Authenticate the challenge ID (generated with /MFAChallenge.json) and token that was sent to your mobile device registered with Bill.com. In response, an mfaId value is generated and your API session is MFA trusted.
In your /MFAAuthenticate.json request, if you set rememberMe as true, the mfaId value is marked as trusted for 30 days. After 30 days, the MFA trusted session expires and you must use /MFAAuthenticate.json to generate a new mfaId.
Using /MFAAuthenticate.json is step three of signing in with an MFA trusted API session.
Multi-Factor Authentication (MFA)
The following protected endpoints require MFA for login with a trusted API session:
- Invite a vendor (not in the Bill.com network) with
/SendVendorInvite.json - Invite a customer in the Bill.com network with
/SendInvite.json - Add a vendor bank account with
/VendorBankAccount.json - Pay a vendor in the Bill.com network with
/PayBills.json
Note: See Multi-factor authentication (MFA)/2-step verification in the Bill.com Help for more information about all the security measures in place for your Bill.com account operations.
Sign in with an MFA trusted API session is a three-step process:
- Sign in to generate a
sessionIdvalue with/Login.json. - Generate an MFA challenge ID with
/MFAChallenge.json. When you call/MFAChallenge.json, a token is sent to your mobile device registered with Bill.com. - Authenticate the challenge ID and token with
/MFAAuthenticate.json. At this point, thesessionId(from step one) is MFA trusted.