How can I solve this error 400#too_many_unverified_factors?

Hi Everyone!

We’re currently testing OTP via SMS in a real scenario using the /v1/otps/sms/send endpoint in our test environment.

We’ve been using the same phone number repeatedly during testing, and it was working fine initially. However, we’ve now started receiving the following error:

{
  "status_code": 400,
  "error_type": "too_many_unverified_factors",
  "error_message": "We were unable to create a new auth factor. This user already has too many unverified factors."
}

What’s unexpected is that even when we try with different users, we continue to receive the same error.

Could you help us understand:

  • What triggers this limit exactly?
  • Is it tied to the phone number, the user, or both?
  • How can we clear or reset these unverified factors for testing purposes?

We’re also concerned about this behavior potentially affecting production, so any guidance or best practices would be greatly appreciated.

Thanks in advance!

Hey @Dieison_Moura!

This error gets thrown whenever you try to add an auth factor to a User that already has an unverified factor; calling Send SMS OTP will attempt to add the phone number to the User.

In this case, it looks like this Test User already has an unverified email address associated with it, so we prevent you from adding a new auth factor for security reasons.
This isn’t specific to the type of auth factor, and is tied to the User/user_id.

Depending on the authentication flows you want to support in your app (i.e. Do you want to have users being able to potentially have both an email and phone number? Do you need to support MFA? etc.), you could either:

  • Verify the email by sending an email magic link or email OTP
  • If you don’t need the email as an auth factor to test your flows, exchange it for a phone number, then call send SMS OTP

Please let us know if you have any questions!
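A pre-flight check for the rule described in the reply above, as an added example that is not part of the original thread and is not the vendor's code. It assumes a user record with `emails` and `phone_numbers` lists whose entries carry a `verified` flag; the function names and sample values are hypothetical and constructed for illustration.

```python
import json

# Constructed sample user, shaped like the user record this example assumes:
# "emails" and "phone_numbers" lists whose entries carry a "verified" flag.
SAMPLE_USER = {
    "user_id": "user-test-EXAMPLE",
    "emails": [{"email": "tester@example.com", "verified": False}],
    "phone_numbers": [],
}

# The error body quoted in the question above.
SAMPLE_ERROR = json.dumps({
    "status_code": 400,
    "error_type": "too_many_unverified_factors",
    "error_message": "We were unable to create a new auth factor. "
                     "This user already has too many unverified factors.",
})


def is_unverified_factor_error(body: str) -> bool:
    """True if an API response body is the error discussed in this thread."""
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return (isinstance(data, dict)
            and data.get("status_code") == 400
            and data.get("error_type") == "too_many_unverified_factors")


def unverified_factors(user: dict) -> list:
    """List (kind, value) for every factor on the user not yet verified."""
    found = []
    for kind, key, field in (("email", "emails", "email"),
                             ("phone", "phone_numbers", "phone_number")):
        for item in user.get(key, []):
            if not item.get("verified", False):
                found.append((kind, item.get(field)))
    return found


def sms_otp_preflight(user: dict, phone_number: str) -> dict:
    """Decide whether sending an SMS OTP would add a new factor and be refused."""
    known = {p.get("phone_number") for p in user.get("phone_numbers", [])}
    blocking = unverified_factors(user)
    # Assumption: only adding a *new* factor is refused; a number already on the user adds nothing.
    if phone_number in known or not blocking:
        return {"send": True, "blocking": []}
    return {"send": False, "blocking": blocking}
```

When `send` is false, the `blocking` list names the factors to verify or replace before the SMS OTP call, which are the two options listed in the reply.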