Registration token not removed when validated


I’m creating a simple web page where a user can configure some settings for his account that uses the REST API.

I’ve created a registration token for a user and I’m validating the token using the /validate/check API method.

The validation of the token works, but the token is not automatically removed after the first successful authentication. According to the "Registration Code Token — privacyIDEA 3.6 documentation", the token should be automatically removed after first use?

Should the removal of the token not happen automatically? Or should my custom application do that manually using the REST API after using the token?

I’m using privacyIDEA 3.6.

Update: when I look at the token in the admin interface, it seems the Count is not increased when I validate the token. Also, when I enter an incorrect value for the registration token, the failcount is not increased for this token.


I found my mistake. I had the otponly flag set to 1 in my validate/check call. I expected this to only validate the OTP (and not a password for a user), but it is used in the web UI to test tokens.
