schema:
type: string
const: global-rate-limit
responses:
BadRequest:
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
description: Invalid input based on schema.
Unauthorized:
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
description: Unauthorized.
Forbidden:
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
description: Forbidden.
TooManyRequests:
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
description: Too Many Requests.
headers:
retry-after:
$ref: '#/components/headers/RetryAfterHeader'
x-ratelimit-limit:
$ref: '#/components/headers/XRateLimitLimitHeader'
x-ratelimit-reset:
$ref: '#/components/headers/XRateLimitResetHeader'
x-ratelimit-remaining:
$ref: '#/components/headers/XRateLimitRemainingHeader'
x-auth0-error-kind:
$ref: '#/components/headers/XAuth0ErrorKindHeader'
securitySchemes:
Bearer-DPoP:
type: http
scheme: bearer
description: Bearer and DPoP tokens are supported depending on the API configuration
````