Auth

Two-Factor Authentication

Secure your logins with one-time codes! Learn how to generate secrets, enable/disable 2FA.

Two-factor authentication (2FA) in Directus is a security measure that requires a generated one-use code to be provided after log in to complete authentication. 2FA for the Data Studio can be enabled or enforced in the user page. A one-time password (OTP) is required when logging in via the Data Studio or API.

To enable 2FA, you will need an external authenticator app or support for OTPs in your password manager.

Generate 2FA Secret

A 2FA secret is required to set up OTPs in your authenticator app.

POST /users/me/tfa/generate
{
    "password": "d1r3ctu5"
}

The response will contain the secret and an otpauth_url which can be optionally rendered as a QR code and to be used by authenticator apps.

Save the secret in your authenticator app either manually or via the otpauth_url QR code.

Enable 2FA

To complete 2FA setup, you will need both the secret and a generated otp from your authenticator app.

POST /users/me/tfa/enable
{
    "otp": "123456",
    "secret": "GV3UEVQVOM4D4O33"
}

You must now log in with a otp property whose value is generated by your authenticator app.

Disable 2FA

To disable 2FA, you need to generate and use a OTP from your authenticator app.

POST /users/me/tfa/disable
{
    "otp": "123456"
}