Verify Backup Code

Verify a backup code during 2FA login. Use this when the user doesn't have access to their authenticator app or email. Requires the 2FA cookie set by /auth/sign-in/email. Note: Each backup code can only be used once. Important: Use credentials: 'include' in fetch to send cookies.

Body
required
application/json
  • code
    Type: string
    required

    One of the backup codes

  • trustDevice
    Type: boolean

    Trust this device for 30 days (skip 2FA on future logins)

Responses
  • application/json
  • 401

    Invalid backup code or missing 2FA cookie

Request Example for post/auth/two-factor/verify-backup-code
curl https://api.gpcn.com/v1/auth/two-factor/verify-backup-code \
  --request POST \
  --header 'Content-Type: application/json' \
  --data '{
  "code": "abc123",
  "trustDevice": true
}'

{
  "user": {},
  "session": {
    "id": "string",
    "token": "string",
    "expiresAt": "2026-05-19T14:02:02.487Z"
  }
}

Backup code verified, session created