Skip to main content
POST
/
v1
/
b2b
/
totp
C#
// POST /v1/b2b/totp
const stytch = require('stytch');

const client = new stytch.B2BClient({
  project_id: '${projectId}',
  secret: '${secret}',
});

const params = {
  organization_id: "${organizationId}",
  member_id: "${memberId}",
};

client.TOTPs.Create(params)
  .then(resp => { console.log(resp) })
  .catch(err => { console.log(err) });
{
  "request_id": "<string>",
  "member_id": "<string>",
  "totp_registration_id": "<string>",
  "secret": "<string>",
  "qr_code": "<string>",
  "recovery_codes": [
    "<string>"
  ],
  "member": {
    "organization_id": "<string>",
    "member_id": "<string>",
    "email_address": "<string>",
    "status": "<string>",
    "name": "<string>",
    "sso_registrations": [
      {
        "connection_id": "<string>",
        "external_id": "<string>",
        "registration_id": "<string>",
        "sso_attributes": {}
      }
    ],
    "is_breakglass": true,
    "member_password_id": "<string>",
    "oauth_registrations": [
      {
        "provider_type": "<string>",
        "provider_subject": "<string>",
        "member_oauth_registration_id": "<string>",
        "profile_picture_url": "<string>",
        "locale": "<string>"
      }
    ],
    "email_address_verified": true,
    "mfa_phone_number_verified": true,
    "is_admin": true,
    "totp_registration_id": "<string>",
    "retired_email_addresses": [
      {
        "email_id": "<string>",
        "email_address": "<string>"
      }
    ],
    "is_locked": true,
    "mfa_enrolled": true,
    "mfa_phone_number": "<string>",
    "default_mfa_method": "<string>",
    "roles": [
      {
        "role_id": "<string>",
        "sources": [
          {
            "type": "<string>",
            "details": {}
          }
        ]
      }
    ],
    "trusted_metadata": {},
    "untrusted_metadata": {},
    "created_at": "<string>",
    "updated_at": "<string>",
    "scim_registration": {
      "connection_id": "<string>",
      "registration_id": "<string>",
      "external_id": "<string>",
      "scim_attributes": {
        "user_name": "<string>",
        "id": "<string>",
        "external_id": "<string>",
        "active": true,
        "groups": [
          {
            "value": "<string>",
            "display": "<string>"
          }
        ],
        "display_name": "<string>",
        "nick_name": "<string>",
        "profile_url": "<string>",
        "user_type": "<string>",
        "title": "<string>",
        "preferred_language": "<string>",
        "locale": "<string>",
        "timezone": "<string>",
        "emails": [
          {
            "value": "<string>",
            "type": "<string>",
            "primary": true
          }
        ],
        "phone_numbers": [
          {
            "value": "<string>",
            "type": "<string>",
            "primary": true
          }
        ],
        "addresses": [
          {
            "formatted": "<string>",
            "street_address": "<string>",
            "locality": "<string>",
            "region": "<string>",
            "postal_code": "<string>",
            "country": "<string>",
            "type": "<string>",
            "primary": true
          }
        ],
        "ims": [
          {
            "value": "<string>",
            "type": "<string>",
            "primary": true
          }
        ],
        "photos": [
          {
            "value": "<string>",
            "type": "<string>",
            "primary": true
          }
        ],
        "entitlements": [
          {
            "value": "<string>",
            "type": "<string>",
            "primary": true
          }
        ],
        "roles": [
          {
            "value": "<string>",
            "type": "<string>",
            "primary": true
          }
        ],
        "x509certificates": [
          {
            "value": "<string>",
            "type": "<string>",
            "primary": true
          }
        ],
        "name": {
          "formatted": "<string>",
          "family_name": "<string>",
          "given_name": "<string>",
          "middle_name": "<string>",
          "honorific_prefix": "<string>",
          "honorific_suffix": "<string>"
        },
        "enterprise_extension": {
          "employee_number": "<string>",
          "cost_center": "<string>",
          "division": "<string>",
          "department": "<string>",
          "organization": "<string>",
          "manager": {
            "value": "<string>",
            "ref": "<string>",
            "display_name": "<string>"
          }
        }
      }
    },
    "external_id": "<string>",
    "lock_created_at": "<string>",
    "lock_expires_at": "<string>"
  },
  "organization": {
    "organization_id": "<string>",
    "organization_name": "<string>",
    "organization_logo_url": "<string>",
    "organization_slug": "<string>",
    "sso_jit_provisioning": "<string>",
    "sso_jit_provisioning_allowed_connections": [
      "<string>"
    ],
    "sso_active_connections": [
      {
        "connection_id": "<string>",
        "display_name": "<string>",
        "identity_provider": "<string>"
      }
    ],
    "email_allowed_domains": [
      "<string>"
    ],
    "email_jit_provisioning": "<string>",
    "email_invites": "<string>",
    "auth_methods": "<string>",
    "allowed_auth_methods": [
      "<string>"
    ],
    "mfa_policy": "<string>",
    "rbac_email_implicit_role_assignments": [
      {
        "domain": "<string>",
        "role_id": "<string>"
      }
    ],
    "mfa_methods": "<string>",
    "allowed_mfa_methods": [
      "<string>"
    ],
    "oauth_tenant_jit_provisioning": "<string>",
    "claimed_email_domains": [
      "<string>"
    ],
    "first_party_connected_apps_allowed_type": "<string>",
    "allowed_first_party_connected_apps": [
      "<string>"
    ],
    "third_party_connected_apps_allowed_type": "<string>",
    "allowed_third_party_connected_apps": [
      "<string>"
    ],
    "custom_roles": [
      {
        "role_id": "<string>",
        "description": "<string>",
        "permissions": [
          {
            "resource_id": "<string>",
            "actions": [
              "<string>"
            ]
          }
        ]
      }
    ],
    "trusted_metadata": {},
    "created_at": "<string>",
    "updated_at": "<string>",
    "organization_external_id": "<string>",
    "sso_default_connection_id": "<string>",
    "scim_active_connection": {
      "connection_id": "<string>",
      "display_name": "<string>",
      "bearer_token_last_four": "<string>",
      "bearer_token_expires_at": "<string>"
    },
    "allowed_oauth_tenants": {}
  },
  "status_code": 123
}
This endpoint returns a QR code and secret, either of which can be used to set up a TOTP authenticator application. If the already has an active MFA factor, then passing an intermediate session token, session token, or session JWT with the existing MFA factor on it is required to prevent bypassing MFA. Otherwise, passing an intermediate session token, session token, or session JWT is not required, but if passed must match the member_id passed.

Authorizations

Authorization
string
header
required

Basic authentication header of the form Basic <encoded-value>, where <encoded-value> is the base64-encoded string username:password.

Body

application/json

Request type

organization_id
string
required

Globally unique UUID that identifies a specific Organization. The organization_id is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.

member_id
string
required

Globally unique UUID that identifies a specific Member. The member_id is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.

expiration_minutes
integer<int32>

The expiration for the TOTP registration. If the newly created TOTP registration is not authenticated within this time frame the member will have to restart the registration flow. Defaults to 60 (1 hour) with a minimum of 5 and a maximum of 1440.

intermediate_session_token
string

The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the OTP SMS Authenticate endpoint, TOTP Authenticate endpoint, or Recovery Codes Recover endpoint to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the Exchange Intermediate Session endpoint to join a specific Organization that allows the factors represented by the intermediate session token; or the Create Organization via Discovery endpoint to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes.

session_token
string

A secret token for a given Stytch Session.

session_jwt
string

The JSON Web Token (JWT) for a given Stytch Session.

Response

Successful response

request_id
string
required

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

member_id
string
required

Globally unique UUID that identifies a specific Member.

totp_registration_id
string
required

The unique ID for a TOTP instance.

secret
string
required

The TOTP secret key shared between the authenticator app and the server used to generate TOTP codes.

qr_code
string
required

The QR code image encoded in base64.

recovery_codes
string[]
required

An array of recovery codes that can be used to recover a Member's account.

member
object
required
organization
object
required
status_code
integer<int32>
required

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.