# Create AAL2 Challenge

> Issues a fresh multifactor challenge for a verified user.

Returns a single-use URL where the user authenticates with their enrolled authenticator. After the
user satisfies the challenge, they're redirected to your `redirectUrl` with
`?aal2SessionId=aal2_...&status=verified` appended. Pass the `aal2SessionId` on subsequent
IAS-purposed queries via the `x-aal2-session` header.

## Body

<ParamField body="proofedIdentityId" type="string" required>
  The verified identity to challenge. Must be in `active` status.
</ParamField>

<ParamField body="redirectUrl" type="string" required>
  HTTPS URL on your account's allowlist.
</ParamField>

## Response

<ResponseField name="challengeId" type="string" required>
  Unique identifier for this AAL2 challenge.
</ResponseField>

<ResponseField name="challengeUrl" type="string" required>
  Single-use URL for the user to complete the challenge.
</ResponseField>

<ResponseField name="expiresAt" type="string" required>
  ISO-8601 timestamp when the challenge URL expires.
</ResponseField>

<ResponseField name="method" type="string" required>
  How the user will complete the challenge: `totp` is a time-based one-time password from an
  authenticator app (e.g. Google Authenticator, 1Password). `webauthn` is a Web Authentication
  challenge in the browser (passkey or security key).
</ResponseField>

```json Response theme={null}
{
  "challengeId": "aalc_018f7c40...",
  "challengeUrl": "https://auth.ias.metriport.com/aal2/eyJhbGc...",
  "expiresAt": "2026-04-29T14:42:00.000Z",
  "method": "totp"
}
```
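
The following is an added example, not Metriport's code, of handling this flow on your server: it checks the challenge response before redirecting the user, then validates the browser-supplied callback query before copying `aal2SessionId` into the `x-aal2-session` header. The function names and the session-id character set are assumptions; the page documents only the `aal2_` prefix.

```javascript
// Added example. Everything on the callback URL is supplied by the user's
// browser, so it is validated before it is placed into an HTTP header.
// ASSUMPTION: session ids are "aal2_" followed by URL-safe characters.
const SESSION_ID_RE = /^aal2_[A-Za-z0-9_-]{1,256}$/;

// Check a Create AAL2 Challenge response before redirecting the user to it.
function checkChallenge(challenge, now = new Date()) {
  const url = new URL(challenge.challengeUrl); // throws on malformed input
  if (url.protocol !== "https:") throw new Error("challengeUrl is not HTTPS");
  const expires = new Date(challenge.expiresAt);
  if (Number.isNaN(expires.getTime())) throw new Error("expiresAt is not a timestamp");
  if (expires <= now) throw new Error("challenge URL already expired");
  return url.toString();
}

// Parse the redirect back to your redirectUrl and build the header for
// subsequent queries. Rejects anything other than a single verified result.
function parseAal2Callback(callbackUrl, redirectUrl) {
  const got = new URL(callbackUrl);
  const want = new URL(redirectUrl);
  if (got.origin !== want.origin || got.pathname !== want.pathname) {
    throw new Error("callback did not arrive on the registered redirectUrl");
  }
  // Duplicate parameters are rejected rather than silently picking one.
  const one = (name) => {
    const values = got.searchParams.getAll(name);
    if (values.length !== 1) throw new Error(`expected exactly one ${name}`);
    return values[0];
  };
  if (one("status") !== "verified") throw new Error("challenge not verified");
  const sessionId = one("aal2SessionId");
  // Strict format check also blocks CR/LF reaching the header value.
  if (!SESSION_ID_RE.test(sessionId)) throw new Error("malformed aal2SessionId");
  return { "x-aal2-session": sessionId };
}
```
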
