OAuth2 authentication requires two factor authentication when debiting funds with the wallet:transactions:send scope. When 2FA is required, the API will respond with a 402 status and two_factor_required error. To successfully complete the request, you must make the same request again with the user’s 2FA token in the CB-2FA-TOKEN header together with the current access token.
Here’s a step by step example:
402 and sends the user a 2FA token via SMS if he doesn’t have Authy installed
201 CREATED status code is returned
Keep in mind that 2FA tokens expire quickly, so you’ll need to re-try the request after the user supplies his token. Two factor authentication affects only users who have 2FA enabled in their user settings. Depending on the user’s settings, the token will be delivered via SMS or the user must obtain the 2FA token from his Authy application.
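The retry flow described above, as an added example that is not part of the original documentation. The function names, the JSON error body shape (an errors list whose entries carry an id), the Bearer Authorization header and the fake transport are assumptions made for illustration; only the 402 status, the two_factor_required error and the CB-2FA-TOKEN header come from the text.

```python
import json

TWO_FA_HEADER = "CB-2FA-TOKEN"  # header name from the documentation


def is_2fa_challenge(status, body):
    """True only for 402 + two_factor_required; other errors must not prompt the user."""
    if status != 402:
        return False
    try:
        # Assumed body shape: {"errors": [{"id": "...", "message": "..."}]}
        return any(e.get("id") == "two_factor_required"
                   for e in json.loads(body).get("errors", []))
    except (ValueError, AttributeError):
        return False


def send_with_2fa(transport, access_token, payload, ask_user_for_token, max_prompts=2):
    """Send once; on a 2FA challenge, repeat the same request with the user's token.

    transport(headers, payload) -> (status, body) is a hypothetical HTTP callable.
    The 2FA token is held only for the retry and is never stored or logged.
    """
    headers = {"Authorization": f"Bearer {access_token}",
               "Content-Type": "application/json"}
    status, body = transport(headers, payload)
    prompts = 0
    while is_2fa_challenge(status, body) and prompts < max_prompts:
        token = ask_user_for_token()  # tokens expire quickly, so ask just before retrying
        prompts += 1
        if not token:
            break  # user declined; surface the 402 to the caller
        # Same payload and same access token, plus the 2FA header.
        status, body = transport({**headers, TWO_FA_HEADER: token}, payload)
    return status, body


def make_fake_api(valid_token):
    """Constructed stand-in for the API so the example runs offline."""
    seen = []

    def transport(headers, payload):
        seen.append(dict(headers))
        if headers.get(TWO_FA_HEADER) == valid_token:
            return 201, json.dumps({"data": {"status": "pending"}})
        return 402, json.dumps({"errors": [{"id": "two_factor_required",
                                            "message": "constructed sample"}]})
    return transport, seen
```

Bounding the number of prompts keeps an expired or mistyped token from turning into an unbounded retry loop against the send endpoint.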
If you’re building an application which needs to work without direct user interaction, you can bypass 2FA with a separate wallet:transactions:send:bypass-2fa scope. Because of the security sensitivity of this option, this scope is available by whitelist only. You may request that your app be added to the whitelist via your application settings. When using this scope you must make it abundantly clear to the user that the application is moving funds in the background, without user interaction or per-transaction approval. It is strongly advised to use this option only with low specified send limits.