Initialize the MFA. For internal use.

POST /authentication/otp/initialize

This API starts the Multi-Factor Authentication process. It requires the partial AuthToken from the Authentication call. The Controller will initiate the flow and return the details required to continue MFA.

Security
HTTP, type: bearer
Body parameters

Optional MFA initialization details.

object
userPassword
string

Some MFA configurations require the user password, along with the multi-factor, in order to authenticate the user. Otherwise not required.

Example: tSW3!QBv(rj{UuLY
Responses
200

MFA initialization response.

object
type
string

The type of the Multi-Factor Authentication.

  • 'AlreadySeeded': The MFA provider is the built-in Time-based OTP provider and the user already has a seed in the system. OTP is required on the next step.
  • 'Secret': The MFA provider is the built-in Time-based OTP provider and this is the first time the user is doing MFA. It includes details about the seed. OTP is required on the next step.
  • 'Challenge': The MFA provider is a RADIUS provider. It might include a challenge that needs to be sent back. OTP is required on the next step.
  • 'Push': The MFA provider is a RADIUS provider but the authentication is done externally, such as a mobile app that prompts. Send a dummy OTP right away to trigger the external authentication.
Valid values: [ "AlreadySeeded", "Secret", "Challenge", "Push" ]
secret
string

The seed for the built-in Time-based OTP provider. Used when configuring TOTP apps manually. Only available in Secret type.

Example: 6XOEKS6WZASFPA5A
otpAuthUrl
string

A URL for triggering TOTP apps directly and configuring an entry automatically. Only available in Secret type.

Example: otpauth://totp/admin@local@appgate.company.com?secret=6XOEKS6WZASFPA5A&issuer=Appgate%20SDP
barcode
string (byte)

The barcode image in jpg format. Base64 encoded. Only available in Secret type.

responseMessage
string

A message from the RADIUS MFA provider. Only available in Challenge type.

Example: Please enter enter 1234 to your token.
state
string (byte)

State sent by the RADIUS MFA provider as a challenge. It needs to be sent back during MFA authentication. Only available in Challenge type.

timeout
number

How long the Controller waits for the RADIUS response. Especially useful for external authentication mechanisms. Clients that wait for less than this timeout will fail with a wrong error. Only available in Challenge and Push type.

Example: 10.0
sendPassword
boolean

Whether the RADIUS MFA provider expects the user password for authentication. If true, the user password needs to be sent as otp instead of a dummy value. Only available in Push type.
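
An added client-side example (not part of the Appgate documentation or its code) showing how a caller might validate a 200 response and decide what to send as otp on the next step. The names plan_next_step, ALLOWED, TYPE_SCOPED and client_timeout, the shape of the returned plan dict, and the choice to reject fields that do not belong to the reported type are all assumptions of this example.

```python
from urllib.parse import urlsplit, parse_qs

# Fields the page lists as "only available" for particular type values.
ALLOWED = {
    "AlreadySeeded": set(),
    "Secret": {"secret", "otpAuthUrl", "barcode"},
    "Challenge": {"responseMessage", "state", "timeout"},
    "Push": {"timeout", "sendPassword"},
}
TYPE_SCOPED = set().union(*ALLOWED.values())

def plan_next_step(resp, client_timeout=5.0):
    """Validate an initialize response and plan the MFA authentication step.
    The returned dict is this example's own structure, not an API schema."""
    mfa_type = resp.get("type")
    if mfa_type not in ALLOWED:
        raise ValueError(f"unexpected MFA type: {mfa_type!r}")
    stray = (TYPE_SCOPED & set(resp)) - ALLOWED[mfa_type]
    if stray:
        raise ValueError(f"fields not valid for {mfa_type}: {sorted(stray)}")
    plan = {"type": mfa_type, "otp_source": "user_prompt", "state": None,
            "prompt": None, "timeout": client_timeout}
    if mfa_type == "Secret" and "otpAuthUrl" in resp:
        # The enrolment URL must carry the same seed as the "secret" field.
        url = urlsplit(resp["otpAuthUrl"])
        seeds = parse_qs(url.query).get("secret", [])
        if (url.scheme, url.netloc) != ("otpauth", "totp") or seeds != [resp.get("secret")]:
            raise ValueError("otpAuthUrl does not match the returned secret")
    elif mfa_type == "Challenge":
        plan["state"] = resp.get("state")  # sent back unchanged with the OTP
        plan["prompt"] = resp.get("responseMessage")
    elif mfa_type == "Push":
        # Nothing to type: send the password if requested, else a dummy value.
        plan["otp_source"] = "user_password" if resp.get("sendPassword") else "dummy"
    if mfa_type in ("Challenge", "Push") and "timeout" in resp:
        # A client that gives up before the Controller does fails with a wrong error.
        plan["timeout"] = max(client_timeout, float(resp["timeout"]))
    return plan

# Constructed sample responses; the Secret values are the page's own examples.
SECRET_RESP = {
    "type": "Secret",
    "secret": "6XOEKS6WZASFPA5A",
    "otpAuthUrl": "otpauth://totp/admin@local@appgate.company.com"
                  "?secret=6XOEKS6WZASFPA5A&issuer=Appgate%20SDP",
}
PUSH_RESP = {"type": "Push", "timeout": 10.0, "sendPassword": True}
if __name__ == "__main__":
    for sample in (SECRET_RESP, PUSH_RESP):
        print(plan_next_step(sample))
```

The secret, otpAuthUrl and barcode values are enrolment material for the user's TOTP seed, so a caller using a plan like this should keep them out of logs and error reports.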

400

JSON error. Check the JSON format.

object

Generic HTTP error.

id
string

Machine readable error code.

message
string

Human readable error details.

401

Token error. Login again.

object

Generic HTTP error.

id
string

Machine readable error code.

message
string

Human readable error details.

406

Invalid 'Accept' header.

object

Generic HTTP error.

id
string

Machine readable error code.

message
string

Human readable error details.

422

Request validation error. Check "errors" array for details.

object

HTTP 422 error for object validation.

id
string

Machine readable error code.

message
string

Human readable error details.

errors
Array of object

List of fields with validation errors.

object
field
string

Name of the field that failed validation.

Example: name
message
string

Failure reason.

Example: may not be null
500

Unexpected server side error.

object

Generic HTTP error.

id
string

Machine readable error code.

message
string

Human readable error details.