--- title: MFA Authentication Code description: The /authenticationCodes endpoint provides operations to create, read, and delete an authentication code. The authentication code (which can be a QR code) enables users to sign on without any data entry, such as providing a username, password, or entering a one-time passcode. The user scans the code, and if successful, gains access to an application's services. component: pingone-api page_id: pingone-api:mfa:mfa-authentication/mfa-authentication-code canonical_url: https://developer.pingidentity.com/pingone-api/mfa/mfa-authentication/mfa-authentication-code.html section_ids: authentication-codes-request-data-model: Authentication codes request data model authentication-codes-response-data-model: Authentication codes response data model --- # MFA Authentication Code The `/authenticationCodes` endpoint provides operations to create, read, and delete an authentication code. The authentication code (which can be a QR code) enables users to sign on without any data entry, such as providing a username, password, or entering a one-time passcode. The user scans the code, and if successful, gains access to an application's services. ## Authentication codes request data model | Property | Type | Required? | Mutable? | Description | | ------------------- | ------- | --------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `application.id` | String | Required | Mutable | The ID of a mobile application for which the code is valid; only the specified mobile application can scan the QR code. | | `clientContext` | String | Optional | Mutable | An ObjectNode that provides relevant information to the mobile application that can be shown to application users. For example, `Do you want to approve this transaction?`. For more information, refer to [Create Authentication Code](#post-create-authentication-code). | | `lifeTime.duration` | Integer | Optional | Mutable | The length of time for this authentication code to be valid. The minimum value is 10 seconds; the maximum value is 30 minutes; the default is 1 minute. If the `lifeTime.duration` property is set, a value for `lifeTime.timeUnit` is required. | | `lifeTime.timeUnit` | String | Optional | Mutable | The time unit for the `lifeTime.duration` property. Options are `SECONDS` and `MINUTES`. If the `lifeTime.timeUnit` property is set, a value for `lifeTime.duration` is required. | | `userApproval` | String | Optional | Mutable | Whether the mobile device must verify that the user approves the authentication with the scanned code. Options are `REQUIRED` and `NOT_REQUIRED`. | ## Authentication codes response data model | Property | Type | Required? | Mutable? | Description | | -------------------------------------- | ------ | --------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `code` | String | N/A | Read-only | The authentication code. The code is eight characters in length, and it can include numbers and uppercase letters. | | `createdAt` | Date | N/A | Read-only | When the resource was created. | | `environment.id` | String | N/A | Read-only | The environment's unique identifier. | | `expiresAt` | Date | N/A | Read-only | The expiration time of authentication code. | | `id` | String | N/A | Read-only | The resource's unique identifier. | | `status` | String | N/A | Read-only | The status of the authentication code. Options are `UNCLAIMED`, `CLAIMED`, `EXPIRED`, `DENIED`, and `COMPLETED`. The `EXPIRED` status is active for 5 minutes after the code is no longer valid. | | `updatedAt` | Date | N/A | Read-only | When the resource was last updated. | | `uri` | String | N/A | Read-only | A universal link (for example, `https://www.example.com/pingonesdk?authentication_code={{generated token}}`). This property can also set a link to a schema application (for example, `pingoneapp://pingonesdk?authentication_code={{generated token}}`). If a universal link or schema application link is not set, the response does not include the `pingonesdk?authentication_code={{generated token}}` portion of the URL. | | `user.id` | UUID | N/A | Read-only | The unique identifier of the authenticated user. | | `_embedded.device.otpStatus.status` | String | N/A | Read-only | Whether or not the device can be used currently for OTP-based authentication. Value returned is ENABLED or DISABLED. Relevant only for devices where `type` is MOBILE. | | `_embedded.device.otpStatus.reason` | String | N/A | Read-only | If the status is DISABLED, contains the reason that the device cannot be used for OTP-based authentication, for example, that the application used a version of the MFA SDK that does not support OTP. Relevant only for devices where `type` is MOBILE. | | `_embedded.device.pushStatus.status` | String | N/A | Read-only | Whether or not the device can be used currently for push-based authentication. Value returned is ENABLED or DISABLED. Relevant only for devices where `type` is MOBILE. | | `_embedded.device.pushStatus.reason` | String | N/A | Read-only | If the status is DISABLED, contains the reason that the device cannot be used for push-based authentication, for example, that the push option was disabled for the application in the MFA policy. Relevant only for devices where `type` is MOBILE. | | `_embedded.device.usableStatus.status` | String | N/A | Read-only | Whether or not the device can be used currently for authentication. Value returned is ENABLED or DISABLED. | | `_embedded.device.usableStatus.reason` | String | N/A | Read-only | If the status is DISABLED, contains the reason that the device cannot be used for authentication, for example, that the defined daily notifications limit has already been reached. | For descriptions of other fields under `_embedded.device`, refer to [MFA Devices](#mfa-devices). For descriptions of fields under `_embedded.user`, refer to [Users data model](/pingone/platform/v1/api/#user-operations).