> ## Documentation Index
> Fetch the complete documentation index at: https://docs.flowxi.app/llms.txt
> Use this file to discover all available pages before exploring further.

# Verify login 2FA (step 2)

> Validates TOTP and issues a token (enforces 1 token/device). Challenge bound to IP + User-Agent + device_id.




## OpenAPI

````yaml api-reference/openapi.yaml post /api/v1/auth/2fa/verify-login
openapi: 3.0.3
info:
  title: Flowxi API Documentation
  version: 1.0.0
servers:
  - url: https://api.flowxi.app
security:
  - bearerAuth: []
tags:
  - name: Health
    description: Service healthcheck.
  - name: Registration
    description: Registration flows (magic link + email OTP).
  - name: Auth
    description: Login and session management.
  - name: Two-factor authentication
    description: TOTP 2FA endpoints (login verification + manage 2FA).
  - name: Devices
    description: Session/device listing and revocation.
  - name: Me
    description: Profile of the authenticated user (Sanctum session).
paths:
  /api/v1/auth/2fa/verify-login:
    post:
      tags:
        - Two-factor authentication
      summary: Verify login 2FA (step 2)
      description: >
        Validates TOTP and issues a token (enforces 1 token/device). Challenge
        bound to IP + User-Agent + device_id.
      operationId: postApiV1Auth2faVerifyLogin
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - challenge_id
                - code
              properties:
                challenge_id:
                  type: string
                  format: uuid
                  example: 6ff8f7f6-1eb3-3525-be4a-3932c805afed
                code:
                  type: string
                  example: '123456'
      responses:
        '200':
          description: Token issued.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenIssuedResponse'
        '400':
          description: >-
            Challenge invalid (binding mismatch / user invalid / missing
            device_id).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiError'
              example:
                code: MFA_CHALLENGE_INVALID
                message: Invalid challenge.
        '403':
          description: Invalid TOTP code.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiError'
              example:
                code: MFA_CODE_INVALID
                message: Invalid 2FA code.
        '410':
          description: Challenge expired or missing.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiError'
              example:
                code: MFA_CHALLENGE_GONE
                message: Challenge expired.
        '429':
          description: Too many attempts.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiError'
              example:
                code: MFA_TOO_MANY_ATTEMPTS
                message: Too many attempts.
        '500':
          $ref: '#/components/responses/ServerError'
      security: []
components:
  schemas:
    TokenIssuedResponse:
      allOf:
        - $ref: '#/components/schemas/ApiOkBase'
        - type: object
          required:
            - access_token
            - token_type
            - user_id
            - account_status
          properties:
            access_token:
              type: string
              description: Bearer token (plain text). Shown only once.
              example: 125|XXXXXXXXXXXXXXXXXXXXXXXX
            token_type:
              type: string
              example: Bearer
            user_id:
              type: integer
              example: 123
            account_status:
              type: string
              example: active
      example:
        code: TOKEN_ISSUED
        message: Token issued.
        access_token: 125|XXXXXXXXXXXXXXXXXXXXXXXX
        token_type: Bearer
        user_id: 123
        account_status: active
    ApiError:
      type: object
      required:
        - code
        - message
      properties:
        code:
          type: string
          description: Machine-readable error code.
          example: UNAUTHENTICATED
        message:
          type: string
          description: Localized, user-facing message.
          example: Unauthenticated.
    ApiOkBase:
      type: object
      required:
        - code
        - message
      properties:
        code:
          type: string
          example: OK
        message:
          type: string
          example: OK
  responses:
    ServerError:
      description: Server error.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiError'
          example:
            code: SERVER_ERROR
            message: Server error.
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: Sanctum

````