Setup OTP
POST /web/v1/users/self/security/mfa/otp/setup
JWT
Initializes TOTP (Time-based One-Time Password) setup by generating a secret key and QR code URI for the user's authenticator app. The secret is only returned once.
Authentication
Auth Chain: WEB Chain — requires Authorization: Bearer <jwt>
These headers are injected by the system (frontend does nothing): X-PORTAL-ACCESS-CODE (Nginx), X-Request-Id (Gateway)
Request Parameters
No request parameters required.
Success Response
Success 200
{
  "version": "1.3.0",
  "timestamp": 1709337600000,
  "success": true,
  "code": "2000",
  "message": "SUCCESS",
  "data": {
    "secret": "JBSWY3DPEHPK3PXP",
    "qrCodeUri": "otpauth://totp/SlaunchX:user@example.com?secret=JBSWY3DPEHPK3PXP&issuer=SlaunchX",
    "issuer": "SlaunchX",
    "accountName": "user@example.com"
  }
}
Error Responses
Unauthorized 401
{
  "success": false,
  "code": "4010",
  "message": "Invalid or expired token"
}
Notes
- The secret and QR code URI are only returned once.
- After verification, the secret is encrypted and stored; it cannot be retrieved again.
- Use the QR code URI with any TOTP-compatible authenticator app.
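Example (added here, not part of the SlaunchX API or its client code): a client-side check that parses the returned qrCodeUri, confirms it agrees with the other response fields before a QR code is rendered, and computes the RFC 6238 code an authenticator app would show. SHA-1, 6 digits and a 30-second period are assumptions, since the response does not state them; the function names are illustrative.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import urlsplit, parse_qs, unquote

def b32_key(secret):
    """Decode a base32 secret; raises binascii.Error (a ValueError) if malformed."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def parse_otpauth(uri, expected_issuer):
    """Validate an otpauth://totp provisioning URI and return its fields."""
    u = urlsplit(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    prefix, sep, account = unquote(u.path.lstrip("/")).partition(":")
    if not sep:                      # label without an issuer prefix
        prefix, account = "", prefix
    issuer = q.get("issuer", prefix)
    # Label prefix and issuer parameter must agree with each other and with
    # the issuer the client expects, or the app shows a misleading entry.
    if issuer != expected_issuer or (prefix and prefix != issuer):
        raise ValueError("issuer mismatch")
    if not b32_key(q.get("secret", "")):
        raise ValueError("missing secret")
    return {"issuer": issuer, "account": account, "secret": q["secret"]}

def totp(secret, at=None, digits=6, period=30, digest=hashlib.sha1):
    """RFC 6238 code for `secret` at Unix time `at` (defaults are assumed)."""
    counter = int(time.time() if at is None else at) // period
    mac = hmac.new(b32_key(secret), struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F          # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

if __name__ == "__main__":
    # Sample values copied from the success response above.
    data = {
        "secret": "JBSWY3DPEHPK3PXP",
        "qrCodeUri": "otpauth://totp/SlaunchX:user@example.com"
                     "?secret=JBSWY3DPEHPK3PXP&issuer=SlaunchX",
        "issuer": "SlaunchX",
        "accountName": "user@example.com",
    }
    fields = parse_otpauth(data["qrCodeUri"], data["issuer"])
    assert fields["secret"] == data["secret"]
    assert fields["account"] == data["accountName"]
    # Show only the derived code; the secret itself is never logged or stored.
    print("current code:", totp(fields["secret"]))
```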