Method: accounts.mfaEnrollment.start

Step one of the MFA enrollment process. In SMS case, this sends an SMS verification code to the user.

HTTP request

POST https://identitytoolkit.googleapis.com/v2/accounts/mfaEnrollment:start

The URL uses gRPC Transcoding syntax.

Request body

The request body contains data with the following structure:

JSON representation 
{
  "idToken": string,
  "tenantId": string,

  // Union field enrollment_info can be only one of the following:
  "phoneEnrollmentInfo": {
    object (StartMfaPhoneRequestInfo)
  },
  "totpEnrollmentInfo": {
    object (StartMfaTotpEnrollmentRequestInfo)
  }
  // End of list of possible types for union field enrollment_info.
}
Fields
idToken

string

Required. User's ID token.
tenantId

string

The ID of the Identity Platform tenant that the user enrolling MFA belongs to. If not set, the user belongs to the default Identity Platform project.
Union field enrollment_info. MFA information by type of 2nd factor. enrollment_info can be only one of the following:
phoneEnrollmentInfo

object (StartMfaPhoneRequestInfo)

Verification info to authorize sending an SMS for phone verification.
totpEnrollmentInfo

object (StartMfaTotpEnrollmentRequestInfo)

Sign-in info specific to TOTP auth.

Response body

mfaEnrollment.start response.

If successful, the response body contains data with the following structure:

JSON representation 
{

  // Union field enrollment_response can be only one of the following:
  "phoneSessionInfo": {
    object (StartMfaPhoneResponseInfo)
  },
  "totpSessionInfo": {
    object (StartMfaTotpEnrollmentResponseInfo)
  }
  // End of list of possible types for union field enrollment_response.
}
Fields
Union field enrollment_response. MFA start enrollment response by 2nd factor type. enrollment_response can be only one of the following:
phoneSessionInfo

object (StartMfaPhoneResponseInfo)

Verification info to authorize sending an SMS for phone verification.
totpSessionInfo

object (StartMfaTotpEnrollmentResponseInfo)

Enrollment response info specific to TOTP auth.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/identitytoolkit
  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

StartMfaTotpEnrollmentRequestInfo

This type has no fields.

Mfa request info specific to TOTP auth for StartMfa.

StartMfaTotpEnrollmentResponseInfo

Mfa response info specific to TOTP auth for StartMfa.

JSON representation 
{
  "sharedSecretKey": string,
  "verificationCodeLength": integer,
  "hashingAlgorithm": string,
  "periodSec": integer,
  "sessionInfo": string,
  "finalizeEnrollmentTime": string
}
Fields
sharedSecretKey

string

A base 32 encoded string that represents the shared TOTP secret.

The base 32 encoding is the one specified by RFC4648#section-6. (This is the same as the base 32 encoding from RFC3548#section-5.)
verificationCodeLength

integer

The length of the verification code that needs to be generated.
hashingAlgorithm

string

The hashing algorithm used to generate the verification code.
periodSec

integer

Duration in seconds at which the verification code will change.
sessionInfo

string

An encoded string that represents the enrollment session.
finalizeEnrollmentTime

string (Timestamp format)

The time by which the enrollment must finish.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".