Skip to content

docs: Document requires_totp_mfa JWT claim#1281

Open
promptless[bot] wants to merge 1 commit intodevfrom
promptless/document-requires-totp-mfa-jwt-claim
Open

docs: Document requires_totp_mfa JWT claim#1281
promptless[bot] wants to merge 1 commit intodevfrom
promptless/document-requires-totp-mfa-jwt-claim

Conversation

@promptless
Copy link
Copy Markdown
Contributor

@promptless promptless bot commented Mar 23, 2026

Open this suggestion in Promptless to view citations and reasoning process

Adds documentation for the new requires_totp_mfa claim in the JWT Tokens guide. The commit added this field to the example JWT payload but didn't include a description in the "Stack Auth Specific Claims" section. This claim indicates whether the user has TOTP multi-factor authentication enabled.

Trigger Events

stack-auth/stack-auth commit (dev): c8b5168 Add requires_totp_mfa to JWT

Promptless Research (1 webpage)

Agent Response

I've completed my analysis and documentation update for commit c8b5168.

Summary

The commit added a new requires_totp_mfa boolean field to the JWT access token payload. The code change included updating the example JWT in the documentation (jwt.mdx), but the "Stack Auth Specific Claims" section was missing a description explaining what this field means.

Documentation Update

I created a suggestion that adds the missing description for requires_totp_mfa to the Stack Auth Specific Claims section in the JWT documentation:

Before:

- **`refresh_token_id`**: ID of the associated refresh token
- **`role`**: Always set to `authenticated` for valid users

After:

- **`refresh_token_id`**: ID of the associated refresh token
- **`requires_totp_mfa`**: Whether the user has TOTP multi-factor authentication enabled
- **`role`**: Always set to `authenticated` for valid users

This ensures users reading the JWT documentation understand what the requires_totp_mfa claim represents when they see it in their tokens. The description follows the same style as existing claim descriptions in the document.

Tip: Request one-off documentation tasks in the Dashboard under New Task 🚀

promptless[bot]
promptless bot commented Mar 23, 2026
View reviewed changes
docs/content/docs/(guides)/concepts/jwt.mdx
- **`project_id`**: Your Stack Auth project ID
- **`branch_id`**: The project branch (currently always `main`)
- **`refresh_token_id`**: ID of the associated refresh token
- **`requires_totp_mfa`**: Whether the user has TOTP multi-factor authentication enabled
Copy link
Copy Markdown
Contributor Author

@promptless promptless bot Mar 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Citation: Based on commit c8b5168 "Add requires_totp_mfa to JWT". The commit added requires_totp_mfa to tokens.tsx, schema-fields.ts, and the example JWT in jwt.mdx, but didn't add a description in the Stack Auth Specific Claims section. The field indicates whether the user has TOTP MFA enabled, as shown in the e2e tests in access-token-refresh.test.ts.
View source

@vercel
Copy link
Copy Markdown

vercel bot commented Mar 23, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
stack-auth-hosted-components Ready Ready Preview, Comment Mar 23, 2026 3:11pm
stack-backend Ready Ready Preview, Comment Mar 23, 2026 3:11pm
stack-dashboard Ready Ready Preview, Comment Mar 23, 2026 3:11pm
stack-demo Ready Ready Preview, Comment Mar 23, 2026 3:11pm
stack-docs Ready Ready Preview, Comment Mar 23, 2026 3:11pm

@CLAassistant
Copy link
Copy Markdown

CLAassistant commented Mar 23, 2026

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps bot commented Mar 23, 2026

Greptile Summary

This PR fills a documentation gap by adding the missing requires_totp_mfa claim to the "Stack Auth Specific Claims" section of the JWT Tokens guide, aligning the prose descriptions with the example payload that already included the field.

  • The new entry is correctly placed (between refresh_token_id and role, matching the example payload order) and follows the existing description style.
  • The description "Whether the user has TOTP multi-factor authentication enabled" is slightly less precise than the internal OpenAPI spec (packages/stack-shared/src/interface/crud/users.ts) which reads "Whether the user is required to use TOTP MFA to sign in" — the claim name, its Prisma field (requiresTotpMfa), and its SDK mapping to isMultiFactorRequired all favor "required to use" semantics over "has enabled."

Confidence Score: 5/5

  • This is a documentation-only change with no runtime impact; safe to merge.
  • Single-line docs addition to a .mdx file with no code changes. The only note is a minor wording imprecision ("has TOTP enabled" vs. "required to use TOTP MFA to sign in"), which is a non-blocking P2 suggestion. No correctness, security, or runtime concerns.
  • No files require special attention.

Important Files Changed

Filename Overview
docs/content/docs/(guides)/concepts/jwt.mdx Adds missing requires_totp_mfa claim description to the Stack Auth Specific Claims section; the wording "has TOTP MFA enabled" slightly diverges from the internal OpenAPI description "required to use TOTP MFA to sign in."

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[User Signs In] --> B{Has TOTP MFA\nrequired?}
    B -- No --> C[Issue JWT\nrequires_totp_mfa: false]
    B -- Yes --> D[Issue partial JWT\nrequires_totp_mfa: true]
    D --> E[Redirect to\nTOTP verification step]
    E --> F{TOTP\nverified?}
    F -- Yes --> G[Issue full JWT\nrequires_totp_mfa: true]
    F -- No --> H[Auth rejected]
    C --> I[Access granted]
    G --> I
Loading

Reviews (1): Last reviewed commit: "Document requires_totp_mfa JWT claim" | Re-trigger Greptile

greptile-apps[bot]
greptile-apps bot reviewed Mar 23, 2026
View reviewed changes
docs/content/docs/(guides)/concepts/jwt.mdx
- **`project_id`**: Your Stack Auth project ID
- **`branch_id`**: The project branch (currently always `main`)
- **`refresh_token_id`**: ID of the associated refresh token
- **`requires_totp_mfa`**: Whether the user has TOTP multi-factor authentication enabled
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps bot Mar 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Description diverges from internal OpenAPI spec

The added description says "Whether the user has TOTP multi-factor authentication enabled," but the internal OpenAPI spec in packages/stack-shared/src/interface/crud/users.ts describes this field as "Whether the user is required to use TOTP MFA to sign in". These are subtly different: a user could have TOTP configured without it being required at sign-in, or an admin could enforce MFA on users who already have TOTP set up. The claim name itself (requires_totp_mfa) and its SDK mapping to isMultiFactorRequired both reinforce the "required to use" semantics rather than simply "has enabled."

Consider aligning the docs with the existing internal description:

Suggested change
- **`requires_totp_mfa`**: Whether the user has TOTP multi-factor authentication enabled
- **`requires_totp_mfa`**: Whether the user is required to use TOTP MFA to sign in

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

@promptless promptless[bot]

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@CLAassistant