FIDO2 API (2.0)
RESTful API for handling WebAuthn logic with support for FIDO2 flows with passkeys.
Create an authorization token with requested scopes
Authorizations:
Request Body schema: application/json (required)
grants required | Array of strings Items Enum: "passkey:read" "passkey:write" "profile:read" "profile:write" "reg:write" "auth:write" List of requested grants |
username | string User identifier |
Responses
Request samples
- Payload
{
  "grants": [
    "passkey:read",
    "passkey:write",
    "reg:write"
  ],
  "username": "testUser"
}
Response samples
- 200
- 400
- 401
- 500
{
  "token": "oWIsYWQl6RB0cFC9jM8Hy85TmqAMyc0QqSXMsh0Fo9U="
}
Validate JWT Access Token
Authorizations:
Request Body schema: application/json (required)
jwtAccess required | string JWT access token |
Responses
Request samples
- Payload
{
  "jwtAccess": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
Response samples
- 400
- 401
- 500
{
  "msg": "A serious error",
  "msgCode": "serious_error"
}
Response samples
- 200
- 401
- 403
- 404
- 500
[
  {
    "createdAt": "2023-06-15 13:29:41 EDT",
    "credentialSynced": false,
    "device": "iPhone SE (2nd Gen)",
    "id": "eb385800-d35e-4108-9b49-48010731cd37",
    "name": "My Phone"
  },
  {
    "createdAt": "2023-06-15 13:29:41 EDT",
    "credentialSynced": true,
    "device": "MacBook Pro (Google Chrome)",
    "id": "1b385800-d35e-4108-9b49-48010731cd37",
    "name": "My Laptop"
  },
  {
    "createdAt": "2023-06-15 13:29:41 EDT",
    "credentialSynced": false,
    "device": "MacBook Pro",
    "id": "ab385800-d35e-4108-9b49-48010731cd37",
    "name": "My Tablet"
  }
]
Rename passkey
Authorizations:
path Parameters
id required | string Example: 2a363a42-a397-4af0-b089-0935fc223017 Internal passkey identifier |
Request Body schema: application/json (required)
name required | string Internal passkey identifier |
Responses
Request samples
- Payload
{
  "name": "My iPhone SE"
}
Response samples
- 400
- 401
- 403
- 404
- 500
{
  "msg": "A serious error",
  "msgCode": "serious_error"
}
Delete a user profile and all associated passkeys
Authorizations:
path Parameters
id required | string Example: 2a363a42-a397-4af0-b089-0935fc223017 Internal user identifier |
Responses
Response samples
- 404
- 500
{
  "msg": "A serious error",
  "msgCode": "serious_error"
}
Update profile email address
Authorizations:
path Parameters
id required | string Example: 2a363a42-a397-4af0-b089-0935fc223017 Internal user identifier |
Request Body schema: application/json (required)
email required | string Email address |
requestVerification | boolean Default: true Whether to update the email address immediately or send an authorization code to verify. |
Responses
Request samples
- Payload
{
  "email": "luke.skywalker@tatuin.com",
  "requestVerification": true
}
Response samples
- 400
- 401
- 404
- 500
{
  "msg": "A serious error",
  "msgCode": "serious_error"
}
Update the profile phone number
Authorizations:
path Parameters
id required | string Example: 2a363a42-a397-4af0-b089-0935fc223017 Internal user identifier |
Request Body schema: application/json (required)
messagingConsent | boolean Default: false Whether the user consents to receiving SMS messages on this number. The phone will not be used for sending messages if no consent is provided. |
phoneNumber required | string Phone number |
requestVerification | boolean Default: true Whether to update the phone number immediately or send an authorization code to verify. This method will fail if verification is requested but no consent is provided. |
Responses
Request samples
- Payload
{
  "messagingConsent": true,
  "phoneNumber": "+14161234567",
  "requestVerification": true
}
Response samples
- 400
- 401
- 404
- 500
{
  "msg": "A serious error",
  "msgCode": "serious_error"
}
Verify phone number with received authorization code
Request Body schema: application/json (required)
authCode required | string Verification code |
username required | string Username associated with the code |
Responses
Request samples
- Payload
{
  "authCode": "123456",
  "username": "user@example.com"
}
Response samples
- 400
- 401
- 404
- 500
{
  "msg": "A serious error",
  "msgCode": "serious_error"
}
Verify phone number with received authorization code
Request Body schema: application/json (required)
authCode required | string Verification code |
username required | string Username associated with the code |
Responses
Request samples
- Payload
{
  "authCode": "123456",
  "username": "user@example.com"
}
Response samples
- 400
- 404
- 500
{
  "msg": "A serious error",
  "msgCode": "serious_error"
}
Complete WebAuthn registration
Request Body schema: application/json (required)
required | object (AuthenticatorAssertionResponse) |
session required | string >= 16 characters An opaque object containing session data. |
Responses
Request samples
- Payload
{
  "assertionResult": {
    "authenticatorData": "ix523n3XniH01jM4CIuOn1z0Jw6QbRATXYOsCUyQN...",
    "clientDataJSON": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo...",
    "credentialId": "2aChi2dALRLdVP5i/zKr7yvMrP8FIy7MK4lbyUsjO...",
    "signature": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo...",
    "userHandle": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo..."
  },
  "session": "w5zY9tpNgePsqkTsQlNPVCR2rwUlCdhCLhVwXsN2r..."
}
Response samples
- 200
- 400
- 404
- 500
{
  "deviceID": "2a363a42-a397-4af0-b089-0935fc223017",
  "jwtAccess": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
Start WebAuthn registration flow
header Parameters
User-Agent | string Example: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 Raw user-agent header as set by a browser |
Request Body schema: application/json (required)
required | object (Application) Application making the request. It contains additional info about the caller to distinguish between tenants. |
required | object (DeviceInfo) Information about the device. All of these attributes are optional and should be provided on a best-effort basis. If provided, they will be taken into consideration to improve the user experience. |
object (UserLogin) |
Responses
Request samples
- Payload
{
  "app": {
    "id": "2a363a42-a397-4af0-b089-0935fc223017"
  },
  "deviceInfo": {
    "clientName": "Chrome",
    "clientType": "browser",
    "clientVersion": "120.0.0.0",
    "deviceId": "2a363a42-a397-4af0-b089-0935fc223017",
    "osArch": "aarch64",
    "osName": "iPhone",
    "osVersion": "14.2.1",
    "screenHeight": 1080,
    "screenWidth": 1920
  },
  "user": {
    "username": "admin@example.com",
    "usernameType": "email"
  }
}
Response samples
- 200
- 400
- 404
- 500
{
  "action": "proceed",
  "assertionOptions": {
    "allowCredentials": [
      {
        "id": "oAjxAhjnoQXLmRRAczwPg2E/S2zVS+DKlO6WNvgH9ys=",
        "transports": [
          "usb",
          "internal"
        ],
        "type": "public-key"
      },
      {
        "id": "dqJvLVzdodYfQfKPB8zgF+rtoxNx5WUgH7kFHp8SegY=",
        "type": "public-key"
      }
    ],
    "challenge": "gUEHYYYEpkj+eNo9DOPb/17K36VT0rTUAPyM03JeoeM=",
    "timeout": 5000,
    "userVerification": "discouraged"
  },
  "crossAuthMethods": [
    "otp",
    "otp:sms",
    "otp:email"
  ],
  "fallbackMethods": [
    "ciam"
  ],
  "passkeyType": "device",
  "session": "w5zY9tpNgePsqkTsQlNPVCR2rwUlCdhCLhVwXsN2r..."
}
Request OTP code by an authenticated user
An authenticated user can request an authentication code directly using this method. The code can be used for authentication from another device.
Authorizations:
Responses
Response samples
- 200
- 401
- 403
- 404
- 500
{
  "code": "123456",
  "expiresAt": "2021-01-01T00:00:00Z"
}
Request OTP code to be sent via email.
Send authentication code to the provided email. The email will only be sent if the email address is known to the application; however, this method will return success regardless.
Request Body schema: application/json (required)
required | object (UserLogin) |
Responses
Request samples
- Payload
{
  "user": {
    "username": "admin@example.com",
    "usernameType": "email"
  }
}
Response samples
- 400
- 404
- 500
{
  "msg": "A serious error",
  "msgCode": "serious_error"
}
Request OTP code to be sent via SMS.
Send authentication code to the provided phone number. The SMS will only be sent if the phone is registered with the application; however, this method will return success regardless.
Request Body schema: application/json (required)
required | object (UserLogin) |
Responses
Request samples
- Payload
{
  "user": {
    "username": "admin@example.com",
    "usernameType": "email"
  }
}
Response samples
- 400
- 404
- 500
{
  "msg": "A serious error",
  "msgCode": "serious_error"
}
Verify authentication code and return JWT access token with appropriate scopes
Request Body schema: application/json (required)
authCode required | string Authentication code |
required | object (UserLogin) |
Responses
Request samples
- Payload
{
  "authCode": "123456",
  "user": {
    "username": "admin@example.com",
    "usernameType": "email"
  }
}
Response samples
- 200
- 400
- 404
- 500
{
  "deviceID": "2a363a42-a397-4af0-b089-0935fc223017",
  "jwtAccess": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
Complete WebAuthn registration flow
Request Body schema: application/json (required)
required | object (CreationResult) |
session required | string >= 16 characters An opaque object containing session data. |
Responses
Request samples
- Payload
{
  "creationResult": {
    "attestationObject": "5lvuZBkX1w7/0+XKcldttzA7vTwilEq3qnnXSq/a0...",
    "authenticatorData": "ix523n3XniH01jM4CIuOn1z0Jw6QbRATXYOsCUyQN...",
    "clientDataJSON": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo...",
    "credentialId": "2aChi2dALRLdVP5i/zKr7yvMrP8FIy7MK4lbyUsjO...",
    "publicKey": "wDUH6JkyU7SMswFPjyqEvhMB5GlhtqzS1VtfM/91Y...",
    "publicKeyAlgorithm": -8,
    "transports": [
      "hybrid",
      "cable",
      "internal"
    ]
  },
  "session": "w5zY9tpNgePsqkTsQlNPVCR2rwUlCdhCLhVwXsN2r..."
}
Response samples
- 200
- 400
- 403
- 500
{
  "deviceID": "2a363a42-a397-4af0-b089-0935fc223017",
  "jwtAccess": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
Start WebAuthn registration flow
Authorizations:
header Parameters
User-Agent | string Example: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 Raw user-agent header as set by a browser |
Request Body schema: application/json (required)
required | object (Application) Application making the request. It contains additional info about the caller to distinguish between tenants. |
required | object (DeviceInfo) Information about the device. All of these attributes are optional and should be provided on a best-effort basis. If provided, they will be taken into consideration to improve the user experience. |
object (PasskeyOptions) |
session | string >= 16 characters An opaque object containing user data. It is used in place of the "user" attribute for creating passkeys for pre-authorized users (the "user" attribute is ignored if session is present). The value of this attribute is generated by this service, and obtaining it requires backend integration. This value is time-sensitive and has a rather short expiry. |
object (User) |
Responses
Request samples
- Payload
{
  "app": {
    "id": "2a363a42-a397-4af0-b089-0935fc223017"
  },
  "deviceInfo": {
    "clientName": "Chrome",
    "clientType": "browser",
    "clientVersion": "120.0.0.0",
    "deviceId": "2a363a42-a397-4af0-b089-0935fc223017",
    "osArch": "aarch64",
    "osName": "iPhone",
    "osVersion": "14.2.1",
    "screenHeight": 1080,
    "screenWidth": 1920
  },
  "passkeyOptions": {
    "conditionalCreate": false
  },
  "session": "w5zY9tpNgePsqkTsQlNPVCR2rwUlCdhCLhVwXsN2r...",
  "user": {
    "displayName": "System Administrator",
    "username": "admin@example.com",
    "usernameType": "email"
  }
}
Response samples
- 200
- 400
- 401
- 403
- 500
{
  "action": "proceed",
  "registrationRequestOptions": {
    "attestation": "direct",
    "authenticatorSelection": {
      "authenticatorAttachment": "platform",
      "requireResidentKey": true,
      "residentKey": "required",
      "userVerification": "preferred"
    },
    "challenge": "gUEHYYYEpkj+eNo9DOPb/17K36VT0rTUAPyM03JeoeM=",
    "excludeCredentials": [
      {
        "id": "oAjxAhjnoQXLmRRAczwPg2E/S2zVS+DKlO6WNvgH9ys=",
        "transports": [
          "usb",
          "internal"
        ],
        "type": "public-key"
      },
      {
        "id": "dqJvLVzdodYfQfKPB8zgF+rtoxNx5WUgH7kFHp8SegY=",
        "type": "public-key"
      }
    ],
    "pubKeyCredParams": [
      {
        "alg": -7,
        "type": "public-key"
      },
      {
        "alg": -257,
        "type": "public-key"
      }
    ],
    "rp": {
      "id": "api.loginid.io",
      "name": "Login ID Inc."
    },
    "timeout": 10000,
    "user": {
      "displayName": "System Administrator",
      "id": "5e084987-3b3d-4cd7-8b19-385f8f5e253b",
      "name": "admin"
    }
  },
  "session": "w5zY9tpNgePsqkTsQlNPVCR2rwUlCdhCLhVwXsN2r..."
}
Complete transaction confirmation
Request Body schema: application/json (required)
authenticatorData required | string This attribute contains the authenticator data returned by the authenticator. |
clientData required | string Base64 encoded byte array which is a JSON-compatible serialization of client data passed to the authenticator by the client in order to generate this assertion. The exact JSON serialization MUST be preserved, as the hash of the serialized client data has been computed over it. |
keyHandle required | string Identifier of the passkey credential. |
session required | string >= 16 characters An opaque object containing session data. |
signature required | string Base64-encoded raw signature returned from the authenticator. |
Responses
Request samples
- Payload
{
  "authenticatorData": "ix523n3XniH01jM4CIuOn1z0Jw6QbRATXYOsCUyQN...",
  "clientData": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo...",
  "keyHandle": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo...",
  "session": "w5zY9tpNgePsqkTsQlNPVCR2rwUlCdhCLhVwXsN2r...",
  "signature": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo..."
}
Response samples
- 200
- 400
- 403
- 500
{
  "authCred": {
    "createdAt": "2023-06-15 13:29:41 EDT",
    "credentialSynced": true,
    "device": "iPhone SE",
    "id": "eb385800-d35e-4108-9b49-48010731cd37",
    "name": "My Phone"
  },
  "credentialId": "2a363a42-a397-4af0-b089-0935fc223017",
  "jwtAccess": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "lNonce": "w5zY9tpNgePsqkTsQlNPVCR2rwUlCdhCLhVwXsN2r...",
  "nonce": "w5zY9tpNgePsqkTsQlNPVCR2rwUlCdhCLhVwXsN2r...",
  "txHash": "w5zY9tpNgePsqkTsQlNPVCR2rwUlCdhCLhVwXsN2r...",
  "txId": "2a363a42-a397-4af0-b089-0935fc223017"
}
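The clientData requirement in this endpoint's schema (the exact JSON serialization must be preserved) follows from how a WebAuthn assertion is signed: the signature covers authenticatorData followed by the SHA-256 hash of the client data bytes. The sketch below is an added example, not code from this API; the sample values, the origin and the standard-base64 transport encoding are assumptions.

```python
import base64
import hashlib
import hmac
import json

def signed_message(authenticator_data_b64: str, client_data_b64: str) -> bytes:
    """Return authenticatorData || SHA-256(clientData), the bytes the signature covers."""
    auth_data = base64.b64decode(authenticator_data_b64)
    client_raw = base64.b64decode(client_data_b64)
    # Hash the bytes exactly as received; never hash a re-serialized copy.
    return auth_data + hashlib.sha256(client_raw).digest()

def client_data_matches(client_data_b64: str, challenge: bytes, origin: str) -> bool:
    """Parse a copy for field checks only; the raw bytes stay the signed input."""
    fields = json.loads(base64.b64decode(client_data_b64))
    # Browsers place the challenge in clientDataJSON as unpadded base64url.
    expected = base64.urlsafe_b64encode(challenge).rstrip(b"=")
    got = str(fields.get("challenge", "")).encode() if isinstance(fields, dict) else b""
    return (isinstance(fields, dict)
            and fields.get("type") == "webauthn.get"
            and hmac.compare_digest(got, expected)
            and fields.get("origin") == origin)

def reserialized(client_data_b64: str) -> str:
    """What a careless middle tier does: parse the JSON and emit it again."""
    obj = json.loads(base64.b64decode(client_data_b64))
    return base64.b64encode(json.dumps(obj).encode()).decode()

# Constructed sample values (not taken from the API or a real authenticator).
CHALLENGE = bytes(range(32))
ORIGIN = "https://app.example.test"
RAW_CLIENT_DATA = json.dumps(
    {"type": "webauthn.get",
     "challenge": base64.urlsafe_b64encode(CHALLENGE).rstrip(b"=").decode(),
     "origin": ORIGIN, "crossOrigin": False},
    separators=(",", ":")).encode()  # compact form, as a browser would emit it
CLIENT_DATA_B64 = base64.b64encode(RAW_CLIENT_DATA).decode()
# rpIdHash (32 bytes) + flags (1 byte) + signature counter (4 bytes)
AUTH_DATA_B64 = base64.b64encode(
    hashlib.sha256(b"app.example.test").digest() + b"\x05" + bytes(4)).decode()

if __name__ == "__main__":
    original = signed_message(AUTH_DATA_B64, CLIENT_DATA_B64)
    altered = signed_message(AUTH_DATA_B64, reserialized(CLIENT_DATA_B64))
    print("field checks pass:", client_data_matches(CLIENT_DATA_B64, CHALLENGE, ORIGIN))
    print("signed bytes survive re-serialization:", original == altered)
```

The re-serialized copy still passes every field check, yet its hash differs, so a signature made over the original bytes no longer verifies.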
Start transaction confirmation flow
Request Body schema: application/json (required)
nonce required | string Random string |
txPayload required | string Payload of transaction |
txType required | string Type of transaction |
username required | string Username of user |
Responses
Request samples
- Payload
{
  "nonce": "w5zY9tpNgePsqkTsQlNPVCR2rwUlCdhCLhVwXsN2r...",
  "txPayload": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo...",
  "txType": "raw",
  "username": "testUser"
}
Response samples
- 200
- 400
- 500
{
  "assertionOptions": {
    "allowCredentials": [
      {
        "id": "oAjxAhjnoQXLmRRAczwPg2E/S2zVS+DKlO6WNvgH9ys=",
        "transports": [
          "usb",
          "internal"
        ],
        "type": "public-key"
      },
      {
        "id": "dqJvLVzdodYfQfKPB8zgF+rtoxNx5WUgH7kFHp8SegY=",
        "type": "public-key"
      }
    ],
    "challenge": "gUEHYYYEpkj+eNo9DOPb/17K36VT0rTUAPyM03JeoeM=",
    "timeout": 5000,
    "userVerification": "discouraged"
  },
  "session": "w5zY9tpNgePsqkTsQlNPVCR2rwUlCdhCLhVwXsN2r...",
  "txId": "2a363a42-a397-4af0-b089-0935fc223017"
}
Response samples
- 200
- 404
- 500
{
  "keys": [
    {
      "alg": "ES256",
      "crv": "P-256",
      "key_ops": [
        "verify"
      ],
      "kid": "unique-key-id",
      "kty": "EC",
      "use": "sig",
      "x": "-a4DlQ0kMffMB1wZJSjNAA1YTVB0dXrTUGszywNy-e4",
      "y": "y5gcJVgSq7B5hr7vN1rbNaGQ3mqMN7soz5Ua1SqzWGw"
    },
    {
      "alg": "ES256",
      "crv": "P-256",
      "key_ops": [
        "verify"
      ],
      "kid": "unique-key-id",
      "kty": "EC",
      "use": "sig",
      "x": "-a4DlQ0kMffMB1wZJSjNAA1YTVB0dXrTUGszywNy-e4",
      "y": "y5gcJVgSq7B5hr7vN1rbNaGQ3mqMN7soz5Ua1SqzWGw"
    },
    {
      "alg": "ES256",
      "crv": "P-256",
      "key_ops": [
        "verify"
      ],
      "kid": "unique-key-id",
      "kty": "EC",
      "use": "sig",
      "x": "-a4DlQ0kMffMB1wZJSjNAA1YTVB0dXrTUGszywNy-e4",
      "y": "y5gcJVgSq7B5hr7vN1rbNaGQ3mqMN7soz5Ua1SqzWGw"
    }
  ]
}
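A client that validates a jwtAccess token locally against a key set like the one above has to choose the verification key before checking the signature. The sketch below is an added example, not code from this API: it pins the accepted algorithm to the one the keys advertise and requires exactly one distinct key per kid. The names select_key, ALLOWED_ALGS and make_token are hypothetical, and signature verification itself is left to a JOSE library.

```python
import base64
import json

ALLOWED_ALGS = {"ES256"}  # assumption: pin to the algorithm the key set advertises

class KeySelectionError(Exception):
    """Raised when no single trustworthy verification key can be chosen."""

def jwt_header(token: str) -> dict:
    """Decode the header segment of a compact JWT (untrusted input)."""
    segment = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def select_key(token: str, jwks: dict) -> dict:
    """Return the one JWK allowed to verify this token, or raise."""
    header = jwt_header(token)
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:  # rejects "none" and symmetric algorithms
        raise KeySelectionError(f"algorithm {alg!r} is not allowed")
    matches = [k for k in jwks.get("keys", [])
               if k.get("kid") == header.get("kid")
               and k.get("alg") == alg
               and k.get("use") == "sig"
               and "verify" in k.get("key_ops", [])]
    # Compare key material so byte-identical duplicates count once.
    distinct = {(k.get("kty"), k.get("crv"), k.get("x"), k.get("y")) for k in matches}
    if len(distinct) != 1:
        raise KeySelectionError(f"expected one key for kid, found {len(distinct)}")
    return matches[0]

def make_token(header: dict) -> str:
    """Build a constructed, unsigned token that carries only the given header."""
    seg = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return seg + ".e30.c2ln"

# Key set shaped like the sample response above (same kid and coordinates).
SAMPLE_KEY = {"alg": "ES256", "crv": "P-256", "key_ops": ["verify"],
              "kid": "unique-key-id", "kty": "EC", "use": "sig",
              "x": "-a4DlQ0kMffMB1wZJSjNAA1YTVB0dXrTUGszywNy-e4",
              "y": "y5gcJVgSq7B5hr7vN1rbNaGQ3mqMN7soz5Ua1SqzWGw"}
SAMPLE_JWKS = {"keys": [SAMPLE_KEY, dict(SAMPLE_KEY), dict(SAMPLE_KEY)]}
# Header segment exactly as printed in this page's truncated jwtAccess samples.
PAGE_SAMPLE_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

if __name__ == "__main__":
    good = make_token({"alg": "ES256", "kid": "unique-key-id", "typ": "JWT"})
    print("selected kid:", select_key(good, SAMPLE_JWKS)["kid"])
    print("page sample header:", jwt_header(PAGE_SAMPLE_TOKEN))
```

The header of the page's truncated sample token decodes to HS256, so select_key rejects it against this key set; a token carrying the ES256 header and the matching kid is accepted for verification.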