Implementing MFA for website only


#1

I have a website where I want to implement MFA on, but I also have a web API that the user can access with the same account. Is it possible to only allow MFA from the website but not when coming from the API? Both the Web app and API are on the same domain.


#2

When you say a user accesses the API with the same account, what do you mean by that? What is the authorization mechanism for the API? You might consider using API Access Management for your API, if you're not already. Then, you'd provide an access token to your API using an Authorization header. That provides proof of authorization, but doesn't have anything to do with authentication and therefore MFA would not be involved for API access.


#3

The user creates an account in the website.
Now the user can access the website, or the web API with the account created.


#4

It’s not clear to me exactly what you mean by “Now the user can access … the web API with the account created”.

Do you have any code examples? Typically, when you interact with an API, you need to provide some sort of authorization to that API. This can be in the form of a custom HTTP header using an API token. Or, it can be an Authorization header using a variety of schemes. With OAuth2, the Authorization header value would be "Bearer " + . Bearer is the scheme in this case.
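As an added example (not from this thread or from Okta), the split described above in one enforcement point: API routes accept only an OAuth2 bearer access token and never prompt for MFA, while browser routes need a session whose recorded authentication methods (`amr`) include MFA. The token allow-list, session store, route prefix and `sid` cookie name are constructed assumptions; a real service would verify the token's signature, issuer and audience instead of a lookup.

```python
"""Added example: MFA enforced for web sessions, bearer tokens for the API.
Token and session stores below are constructed sample data, not real values."""
from dataclasses import dataclass
from typing import Optional

# Constructed: access tokens the API trusts, mapped to their subject.
VALID_ACCESS_TOKENS = {"tok-api-7f3a": "svc-user-42"}
# Constructed: browser sessions with the auth methods (amr) recorded at login.
SESSIONS = {
    "sess-web-1": {"sub": "user-42", "amr": ["pwd", "mfa"]},
    "sess-web-2": {"sub": "user-43", "amr": ["pwd"]},
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    subject: Optional[str] = None


def parse_authorization(header: Optional[str]) -> Optional[tuple]:
    """Split 'Scheme credentials'; None if the header is absent or malformed."""
    if not header or " " not in header.strip():
        return None
    scheme, _, credentials = header.strip().partition(" ")
    return scheme.lower(), credentials.strip()


def authorize(path: str, headers: dict, cookies: dict) -> Decision:
    """API routes: bearer token only, no MFA. Web routes: session with MFA."""
    if path.startswith("/api/"):  # assumed API prefix
        parsed = parse_authorization(headers.get("Authorization"))
        if parsed is None or parsed[0] != "bearer":
            return Decision(False, "api: missing or unsupported Authorization scheme")
        subject = VALID_ACCESS_TOKENS.get(parsed[1])
        if subject is None:
            return Decision(False, "api: unknown access token")
        # Authentication (and any MFA) happened when the token was issued.
        return Decision(True, "api: bearer token accepted", subject)
    session = SESSIONS.get(cookies.get("sid", ""))  # assumed cookie name
    if session is None:
        return Decision(False, "web: no valid session, redirect to login")
    if "mfa" not in session["amr"]:
        return Decision(False, "web: MFA step-up required", session["sub"])
    return Decision(True, "web: MFA-verified session", session["sub"])
```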


#5

I have decided to only call Okta from my website, and authenticate users using my service locally.

Thank you.