Tags: keycloak, keycloak-rest-api

Keycloak: how do you disable TOTP from the admin REST API?


The UserRepresentation contains a totp member. The 23.0.0 docs show this as an optional boolean, but it's otherwise undocumented. After some experimenting, I think that:

  1. This field isn't writeable
  2. If you read it, it returns true if TOTP is enabled for that user, and has been set up

The other alternative is requiredActions. If you add CONFIGURE_TOTP to the array you can enable TOTP, but if you remove CONFIGURE_TOTP from the array TOTP remains enabled.

So what have I missed? How do I turn off TOTP? Thanks.


Solution

  • Figured it out. In 23.0.1 you can disable OTP manually from the UI by going to users > credentials, and deleting the OTP credential. If you open the browser's developer tools and check the network activity, this turns into a DELETE /admin/realms/{realm}/users/{id}/credentials/{credentialId}.

    The only difficult bit is getting the credentialId. To do this, GET /admin/realms/{realm}/users/{id}/credentials, which returns an array of CredentialRepresentation. If you have an object with a type of otp then that's your OTP credential, and the associated id is the required credentialId.

    The only other confusing part is that totp in the user's UserRepresentation is actually read-only. It sets itself true when the user has completed OTP setup. The UI behaves in exactly the same way: if you select your user, and look at the credentials tab, the OTP credential doesn't appear till the user has completed setup and logged in with a TOTP.
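The two admin calls the answer describes, as an added Python example that is not part of the original post: it reads the user's credentials, keeps only those whose type is otp, and issues the DELETE for each. The base URL, realm, user id and bearer token in the usage block are placeholder assumptions (the token must belong to an admin allowed to manage users), and the embedded credential list is constructed sample data in the CredentialRepresentation shape.

```python
import json
import urllib.request
from typing import Callable, Iterable

# Constructed sample in the shape of the GET .../credentials response (not real data).
SAMPLE_CREDENTIALS = [
    {"id": "cred-password-0001", "type": "password", "userLabel": None},
    {"id": "cred-otp-0002", "type": "otp", "userLabel": "My phone"},
]


def find_otp_credential_ids(credentials: Iterable[dict]) -> list[str]:
    """Return the ids of every credential whose type is 'otp' (the credentialId values)."""
    return [c["id"] for c in credentials if c.get("type") == "otp"]


def _http(method: str, url: str, token: str) -> bytes:
    """Minimal HTTP helper: sends the admin bearer token and returns the raw body."""
    req = urllib.request.Request(
        url, method=method, headers={"Authorization": f"Bearer {token}"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def disable_otp(base_url: str, realm: str, user_id: str, token: str,
                http: Callable[[str, str, str], bytes] = _http) -> list[str]:
    """GET the user's credentials, DELETE each otp credential, return the deleted ids.

    `http` is injectable so the flow can be exercised without a live Keycloak.
    """
    creds_url = f"{base_url}/admin/realms/{realm}/users/{user_id}/credentials"
    credentials = json.loads(http("GET", creds_url, token) or b"[]")
    deleted = []
    for cred_id in find_otp_credential_ids(credentials):
        # DELETE /admin/realms/{realm}/users/{id}/credentials/{credentialId}
        http("DELETE", f"{creds_url}/{cred_id}", token)
        deleted.append(cred_id)
    return deleted


if __name__ == "__main__":
    # Placeholder assumptions: replace with your own server, realm, user id and admin token.
    print(disable_otp("https://keycloak.example.com", "myrealm",
                      "00000000-0000-0000-0000-000000000000", "ADMIN_TOKEN"))
```

If the user has never completed OTP setup there is no otp credential to delete and the function simply returns an empty list, which matches the read-only behaviour of the totp flag described above.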