SAP Customer Data Cloud Positions

accounts.tfa.initTFA REST




This method initializes two-factor authentication (TFA) by returning a JWT token that can be used to register with a new provider, or to verify the user using an existing provider, or to edit an existing provider.


Note: This method is part of the Customer Identity and the Identity Storage packages. Both packages are premium platforms that require separate activation. If neither are part of your site package, please contact your Gigya Customer Engagement Executive or contact us by filling in a support form on our site. You can also access the support page by clicking "Support" on the upper menu of Gigya's site.



Request URL

Where <Data_Center> is:
  • - For the US data center.
  • - For the European data center.
  • - For the Australian data center.
  • - For the Russian data center.
  • - For the Chinese data center.

If you are not sure of your site's data center, see Finding Your Data Center.




regToken string The regToken returned from accounts.initRegistration, accounts.register or accounts.login API calls when the registration process has not been finalized. Please note that the regToken you receive from Gigya is valid for only one hour.


provider string The name of the TFA provider for which the token mode is set. Acceptable values:

  • gigyaPhone
  • gigyaPush
  • gigyaTotp
  • gigyaEmail

mode string The token mode. The possible values for the mode are:

  • register
  • verify
  • add
  • edit

For verify mode, the JWT contains the attribute action="verify", telling the provider that the user is only allowed to verify himself.

For register/add modes, the JWT contains the attribute action="register/verify", telling the provider that the user must be verified, and that registration is allowed if the user is not already registered. register mode can only be called if the user has recently (in the last 5 minutes) performed social login or passed a password verification process; otherwise an "Account Pending Recent Login" error is returned (error code 403110).

For edit mode, the JWT contains the attribute action="edit", telling the provider that the user is allowed to edit his TFA details.

add/edit modes can be called only if the current user recently (in the last 5 minutes) logged in through that device; otherwise an "Account Pending Recent Login" error is returned (error code 403110).

clientContext JSON object

Additional information regarding the client who made the login request, used for server-side Risk Based Authentication implementations. When passing the client context, any RBA rules apply and may be triggered.

Includes the following fields:

  • clientIP (string, required): The IP address of the client from which the login was made.
  • deviceID (string, not required): The ID of the end user device from which the login was made. The default is null. The maximum number of allowed characters is 100.
  • captchaVerified (Boolean, not required): Indicates whether the end user has completed a CAPTCHA (or similar) challenge during the registration process. If this is false, and RBA configuration includes a CAPTCHA challenge, the user may be shown a CAPTCHA challenge, based on RBA logic. The default is false.
  • riskScore (float, not required): A positive numerical value indicating the level of risk associated with this login attempt. This is compared to the defined threshold for triggering a configured RBA rule.

Sample object:

clientContext: {
  clientIP: "",
  deviceID: "00000000-00000000-01234567-89ABCDEF",
  captchaVerified: false,
  riskScore: 0.8
}

format string Determines the format of the response. The options are:
  • json (default)
  • jsonp - If the format is jsonp then you are required to define a callback method (see parameter below).

callback string This parameter is required only when the format parameter is set to jsonp (see above). In such cases this parameter should define the name of the callback method to be called in the response, along with the jsonp response data.

httpStatusCodes Boolean The default value of this parameter is false, which means that the HTTP status code in Gigya's response is always 200 (OK), even if an error occurs. The error code and message are given within the response data (see below). If this parameter is set to true, the HTTP status code in Gigya's response reflects an error, if one occurs.
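As an added Go example (not code from this page or from SAP/Gigya), the following builds the parameter set for this call, rejecting values the documentation does not allow before anything leaves the server, and interprets a response using the fields documented under Response Data. It assumes the parameter names provider and mode for the two values described above, the names apiKey, userKey and secret for the server-to-server authorization parameters, and constructed sample responses; the HTTPS POST to the endpoint is left to the caller.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// ClientContext carries the RBA fields listed above: clientIP is mandatory,
// deviceID is limited to 100 characters, riskScore is compared to the RBA threshold.
type ClientContext struct {
	ClientIP        string  `json:"clientIP"`
	DeviceID        string  `json:"deviceID,omitempty"`
	CaptchaVerified bool    `json:"captchaVerified"`
	RiskScore       float64 `json:"riskScore,omitempty"`
}

var validProviders = map[string]bool{"gigyaPhone": true, "gigyaPush": true, "gigyaTotp": true, "gigyaEmail": true}
var validModes = map[string]bool{"register": true, "verify": true, "add": true, "edit": true}

// BuildInitTFAParams assembles the form body for accounts.tfa.initTFA.
// apiKey, userKey and secret are the server-to-server authorization parameters
// (assumed names; see the Authorization Parameters section).
func BuildInitTFAParams(apiKey, userKey, secret, regToken, provider, mode string, ctx *ClientContext) (url.Values, error) {
	if !validProviders[provider] {
		return nil, fmt.Errorf("unknown TFA provider %q", provider)
	}
	if !validModes[mode] {
		return nil, fmt.Errorf("unknown mode %q", mode)
	}
	if regToken == "" {
		return nil, errors.New("regToken is required (and expires one hour after issue)")
	}
	v := url.Values{}
	v.Set("apiKey", apiKey)
	v.Set("userKey", userKey)
	v.Set("secret", secret)
	v.Set("regToken", regToken)
	v.Set("provider", provider)
	v.Set("mode", mode)
	if ctx != nil { // passing a context means RBA rules apply and may trigger
		if ctx.ClientIP == "" {
			return nil, errors.New("clientContext.clientIP is required")
		}
		if len(ctx.DeviceID) > 100 {
			return nil, errors.New("clientContext.deviceID exceeds 100 characters")
		}
		j, _ := json.Marshal(ctx)
		v.Set("clientContext", string(j))
	}
	v.Set("format", "json")
	v.Set("httpStatusCodes", "true") // otherwise every response is HTTP 200, even on error
	return v, nil
}

// InitTFAResponse holds the response fields this caller acts on.
type InitTFAResponse struct {
	ErrorCode      int    `json:"errorCode"`
	ErrorMessage   string `json:"errorMessage"`
	ErrorDetails   string `json:"errorDetails"`
	CallID         string `json:"callId"`
	GigyaAssertion string `json:"gigyaAssertion"`
}

// ErrRecentLoginRequired maps error 403110: register, add and edit modes need a
// login (or password verification) within the last five minutes.
var ErrRecentLoginRequired = errors.New("account pending recent login (403110)")

// ParseInitTFAResponse decides success on errorCode, never on the HTTP status.
func ParseInitTFAResponse(body []byte) (*InitTFAResponse, error) {
	var r InitTFAResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, fmt.Errorf("unparseable response: %w", err)
	}
	switch {
	case r.ErrorCode == 403110:
		return &r, ErrRecentLoginRequired
	case r.ErrorCode != 0:
		return &r, fmt.Errorf("initTFA failed: %d %s (callId %s)", r.ErrorCode, r.ErrorMessage, r.CallID)
	case r.GigyaAssertion == "":
		return &r, errors.New("errorCode 0 but no gigyaAssertion in response")
	}
	return &r, nil
}
```

Keeping the callId from a failed response is deliberate: it is the identifier support will ask for when a 403110 or other error needs to be traced.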

Authorization Parameters

Each REST API request must contain identification and authorization parameters.

Some REST APIs may function without these authorization parameters; however, when that occurs, these calls are treated as client-side calls and all client-side rate limits apply. To avoid reaching client-side IP rate limits that may impact your implementation when using server-to-server REST calls, it is recommended best practice to always sign the request or use a secret. A non-exhaustive list of REST APIs that this may apply to is as follows:

  • accounts.login
  • socialize.login
  • accounts.notifyLogin
  • socialize.notifyLogin
  • accounts.finalizeRegistration
  • accounts.linkAccounts

Please refer to the Authorization Parameters section for details. 


Response Data

apiVersion integer Defines the API version that returned the response and may not always be returned.
callId string Unique identifier of the transaction, for debugging purposes.
errorCode integer The result code of the operation. Code '0' indicates success, any other number indicates failure. For a complete list of error codes, see the Error Codes table.
errorDetails string This field will appear in the response only in case of an error and will contain the exception info, if available.
errorMessage string A short textual description of an error, associated with the errorCode, for logging purposes. This field will appear in the response only in case of an error.
fullEventName string The full name of the event that triggered the response. This is an internally used parameter that is not always returned and should not be relied upon by your implementation.
time string The time of the response represented in ISO 8601 format, i.e., yyyy-mm-dd-Thh:MM:ss.SSSZ or
statusCode integer The HTTP response code of the operation. Code '200' indicates success.
This property is deprecated and only returned for backward compatibility.
statusReason string A brief explanation of the status code.
This property is deprecated and only returned for backward compatibility.


gigyaAssertion string The JWT token, which is made up of a header object, a body object and a signature:

Header:
{
  "alg": "",
  "typ": "JWT",
  "x5u": ""
}

Body:
  iss - a string representing the issuer, e.g. "".
  aud - a string representing the TFA provider name, e.g. "gigyaPhone".
  sub - a string representing a unique Gigya identifier for this user.
  action - a string enum representing the requested action type; can be "verify", "edit", or "registerOrVerify".
  params - a JSON object with string properties and values holding TFA provider-specific parameters. These are the params from the policy for this provider.
  iat - an integer representing the creation time of this JWT object in UNIX time.
  jti - a string representing the JWT ID; a crypto-strength nonce value.
  ctx - a string representing an encrypted Gigya context.

Signature: Computed using the private key matching the public key whose URL is specified in the header.

A field that does not contain data will not appear in the response.
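The checks a TFA provider should run on gigyaAssertion before acting on it, as an added Go example that is neither this page's nor Gigya's code. Assumptions: RS256 (RSASSA-PKCS1-v1_5 over SHA-256) stands in for the alg value Gigya actually places in the header; an in-memory RSA key pair stands in for the certificate that would be fetched from the x5u URL; the x5u value is a placeholder; the freshness window on iat is five minutes; and the claims struct covers only the fields the verifier inspects (params and ctx are omitted). The issuer-side SignAssertion exists only so the verifier can be exercised offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Header and Claims mirror the gigyaAssertion layout described above (params and ctx omitted).
type Header struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
	X5u string `json:"x5u"`
}

type Claims struct {
	Iss    string `json:"iss"`
	Aud    string `json:"aud"`
	Sub    string `json:"sub"`
	Action string `json:"action"`
	Iat    int64  `json:"iat"`
	Jti    string `json:"jti"`
}

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url
// SignAssertion stands in for the issuer: RS256 (RSASSA-PKCS1-v1_5/SHA-256, assumed here) over header.body.
func SignAssertion(key *rsa.PrivateKey, x5u string, c Claims) (string, error) {
	hdr, _ := json.Marshal(Header{Alg: "RS256", Typ: "JWT", X5u: x5u})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// Verifier is what a TFA provider keeps: its own name (the expected aud), the pinned
// x5u URL and the key fetched from it, an iat window, and the jti values used so far.
type Verifier struct {
	ProviderName string
	TrustedX5u   string
	PubKey       *rsa.PublicKey
	MaxAge       time.Duration
	Now          func() time.Time
	SeenJti      map[string]bool // initialise once and share across requests
}

var knownActions = map[string]bool{"verify": true, "edit": true, "registerOrVerify": true}
// Verify checks the signature before trusting any claim, then binds the token to
// this provider, a known action and the present moment; each jti is honoured once.
func (v *Verifier) Verify(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var raw [3][]byte
	for i, p := range parts {
		b, err := b64.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
		raw[i] = b
	}
	var h Header
	if err := json.Unmarshal(raw[0], &h); err != nil {
		return nil, err
	}
	// The token never gets to choose the algorithm or where the key comes from.
	if h.Alg != "RS256" || h.X5u != v.TrustedX5u {
		return nil, fmt.Errorf("untrusted header alg=%q x5u=%q", h.Alg, h.X5u)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(v.PubKey, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	if c.Aud != v.ProviderName || !knownActions[c.Action] {
		return nil, fmt.Errorf("not for this provider/action: aud=%q action=%q", c.Aud, c.Action)
	}
	if age := v.Now().Sub(time.Unix(c.Iat, 0)); age < -time.Minute || age > v.MaxAge {
		return nil, fmt.Errorf("iat outside freshness window (age %s)", age)
	}
	if c.Jti == "" || v.SeenJti[c.Jti] {
		return nil, fmt.Errorf("jti missing or already used")
	}
	v.SeenJti[c.Jti] = true
	return &c, nil
}
```

Two points the page only implies: alg and x5u in the header are untrusted input until the signature has been checked, so the verifier pins both instead of following whatever the token says; and jti is only useful if it is remembered, so SeenJti has to be backed by storage shared across all instances of the provider rather than a per-process map.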


Response Example

{
  "statusCode": 200,
  "errorCode": 0,
  "statusReason": "OK",
  "callId": "21a768038563435ba3e407dc7eb1928b",
  "time": "2015-03-22T11:42:25.943Z",
  "context": "R1680181838",
  "gigyaAssertion": "eyJ0eXAiOiJKV1QiLCJhbGciOiJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLCJ4NXUiOiJodHRwOi8vYWNjb3VudHMuZ2lneWEuY29tL2FjY291bnRzLnRmYS5nZXRDZXJ0aWZpY2F0ZSJ9.….Cu6_vsQHfEzkij5SYfO5pewn38iCrl2JlvVyLVAFqmEr6K5HJiCMOKEoMY7V-YkJycDfc2YJFwb5AZQK1SBoj8mBV4f0_qlUdN15pQC6pAtiVw8c3IXCFgZi5STuSbfi6yfTChCAKgG82p2m2-IsWvvrhY0XB4hxFwT_SGDuOcB9wIAYhpHA7rpIAhuLjsk3NESjLkUp3rePh2JPKfB9QiIfqkWdS4MpkCoE8pCeY-ydCgs5x_Quit0-xmiuQ-4z7iFh1PNWE_S5pB4CCfDQICV7bw2zW1qmgNpSFlEZPzlZrwtBKO7D4GZWgRmdNNE9bAhN6fX1zv-J1-mhTPNtTQ"
}