2FAuth is built on top of its own REST API (which follows the OpenAPI 3.1 specification), so any other app can use that API to communicate with 2FAuth.
The API provides endpoints to manage most of the 2FAuth resources:
| Resource | Description |
|---|---|
| twofaccounts | The 2FA accounts stored in 2FAuth which you need to generate One-Time Passwords (OTP) |
| one-time password | The One-Time Passwords (TOTP or HOTP) generated on demand |
| groups | The groups used to organize 2FA accounts in 2FAuth |
| qrcode | Two-dimensional barcode used to encode/share 2FA accounts |
| icons | Images used to illustrate 2FA accounts in 2FAuth |
| settings | The 2FAuth user settings, which can be extended with custom settings |
You authenticate to the 2FAuth API with a Personal Access Token (PAT) built upon the OAuth Bearer authentication scheme (see RFC 6750). That means the PAT has to be passed via the HTTP Authorization header in every request made to the API.
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiIxIiwianRpIjoiMzZjOTc5NmFlZGI2OGQyYmE2YTIyMTE0NTN
As 2FAuth is designed to be used by a single user, the PAT grants access to all resources without restriction; there is no scope defined. A PAT is valid until you decide to revoke it.
Creating an access token
Open the 2FAuth Settings > OAUTH section and click the Generate a new token link to generate a new token.
The token will only be shown once, right after its creation, so copy it immediately because you won't be able to display it again.
Revoking a token
You can revoke a personal access token by simply clicking its button in the Settings > OAUTH section. A request made with a revoked token will receive a 401 Unauthorized response.
The revocation of a token is permanent and cannot be undone.
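The following client sketch is an added example, not code from the 2FAuth project: it sends the PAT in the Authorization header as described above and turns the 401 Unauthorized returned for a revoked token into a distinct error. The route `/api/v1/twofaccounts`, the helper names and the stub server with its sample response are assumptions made for illustration; confirm the real route in your instance's API documentation.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

API_PATH = "/api/v1/twofaccounts"  # assumed route, not stated on this page


class TokenRejected(Exception):
    """The API answered 401: the PAT is revoked, mistyped or missing."""


def list_accounts(base_url, pat):
    """GET the twofaccounts collection, sending the PAT as a Bearer token."""
    parts = urlsplit(base_url)
    # The PAT has no scope and no expiry: never send it over cleartext HTTP.
    # Loopback is allowed so the constructed stub below can be used for testing.
    if parts.scheme != "https" and parts.hostname not in ("127.0.0.1", "localhost"):
        raise ValueError("refusing to send a bearer token over plain HTTP")
    req = urllib.request.Request(
        base_url.rstrip("/") + API_PATH,
        headers={"Authorization": f"Bearer {pat}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 401:
            raise TokenRejected("401 Unauthorized: generate a new token") from None
        raise


def start_stub(valid_pat):
    """Constructed stand-in for a 2FAuth server: 401 unless the PAT matches."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            ok = self.headers.get("Authorization") == f"Bearer {valid_pat}"
            body = b'[{"id": 1, "service": "example"}]' if ok else b"{}"
            self.send_response(200 if ok else 401)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the stub quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server
```

In real use, read the PAT from an environment variable or a secrets store rather than embedding it in source, since the token is shown only once and grants access to every resource.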
The API has its own dedicated documentation that you can browse in a lightweight format below.
You may also use the fullscreen format which provides a more comfortable layout and modern features like advanced search, mocking and more: