Security and Invitations

When To Use It

Use this flow when the UI manages MFA, security preferences, backup-code state, or invitation inbox actions.

Prerequisites

1. valid JWT session
2. valid X-Client-Hash
3. Secure Channel for sensitive mutations

Call Sequence

1. read security config and MFA state
2. create Secure Channel for protected mutations
3. enable or disable MFA methods as needed
4. load invitation inbox separately from onboarding

Branch Decisions

1. MFA already configured or not
2. OTP setup or email method path
3. invitation accept, decline, or defer

Common Failures

1. mutation attempted without Secure Channel
2. invitation inbox expected from onboarding payload
3. wrong portal or session context
4. stale X-Client-Hash

Reference Entry