Get Backup Code Status
GET
/web/v1/system/security/mfa/backup-codes JWTRequired Gateway Headers
All API requests require gateway headers. See Required Headers for the complete list. In local/test environments, you must also include Cloudflare simulation headers (CF-Connecting-IP, Cf-Ray, cf-ipcountry).
Retrieves the status of the user's backup codes, including masked code identifiers with usage status and the count of remaining unused codes.
Required Headers
| Header | Example Value | Description |
|---|---|---|
| Content-Type | application/json | Request content type |
| Accept | application/json | Expected response type |
| X-Client-Hash | Client device fingerprint | |
| Accept-Language | en, zh, zh-Hant, ja, vi | Response language (default: en) |
| Authorization | Bearer | JWT access token |
Request Parameters
No request parameters required.
Request Example
No request body required.
Success Response
Success 200
{
"version": "2.0.0",
"timestamp": 1709337600000,
"success": true,
"code": "2000",
"message": "SUCCESS",
"data": {
"codes": [
{
"code": "a1b2****",
"isUsed": false,
"usedAt": null
},
{
"code": "e5f6****",
"isUsed": true,
"usedAt": "2026-03-25T14:30:00Z"
}
],
"remainingCount": 9
}
}| Field | Type | Description |
|---|---|---|
codes | object[] | Array of backup code objects with usage status |
codes[].code | string | Masked backup code identifier (e.g. "a1b2****") |
codes[].isUsed | boolean | Whether the code has been consumed |
codes[].usedAt | string (ISO 8601) or null | Timestamp when the code was used, null if unused |
remainingCount | integer | Number of unused backup codes remaining |
Error Responses
Unauthorized 401
{
"success": false,
"code": "4010",
"message": "Invalid or expired token"
}Notes
- Codes are masked for security (first 4 chars +
****); full codes are never exposed after generation. - Each code object indicates whether it has been used and when.
- After each backup code is used,
remainingCountdecreases by 1.