Generate a secondary step-up token

Hi all,

I have the following use case:

a user logs in, gets a token and calls some apis.
He wants to perform an api call which more critical. I want to make sure that a MFA challenge was performed in the last 5 mins.
I would like keycloak to issue a secondary token with a specific scope “step-up” valid for a few minutes.
Is this possible?