Developer Documentation

Enterprise MFA API Reference

Integrate push MFA into your apps. REST API, webhooks, device enrollment, and APN configuration — all documented for enterprise deployment.

Overview

MYPASS Elite is an enterprise push-based multi-factor authentication (MFA) platform. Integrate Okta Verify–style one-tap MFA into your apps using our REST API. End users approve login requests on the MyPass Elite iOS app or your own branded app.

Key flows: Device enrollment (QR-based), MFA send/poll, webhooks, and APN configuration. Tenants obtain Client ID and Client Secret from the portal and use them server-side only.

Integration Scenario

Example: A Case Management System (CMS) adds MFA at login using MYPASS Elite.

  1. CMS registers as a tenant on mypass_web and receives Client ID + Client Secret.
  2. CMS backend stores credentials server-side; at login, after username/password, calls MYPASS API to send MFA push.
  3. End user enrolls by scanning a QR code with MyPass Elite (or CMS registers the device via API).
  4. On next login: user enters credentials → CMS calls POST /mfa/send → user receives push on MyPass Elite → user taps Approve → CMS polls GET /mfa/status until approved → login completes.

Customer API (MFA & Devices)

Authenticate with X-Client-ID and X-Client-Secret (or Basic Auth). Base URL: /api/v1

Method  Path                      Purpose
POST    /mfa/send                 Send MFA push (user_ref, optional session_ref, message)
GET     /mfa/status/:sessionId    Poll session status until not pending
DELETE  /mfa/cancel/:sessionId    Cancel pending session
POST    /devices/register         Register device (user_ref, device_token, platform, device_name)
GET     /devices/user/:userRef    List devices for a user
DELETE  /devices/:deviceToken     Remove a device
POST    /users/enroll             Enroll a user for MFA
GET     /users                    List enrolled users

POST /mfa/send

Request body:

{
  "user_ref": "user_abc123",
  "session_ref": "txn_9988",
  "message": "Approve login from Chrome?"
}

session_ref and message are optional. Response includes session_id (UUID), expires_at, and devices_pushed. Use session_id for polling and cancel — not session_ref.

MFA Session Status

Poll GET /mfa/status/:sessionId every ~2 seconds until status ≠ pending.

Status     Meaning
pending    User has not responded
approved   User approved → login can succeed
denied     User denied
expired    Session timed out
failed     Push delivery failed for all devices
cancelled  Session cancelled
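
The send-and-poll login flow above, written so that it fails closed. This is an added example, not MYPASS sample code. The host in BASE_URL is a placeholder, make_transport and mfa_login are hypothetical names, and it assumes the credentials travel as HTTP headers and that the status response is JSON with a "status" field.

```python
import json
import time
import urllib.parse
import urllib.request

BASE_URL = "https://mfa.example.invalid/api/v1"  # placeholder host (assumption)


def make_transport(client_id, client_secret):
    """Build call(method, path, body) that sends the tenant credentials as headers."""
    def call(method, path, body=None):
        req = urllib.request.Request(
            BASE_URL + path,
            method=method,
            data=json.dumps(body).encode() if body is not None else None,
            headers={"X-Client-ID": client_id, "X-Client-Secret": client_secret,
                     "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read() or b"{}")
    return call


def mfa_login(user_ref, call, max_wait=60.0, interval=2.0,
              sleep=time.sleep, clock=time.monotonic):
    """Return True only when the session this call created is explicitly approved."""
    sent = call("POST", "/mfa/send", {"user_ref": user_ref})
    session_id = sent.get("session_id")
    if not session_id:
        return False  # no session, no login
    path_id = urllib.parse.quote(str(session_id), safe="")
    deadline = clock() + max_wait  # local cap, independent of the server's expires_at
    while clock() < deadline:
        # Assumption: the status response carries a "status" field, as the webhook does.
        status = call("GET", "/mfa/status/" + path_id).get("status")
        if status == "approved":
            return True
        if status != "pending":
            return False  # denied, expired, failed, cancelled, or any unknown value
        sleep(interval)
    call("DELETE", "/mfa/cancel/" + path_id)  # do not leave a live prompt behind
    return False
```

Pass make_transport(client_id, client_secret) as call, with the credentials loaded from server-side secret storage. An exception raised by the transport propagates, so the login handler must treat it as a failed login.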

Webhooks

When configured, MYPASS POSTs to your webhook_url. Event mfa.response is sent when the user approves or denies. Optional HMAC signature in header X-MYPASS-Signature.

{
  "event": "mfa.response",
  "session_id": "uuid",
  "session_ref": "txn_9988",
  "status": "approved",
  "responded_at": "2026-03-13T10:44:12Z"
}

Device Enrollment (QR Flow)

Admin creates a one-time registration token. User scans QR with MyPass Elite. No API key required for enrollment.

  • GET /devices/enrollment/:token — Get challenge type and user info
  • POST /devices/verify-enrollment — Verify email OTP or TOTP (if challenge)
  • POST /devices/resend-otp — Resend OTP email
  • POST /devices/complete-enrollment — Register device with token, device_token, platform, device_name

APN Configuration

In the tenant portal (Dashboard → APN Config), configure your APN settings. Use Platform mode to deliver push via MYPASS Elite app, or Tenant mode with your own APNs .p8 key for a branded app. Device tokens are stored and used for push delivery; iOS uses APNs, Android uses FCM.

Ready to integrate?

Sign up for a free account to get your Client ID and Client Secret.