> ## Documentation Index
> Fetch the complete documentation index at: https://docs.scute.io/llms.txt
> Use this file to discover all available pages before exploring further.

# March 2026

> MFA everywhere, email OTP, fuzzy search

# March 2026

***

## API

### MFA now works across all login methods

Previously, multi-factor authentication only kicked in through the challenge-based flow. Now it works everywhere,  magic links, OTP, WebAuthn, all of it.

If a user has MFA enrolled and your app requires it, they'll get an `mfa_required` response instead of tokens, regardless of how they signed in.

WebAuthn logins skip MFA by default (it's already two factors,  your device and your face), but you can turn that off per app if you're feeling strict.

### Email OTP

The OTP endpoint used to be phone-only. Now it handles email too.

Set `email_auth_type` to `"otp"` on your app and the same `/auth/:app_id/otps` endpoint accepts email addresses. It figures out what you sent it and does the right thing.

### User search got smarter

The users endpoint now supports a `?q=` parameter. It does fuzzy matching across email, phone, and name using PostgreSQL's `pg_trgm` extension. Results come back ranked by relevance.

No more exact-match-only filtering.

### Verifications API — new actions

Two new endpoints:

* `DELETE /v1/verify/:app_id/verifications/:id` — cancel a verification
* `POST /v1/verify/:app_id/verifications/:id/resend` — resend it (cancels the old one, creates a fresh one with the same params)

The create endpoint also now accepts full challenge params directly (`purpose`, `method`, `intent`, etc.) alongside the legacy format.

### MFA status endpoint

New endpoint for the dashboard:

```
GET /v1/verify/:app_id/users/:user_id/mfa
```

Returns a user's MFA enrollments, which methods they have, backup codes remaining, everything you need to show on a user detail page.

### Rails 7.1

Upgraded from 7.0 to 7.1. Nothing breaks, everything's a little faster.

***

## Dashboard

### Auth settings redesign

The authentication settings page got a full rework. You can now see a visual preview of your login flow, step by step, that updates as you change settings.

New options in the settings panel:

* **Email auth type** — switch between magic link and OTP
* **MFA policy** — disabled, optional, or required
* **Allowed MFA methods** — pick from TOTP, passkeys, email OTP, SMS OTP, backup codes
* **WebAuthn skip MFA** — toggle whether passkey logins bypass MFA
* **MFA grace period** — give users time to set up MFA after you enable it

### Challenges page

"User Verification" in the nav is now "Challenges", because that's what they are.

New full page for browsing, filtering, and creating challenges. You can filter by purpose, method, and status. Each challenge opens in a detail sheet with the full timeline and metadata.

You can also create challenges directly from the dashboard now, with a dialog that supports all challenge types and purposes.

### MFA verify screen

New MFA verification UI in the login flow. Shows a 6-digit code input (or 8-digit for backup codes), lets users switch between available MFA methods, and handles TOTP / email / SMS / backup codes.
