Update my 2FA preferences
Lets the account owner configure its own 2FA. You can always harden (enable actions, move to a stronger channel: totp > email > sms/whatsapp) but never go below the organization floor. Weakening (disabling an active action or lowering the channel) requires an X-OTP-Token for the security_settings action. Choosing channel:totp requires the authenticator app already enrolled. Enabling 2FA for the login action over a phone channel (sms/whatsapp) requires the account phone number to be verified first (complete any SMS/WhatsApp OTP challenge); otherwise the request is rejected with 409 phone_verification_required — this prevents locking yourself out with a mistyped number.
Authorizations
Session JWT (from register/login) or API key (pk_...).
X-API-Key: <token> is accepted as an alternative header.
Headers
Body
login, payout, crypto_withdrawal, transfer, banking_operation, card_reveal, api_key_create, member_add, phone_change, password_change, email_change, security_settings sms, whatsapp, email, totp Response
Updated effective policy.