MFA using Xano - need to get the actual response from the login endpoint

Hi everyone,

I’m trying to set up MFA authentication. I have the logic pretty clear, but unfortunately it’s not working as I was expecting.

I created a login endpoint in Xano and I set up that login endpoint in the auth plugin in WeWeb.

My login endpoint in Xano was supposed to have 4 inputs:

user/password - challenge id / otp

The logic I planned to use was the following:

  • If the user/password is correct, and MFA is not enabled for the user, I’d automatically execute the login.
  • If the user/password is correct, and MFA is enabled for the user, the login endpoint provides the challenge id and sends the OTP to the user.
  • Then the login is executed again with the challenge id and the otp. If everything is correct, the user is logged in.

The problem I found: when I first execute the login, if the value I send back is the challenge id instead of the auth token, I get an error (expected) BUT I can’t see anywhere the actual API response.

The alternative is setting up two endpoints, one with the logic and another one with the actual login, but that involves sending the user+password two times to Xano which is far from ideal from a security perspective.

I’ve tried sending back the challenge id enclosed as an “auth token”, but even if I do that I can’t retrieve the value. I see it on the debugger but I can’t put it on a variable.

Any thoughts?

Thank you!

Hi @garcilaso :waving_hand:

Can you show us the workflow you’re working with and what you see?

You should be able to see the API response in the logs:

And also in the workflow tab under the relevant action:

In the screenshot above it’s in the error branch of action 1 but that will vary if the API doesn’t return an error.

Does that help?

Hi @Joyce, thank you for your reply!

The problem was that my login endpoint wasn’t returning an error. The endpoint was delivering the right information. However, when it was processed by WeWeb, I got an error (because it was a login endpoint and it was impossible to log the user in with the given response (the challenge_id instead of the appropriate auth token)). That’s the reason why you can’t see the error in the workflow, and you can’t see the API response either.

I have taken a different approach and this one is working great: instead of returning the challenge_id as an actual API response, I’m returning it as an error in a Xano pre-condition. With that, I can pick it up in the workflow and work with it.

I have the solution up and running great now, with just one api endpoint :grin:


Very cool! Thanks a lot for taking the time to share the solution on here as well :grinning_face: