SMS MFA API
Account API endpoints for SMS MFA enrolment, verification, and step-up challenges
SMS MFA delivers one-time codes to a user's verified phone number. Enrolment follows the same POST → PUT pattern as TOTP. Step-up challenges during OAuth consent use internal endpoints called by the auth app.
Authentication
| API | Token | Base URL |
|---|---|---|
| Account API | User access token | https://TENANT.api.wocha.ai/v1/account |
| Internal API | Service secret (x-internal-service-secret) | https://TENANT.api.wocha.ai/v1/internal |
Account API endpoints require a user OAuth access token. Internal step-up endpoints are called by the auth app only.
Prerequisites
- SMS enabled and
mfa_enabled: truein tenant SMS settings - User has a verified phone number on their identity (
PUT /v1/account/phone) smsincluded in tenant MFA policyallowed_factors
SMS MFA enrolment flow
Start SMS MFA enrolment
Response 201 Created:
Sends an OTP to the user's verified phone number. Pending enrolment expires after 15 minutes.
Errors:
| Status | Code | When |
|---|---|---|
422 | validation_error | No verified phone number on identity |
409 | conflict | SMS MFA already enrolled |
503 | service_unavailable | SMS MFA not enabled for tenant |
429 | rate_limited | Rate limit exceeded |
Verify and activate SMS MFA
Response 200 OK:
On success, the SMS code credential is activated in Kratos with via: sms and the
pending enrolment is cleared.
Errors:
| Status | Code | When |
|---|---|---|
422 | validation_error | Invalid code, expired enrolment, or max attempts |
404 | not_found | No pending SMS MFA enrolment — call POST first |
409 | conflict | SMS MFA already enrolled |
Remove SMS MFA
Response 200 OK:
Removes the SMS code credential from the identity. The verified phone number trait is
retained — remove it separately via DELETE /v1/account/phone if needed.
Step-up challenge flow
During OAuth consent, when SMS is the preferred MFA factor and the session is at AAL1, the auth app calls internal endpoints:
The auth app marks the Kratos session as AAL2-equivalent in Valkey after successful verification, allowing consent to proceed without native Kratos code MFA.
SDK usage
React hooks
REST API
cURL
Factor prioritisation
When multiple MFA factors are enrolled, Wocha challenges the strongest factor by default:
WebAuthn > TOTP > SMS > Email
Override with preferred_factor: "sms" in the tenant MFA policy. SMS step-up uses the
Wocha gateway verify page (/sms-verify) rather than native Kratos AAL2.
Security notes
SMS OTP is classified as a restricted authenticator under NIST SP 800-63B section 5.1.3.3. Wocha supports it for broad device compatibility but recommends TOTP or WebAuthn for high-security applications. See the SMS authentication guide for full security documentation.
Related
- Phone API — verify a phone number before SMS MFA enrolment
- MFA API — TOTP enrolment and MFA status
- Adaptive MFA — phone risk signals at consent time
- Step-up authentication — request AAL2 via
acr_values