Bug: TOTP MFA verify always returns user_invalid_token (Cloud 1.8.1, Frankfurt)
Project ID: 68dd48440003e537d849
SDK: appwrite@18.2.0 (also tested with 16.1.0)
createMfaAuthenticator({ type: 'totp' }) works and returns a valid secret/URI. Authenticator app generates codes fine. But updateMfaAuthenticator AND the challenge flow (createMfaChallenge → updateMfaChallenge) both always fail with 401 user_invalid_token.
This worked perfectly ~1 day ago with the same codebase. Then it stopped without any code changes. Tested with fresh accounts, incognito mode, different browsers, cleared cookies — same error every time.
I verified client-side with Web Crypto API that the OTP code is mathematically correct (SHA-1 matches the authenticator app). Also tried SHA-256/SHA-512 with ±30s time offsets — server rejects everything. Also tried direct fetch bypassing the SDK entirely, with and without X-Appwrite-Response-Format header — same result.
One thing I noticed: the returned secret is 64 bytes (103 base32 chars), which is way longer than the usual 20-byte TOTP secret. The URI has no algorithm parameter. It seems like the server might verify against a different secret or algorithm than what it returns.
Is this a known issue with Cloud 1.8.1? Any workaround?
Thanks!
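Added example (not part of the original post, and not Appwrite's code): a Node.js check that decodes the base32 secret from an otpauth URI and reports which HMAC hash and time-step offset reproduce a given code, the comparison the post describes doing by hand. The sample secret is the constructed 64-byte RFC 6238 test key, and all function names are illustrative.

```javascript
// Added diagnostic sketch, not Appwrite's code. Function names are illustrative.
const { createHmac } = require('node:crypto');

// RFC 4648 base32 decode; tolerates lowercase, spaces and missing '=' padding.
function base32Decode(text) {
  const alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
  const out = [];
  let bits = 0, value = 0;
  for (const ch of text.toUpperCase().replace(/[\s=]/g, '')) {
    const idx = alphabet.indexOf(ch);
    if (idx < 0) throw new Error(`invalid base32 character: ${ch}`);
    value = (value << 5) | idx;
    bits += 5;
    if (bits < 8) continue;
    bits -= 8;
    out.push(value >>> bits);
    value &= (1 << bits) - 1; // keep only the bits not yet emitted
  }
  return Buffer.from(out);
}

// RFC 4226 HOTP with a selectable HMAC hash (RFC 6238 allows SHA-1/256/512).
function hotp(key, counter, algorithm = 'sha1', digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = createHmac(algorithm, key).update(msg).digest();
  const bin = mac.readUInt32BE(mac[mac.length - 1] & 0x0f) & 0x7fffffff;
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// Try each hash over nearby time steps; absent URI fields use Key URI defaults (SHA1, 30 s).
function findMatches(uri, code, nowSeconds, window = 1) {
  const q = new URL(uri).searchParams;
  const key = base32Decode(q.get('secret') || '');
  const uriAlgorithm = (q.get('algorithm') || 'SHA1').toLowerCase();
  const step = Math.floor(nowSeconds / Number(q.get('period') || 30));
  const matches = [];
  for (const algorithm of ['sha1', 'sha256', 'sha512']) {
    for (let stepOffset = -window; stepOffset <= window; stepOffset++) {
      if (hotp(key, step + stepOffset, algorithm, code.length) !== code) continue;
      matches.push({ algorithm, stepOffset, uriDefault: algorithm === uriAlgorithm });
    }
  }
  return { keyBytes: key.length, matches };
}

// Constructed sample: the 64-byte RFC 6238 test key, 103 base32 chars unpadded.
const SAMPLE_URI = 'otpauth://totp/Example:user?issuer=Example&secret=' +
  'GEZDGNBVGY3TQOJQ'.repeat(6) + 'GEZDGNA';
console.log(findMatches(SAMPLE_URI, '693936', 59)); // T=59 s falls in time step 1
```

A match with `uriDefault: false` means the code was produced with a hash other than the one the URI implies, which is the mismatch to look for when an authenticator app and a verifier disagree.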