Is there a way for a user to remove an optional OTP that was configured?

My app allows optional OTP credentials.
We allow users to configure it by rendering this URL in our internal user management portal - http://<keycloak>/realms/<realm>/protocol/openid-connect/auth?[...]&kc_action=CONFIGURE_TOTP
So users can configure it, but it's not a required action.

I want to give users the ability to disable/delete OTP after adding it. We don’t want to expose the user account portal to end users.

Is there a way to do this? I see that in the old version of the user account management console there was a file named 'totp.ftl' that served this purpose, but it has been removed in the newer version.

This is possible through the account API using the user's access token in the Authorization header as a bearer token. Unfortunately this API is not documented.
The easiest way to find out the exact endpoint is to open the account console in the browser, open the browser's developer console, go to the Network tab and see which request is sent when clicking the button to remove OTP.

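A worked version of the approach in the answer above, added here as an example and not code from Keycloak or from any poster in this thread. It assumes the Account REST API paths that the account console itself calls, `GET /realms/{realm}/account/credentials` to list the user's credentials and `DELETE /realms/{realm}/account/credentials/{credentialId}` to remove one, with the user's own access token sent as a bearer token; the base URL, realm name, credential IDs and the JSON sample are constructed for illustration. The script separates the pure parts (picking the OTP credential IDs out of the listing, building the requests) from the network call so it can be checked offline.

```python
"""Remove a user's OTP credential through the Keycloak Account REST API.

Added example, not Keycloak's or the original poster's code.
Assumed endpoints (what the account console calls in the browser):
    GET    {base}/realms/{realm}/account/credentials
    DELETE {base}/realms/{realm}/account/credentials/{credentialId}
The token is the end user's own access token; the endpoint acts on the
token subject, so no admin privileges are involved.
"""
import json
import urllib.request
from typing import Callable, List

# Constructed sample of the listing response (assumed shape: one entry per
# credential type, each with userCredentialMetadatas holding the instances).
SAMPLE_CREDENTIALS_RESPONSE = json.dumps([
    {
        "type": "password",
        "category": "basic-authentication",
        "userCredentialMetadatas": [
            {"credential": {"id": "11111111-1111-4111-8111-111111111111",
                            "type": "password"}}
        ],
    },
    {
        "type": "otp",
        "category": "two-factor",
        "userCredentialMetadatas": [
            {"credential": {"id": "aa11bb22-0000-4000-8000-000000000001",
                            "type": "otp", "userLabel": "Phone"}}
        ],
    },
])


def otp_credential_ids(credentials_json: str) -> List[str]:
    """Return the IDs of all OTP credentials in a listing response."""
    ids = []
    for cred_type in json.loads(credentials_json):
        if cred_type.get("type") != "otp":
            continue
        for meta in cred_type.get("userCredentialMetadatas", []):
            cred_id = meta.get("credential", {}).get("id")
            if cred_id:
                ids.append(cred_id)
    return ids


def _account_url(base_url: str, realm: str, suffix: str = "") -> str:
    return f"{base_url.rstrip('/')}/realms/{realm}/account/credentials{suffix}"


def list_request(base_url: str, realm: str, access_token: str) -> urllib.request.Request:
    """GET request for the user's credential listing."""
    req = urllib.request.Request(_account_url(base_url, realm), method="GET")
    req.add_header("Authorization", f"Bearer {access_token}")
    req.add_header("Accept", "application/json")
    return req


def delete_request(base_url: str, realm: str, credential_id: str,
                   access_token: str) -> urllib.request.Request:
    """DELETE request for one credential owned by the token subject."""
    req = urllib.request.Request(
        _account_url(base_url, realm, f"/{credential_id}"), method="DELETE")
    req.add_header("Authorization", f"Bearer {access_token}")
    return req


def remove_otp(base_url: str, realm: str, access_token: str,
               opener: Callable = urllib.request.urlopen) -> List[str]:
    """List the user's credentials, delete every OTP one, return deleted IDs.

    `opener` is injectable so the flow can be exercised without a server.
    """
    with opener(list_request(base_url, realm, access_token)) as resp:
        body = resp.read().decode("utf-8")
    deleted = []
    for cred_id in otp_credential_ids(body):
        with opener(delete_request(base_url, realm, cred_id, access_token)) as resp:
            # Keycloak answers 204 on success; anything else is a failure.
            if resp.status != 204:
                raise RuntimeError(f"delete of {cred_id} returned {resp.status}")
        deleted.append(cred_id)
    return deleted


if __name__ == "__main__":
    # Fill in a real server, realm and a user's access token to run it live.
    print(otp_credential_ids(SAMPLE_CREDENTIALS_RESPONSE))
```

Because the listing is keyed by credential type, a user with several OTP devices gets all of them removed; drop the loop if you want to delete only the one the user picked. Use the token the user actually logged in with (for example the one your portal already holds), since the endpoint resolves the user from the token's subject and a service account or admin token would not address the right user.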

I wrote an OpenAPI file for the undocumented Account API. The method you're looking for is here: OpenAPI specification for Keycloak account API · GitHub
