Validate MFA challenge ID

Authenticate the challenge ID (generated with /MFAChallenge.json) and token that was sent to your mobile device registered with In response, an mfaId value is generated and your API session is MFA trusted.

In your /MFAAuthenticate.json request, if you set rememberMe as true, the mfaId value is marked as trusted for 30 days. After 30 days, the MFA trusted session expires and you must use /MFAAuthenticate.json to generate a new mfaId.

Using /MFAAuthenticate.json is step three of signing in with an MFA trusted API session.

Multi-Factor Authentication (MFA)

The following protected endpoints require MFA for login with a trusted API session:

  • Invite a vendor (not in the network) with /SendVendorInvite.json
  • Invite a customer in the network with /SendInvite.json
  • Add a vendor bank account with /VendorBankAccount.json
  • Pay a vendor in the network with /PayBills.json

Note: See Multi-factor authentication (MFA)/2-step verification in the Help for more information about all the security measures in place for your account operations.

Signing in with an MFA trusted API session is a three-step process:

  1. Sign in to generate a sessionId value with /Login.json.
  2. Generate an MFA challenge ID with /MFAChallenge.json. When you call /MFAChallenge.json, a token is sent to your mobile device registered with
  3. Authenticate the challenge ID and token with /MFAAuthenticate.json. At this point, the sessionId (from step one) is MFA trusted.
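
The three-step flow above as a client-side guard that refuses calls to the protected endpoints until step three has completed. This is an added example, not code from the API's own documentation or SDK. The `post` transport, the `challengeId` and `token` field names and the response shapes are assumptions, and `fake_post` returns constructed values so the example runs offline.

```python
import time

PROTECTED = {"/SendVendorInvite.json", "/SendInvite.json",
             "/VendorBankAccount.json", "/PayBills.json"}
MFA_ID_LIFETIME = 30 * 24 * 3600  # rememberMe=true: mfaId trusted for 30 days


class MfaSession:
    """Tracks the three-step sign-in and blocks protected calls until step 3."""

    def __init__(self, post, now=time.time):
        self.post, self.now = post, now        # post(path, fields) -> dict (assumed)
        self.session_id = self.mfa_id = None
        self.trusted, self.mfa_expires = False, 0.0

    def login(self, **credentials):                         # step 1
        self.session_id = self.post("/Login.json", credentials)["sessionId"]
        self.trusted = False                   # a new sessionId starts untrusted

    def challenge(self):                                    # step 2
        reply = self.post("/MFAChallenge.json", {"sessionId": self.session_id})
        return reply["challengeId"]            # assumed response field name

    def authenticate(self, challenge_id, token, remember_me=False):  # step 3
        reply = self.post("/MFAAuthenticate.json", {
            "sessionId": self.session_id, "challengeId": challenge_id,
            "token": token, "rememberMe": remember_me})
        self.mfa_id, self.trusted = reply["mfaId"], True
        # Only a remembered mfaId carries the 30-day trust window.
        self.mfa_expires = self.now() + MFA_ID_LIFETIME if remember_me else 0.0

    def mfa_id_valid(self):
        """True while a remembered mfaId is inside its 30-day window."""
        return self.mfa_id is not None and self.now() < self.mfa_expires

    def call(self, path, fields):
        if path in PROTECTED and not self.trusted:
            raise PermissionError(f"{path} needs an MFA trusted session")
        return self.post(path, {"sessionId": self.session_id, **fields})


def fake_post(path, fields):
    """Constructed stand-in for the API so the example runs offline."""
    canned = {"/Login.json": {"sessionId": "S-constructed"},
              "/MFAChallenge.json": {"challengeId": "C-constructed"},
              "/MFAAuthenticate.json": {"mfaId": "M-constructed"}}
    return canned.get(path, {"called": path, "sent": fields})
```

When `mfa_id_valid()` turns false, the stored `mfaId` has passed its 30 days and the client has to run `/MFAAuthenticate.json` again to obtain a new one.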