Disable user MFA

POST https://app.speybooks.com/api/v1/admin/users/{id}/disable-mfa

Disable multi-factor authentication for a user who has lost access to their authenticator app. Clears totp_enabled, totp_verified, and totp_secret.

Returns 404 if the user does not exist or MFA is not currently enabled.

Side Effects

  • Writes USER_MFA_DISABLED to admin_audit_log

Security Note

This is a high-privilege operation. The audit trail records which admin disabled MFA and when. The user should be advised to re-enable MFA after regaining authenticator access.
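One way to review these audit entries for unusual use of the endpoint, as an added example that is not code from this API or its vendor: it flags an admin disabling their own MFA, and an admin disabling MFA for several distinct users within a short window. Only the USER_MFA_DISABLED action and the admin_audit_log name come from this page; the row fields (admin_id, target_user_id, created_at), the thresholds, and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows standing in for an export of admin_audit_log.
# Field names are assumed; the real schema is not documented on this page.
SAMPLE_ROWS = [
    {"action": "USER_MFA_DISABLED", "admin_id": "adm_1", "target_user_id": "usr_10", "created_at": "2025-01-06T09:00:00"},
    {"action": "USER_MFA_DISABLED", "admin_id": "adm_2", "target_user_id": "usr_20", "created_at": "2025-01-06T14:00:00"},
    {"action": "USER_MFA_DISABLED", "admin_id": "adm_2", "target_user_id": "usr_21", "created_at": "2025-01-06T14:05:00"},
    {"action": "USER_MFA_DISABLED", "admin_id": "adm_2", "target_user_id": "usr_22", "created_at": "2025-01-06T14:10:00"},
    {"action": "USER_MFA_DISABLED", "admin_id": "adm_3", "target_user_id": "adm_3", "created_at": "2025-01-07T02:00:00"},
    {"action": "USER_MFA_DISABLED", "admin_id": "adm_1", "target_user_id": "usr_11", "created_at": "2025-01-07T09:00:00"},
    {"action": "OTHER_ACTION", "admin_id": "adm_1"},  # placeholder for unrelated entries
]

def review_mfa_disables(rows, burst_threshold=3, window=timedelta(hours=1)):
    """Return (kind, admin_id, detail) findings for USER_MFA_DISABLED entries."""
    findings = []
    by_admin = defaultdict(list)
    for row in rows:
        if row["action"] != "USER_MFA_DISABLED":
            continue
        # An admin removing the second factor from their own account.
        if row["admin_id"] == row["target_user_id"]:
            findings.append(("self_disable", row["admin_id"], row["created_at"]))
        ts = datetime.fromisoformat(row["created_at"])
        by_admin[row["admin_id"]].append((ts, row["target_user_id"]))

    for admin, events in by_admin.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {user for _, user in events[start:end + 1]}
            if len(users) >= burst_threshold:
                findings.append(("burst", admin, sorted(users)))
                break  # one burst finding per admin is enough for triage
    return findings

if __name__ == "__main__":
    for finding in review_mfa_disables(SAMPLE_ROWS):
        print(finding)
```

The thresholds are starting points; a support team that handles many lost-authenticator requests will need a higher burst_threshold than a small deployment.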

Path parameters

id string required
User ID whose MFA to disable.

Response

200 MFA disabled. TOTP secret cleared.

Error codes

400 Invalid user ID.
404 User not found or MFA not enabled.