This page documents the Guardian multi-factor authentication (MFA) system in the Auth0.NET Management API, including configuration of factor types (SMS, voice, push notifications, OTP, email, Duo, WebAuthn), provider setup (Twilio, SNS, APNS, FCM), enrollment management, and message templates.
For runtime MFA operations during authentication flows, see Multi-Factor Authentication.
The Guardian system provides multi-factor authentication capabilities through the IGuardianClient interface, accessible via ManagementApiClient.Guardian. It supports configuration and management of multiple authentication factors, provider integrations, and enrollment workflows.
Sources: src/Auth0.ManagementApi/IManagementApiClient.cs:50, tests/Auth0.ManagementApi.IntegrationTests/GuardianTests.cs:41, tests/Auth0.ManagementApi.IntegrationTests/GuardianTests.cs:54
Guardian supports multiple distinct multi-factor authentication factor types, enumerated in GuardianFactorNameEnum. Each factor can be independently enabled or disabled at the tenant level.
Factor Enumeration:
| Factor Name | Enum Value | Use Case |
|---|---|---|
| Sms | sms | SMS text message verification codes |
| PushNotification | push-notification | Auth0 Guardian mobile app push notifications |
| Email | email | Email-based verification codes |
| Otp | otp | Time-based one-time passwords (TOTP) |
| Duo | duo | Duo Security integration |
| WebauthnRoaming | webauthn-roaming | Hardware security keys (USB, NFC) |
| WebauthnPlatform | webauthn-platform | Platform authenticators (Touch ID, Face ID, Windows Hello) |
| RecoveryCode | recovery-code | Backup recovery codes |

Sources: docs/api/Auth0.ManagementApi.Models.GuardianFactorName.html:120-143, tests/Auth0.ManagementApi.IntegrationTests/GuardianTests.cs:156-173
Sources: tests/Auth0.ManagementApi.IntegrationTests/GuardianTests.cs:41
Administrators can enable or disable individual MFA factors at the tenant level using the SetAsync method on the factors client.
Sources: tests/Auth0.ManagementApi.IntegrationTests/GuardianTests.cs:155-163
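A drift check built on the factor names in the table above, as an added example that is not part of the Auth0.NET project or this page: it compares a tenant's factor state against a baseline and reports each factor that would need a `PUT guardian/factors/{name}` call. The response shape (`name`, `enabled`), the sample data, the baseline values and the `FactorAudit` class are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;

// Constructed sample shaped like a GET guardian/factors response body.
// Assumption: each entry has a string "name" and a boolean "enabled".
const string sample = """
[{"name":"sms","enabled":true},{"name":"push-notification","enabled":true},
 {"name":"otp","enabled":false},{"name":"email","enabled":false},
 {"name":"webauthn-roaming","enabled":true},{"name":"recovery-code","enabled":true}]
""";

// Hypothetical baseline for this example: the state each factor should be in.
// Keys are the wire names from the factor table; the values are illustrative.
var baseline = new Dictionary<string, bool>
{
    ["sms"] = false, ["push-notification"] = true, ["otp"] = true, ["email"] = false,
    ["duo"] = false, ["webauthn-roaming"] = true, ["webauthn-platform"] = true,
    ["recovery-code"] = true,
};

foreach (var finding in FactorAudit.Drift(sample, baseline))
    Console.WriteLine(finding);

static class FactorAudit
{
    // Returns one finding per factor whose live state differs from the baseline,
    // is absent from the response, or has no baseline entry at all.
    public static List<string> Drift(string json, IReadOnlyDictionary<string, bool> baseline)
    {
        using var doc = JsonDocument.Parse(json);
        var live = doc.RootElement.EnumerateArray().ToDictionary(
            f => f.GetProperty("name").GetString()!,
            f => f.GetProperty("enabled").GetBoolean());
        var findings = new List<string>();
        foreach (var (name, want) in baseline.OrderBy(kv => kv.Key, StringComparer.Ordinal))
        {
            if (!live.TryGetValue(name, out var have))
                findings.Add($"MISSING {name}: not in response, baseline enabled={want}");
            else if (have != want)
                findings.Add($"DRIFT   {name}: enabled={have}, baseline={want}; fix via PUT guardian/factors/{name}");
        }
        // A factor the baseline does not know about needs a decision, not a silent pass.
        foreach (var name in live.Keys.Except(baseline.Keys).OrderBy(n => n, StringComparer.Ordinal))
            findings.Add($"UNKNOWN {name}: enabled={live[name]}, no baseline entry");
        return findings;
    }
}
```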
Guardian supports multiple providers for SMS and push notification delivery, such as Twilio and AWS SNS.
Twilio configuration requires account credentials (Sid, AuthToken) and a sender identity (From).
Sources: tests/Auth0.ManagementApi.IntegrationTests/GuardianTests.cs:179-185
Guardian allows customization of SMS enrollment and verification messages sent to users.
Sources: tests/Auth0.ManagementApi.IntegrationTests/GuardianTests.cs:75-84
Guardian provides APIs to manage user MFA enrollments, including creating enrollment tickets and deleting existing enrollments.
Enrollment tickets generate a URL or send an email that allows users to enroll in MFA.
Sources: tests/Auth0.ManagementApi.IntegrationTests/GuardianTests.cs:122-130
Retrieve details about a specific MFA enrollment or remove it. Deleting an enrollment will throw a ManagementApiException with a 404 status if the ID is not found.
Sources: tests/Auth0.ManagementApi.IntegrationTests/GuardianTests.cs:54-68
| Method | HTTP Endpoint | Description |
|---|---|---|
| Factors.ListAsync() | GET guardian/factors | Retrieve all MFA factors and their status |
| Factors.SetAsync(name, request) | PUT guardian/factors/{name} | Enable or disable a specific factor |
| Enrollments.CreateTicketAsync(request) | POST guardian/enrollments/ticket | Generate enrollment ticket for a user |
| Enrollments.GetAsync(id) | GET guardian/enrollments/{id} | Retrieve enrollment details |
| Enrollments.DeleteAsync(id) | DELETE guardian/enrollments/{id} | Remove an enrollment |

| Method | HTTP Endpoint | Description |
|---|---|---|
| Factors.Phone.SetTwilioProviderAsync(request) | PUT guardian/factors/phone/providers/twilio | Update Twilio SMS configuration |
| Factors.Sms.GetTemplatesAsync() | GET guardian/factors/sms/templates | Get SMS message templates |
| Factors.Sms.SetTemplatesAsync(request) | PUT guardian/factors/sms/templates | Update SMS message templates |

Sources: tests/Auth0.ManagementApi.IntegrationTests/GuardianTests.cs:41-185