Send security answers
This endpoint allows an authenticated user to verify their location by answering their security questions.
This endpoint was the cause of the first NFA to FA exploit from early 2020.
Request
- Method:
POST
- Endpoint:
/user/security/location
- Full URL:
https://api.mojang.com/user/security/location
- Headers:
Authorization: Bearer [JWT/auth token here]
The POST body must be similar to:
[
{
"id": 123, // answer ID
"answer": "Never Gonna"
},
{
"id": 456, // answer ID
"answer": "Give You"
},
{
"id": 789, // answer ID
"answer": "Up"
}
]
Response
204: No Content
No response for this status code. You have successfully authorized your location / IP address.
400: Bad Request
When you get this response, most likely you've submitted the same answer ID and answer multiple times. This is what the old NFA to FA exploit was based off of.
{
"error" : "IllegalArgumentException",
"errorMessage" : "3 answers required to secure location"
}
403: Forbidden
When you get this response, one of the answers you submitted wasn't correct.
{
"error" : "ForbiddenOperationException",
"errorMessage" : "At least one answer was incorrect"
}