api/openapi/rest.yaml shows that request_2fa_token has a "domain" parameter and gives "facebook.com" as an example of what to put in this parameter.

However, the code in internal/api/browser_extension/app/command/request_2fa_token.go makes it clear that what is expected in this parameter is a URL, not a domain, since it tries to parse the domain parameter as a URL and sets the requested site to an empty string if the parse fails.

There are thus two problems here. The first, which may be too hard to fix at this point, is that you called the parameter domain instead of url. The second, which is easier to fix, is that your openapi definition documents incorrectly what goes into the parameter. You could keep the bad parameter name if it's too hard to fix but at least update the documentation to accurately reflect what is expected.