Two factor authentication

OAuth2 authentication requires two factor authentication when debiting funds with the wallet:transactions:send scope. When 2FA is required, the API will respond with a 402 status and two_factor_required error. To successfully complete the request, you must make the same request again with the user's 2FA token in the CB-2FA-TOKEN header together with the current access token.

Here's a step by step example:

1. User is sending funds and the app calls POST api.coinbase.com/v2/accounts/primary/transactions
2. Server responds with 402 and sends the user a 2FA token via SMS if he doesn't have Authy installed
3. App re-plays the request from step 1 with exactly same parameters and the 2FA token in the CB-2FA-TOKEN header
4. Transaction is sent and 201 CREATED status code is returned

Keep in mind that 2FA tokens expire quickly, so you'll need to re-try the request after the user supplies his token. Two factor authentication affects only users who have 2FA enabled in their user settings. Depending on the user's settings, the token will be delivered via SMS or the user must obtain the 2FA token from his Authy application.