Two-Factor Authentication


Rocket.Chat supports two-factor authentication (2FA), requiring users to provide a password and a secondary verification code during authentication.

Sources for two-factor codes

Two-factor codes can be generated using the following methods:

  1. Authenticator apps: Applications such as Google Authenticator or Authy can generate time-based verification codes.

  2. Email: Verified email addresses can be used to receive verification codes.

  3. Password fallback: When no other 2FA method is configured, the password may serve as a fallback. This behavior is disabled during login to prevent duplicate password prompts.

See the 2FA configuration guide for additional details.

API calls and 2FA

Realtime and REST API requests may require 2FA verification. Client implementations should handle these responses and retry requests with the required authentication data. Refer to the Realtime API and REST API documentation for more information.

Trusted clients

After successful 2FA validation, a client, identified by a hash of the user-agent and IP address, is trusted for five minutes by default. This duration can be adjusted in workspace administration settings. Some endpoints may always require 2FA. The error code totp-required is used for compatibility purposes and does not indicate that TOTP is the only supported method.
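The following added example (not Rocket.Chat's own code) models both the client-side handling of a totp-required response described under "API calls and 2FA" and the trusted-client window described above: a constructed in-memory server keys trust on a hash of user-agent and IP, honours the five-minute default, exempts an always-protected path, and a client retries once with 2FA data. The SHA-256 choice, the /always-2fa and /normal paths, the fixed valid code, and the X-2fa-code / X-2fa-method header names are assumptions for the demonstration rather than values taken from this page.

```python
import hashlib

TRUST_WINDOW = 300  # default trust window from the page: five minutes
ALWAYS_REQUIRE = {"/always-2fa"}  # hypothetical path never covered by the trust window
VALID_CODE = "123456"  # constructed; a real server checks the code against the user's 2FA method
HDR_CODE, HDR_METHOD = "X-2fa-code", "X-2fa-method"  # assumed REST header names, not from this page


def client_id(user_agent: str, ip: str) -> str:
    """Trusted-client key: a hash of user-agent and IP (SHA-256 assumed here)."""
    return hashlib.sha256(f"{user_agent}\n{ip}".encode()).hexdigest()


class TrustStore:
    """Server side: remembers when each client hash last passed 2FA."""

    def __init__(self):
        self.last_ok = {}  # client hash -> time of the last successful 2FA

    def needs_2fa(self, path, user_agent, ip, now):
        if path in ALWAYS_REQUIRE:  # some endpoints always require 2FA
            return True
        last = self.last_ok.get(client_id(user_agent, ip))
        return last is None or now - last > TRUST_WINDOW

    def handle(self, path, headers, user_agent, ip, now):
        """Constructed stand-in for the API: totp-required until a valid code arrives."""
        if self.needs_2fa(path, user_agent, ip, now):
            if headers.get(HDR_CODE) != VALID_CODE:
                return {"success": False, "error": "totp-required"}
            self.last_ok[client_id(user_agent, ip)] = now
        return {"success": True}


def call_with_2fa(send, path, get_code):
    """Client side: retry exactly once with 2FA data when the API asks for it."""
    resp = send(path, {})
    if resp.get("error") == "totp-required":
        resp = send(path, {HDR_CODE: get_code(), HDR_METHOD: "totp"})
    return resp


def demo():
    store, ua, ip = TrustStore(), "ExampleClient/1.0", "192.0.2.10"  # constructed client
    first = call_with_2fa(lambda p, h: store.handle(p, h, ua, ip, 0), "/normal", lambda: VALID_CODE)
    within = store.handle("/normal", {}, ua, ip, 200)  # still inside the five-minute window
    expired = store.handle("/normal", {}, ua, ip, 400)  # window elapsed: 2FA asked again
    strict = store.handle("/always-2fa", {}, ua, ip, 200)  # always-protected path
    other = store.handle("/normal", {}, ua, "198.51.100.7", 200)  # different IP -> different hash
    return first, within, expired, strict, other
```

In a real client, get_code would prompt the user (or read the emailed code) rather than return a constant, and the retry should remain bounded so a wrong code does not loop.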

Personal access tokens

Personal Access Tokens allow authenticated requests without repeated 2FA verification and are commonly used for long-running integrations or automation workflows. These tokens do not expire automatically and should be stored securely.