Authenticator

Each agent identity can have one authenticator app — a virtual TOTP/HOTP device that lets your agent complete MFA challenges autonomously. You add accounts from otpauth:// URIs (the same URIs encoded in QR codes), and generate one-time passwords on demand.

Create an authenticator app for an identity, then add accounts. Each account corresponds to a single OTP credential — the kind of entry you'd normally scan a QR code to create in Google Authenticator or Authy.

Once an account is set up, generate one-time passwords whenever your agent needs to complete an MFA challenge. For TOTP accounts, valid_for_seconds tells you how long the code is valid.

List all accounts in the authenticator, update their labels, or delete them when they're no longer needed.

Unlinking detaches the authenticator app from the identity but does not delete it — the app remains available for reassignment. To fully clean up, delete the app after unlinking. Deleting an app also deletes all its accounts.

To reassign an existing app to a different identity:

Most authenticator operations go through the identity, but you can also manage apps at the organization level — listing all apps across identities, fetching a specific app, or deleting one directly.