Manage Two-Factor Authentication

In this article, we explore common use cases concerning two-factor authentication feature control via TeamCity REST API. Note that these endpoints accept only authentication via access tokens.

Setup 2FA

To start setup of 2FA for the current user, use the following endpoint:

/app/rest/2FA/setup

The method will return a secret key, set of recovery keys and UUID for the confirmation of setup.

Confirm 2FA setup

To confirm the setup of 2FA for the current user, use the following endpoint:

/app/rest/2FA/confirm?uuid=<uuid>&password=<password>

where uuid is the UUID returned by /setup method, and password is 6-digit TOTP password. If supplied password matches the secret key found by UUID, 2FA setup is finished.

Disable 2FA for a user

To remove secret key and recovery keys for a specific user, use:

/app/rest/2FA/<userLocator>/disable

Here, userLocator is typed as UserLocator. For example, to disable 2FA for john.doe username, send:

/app/rest/2FA/username:john.doe/disable

Generate recovery keys

To generate a new set of recovery keys for the current user, use:

/app/rest/2FA/newRecoveryKeys

The format of recovery keys is [0-9a-f]{6}-[0-9a-f]{6}. Old recovery keys will be discarded.

Refresh grace period for a user

To refresh grace period (a period when user can sign in without enabled 2FA) for a specific user, use the following endpoint:

/app/rest/2FA/<userLocator>/refreshGracePeriod

Grace period length is managed by the teamcity.auth.2fa.grace.period property; the default value is 1 week.

Last modified: 12 October 2023