---
title: "Rocket Chat Two-Factor Authentication"
slug: "two-factor-authentication"
description: "Learn how to set up two-factor authentication in Rocket Chat apps. Strengthen security, protect user accounts, and safeguard collaboration."
updated: 2026-02-05T17:08:09Z
published: 2026-02-05T17:08:09Z
---

# Two-Factor Authentication

Rocket.Chat supports two-factor authentication (2FA): in addition to the password, the user must present a secondary verification code when authenticating and when calling certain protected API endpoints.

## Sources for two-factor codes

Two-factor codes can come from the following sources:

1. **Authenticator apps:** Applications such as Google Authenticator or Authy generate time-based one-time passwords (TOTP).
2. **Email:** A verified email address can receive a one-time verification code.
3. **Password fallback:** When the user has no other 2FA method configured, the account password may be accepted in place of a second factor. This fallback is disabled during login itself, since the password has just been entered and prompting for it again would be redundant.

See the [2FA configuration guide](https://docs.rocket.chat/docs/two-factor-authentication-configuration) for additional details.

## API calls and 2FA

Realtime and REST API requests to protected operations may be answered with a 2FA challenge instead of a result. Client implementations should recognize this response, obtain a code from the user (or from the method the server indicates), and retry the same request with the required 2FA data attached. Refer to the [Realtime API](https://developer.rocket.chat/apidocs/realtime-twofactor-authentication) and [REST API](/apidocs/introduction-to-two-factor-authentication) documentation for the exact request and response formats.

## Trusted clients

After a successful 2FA validation, the client, identified by a hash of its user-agent and IP address, is trusted for five minutes by default, so further protected calls within that window do not require a new code. The duration can be adjusted in the [workspace administration settings](https://docs.rocket.chat/docs/two-factor-authentication-configuration). Some endpoints always require 2FA regardless of the trust window. The error code `totp-required` is kept for backward compatibility and does not mean that TOTP is the only supported method; the challenge applies to email and password-fallback verification as well.
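The retry flow described under "API calls and 2FA", together with the `totp-required` naming caveat above, is easier to see in code. The following is an added example and not Rocket.Chat project code: a REST client wrapper that sends a request, detects the `totp-required` challenge, and retries with the `X-2fa-code` and `X-2fa-method` headers used by the REST API. The mock server, the placeholder endpoint URL, the `details` payload shape and the `totp-invalid` error name are constructed for the demo and should be checked against the REST 2FA documentation for a real deployment.

```javascript
// Added example (not Rocket.Chat project code). Demonstrates handling the
// 2FA challenge on a REST call: first request -> "totp-required", obtain a
// code, retry the identical request with X-2fa-code / X-2fa-method headers.
// fetchImpl is any fetch-like function returning { status, json() }.

async function callWithTwoFactor(fetchImpl, url, init, requestCode) {
  const first = await fetchImpl(url, init);
  const body = await first.json();
  if (body.errorType !== 'totp-required') {
    // No challenge: either the endpoint is unprotected or this client is
    // still inside the trusted-client window.
    return { body, retried: false };
  }
  // Assumed challenge payload: details.method is the method the server
  // expects, details.availableMethods lists what the user has configured.
  // The error name is historical; the method may be "email", not "totp".
  const { method, availableMethods = [] } = body.details || {};
  const code = await requestCode(method, availableMethods);
  const headers = { ...(init.headers || {}), 'X-2fa-code': code, 'X-2fa-method': method };
  const second = await fetchImpl(url, { ...init, headers });
  return { body: await second.json(), retried: true, method };
}

// Constructed stand-in for a workspace: one protected endpoint, one valid code.
function makeMockServer({ validCode }) {
  return async function mockFetch(url, init = {}) {
    const h = init.headers || {};
    const reply = (status, payload) => ({ status, json: async () => payload });
    if (!h['X-2fa-code']) {
      return reply(400, {
        success: false,
        errorType: 'totp-required',
        details: { method: 'totp', availableMethods: ['totp', 'email'] },
      });
    }
    if (h['X-2fa-method'] !== 'totp' || h['X-2fa-code'] !== validCode) {
      // Rejected code; "totp-invalid" is an assumed error name for the demo.
      return reply(400, { success: false, errorType: 'totp-invalid' });
    }
    return reply(200, { success: true });
  };
}

// Runs the flow with a correct code and with a wrong one.
async function demo() {
  const url = 'https://workspace.example/api/v1/protected.endpoint'; // placeholder
  const init = { method: 'POST', headers: { 'X-User-Id': 'u1', 'X-Auth-Token': 't1' } };
  const server = makeMockServer({ validCode: '123456' });
  const good = await callWithTwoFactor(server, url, init, () => '123456');
  const bad = await callWithTwoFactor(server, url, init, () => '000000');
  return { good, bad };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The wrapper retries exactly once: a second challenge or a rejected code is returned to the caller rather than looped on, so a wrong code cannot turn into an unbounded prompt cycle, and the caller decides whether to ask again.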

## Personal access tokens

Personal access tokens allow authenticated requests without repeated 2FA verification and are commonly used for long-running integrations and automation workflows. Because such a token stands in for both the password and the second factor, treat it like a password: these tokens do not expire automatically, so store them securely, scope each integration to its own token, and revoke tokens that are no longer needed.
