---

## TwoFactorManager
Self-service two-factor (TOTP) management: enrol with an
authenticator app, show one-time backup codes, and disable with a password
re-auth. Talks to `basePath` (default `/api/auth/account/2fa`); pair with the
server handlers `createTwoFactorSetupHandler`, `createTwoFactorEnableHandler`
and `createTwoFactorDisableHandler`. The core stays zero-dependency, so QR
rendering is delegated to the `qr` snippet — without it the otpauth URI +
Base32 secret are shown for manual entry.

**Import:** `import { TwoFactorManager } from '@urbicon-ui/auth';`

### Examples
```svelte
<TwoFactorManager {user} onEnabled={() => auth.checkStatus()}>
  {#snippet qr({ uri })}
    <MyQrCode value={uri} />
  {/snippet}
</TwoFactorManager>
```

### Api
| Prop | Type | Required | Default | Description |
| --- | --- | :---: | --- | --- |
| user | `AuthUser | null` | yes |  | The current authenticated user — its `totpEnabled` seeds the initial state and its `email` labels the otpauth entry. While `null` the panel renders nothing. Resolve `user` before mount, or remount with `{#key user?.id}…{/key}` to re-seed after an async load. |
| basePath | `string` | no | '/api/auth/account/2fa' | API base path for the 2FA account endpoints. |
| class | `string` | no |  | Extra classes on the root element. |
| csrf | `CsrfClientOptions` | no |  | CSRF cookie/header names — only needed when the server overrides the defaults via `config.csrf`. Mutating requests echo the token automatically. |
| fetcher | `typeof globalThis.fetch` | no |  | Custom fetch implementation for all API calls. Defaults to the global `fetch`. |
| onDisabled | `() => void` | no |  | Called after 2FA was disabled. |
| onEnabled | `() => void` | no |  | Called after 2FA was successfully enabled (e.g. refresh your auth store). |
| qr | `Snippet<[{ uri: string; secret: string }]>` | no |  | QR-code renderer for the otpauth URI shown during setup. Receives the `otpauth://` `uri` and the Base32 `secret`. Optional — the package ships no QR encoder (zero-dep), so without this snippet only the URI + secret are shown for manual entry. |
| slotClasses | `Partial<Record<'root' | 'title' | 'section' | 'sectionTitle' | 'field' | 'submit' | 'code' | 'backupCode', string>>` | no |  | Per-slot class overrides. |
| t | `AuthLocale` | no |  | Locale bundle. Auto-detected from i18n context when omitted. |
| unstyled | `boolean` | no |  | Strip all default styling. |

### Slots (slotClasses keys)
`root`, `title`, `section`, `sectionTitle`, `field`, `submit`, `code`, `backupCode`