Mideye Authentication API

MFA in one API call.

Second-factor authentication as a REST API: send a phone number, get back an approval. Mideye delivers the challenge as a Mideye+ push or an SMS magic link, no server installation, no user directory, nothing to host.

How it works

Three steps. Seconds end to end.

Perfect for SaaS applications and API-driven authentication: your application keeps its own login, Mideye adds the second factor.

1

Your app calls the API

One authenticated request with the user's phone number. Run it synchronously for a single blocking call, or asynchronously and follow the result by polling or a live Server-Sent Events stream.

2

The user approves

Users with the Mideye+ app get an instant push prompt. Everyone else receives an SMS magic link, the fallback is automatic, no logic needed on your side.

3

Your app gets the result

A clear final status, accepted, rejected, or timeout, plus which channel delivered it, so you always know how the user approved.

Features

Built for developers, hardened for production.

Smart delivery

Push first, SMS magic link as automatic fallback, but never an unwanted SMS: a user timeout or explicit reject ends the flow instead of triggering a fallback message.

Sync, async, or streaming

Block on a single call, poll a result URL, or subscribe to a Server-Sent Events stream for live status updates, whichever fits your architecture.

White-label prompts

Customize the push title, prompt text, button labels, and SMS text per request. Your brand, your language, your wording.

Abuse protection built in

Per-number rate limiting with sliding windows keeps OTP spam and prompt bombing off your users' phones. OAuth 2.0 client-credentials security on every call.

Hardware tokens too: a separate verify endpoint validates OATH, YubiKey, and HID one-time passwords for users without phones.

Data residency

European infrastructure, Swedish company.

Your users' data stays in the EU/EEA.

The cloud service runs on Nordic hosting with Nordic enterprises. User phone numbers and authentication logs stay in the EU/EEA, designed for GDPR compliance requirements.

Hosted in the Nordics

Data processed and stored in the Nordic countries.

EU/EEA infrastructure

Mideye infrastructure within the EU/EEA.

Swedish company

Mideye AB, headquartered in Stockholm since 1999.

Use cases

Wherever a yes/no from a human matters.

Step-up authentication

Require a second factor for sensitive operations, changing account details, large transfers, admin actions, without re-architecting your login.

Transaction verification

Confirm payments and orders with a push prompt that shows exactly what the user is approving.

Document signing

A recorded approval from the signer's own phone as part of your signing flow.

Customer portals

Add MFA to customer-facing logins where you know a phone number but manage no directory.

The same API powers the Mideye Credential Provider for Windows logon, and our upcoming Entra ID external MFA and Keycloak integrations, both in beta.

Interface

A request you can read at a glance.

FieldRequiredDescription
msisdnYesPhone number in international format (e.g., +46701234567)
timeoutNoHow long to wait for the user, 10–60 seconds (default: 30)
display.titleNoPush notification title
display.authenticationTextNoMain text shown in the approval prompt
display.smsTextNoCustom SMS message text
display.buttonAcceptText / display.buttonRejectTextNoCustom button labels
accepted

User approved

rejected

User rejected

timeout

No response in time

pending

Awaiting the user (async)

Every final result also reports the channel that delivered it, app push or SMS magic link.

Ready to add MFA to your app?

Get API credentials and integration support from our engineers, most teams make their first successful call the same day.