Realtime Two Factor Authentication

To learn more about Two Factor Authentication(2FA) in Rocket.Chat, see Two Factor Authentication and REST Two Factor Authentication.

Call a method with 2FA

NameRequires AuthPermissionSetting



Payload Parameters





The 2FA code




The initial method for the request you're trying to make.




The method of the 2FA, for example -email


{ "_id": "298gMs93982Le9A7pZjo2D2iB", "rid": "64a1f373376181965ab77f54", "msg": "Whats 4*!" }


An array of parameters used for the initial method;

Example Call

    "msg": "callWithTwoFactorRequired"
    "code": "38290",
    "ddpMethod": "updateMessage",
    "id": "342",
    "method": "email",
    "params": [{
        "_id": "298gMs93982Le9A7pZjo2D2iB",
        "rid": "64a1f373376181965ab77f54",
        "msg": "Whats 4*!"

If the two factor was not accepted the error totp-invalid will be returned;


When a request that requires 2FA is made without a 2FA code, it returns a TOTP-Require error. The error also details the method of 2FA required ( email or authenticator app).

  "msg": "result",
  "id": "1",
  "error": {
    "isClientSafe": true,
    "error": "totp-required",
    "reason": "TOTP Required",
    "details": {
      "method": "email",
      "codeGenerated": false,
      "codeCount": 1,
      "codeExpires": [
      "availableMethods": [
    "message": "TOTP Required [totp-required]",
    "errorType": "Meteor.Error"
  • method: The method selected by the server. It is useful to inform the user where to look for the code.

  • codeGenerated: Email only. Used to inform if the code was generated or if there are tokens available already.

  • codeCount: (optional) Email only. The number of available codes already sent via email.

  • codeExpires: (optional) Email only. A list of expiration dates of the tokens.

  • availableMethods: The list of available 2FA methods for Two Factor. It is useful in deciding the method to use when making a request.

Request a new email code

If the user didn't receive the 2FA code, you can request to send a new code via email by calling the DDP Method sendEmailCode passing the user's email or username. It's required to pass the email or username because this Method can be called when the user is not logged in.


  • success: array of emails to where the code was sent;

  • error-parameter-required: The parameter emailOrUsername was not provided;

  • error-invalid-user: The user was not found with the provided emailOrUsername;

Example'sendEmailCode', emailOrUsername, (error, result) => {});

Enabling the Two Factor via Email

It's possible to enable the email check by calling the Method 2fa:enable-email.

The two factor via email will only work if the user has at least one verified email.


  • success: true is returned;

  • error-not-authorized if the user is not logged in;

Example'2fa:enable-email', (error, result) => {});

Disabling the Two Factor via Email

To disable the 2FA, call the method 2fa:disable-email.

This Method requires 2FA to be executed.


  • success: true is returned;

  • error: A 2FA error is returned;

Example'2fa:disable-email', (error, result) => {});

Last updated

Rocket.Chat versions receive support for six months after release.