For this exercise, I am assuming:
Enroll authenticators
SMS or voice
One-time password (OTP)
Push
Email
Devices
GET /api/users/:id/devices
POST /api/users/:id/verifications/:verification_id>
DELETE /api/users/:user_id/devices/:device_id
(for acount recovery purposes)
POST /api/users/:user_id/mfa_token
POST /api/transfers
GET /api/transfers/:transfer_id
POST /api/transfers/:transfer_id
GET /api/transfers
id (String)
amount integer (in cents) REQUIRED
currency currency (ISO currency code) REQUIRED
destination (String) REQUIRED
description (String) optional
metadata hash optional
POST /api/transfers
GET /api/transfers/
GET /api/transfers/:transfer_id
Only non-mandatory fields might be updated
PUT /api/transfers/:transfer_id