What parameters does POST /V1/tfa/provider/u2fkey/authentication-challenge accept?

This endpoint accepts 2 parameters: username (string) required; password (string) required.

Does POST /V1/tfa/provider/u2fkey/authentication-challenge require authentication?

This endpoint can be called anonymously — no Authorization header required.

POSTTwoFactorAuth · Magento 2.4.9 Anonymous

POST /V1/tfa/provider/u2fkey/authentication-challenge

Q: What does the POST /V1/tfa/provider/u2fkey/authentication-challenge endpoint do in Magento 2?

POST /V1/tfa/provider/u2fkey/authentication-challenge is a Magento 2 REST endpoint in the TwoFactorAuth module. Get the information to initiate a WebAuthn registration ceremony. Callable anonymously — no Authorization header required.

Q: What does POST /V1/tfa/provider/u2fkey/authentication-challenge return?

The endpoint returns Magento\TwoFactorAuth\Api\Data\U2fWebAuthnRequestInterface.

POST /V1/tfa/provider/u2fkey/authentication-challenge is a Magento 2 REST endpoint in the TwoFactorAuth module. Get the information to initiate a WebAuthn registration ceremony. Callable anonymously — no Authorization header required.

Last verified: 2026-05-23 against Magento 2.4.9.

Returns

Magento\TwoFactorAuth\Api\Data\U2fWebAuthnRequestInterface

Service contract

Magento\TwoFactorAuth\Api\U2fKeyAuthenticateInterface::getAuthenticationData

Authorization

Anonymous — no Authorization header required.

Body parameters

username string Required

password string Required

Example request

Auto-generated from the service contract — paste-ready against your store's /rest/default base. Replace the host, store code, ACL token, and any required values before running.

Headers

application/json

Content-Type

application/json

Path

/V1/tfa/provider/u2fkey/authentication-challenge

Body

{
  "password": "",
  "username": ""
}

Related in TwoFactorAuth

Other endpoints shipped by the same module.

POST

/V1/integration/admin/token

Anonymous

TwoFactorAuth · Magento\TwoFactorAuth\Api\AdminTokenServiceInterface::createAdminAccessToken

→

GET

/V1/tfa/default-provider-code/:userId

Get default provider

TwoFactorAuth · Magento\TwoFactorAuth\Api\UserConfigManagerInterface::getDefaultProvider

→

PUT

/V1/tfa/default-provider-code/:userId

Set default provider code

TwoFactorAuth · Magento\TwoFactorAuth\Api\TfaInterface::setDefaultProviderCode

→

GET

/V1/tfa/forced-providers

Retrieve forced providers list

TwoFactorAuth · Magento\TwoFactorAuth\Api\TfaInterface::getForcedProviders

→

GET

/V1/tfa/installed-providers

Get a list of providers

TwoFactorAuth · Magento\TwoFactorAuth\Api\TfaInterface::getAllProviders

→

POST

/V1/tfa/provider/authy/activate

Anonymous

Activate the provider and get an admin token

TwoFactorAuth · Magento\TwoFactorAuth\Api\AuthyConfigureInterface::activate

→

Every Magento dev tool, in one hosted workspace.

Free to sign up. Nothing to install. Drafts, audits, and projects saved across every tool.

Open app →