Manage Two-Factor Authentication
In this article, we explore common use cases for controlling the two-factor authentication (2FA) feature via the TeamCity REST API. Note that these endpoints accept only authentication via access tokens.
Setup 2FA
To start 2FA setup for the current user, use the following endpoint:
The method returns a secret key, a set of recovery keys, and a UUID used to confirm the setup.
Confirm 2FA setup
To confirm the setup of 2FA for the current user, use the following endpoint:
where uuid is the UUID returned by the /setup method, and password is a 6-digit TOTP password. If the supplied password matches the secret key found by the UUID, 2FA setup is finished.
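The confirmation check described above, as an added example that is not TeamCity's own code. It assumes a Base32-encoded secret, RFC 6238 defaults (HMAC-SHA1, 30-second step) and a tolerance of one step either side; the pending and enabled dictionaries and the sample secret are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret (the RFC 6238 test key), Base32-encoded.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, at, digits=6, step=30):
    """RFC 6238 TOTP (HMAC-SHA1) for the Unix time `at`."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def confirm_setup(pending, enabled, uuid, password, now=None):
    """Finish setup only if `password` matches the secret stored under `uuid`.

    pending: {uuid: {"user": ..., "secret": ...}}  (hypothetical store)
    enabled: {user: secret}                        (hypothetical store)
    """
    now = time.time() if now is None else now
    entry = pending.get(uuid)
    if entry is None:
        return False
    if not (password.isascii() and password.isdigit() and len(password) == 6):
        return False
    ok = False
    # Check previous, current and next step to tolerate clock drift (assumed
    # policy). Every candidate is compared in constant time, with no early exit.
    for drift in (-1, 0, 1):
        candidate = totp(entry["secret"], now + drift * 30)
        ok |= hmac.compare_digest(candidate, password)
    if ok:
        enabled[entry["user"]] = entry["secret"]
        del pending[uuid]  # a setup UUID is single-use
    return ok
```

A failed attempt leaves the pending entry in place, so a real service would also rate-limit confirmations per UUID.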
Disable 2FA for a user
To remove the secret key and recovery keys for a specific user, use:
Here, userLocator is typed as UserLocator. For example, to disable 2FA for the john.doe username, send:
To prevent users from being unable to access TeamCity, disabling 2FA also triggers the default one-week grace period refresh.
Generate recovery keys
To generate a new set of recovery keys for the current user, use:
The format of recovery keys is [0-9a-f]{6}-[0-9a-f]{6}. Old recovery keys will be discarded.
Refresh grace period for a user
The grace period allows users without configured 2FA to continue using TeamCity. The duration of this period depends on the teamcity.auth.2fa.grace.period property; the default value is one week.
This period is automatically refreshed when you explicitly disable 2FA for users. To manually refresh a grace period for a specific user, use the following endpoint: