Unenroll a factor

Permanently delete a previously enrolled MFA factor. After unenrolling, the factor no longer counts toward the user's AAL and cannot be challenged. To enforce MFA again, the user must enroll a new factor.

A live session is required — unenroll calls get_session internally and raises Supabase::Auth::Errors::AuthSessionMissing if the user is signed out.

Signature

supabase.auth.mfa.unenroll(params)

params is a hash. Pass it as a literal ({ factor_id: "..." }) or use Ruby's hash-literal shorthand (factor_id: "...").

Parameters

Name	Type	Required	Description
`factor_id`	String	Required	The ID of the factor to remove. Works for both verified and unverified factors.

Returns

Supabase::Auth::Types::AuthMFAUnenrollResponse

A Struct with :id — the ID of the factor that was removed (echoed back from GoTrue for confirmation).

Example — remove a verified TOTP factor

response = supabase.auth.mfa.unenroll(factor_id: factor_id)

response.id   # => "the-removed-factor-id"

Example — clean up a stuck unverified factor

# Find any unverified factor leftover from an abandoned enrollment and remove it.
factors = supabase.auth.mfa.list_factors
abandoned = factors.all.find { |f| f.status == "unverified" }

if abandoned
  supabase.auth.mfa.unenroll(factor_id: abandoned.id)
end

Example — handling errors

begin
  supabase.auth.mfa.unenroll(factor_id: factor_id)
rescue Supabase::Auth::Errors::AuthSessionMissing
  flash[:error] = "Please sign in again to manage your MFA factors."
rescue Supabase::Auth::Errors::AuthApiError => e
  # 404 if the factor doesn't exist, 403 if it belongs to another user, etc.
  flash[:error] = "Couldn't remove factor: #{e.message}"
end

Hits DELETE /factors/{factor_id} and returns only the deleted factor's ID. Removing the last verified factor downgrades the user's AAL on their next session refresh.