Manage Authentication Methods with Management API
Auth0 provides several API endpoints that let you manage authenticators with a Confidential Client. These endpoints allow you to create, update, and delete authenticators.
Prerequisites
To get started, you need to create a Machine to Machine Application with access granted to the Auth0 Management API.
Scopes
Name | Description |
---|---|
read:authentication_methods | to read authentication methods |
create:authentication_methods | to create authentication methods |
update:authentication_methods | to update authentication methods and to replace all authentication methods |
delete:authentication_methods | to delete authentication methods |
List All Authentication Methods
Documentation for this API: Auth0 Management API v2
curl --request GET 'https://{yourDomain}/api/v2/users/{yourUserId}/authentication-methods' \
--header 'Authorization: bearer {yourAccessToken}'
List a Single Authentication Method
Documentation for this API: Auth0 Management API v2
curl --location --request GET 'https://{yourDomain}/api/v2/users/{yourUserId}/authentication-methods/{yourAuthMethodID}' \
--header 'Authorization: bearer {yourAccessToken}'
Create an Authentication Method
You can create SMS, Email, OTP and WebAuthn Security Keys authentication methods with the Factor Management API.
Documentation for this API: Auth0 Management API v2
SMS
curl --request POST 'https://{yourDomain}/api/v2/users/{yourUserId}/authentication-methods' \
--header 'Authorization: bearer {yourAccessToken}' \
--header 'Content-Type: application/json' \
--data '{
"type":"phone",
"name":"SMS",
"phone_number":"+12223334444"
}'
Email
curl --request POST 'https://{yourDomain}/api/v2/users/{yourUserId}/authentication-methods' \
--header 'Authorization: bearer {yourAccessToken}' \
--header 'Content-Type: application/json' \
--data '{
"type":"email",
"name":"Email Factor",
"email":"user@example.com"
}'
If successful, you will receive a 201 response with the factor in the response body.
{
"type": "email",
"name": "Email Factor",
"created_at": "2023-01-01T00:00:00.000Z",
"email": "user@example.com",
"id": "email|dev_xTd8Mx7MLOgOkwww"
}
OTP
curl --location --request POST 'https://{yourDomain}/api/v2/users/auth0%7C63bf4e5d38784a1ddbde3235/authentication-methods' \
--header 'Authorization: bearer {yourAccessToken}' \
--header 'Content-Type: application/json' \
--data '{
"type":"totp",
"name":"OTP Application",
"totp_secret":"{yourSecret}"
}'
WebAuthn Roaming / Security Key
curl --request POST 'https://{yourDomain}/api/v2/users/{yourUserId}/authentication-methods' \
--header 'Authorization: bearer {yourAccessToken}' \
--header 'Content-Type: application/json' \
--data '{
"type":"webauthn_roaming",
"name":"WebAuthn Security Key",
"public_key":"{yourPublicKey}",
"key_id": "{yourKeyId}",
"relying_party_identifier":"{yourDomain}"
}'
Update Authentication Methods
You can replace all of a user’s authentication methods or update a single authentication method.
API to replace all of a user’s authentication methods: Auth0 Management API v2
API to update a single authentication method: Auth0 Management API v2
Here is an example of updating a single authentication method:
curl --location --request PATCH 'https://{yourDomain}/api/v2/users/auth0%7C63bf4e5d38784a1ddbde3235/authentication-methods/phone%7Cdev_ADQ2WUbR3yuWRwww' \
--header 'Authorization: bearer {yourAccessToken}' \
--header 'Content-Type: application/json' \
--data '{
"name":"Mobile SMS"
}'
If successful, you will receive a 200 OK status code along with the updated authentication method.
{
"type": "phone",
"name": "Mobile SMS",
"created_at": "2023-01-12T00:03:52.855Z",
"last_auth_at": "2023-01-12T00:04:05.157Z",
"phone_number": "+1 2223334444",
"preferred_authentication_method": "sms",
"id": "phone|dev_ADQ2WUbR3yuWRylx",
"authentication_methods": [
{
"id": "sms|ADQ2WUbR3yuWRwww",
"type": "sms"
}
]
}
Delete an Authentication Method
Documentation for this API: Auth0 Management API v2
All authentication method types can be deleted by ID.
curl --request DELETE 'https://{yourDomain}/api/v2/users/{yourUserId}/authentication-methods/{yourAuthMethodID}' \
--header 'Authorization: bearer {yourAccessToken}'
If successful, you will receive a 204 response code.
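The following is an added example, not Auth0's own code. It runs a pre-flight check before any of the calls above: it percent-encodes the `|` in user and method IDs (as in `auth0%7C...`) and checks that the token holds the scope from the Scopes table for the HTTP verb, reporting any other scopes it carries. It assumes the access token is a JWT with a space-delimited `scope` claim; the function names, `tenant.example.com`, and the sample token are constructed for illustration.

```python
import base64
import json
from urllib.parse import quote

# Scope needed per HTTP verb, from the Scopes table (only the verbs shown on this page).
REQUIRED_SCOPE = {
    "GET": "read:authentication_methods",
    "POST": "create:authentication_methods",
    "PATCH": "update:authentication_methods",
    "DELETE": "delete:authentication_methods",
}

def method_url(domain, user_id, method_id=None):
    """Build the endpoint URL, percent-encoding '|' and other reserved characters in IDs."""
    url = f"https://{domain}/api/v2/users/{quote(user_id, safe='')}/authentication-methods"
    if method_id is not None:
        url += "/" + quote(method_id, safe="")
    return url

def token_scopes(access_token):
    """Read the scope claim from the JWT payload. No signature check: this is a
    local pre-flight on your own token, not an authorization decision."""
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    return set(claims.get("scope", "").split())

def preflight(access_token, http_verb):
    """Return (allowed, excess): whether the token can make this call, and which
    scopes it holds beyond the single one the call needs (least-privilege view)."""
    needed = REQUIRED_SCOPE[http_verb.upper()]
    held = token_scopes(access_token)
    return needed in held, sorted(held - {needed})

def constructed_token(scope):
    """Constructed, unsigned sample token for the demo (not a real credential)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'scope': scope})}.sig"

if __name__ == "__main__":
    tok = constructed_token("read:authentication_methods delete:authentication_methods")
    print(method_url("tenant.example.com", "auth0|63bf4e5d38784a1ddbde3235",
                     "phone|dev_ADQ2WUbR3yuWRwww"))
    print(preflight(tok, "GET"))    # allowed, but the token also carries delete
    print(preflight(tok, "PATCH"))  # refused: update scope is missing
```

A non-empty second element is a prompt to issue a narrower token for the Machine to Machine Application rather than reuse a broad one.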