The MFA enrollment process detected a different IP address during verification. This security measure prevents unauthorized factor enrollment. Complete the entire enrollment flow from the same network to resolve it.
The mfa_ip_address_mismatch error occurs when a user starts the MFA enrollment process from one IP address and then attempts to complete (verify) it from a different IP address. Supabase enforces this security restriction because the MFA enrollment flow involves sensitive steps: generating a secret for TOTP or sending a verification code to a phone. Completing these steps from different IP addresses could indicate unauthorized access or an interception attack. The error message indicates that the IP addresses at enrollment start and verification completion must match.
Confirm that you are connecting from the same IP address when calling both enroll() and verify(). If you changed networks, connected to or disconnected from a VPN, or switched between WiFi and cellular, restart the entire enrollment process from your current network.
If your application cached the enrollment challenge or secret, clear it and start fresh. Call supabase.auth.mfa.enroll() again to generate a new challenge.
// Clear any cached enrollment data
sessionStorage.removeItem("mfa_challenge");
sessionStorage.removeItem("mfa_secret");
// Start enrollment fresh
const { data, error } = await supabase.auth.mfa.enroll({
  factorType: "totp"
});

Complete the entire enrollment flow without switching networks:
// 1. Start enrollment
const { data: enrolled, error: enrollError } = await supabase.auth.mfa.enroll({
  factorType: "totp"
});
if (enrollError) throw enrollError;
// 2. Display QR code and secret to user
console.log(enrolled.totp.qr_code);
// 3. User scans QR code and enters code
// 4. Create a challenge, then verify immediately from the SAME network
const { data: challenge, error: challengeError } = await supabase.auth.mfa.challenge({
  factorId: enrolled.id
});
if (challengeError) throw challengeError;
const { data: verified, error } = await supabase.auth.mfa.verify({
  factorId: enrolled.id,
  challengeId: challenge.id, // verify() needs the challenge being answered
  code: userEnteredCode // from authenticator app
});
if (!error) {
  console.log("MFA factor activated successfully");
}

If using a VPN, ensure it stays connected throughout the enrollment process. If the VPN is set to auto-disconnect on inactivity, disable that setting during enrollment. Alternatively, complete enrollment while on a stable home or office network without VPN.
If enrolling on mobile, avoid switching between WiFi and cellular networks. If you must use mobile data, keep the same connection type throughout the process. Test on a stable WiFi network first to confirm the enrollment works.
This IP-based check is a security feature in Supabase Auth to prevent man-in-the-middle attacks during MFA enrollment. The restriction applies to all factor types (TOTP, Phone). Some users report confusion when their mobile device switches networks automatically (e.g., WiFi to 4G), which can trigger this error. This is by design: Supabase cannot distinguish between a legitimate network change and an attack. If your application frequently enrolls users on mobile networks, consider documenting this behavior to users or implementing retry logic that guides them through re-enrollment if the IP address changes.
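The retry logic suggested above, as an added JavaScript example (not code from the original page or from Supabase). It assumes the auth error object exposes the error code as `error.code`; `enrollTotpWithRestart`, `promptUser` and `makeFakeMfa` are hypothetical names, and the fake client is a constructed stand-in for `supabase.auth.mfa`.

```javascript
// Added example: helper and fake-client names are hypothetical, not supabase-js APIs.
const IP_MISMATCH = "mfa_ip_address_mismatch";
// Enrolls a TOTP factor. If verification is rejected because the client IP
// changed, the unverified factor is removed and enrollment restarts with a
// fresh secret. `promptUser(totp)` shows the QR code and resolves with the code.
async function enrollTotpWithRestart(mfa, promptUser, maxAttempts = 2) {
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const { data: factor, error: enrollError } = await mfa.enroll({ factorType: "totp" });
    if (enrollError) return { ok: false, attempts: attempt, error: enrollError };
    const code = await promptUser(factor.totp);
    const { data: challenge, error: challengeError } =
      await mfa.challenge({ factorId: factor.id });
    const { error } = challengeError
      ? { error: challengeError }
      : await mfa.verify({ factorId: factor.id, challengeId: challenge.id, code });
    if (!error) return { ok: true, attempts: attempt, factorId: factor.id };
    // Other failures (for example a mistyped code) are left to the caller.
    if (error.code !== IP_MISMATCH) {
      return { ok: false, attempts: attempt, factorId: factor.id, error };
    }
    // The old secret belongs to the abandoned flow: remove it, then loop.
    await mfa.unenroll({ factorId: factor.id });
  }
  return { ok: false, attempts: maxAttempts, error: { code: IP_MISMATCH } };
}

// Constructed stand-in for supabase.auth.mfa: the first `failures` verify()
// calls fail as if the device had switched networks mid-enrollment.
function makeFakeMfa(failures = 1) {
  const calls = [];
  const ok = (data) => ({ data, error: null });
  let n = 0;
  return {
    calls,
    enroll: async () => {
      calls.push("enroll");
      return ok({ id: `factor-${++n}`, totp: { qr_code: "<svg/>", secret: "CONSTRUCTED" } });
    },
    challenge: async ({ factorId }) => ok({ id: `challenge-for-${factorId}` }),
    verify: async () =>
      n <= failures ? { data: null, error: { code: IP_MISMATCH } } : ok({}),
    unenroll: async ({ factorId }) => {
      calls.push(`unenroll:${factorId}`);
      return ok({ id: factorId });
    },
  };
}
```

In an application, pass `supabase.auth.mfa` as the first argument and a `promptUser` that renders `totp.qr_code` and waits for the user's code.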