Overview
The Require MFA on CLI API option enforces Multi-Factor Authentication when executing JetBackup API commands via the CLI.
When enabled, any CLI API request must be authenticated using a valid MFA token, adding an extra layer of security beyond standard user permissions.
This applies primarily to the user executing the CLI commands, typically the root user.
Prerequisites
Before enabling Require MFA on CLI API, the following conditions must be met:
-
MFA must be enabled on the server
-
MFA must be configured for the user running the CLI API commands
-
In most environments, this is the
rootuser
-
-
The user must complete the MFA activation process (via GUI or CLI, depending on the control panel)
If MFA is not enabled for the executing user, CLI API calls will fail once this option is enabled.
Enabling Require MFA on CLI API
-
Navigate to:
JetBackup 5 → Settings → Privacy & Security → Multi Factor Authentication
-
Enable the following options as needed:
-
MFA Enabled: Yes
-
Require MFA on CLI API: Yes
-
-
Save the changes
Once enabled, all CLI API calls will require MFA verification.
CLI Behavior After Enabling MFA Requirement
Attempting a CLI API Call Without MFA
If an API call is executed without an MFA token, JetBackup will return an error:
Response:
This indicates that MFA enforcement is active and a valid token must be provided.
Verifying MFA and Retrieving a Token
To authenticate CLI access, you must verify an MFA code and retrieve a temporary token.
Step 1: Verify MFA Code
Run the following command using a valid 6-digit code from your Authenticator app:
Response:
The returned token is required for subsequent CLI API calls.
Step 2: Execute CLI API Calls With MFA Token
Include the token using the -T option:
Once authenticated, the command will execute successfully.
Token Notes
-
MFA tokens are temporary
-
When a token expires, you must re-run
verifyMFACode -
All custom scripts, cron jobs, and hooks using the CLI API must be updated to handle MFA tokens
Important Considerations
-
Enabling Require MFA on CLI API without configuring MFA for the executing user will block all CLI API access
-
Automation scripts must be updated to:
-
Prompt for MFA verification
-
Cache and refresh tokens as needed
-
-
Recovery codes should be stored securely and treated as sensitive credentials
Summary
The Require MFA on CLI API feature significantly improves security by enforcing MFA on all CLI-based API interactions.
Proper configuration is essential, especially in environments like DirectAdmin where MFA must be initialized via the CLI.
If you rely on automation or custom integrations, ensure they are updated before enabling this option to avoid service disruption.
DirectAdmin: Configuring MFA via CLI (No GUI Access for Root)
In DirectAdmin environments, the panel login is typically performed using the admin user, not root.
As a result, there is no GUI option to configure MFA for the root account.
In these cases, MFA must be configured entirely via the CLI.
Step 1: Enable MFA for Root
Login to your DirectAdmin Server Terminal as root and execute the following command:
This enables MFA for the root account.
Step 2: Retrieve MFA Secret and Recovery Code
This command returns:
-
Secret key – used to manually add MFA to an Authenticator app
-
Recovery code – must be stored securely for account recovery
Step 3: Add MFA to Authenticator App
Manually add a new account in your Authenticator app using the provided secret.
Step 4: Verify MFA for the First Time
Where CODE is the current 6-digit MFA code.
This command returns an MFA token.
Step 5: Use the Token for All CLI API Calls
From this point forward, every CLI API command must include the -T option.
