Revoke OTP
POST
/web/v1/users/self/security/mfa/otp/revoke JWTPermanently revokes OTP-based MFA for the authenticated user. Deletes the OTP secret and removes the OTP method. If OTP was the last MFA method, account-level MFA is automatically disabled. Returns 204 No Content.
Required Headers
| Header | Example Value | Description |
|---|---|---|
| Content-Type | application/json | Request content type |
| Accept | application/json | Expected response type |
| X-Client-Hash | Client device fingerprint | |
| Accept-Language | en, zh, zh-Hant, ja, vi | Response language (default: en) |
| Authorization | Bearer | JWT access token |
Request Parameters
No request parameters required.
Success Response
No Content 204
Error Responses
Unauthorized 401
{
"success": false,
"code": "4010",
"message": "Invalid or expired token"
}Notes
- Returns HTTP 204 No Content on success.
- Completely removes OTP configuration — to re-enable OTP, the user must go through setup and verify again.
- If this was the only MFA method, account-level MFA is automatically disabled.
- Rate limited to 5 requests per 300-second window.