FIDO2 API (2.0)

RESTful API for handling WebAuthn logic with support for FIDO2 flows with passkeys.

client-events

Error reporting endpoint

Report a client side event.

Report a client event. It does not change the state of the flow.

Authorizations:
sessionAuth_header_Authorization
Request Body schema: application/json
required
event
required
string

Client side event.

isError
boolean
Default: false

Whether the event is a result of an error.

Responses

Request samples

Content type
application/json
{
  • "event": "ERROR_DISCOVERABLE_CREDENTIALS_UNSUPPORTED",
  • "isError": true
}

Response samples

Content type
application/json
{
  • "session": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo..."
}

oidc

OIDC authentication flow

Handle OIDC callback and log user in (redirects to app with access token in fragment)

Handle OIDC provider callback, exchange code for tokens, and log user in. Redirects to the app (redirectUri from state) with the access token in the URL fragment.

path Parameters
providerId
required
string
Example: BSFVV3JL84FROR80LOLQ9RA1

OIDC provider ID

query Parameters
code
required
string
Example: code=Perferendis omnis.

Authorization code from provider

state
required
string
Example: state=Velit sunt harum aliquid nam distinctio.

State parameter for CSRF protection and redirectUri

Responses

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Start OIDC login flow (redirects to provider)

Initiate OIDC login flow and redirect to provider. Requires redirectUri, which will be encoded in the OIDC state and used for the final redirect after callback.

path Parameters
providerId
required
string
Example: BSFVV3JL84FROR80LOLQ9RA1

OIDC provider ID

query Parameters
redirectUri
required
string
Example: redirectUri=Consequuntur voluptas est.

Where to redirect after login (required, will be encoded in state)

Responses

Response samples

Content type
application/json
{
  • "Location": "Enim corrupti hic et."
}
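
The two OIDC endpoints above say that `redirectUri` travels inside `state` and that `state` also provides CSRF protection. The following is an added example, not this service's code, of one way a server can build and check such a value. The HMAC scheme, the redirect allowlist, the per-browser nonce and the names `createState`, `consumeState`, `STATE_KEY`, `ALLOWED_REDIRECTS` and `MAX_AGE_MS` are all assumptions.

```javascript
const crypto = require('node:crypto');

// Hypothetical server-side values (constructed for this example).
const STATE_KEY = crypto.randomBytes(32);
const ALLOWED_REDIRECTS = new Set(['https://app.example.com/callback']);
const MAX_AGE_MS = 10 * 60 * 1000;

const mac = (payload) =>
  crypto.createHmac('sha256', STATE_KEY).update(payload).digest();

// Start of the flow: refuse unknown redirect targets, then bind the
// redirectUri, a per-browser nonce (e.g. kept in a cookie) and the issue
// time into an integrity-protected state string.
function createState(redirectUri, browserNonce, now = Date.now()) {
  if (!ALLOWED_REDIRECTS.has(redirectUri)) throw new Error('redirect_not_allowed');
  const payload = Buffer.from(
    JSON.stringify({ redirectUri, nonce: browserNonce, iat: now }), 'utf8'
  ).toString('base64url');
  return `${payload}.${mac(payload).toString('base64url')}`;
}

// Callback: verify the MAC before parsing anything, then check age, the
// browser binding (CSRF) and the allowlist again before redirecting.
function consumeState(state, browserNonce, now = Date.now()) {
  const [payload, tag, extra] = String(state).split('.');
  if (!payload || !tag || extra !== undefined) return { ok: false, reason: 'malformed' };

  const given = Buffer.from(tag, 'base64url');
  const want = mac(payload);
  if (given.length !== want.length || !crypto.timingSafeEqual(given, want)) {
    return { ok: false, reason: 'bad_mac' };
  }

  const data = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  if (now - data.iat > MAX_AGE_MS) return { ok: false, reason: 'expired' };
  if (data.nonce !== browserNonce) return { ok: false, reason: 'csrf_mismatch' };
  if (!ALLOWED_REDIRECTS.has(data.redirectUri)) {
    return { ok: false, reason: 'redirect_not_allowed' };
  }
  return { ok: true, redirectUri: data.redirectUri };
}
```

Because the access token is delivered in the URL fragment of the final redirect, the allowlist check on `redirectUri` decides which origin can read it.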

profile

User Profile API

Delete a user profile and all associated passkeys

Authorizations:
apiKey_header_Authorization
path Parameters
id
required
string
Example: 2a363a42-a397-4af0-b089-0935fc223017

Internal user identifier

Responses

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Delete email from the profile

Authorizations:
apiKey_header_Authorization
path Parameters
id
required
string
Example: 2a363a42-a397-4af0-b089-0935fc223017

Internal user identifier

Request Body schema: application/json
required
email
required
string

Email address

Responses

Request samples

Content type
application/json
{
  • "email": "test@loginid.io"
}

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Update profile email address

Authorizations:
apiKey_header_Authorization
path Parameters
id
required
string
Example: 2a363a42-a397-4af0-b089-0935fc223017

Internal user identifier

Request Body schema: application/json
required
email
required
string

Email address

requestVerification
boolean
Default: true

Whether to update the email address immediately or send an authorization code to verify.

Responses

Request samples

Content type
application/json
{
  • "email": "luke.skywalker@tatuin.com",
  • "requestVerification": false
}

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Delete phone from the profile

Authorizations:
apiKey_header_Authorization
path Parameters
id
required
string
Example: 2a363a42-a397-4af0-b089-0935fc223017

Internal user identifier

Responses

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Update the profile phone number

Authorizations:
apiKey_header_Authorization
path Parameters
id
required
string
Example: 2a363a42-a397-4af0-b089-0935fc223017

Internal user identifier

Request Body schema: application/json
required
messagingConsent
boolean
Default: false

Whether the user consents to receiving SMS messages on this number. The phone will not be used for sending messages if no consent is provided.

phoneNumber
required
string

Phone number

requestVerification
boolean
Default: true

Whether to update the phone number immediately or send an authorization code to verify. This method will fail if verification is requested but no consent is provided.

Responses

Request samples

Content type
application/json
{
  • "messagingConsent": true,
  • "phoneNumber": "+14161234567",
  • "requestVerification": true
}

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Verify phone number with received authorization code

Request Body schema: application/json
required
authCode
required
string

Verification code

username
required
string

Username associated with the code

Responses

Request samples

Content type
application/json
{
  • "authCode": "123456",
  • "username": "user@example.com"
}

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Verify phone number with received authorization code

Request Body schema: application/json
required
authCode
required
string

Verification code

username
required
string

Username associated with the code

Responses

Request samples

Content type
application/json
{
  • "authCode": "123456",
  • "username": "user@example.com"
}

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

scim

SCIM 2.0 API (Users, Groups, Metadata)

List Groups

Retrieve a paginated list of groups.

Authorizations:
apiKey_header_Authorization
query Parameters
startIndex
integer <int64> >= 1
Default: 1
Example: startIndex=3324577760176095000

The 1-based index of the first result to return

count
integer <int64> >= 1
Default: 100
Example: count=935185726672714100

The maximum number of results to return

filter
string
Example: filter=displayName eq "Engineering"

A filter expression used to request a subset of resources. The expression language is defined in RFC 7644 Section 3.4.2.2.

Responses

Response samples

Content type
application/scim+json
{
  • "Resources": [
    ],
  • "itemsPerPage": 9129645466741842000,
  • "schemas": [
    ],
  • "startIndex": 6241991185069286000,
  • "totalResults": 4640450288031876000
}

Create Group

Create a new group.

Authorizations:
apiKey_header_Authorization
Request Body schema: application/json
required
displayName
required
string
externalId
string

String that is an identifier for the resource as defined by the provisioning client

schemas
required
Array of strings
Default: ["urn:ietf:params:scim:schemas:core:2.0:Group"]

Responses

Request samples

Content type
application/json
{
  • "displayName": "Consequatur voluptas.",
  • "externalId": "Placeat accusamus.",
  • "schemas": [
    ]
}

Response samples

Content type
application/scim+json
{
  • "displayName": "Neque ad dolor deleniti.",
  • "externalId": "Et id aut reiciendis explicabo.",
  • "id": "Vitae nostrum ut.",
  • "members": [
    ],
  • "meta": {
    },
  • "schemas": [
    ]
}

Delete Group

Delete a group by its unique ID. This operation is irreversible.

Authorizations:
apiKey_header_Authorization
path Parameters
id
required
string
Example: In qui ut non voluptatum quia molestias.

Group ID

Responses

Response samples

Content type
application/scim+json
{
  • "detail": "Doloremque nihil harum eveniet qui.",
  • "msgCode": "internal_error",
  • "schemas": [
    ],
  • "scimType": "mutability",
  • "status": 8188556209773982000
}

Get Group

Retrieve a group by its unique ID.

Authorizations:
apiKey_header_Authorization
path Parameters
id
required
string
Example: Labore vel.

Group ID

Responses

Response samples

Content type
application/scim+json
{
  • "displayName": "Assumenda facilis dolorem quis.",
  • "externalId": "Quod enim.",
  • "id": "Quis et ipsam.",
  • "members": [
    ],
  • "meta": {
    },
  • "schemas": [
    ]
}

Patch Group

Update one or more attributes or the membership of a group, identified by its unique ID.

Authorizations:
apiKey_header_Authorization
path Parameters
id
required
string
Example: Deleniti eum dolorem sed sit minima.

Group ID

Request Body schema: application/json
required
required
Array of objects (PatchOperation)
schemas
required
Array of strings

Responses

Request samples

Content type
application/json
{
  • "operations": [
    ],
  • "schemas": [
    ]
}

Response samples

Content type
application/scim+json
{
  • "displayName": "Quibusdam laudantium.",
  • "externalId": "Est repellendus quis consequatur voluptatem.",
  • "id": "Quia et.",
  • "members": [
    ],
  • "meta": {
    },
  • "schemas": [
    ]
}

Replace Group

Replace a group by its unique ID. This is a full update and will overwrite all group attributes and membership.

Authorizations:
apiKey_header_Authorization
path Parameters
id
required
string
Example: Maiores consequatur reiciendis quibusdam.

Group ID

Request Body schema: application/json
required
displayName
string

A human-readable name for the Group

externalId
string

String that is an identifier for the resource as defined by the provisioning client

Array of objects (GroupMember)

A list of members of the Group

schemas
required
Array of strings
Default: ["urn:ietf:params:scim:schemas:core:2.0:Group"]

The schemas that define the structure of the resource

Responses

Request samples

Content type
application/json
{
  • "displayName": "Eius qui ut neque et optio ea.",
  • "externalId": "Et enim neque quae excepturi nam.",
  • "members": [
    ],
  • "schemas": [
    ]
}

Response samples

Content type
application/scim+json
{
  • "displayName": "Quos reiciendis.",
  • "externalId": "Facilis aliquid repellat rerum.",
  • "id": "Temporibus harum qui pariatur.",
  • "members": [
    ],
  • "meta": {
    },
  • "schemas": [
    ]
}

Get Resource Types

Returns supported resource types (e.g. User, Groups, etc.)

Responses

Response samples

Content type
application/scim+json
{
  • "Resources": [
    ],
  • "itemsPerPage": 3192503453975107600,
  • "schemas": [
    ],
  • "startIndex": 4728531958757788000,
  • "totalResults": 858395367342561400
}

List Schemas

Retrieve the supported SCIM schema definitions.

Responses

Response samples

Content type
application/scim+json
{
  • "Resources": [
    ],
  • "itemsPerPage": 6997773159632998000,
  • "schemas": [
    ],
  • "startIndex": 6795952448826702000,
  • "totalResults": 883946558846414300
}

Get Service Provider Configuration

Returns SCIM service provider configuration.

Responses

Response samples

Content type
application/scim+json
{
  • "authenticationSchemes": [
    ],
  • "bulk": {
    },
  • "changePassword": {
    },
  • "documentationUri": "Consequatur deleniti quod delectus.",
  • "etag": {
    },
  • "filter": {
    },
  • "patch": {
    },
  • "schemas": [
    ],
  • "sort": {
    }
}

List Users

Retrieve a paginated list of users.

Authorizations:
apiKey_header_Authorization
query Parameters
startIndex
integer <int64> >= 1
Default: 1
Example: startIndex=7080538789857038000

The 1-based index of the first result to return

count
integer <int64> >= 1
Default: 100
Example: count=83548536345606050

The maximum number of results to return

filter
string
Example: filter=userName eq "bjensen@example.com"

A filter expression used to request a subset of resources. The expression language is defined in RFC 7644 Section 3.4.2.2.

Responses

Response samples

Content type
application/scim+json
{
  • "Resources": [
    ],
  • "itemsPerPage": 4346342717106070000,
  • "schemas": [
    ],
  • "startIndex": 486781692556257860,
  • "totalResults": 1859016645043469800
}

Create User

Create a new user.

Authorizations:
apiKey_header_Authorization
Request Body schema: application/json
required
active
boolean
displayName
string
Array of objects (Email)

Email addresses for the User

externalId
string
object (Name)
schemas
required
Array of strings
Default: ["urn:ietf:params:scim:schemas:core:2.0:User"]
userName
required
string

Responses

Request samples

Content type
application/json
{
  • "active": false,
  • "displayName": "Expedita ab similique aut consectetur commodi.",
  • "emails": [
    ],
  • "externalId": "Saepe et aut fugiat officia totam.",
  • "name": {
    },
  • "schemas": [
    ],
  • "userName": "Blanditiis rerum."
}

Response samples

Content type
application/scim+json
{
  • "active": false,
  • "displayName": "Cum minus sint.",
  • "emails": [
    ],
  • "externalId": "Qui expedita nostrum in.",
  • "groups": [
    ],
  • "id": "Odit cupiditate expedita recusandae.",
  • "meta": {
    },
  • "name": {
    },
  • "schemas": [
    ],
  • "userName": "Debitis eligendi."
}

Delete User

Delete a user by their unique ID. This operation is irreversible.

Authorizations:
apiKey_header_Authorization
path Parameters
id
required
string
Example: Aliquam vel accusamus nihil voluptas.

User ID

Responses

Response samples

Content type
application/scim+json
{
  • "detail": "Officia minus asperiores voluptas aut quisquam dicta.",
  • "msgCode": "internal_error",
  • "schemas": [
    ],
  • "scimType": "invalidVers",
  • "status": 8068526449262351000
}

Get User

Retrieve a user by their unique ID.

Authorizations:
apiKey_header_Authorization
path Parameters
id
required
string
Example: Provident velit similique blanditiis temporibus et.

User ID

Responses

Response samples

Content type
application/scim+json
{
  • "active": true,
  • "displayName": "Nemo et quod.",
  • "emails": [
    ],
  • "externalId": "Debitis voluptate laborum voluptatem.",
  • "groups": [
    ],
  • "id": "Qui deserunt.",
  • "meta": {
    },
  • "name": {
    },
  • "schemas": [
    ],
  • "userName": "Pariatur qui."
}

Patch User

Update one or more user attributes by their unique ID.

Authorizations:
apiKey_header_Authorization
path Parameters
id
required
string
Example: Voluptatibus saepe aperiam.

User ID

Request Body schema: application/json
required
required
Array of objects (PatchOperation)
schemas
required
Array of strings

Responses

Request samples

Content type
application/json
{
  • "operations": [
    ],
  • "schemas": [
    ]
}

Response samples

Content type
application/scim+json
{
  • "active": true,
  • "displayName": "Quia ipsa rerum temporibus.",
  • "emails": [
    ],
  • "externalId": "Et deleniti est rem et et.",
  • "groups": [
    ],
  • "id": "Est voluptatibus deserunt quo sed saepe placeat.",
  • "meta": {
    },
  • "name": {
    },
  • "schemas": [
    ],
  • "userName": "Possimus dolorem qui."
}

Replace User

Replace a user by their unique ID. The semantics of this operation are defined by the SCIM specification (RFC 7644, Section 3.5.1). This is a full replace and clients must provide the complete resource representation including all attributes.

Authorizations:
apiKey_header_Authorization
path Parameters
id
required
string
Example: Est nihil recusandae nihil.

The identifier of the resource to be replaced

Request Body schema: application/json
required
active
boolean
Default: true

A Boolean value indicating the User's administrative status

displayName
string

The name of the User, suitable for display to end-users

Array of objects (Email)

Email addresses for the User

externalId
string

The external ID of the User

Array of objects (GroupRef)

A list of groups to which the user belongs. READ-ONLY

object (Name)
schemas
required
Array of strings
Default: ["urn:ietf:params:scim:schemas:core:2.0:User"]

The schemas that define the structure of the resource

userName
required
string

Unique identifier for the User, typically used by the user to directly authenticate

Responses

Request samples

Content type
application/json
{
  • "active": false,
  • "displayName": "Omnis atque consequatur.",
  • "emails": [
    ],
  • "externalId": "Ut eos sint soluta consequatur quaerat.",
  • "groups": [
    ],
  • "name": {
    },
  • "schemas": [
    ],
  • "userName": "bjensen"
}

Response samples

Content type
application/scim+json
{
  • "active": false,
  • "displayName": "Possimus qui earum esse.",
  • "emails": [
    ],
  • "externalId": "Provident et est voluptas voluptates ut dolorum.",
  • "groups": [
    ],
  • "id": "Dolores quisquam aperiam.",
  • "meta": {
    },
  • "name": {
    },
  • "schemas": [
    ],
  • "userName": "Inventore in deleniti adipisci omnis quia ut."
}

tx

FIDO2 transaction confirmation flow

Complete transaction confirmation

Request Body schema: application/json
required
authenticatorData
required
string

This attribute contains the authenticator data returned by the authenticator.

clientData
required
string

Base64 encoded byte array which is a JSON-compatible serialization of client data passed to the authenticator by the client in order to generate this assertion. The exact JSON serialization MUST be preserved, as the hash of the serialized client data has been computed over it.

keyHandle
required
string

Identifier of the passkey credential.

session
required
string >= 16 characters

An opaque object containing session data.

signature
required
string

Base64-encoded raw signature returned from the authenticator.

Responses

Request samples

Content type
application/json
{
  • "authenticatorData": "Qui dolorem quia nesciunt quos enim.",
  • "clientData": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo...",
  • "keyHandle": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo...",
  • "session": "w5zY9tpNgePsqkTsQlNPVCR2rwUlCdhCLhVwXsN2r...",
  • "signature": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo..."
}

Response samples

Content type
application/json
{
  • "authCred": {
    },
  • "credentialId": "2a363a42-a397-4af0-b089-0935fc223017",
  • "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
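
The `clientData` description above requires that the exact JSON serialization be preserved because the signature covers its hash. The following added example (not code from this API or its SDKs) verifies a constructed ES256 assertion using the standard WebAuthn rule, signature over `authenticatorData || SHA-256(clientData bytes)`, and shows that re-serializing the JSON invalidates it. The key pair, relying-party ID, origin, challenge and all function names are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Constructed assertion, built the way an authenticator signs (ES256):
// signature = Sign(authenticatorData || SHA-256(clientData bytes)).
function makeAssertion(privateKey, { rpId, origin, challenge }) {
  const clientDataBytes = Buffer.from(
    `{"type":"webauthn.get","challenge":"${challenge}","origin":"${origin}","crossOrigin":false}`,
    'utf8');
  const signCount = Buffer.alloc(4);
  signCount.writeUInt32BE(1);
  // authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4)
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), signCount]);
  const signature = crypto.sign(
    'sha256', Buffer.concat([authenticatorData, sha256(clientDataBytes)]), privateKey);
  return {
    authenticatorData: authenticatorData.toString('base64'),
    clientData: clientDataBytes.toString('base64'),
    signature: signature.toString('base64'),
  };
}

// Server-side check. The JSON is parsed only to read its fields; the hash is
// always taken over the bytes exactly as received.
function verifyAssertion(publicKey, assertion, expected) {
  const clientDataBytes = Buffer.from(assertion.clientData, 'base64');
  const authData = Buffer.from(assertion.authenticatorData, 'base64');
  const signature = Buffer.from(assertion.signature, 'base64');

  let clientData;
  try {
    clientData = JSON.parse(clientDataBytes.toString('utf8'));
  } catch {
    return 'bad_client_data';
  }
  if (clientData.type !== 'webauthn.get') return 'wrong_type';
  if (clientData.challenge !== expected.challenge) return 'challenge_mismatch';
  if (clientData.origin !== expected.origin) return 'origin_mismatch';

  if (authData.length < 37) return 'bad_authenticator_data';
  if (!crypto.timingSafeEqual(authData.subarray(0, 32), sha256(expected.rpId))) {
    return 'rp_id_mismatch';
  }
  if ((authData[32] & 0x01) === 0) return 'user_not_present';

  const signed = Buffer.concat([authData, sha256(clientDataBytes)]);
  return crypto.verify('sha256', signed, publicKey, signature) ? 'ok' : 'bad_signature';
}

// What a well-meaning proxy or client library might do: parse and re-emit the
// JSON. The fields are identical, but the key order (and so the bytes) change.
function reserializeClientData(assertion) {
  const parsed = JSON.parse(Buffer.from(assertion.clientData, 'base64').toString('utf8'));
  const sorted = Object.fromEntries(
    Object.entries(parsed).sort(([a], [b]) => a.localeCompare(b)));
  return { ...assertion, clientData: Buffer.from(JSON.stringify(sorted), 'utf8').toString('base64') };
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const expected = {
    rpId: 'app.example.com',                     // constructed
    origin: 'https://app.example.com',           // constructed
    challenge: 'Y29uc3RydWN0ZWQtY2hhbGxlbmdl',   // constructed
  };
  const assertion = makeAssertion(privateKey, expected);
  return {
    original: verifyAssertion(publicKey, assertion, expected),
    reserialized: verifyAssertion(publicKey, reserializeClientData(assertion), expected),
    staleChallenge: verifyAssertion(publicKey, assertion, { ...expected, challenge: 'other' }),
  };
}
```

The re-serialized copy passes every field check and fails only at the signature, which is why the bytes must be forwarded untouched from the browser to this endpoint.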

Start transaction confirmation flow

Request Body schema: application/json
required
nonce
required
string

Random string

txPayload
required
string

Payload of transaction

txType
required
string

Type of transaction

username
required
string

Username of user

Responses

Request samples

Content type
application/json
{
  • "nonce": "w5zY9tpNgePsqkTsQlNPVCR2rwUlCdhCLhVwXsN2r...",
  • "txPayload": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo...",
  • "txType": "raw",
  • "username": "testUser"
}

Response samples

Content type
application/json
{
  • "assertionOptions": {
    },
  • "session": "w5zY9tpNgePsqkTsQlNPVCR2rwUlCdhCLhVwXsN2r...",
  • "txId": "2a363a42-a397-4af0-b089-0935fc223017"
}

auth

FIDO2 authentication flow

Complete WebAuthn authentication

Request Body schema: application/json
required
required
object (AuthenticatorAssertionResponse)
session
required
string >= 16 characters

An opaque object containing session data.

Responses

Request samples

Content type
application/json
{
  • "assertionResult": {
    },
  • "session": "w5zY9tpNgePsqkTsQlNPVCR2rwUlCdhCLhVwXsN2r..."
}

Response samples

Content type
application/json
{
  • "deviceId": "8222fe14-4973-469f-843d-73b0f9e0a3a9",
  • "jwtAccess": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  • "passkeyId": "482b7723-eb3e-4814-809f-05af16284fcc",
  • "userId": "2a363a42-a397-4af0-b089-0935fc223017"
}

Start WebAuthn authentication flow

header Parameters
User-Agent
string
Example: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

Raw user-agent header as set by a browser

Request Body schema: application/json
required
required
object (Application)

Application making the request. It contains additional info about the caller to distinguish between tenants.

required
object (DeviceInfo)

Information about the device. All of these attributes are optional and should be provided on a best-effort basis. If provided, they will be taken into consideration in order to improve user experience.

object

TrustIDs provided with the request

object (UserLogin)

Responses

Request samples

Content type
application/json
{
  • "app": {
    },
  • "deviceInfo": {
    },
  • "trustItems": {
    },
  • "user": {
    }
}

Response samples

Content type
application/json
{
  • "action": "proceed",
  • "assertionOptions": {
    },
  • "crossAuthMethods": [
    ],
  • "fallbackMethods": [
    ],
  • "passkeyType": "device",
  • "session": "w5zY9tpNgePsqkTsQlNPVCR2rwUlCdhCLhVwXsN2r..."
}

Request OTP code by an authenticated user

An authenticated user can request an authentication code directly using this method. The code can be used for authentication from another device.

Authorizations:
jwt_header_Authorization

Responses

Response samples

Content type
application/json
{
  • "code": "123456",
  • "expiresAt": "2021-01-01T00:00:00Z"
}

Request OTP code to be sent via email.

Send authentication code to the provided email. The code will only be sent if the email address is known to the application; however, this method will return success regardless.

Request Body schema: application/json
required
required
object (UserLogin)
username
required
string

Username

usernameType
string
Default: "other"
Enum: "email" "phone" "other"

Username type

Responses

Request samples

Content type
application/json
{
  • "user": {
    }
}

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Request OTP code to be sent via SMS.

Send authentication code to the provided phone number. The SMS will only be sent if the phone is registered with the application; however, this method will return success regardless.

Request Body schema: application/json
required
required
object (UserLogin)
username
required
string

Username

usernameType
string
Default: "other"
Enum: "email" "phone" "other"

Username type

Responses

Request samples

Content type
application/json
{
  • "user": {
    }
}

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Verify authentication code and return JWT access token with appropriate scopes

Request Body schema: application/json
required
authCode
required
string

Authentication code

required
object (UserLogin)

Responses

Request samples

Content type
application/json
{
  • "authCode": "123456",
  • "user": {
    }
}

Response samples

Content type
application/json
{
  • "deviceId": "8222fe14-4973-469f-843d-73b0f9e0a3a9",
  • "jwtAccess": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  • "passkeyId": "482b7723-eb3e-4814-809f-05af16284fcc",
  • "userId": "2a363a42-a397-4af0-b089-0935fc223017"
}

mfa

Multi-factor authentication flow methods

Begin an appropriate flow for the provided username.

Perform pre-authentication.

header Parameters
User-Agent
required
string
Example: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

Raw user-agent header as set by a browser

Request Body schema: application/json
required
object (DeviceInfo)

Information about the device. All of these attributes are optional and should be provided on a best-effort basis. If provided, they will be taken into consideration in order to improve user experience.

payload
string

Payload to be signed

traceId
string

A unique id for tracing all events associated with an interaction. A random ID will be generated by the system if not provided.

object

TrustIDs provided with the request

object (MfaUser)

Responses

Request samples

Content type
application/json
{
  • "deviceInfo": {
    },
  • "payload": "ak4BXFgauyDtsRvnXWfaTW1DyetX7fTViGY9DRQGQ+g=",
  • "traceId": "6957cf6e-a86c-44fb-b25a-bd97cb9ff830",
  • "trustItems": {
    },
  • "user": {
    }
}

Response samples

Content type
application/json
{
  • "flow": "signIn",
  • "msg": "Additional authentication is required.",
  • "msgCode": "additional_auth_required",
  • "next": [
    ],
  • "session": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo..."
}

Begin an appropriate flow for the provided username.

Perform discovery if trustID and/or checkoutID are known to the system.

Request Body schema: application/json
required
required
object

TrustIDs provided with the request

property name*
additional property
string

Responses

Request samples

Content type
application/json
{
  • "trustItems": {
    }
}

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Request OTP authentication using one of the available methods.

Request OTP.

Authorizations:
sessionAuth_header_Authorization
Request Body schema: application/json
required
method
required
string
Enum: "email" "sms"

OTP method

option
string

An OTP option selected by the user (i.e. address to send the OTP request to - phone, email, etc.)

Responses

Request samples

Content type
application/json
{
  • "method": "email",
  • "option": "user@example.com"
}

Response samples

Content type
application/json
{
  • "session": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo..."
}

Confirm OTP received in a previous step.

Verify OTP received by one of the methods.

Authorizations:
sessionAuth_header_Authorization
Request Body schema: application/json
required
otp
required
string

Responses

Request samples

Content type
application/json
{
  • "otp": "123456"
}

Response samples

Content type
application/json
{
  • "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT...",
  • "deviceId": "8222fe14-4973-469f-843d-73b0f9e0a3a9",
  • "flow": "signIn",
  • "idToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT...",
  • "payload": "JfeMhXGH1GABxRAXRopd7vtsLEJe16f9ok3oiA8DoEADZ8TOqvgYy...",
  • "payloadSignature": "eyJhbGciOiJIUzI1NiJ9.ew0KICAic3ViIjogIjEyMzQ1Njc4OTAiLA...",
  • "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT..."
}

Authenticate using passkey.

Authenticate with a passkey.

Authorizations:
sessionAuth_header_Authorization
Request Body schema: application/json
required
required
object (AuthenticatorAssertionResponse)
authenticatorData
required
string

A base64-encoded authenticator data structure that encodes contextual bindings made by the authenticator.

clientDataJSON
required
string

Base64 encoded byte array which is a JSON-compatible serialization of client data passed to the authenticator by the client in order to generate this assertion. The exact JSON serialization MUST be preserved, as the hash of the serialized client data has been computed over it.

credentialId
required
string

A base64 encoded byte sequence identifying a public key credential source and its authentication assertions.

signature
required
string

Base64-encoded raw signature returned from the authenticator.

userHandle
string

User handle returned from the authenticator, or null if the authenticator did not return a user handle.

Responses

Request samples

Content type
application/json
{
  • "assertionResult": {
    }
}

Response samples

Content type
application/json
{
  • "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT...",
  • "deviceId": "8222fe14-4973-469f-843d-73b0f9e0a3a9",
  • "flow": "signIn",
  • "idToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT...",
  • "payload": "JfeMhXGH1GABxRAXRopd7vtsLEJe16f9ok3oiA8DoEADZ8TOqvgYy...",
  • "payloadSignature": "eyJhbGciOiJIUzI1NiJ9.ew0KICAic3ViIjogIjEyMzQ1Njc4OTAiLA...",
  • "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT..."
}

Register a new passkey.

Register a new passkey.

Authorizations:
sessionAuth_header_Authorization
Request Body schema: application/json
required
required
object (CreationResult)
attestationObject
required
string

Base64 encoded byte array containing an attestation object, which is opaque to, and cryptographically protected against tampering by, the client.

authenticatorData
string

A base64-encoded authenticator data structure that encodes contextual bindings made by the authenticator.

clientDataJSON
required
string

Base64 encoded byte array which is a JSON-compatible serialization of client data passed to the authenticator by the client in order to generate this credential. The exact JSON serialization MUST be preserved, as the hash of the serialized client data has been computed over it.

credentialId
required
string

A base64 encoded byte sequence identifying a public key credential source and its authentication assertions.

publicKey
string

Base64 encoded DER SubjectPublicKeyInfo of the new credential, or null if this is not available.

publicKeyAlgorithm
integer <int64>
transports
Array of strings
Items Enum: "usb" "nfc" "ble" "internal" "hybrid" "cable" "smart-card"

These values are the transports that the authenticator is believed to support, or an empty sequence if the information is unavailable.

Responses

Request samples

Content type
application/json
{
  • "creationResult": {
    }
}

Response samples

Content type
application/json
{
  • "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT...",
  • "deviceId": "8222fe14-4973-469f-843d-73b0f9e0a3a9",
  • "flow": "signIn",
  • "idToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT...",
  • "payload": "JfeMhXGH1GABxRAXRopd7vtsLEJe16f9ok3oiA8DoEADZ8TOqvgYy...",
  • "payloadSignature": "eyJhbGciOiJIUzI1NiJ9.ew0KICAic3ViIjogIjEyMzQ1Njc4OTAiLA...",
  • "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT..."
}

Transaction confirmation using passkey.

Confirm a transaction with a passkey.

Authorizations:
sessionAuth_header_Authorization
Request Body schema: application/json
required
required
object (AuthenticatorAssertionResponse)
authenticatorData
required
string

A base64-encoded authenticator data structure that encodes contextual bindings made by the authenticator.

clientDataJSON
required
string

Base64 encoded byte array which is a JSON-compatible serialization of client data passed to the authenticator by the client in order to generate this assertion. The exact JSON serialization MUST be preserved, as the hash of the serialized client data has been computed over it.

credentialId
required
string

A base64 encoded byte sequence identifying a public key credential source and its authentication assertions.

signature
required
string

Base64-encoded raw signature returned from the authenticator.

userHandle
string

User handle returned from the authenticator, or null if the authenticator did not return a user handle.

Responses

Request samples

Content type
application/json
{
  • "assertionResult": {
    }
}

Response samples

Content type
application/json
{
  • "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT...",
  • "deviceId": "8222fe14-4973-469f-843d-73b0f9e0a3a9",
  • "flow": "signIn",
  • "idToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT...",
  • "payload": "JfeMhXGH1GABxRAXRopd7vtsLEJe16f9ok3oiA8DoEADZ8TOqvgYy...",
  • "payloadSignature": "eyJhbGciOiJIUzI1NiJ9.ew0KICAic3ViIjogIjEyMzQ1Njc4OTAiLA...",
  • "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT..."
}

Update the payload to be signed using transaction confirmation.

Update the payload to be signed.

Authorizations:
sessionAuth_header_Authorization
Request Body schema: application/json
required
payload
required
string

Payload to be signed

Responses

Request samples

Content type
application/json
{
  • "payload": "ak4BXFgauyDtsRvnXWfaTW1DyetX7fTViGY9DRQGQ+g="
}

Response samples

Content type
application/json
{
  • "flow": "signIn",
  • "msg": "Additional authentication is required.",
  • "msgCode": "additional_auth_required",
  • "next": [
    ],
  • "session": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo..."
}

Verify auth token created by a third party via management API.

Verify authentication token received from a third party.

Authorizations:
sessionAuth_header_Authorization
Request Body schema: application/json
required
token
required
string

Authorization token produced by mgmt API.

Responses

Request samples

Content type
application/json
{
  • "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
}

Response samples

Content type
application/json
{
  • "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT...",
  • "deviceId": "8222fe14-4973-469f-843d-73b0f9e0a3a9",
  • "flow": "signIn",
  • "idToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT...",
  • "payload": "JfeMhXGH1GABxRAXRopd7vtsLEJe16f9ok3oiA8DoEADZ8TOqvgYy...",
  • "payloadSignature": "eyJhbGciOiJIUzI1NiJ9.ew0KICAic3ViIjogIjEyMzQ1Njc4OTAiLA...",
  • "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT..."
}

reg

FIDO2 registration flow

Complete WebAuthn registration flow

Request Body schema: application/json
required
required
object (CreationResult)
passkeyName
string

Passkey name that will be shown to the user in passkey list.

session
required
string >= 16 characters

An opaque object containing session data.

Responses

Request samples

Content type
application/json
{
  • "creationResult": {
    },
  • "passkeyName": "Windows Hello (Win11,Chrome) - 2025-04-07 20:46",
  • "session": "w5zY9tpNgePsqkTsQlNPVCR2rwUlCdhCLhVwXsN2r..."
}

Response samples

Content type
application/json
{
  • "deviceId": "8222fe14-4973-469f-843d-73b0f9e0a3a9",
  • "jwtAccess": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  • "passkeyId": "482b7723-eb3e-4814-809f-05af16284fcc",
  • "userId": "2a363a42-a397-4af0-b089-0935fc223017"
}

Start WebAuthn registration flow

Authorizations:
jwt_header_Authorization
header Parameters
User-Agent
string
Example: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

Raw user-agent header as set by a browser

Request Body schema: application/json
required
required
object (Application)

Application making the request. It contains additional info about the caller to distinguish between tenants.

required
object (DeviceInfo)

Information about the device. All of these attributes are optional and should be provided on a best-effort basis. If provided, they will be taken into consideration in order to improve user experience.

object (PasskeyOptions)
object

TrustIDs provided with the request

object (User)

Responses

Request samples

Content type
application/json
{
  • "app": {
    },
  • "deviceInfo": {
    },
  • "passkeyOptions": {
    },
  • "trustItems": {
    },
  • "user": {
    }
}

Response samples

Content type
application/json
{
  • "action": "proceed",
  • "registrationRequestOptions": {
    },
  • "session": "w5zY9tpNgePsqkTsQlNPVCR2rwUlCdhCLhVwXsN2r..."
}

passkeys

FIDO2 passkey management

List passkeys of the user

Authorizations:
jwt_header_Authorization

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    },
  • {
    }
]

Delete passkey

Authorizations:
jwt_header_Authorization
path Parameters
id
required
string
Example: 2a363a42-a397-4af0-b089-0935fc223017

Internal passkey identifier

Responses

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Rename passkey

Authorizations:
jwt_header_Authorization
path Parameters
id
required
string
Example: 2a363a42-a397-4af0-b089-0935fc223017

Internal passkey identifier

Request Body schema: application/json
required
name
required
string

Internal passkey identifier

Responses

Request samples

Content type
application/json
{
  • "name": "My iPhone SE"
}

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Get AAGUID Metadata

Authorizations:
jwt_header_Authorization
path Parameters
aaguid
required
string
Example: 2a363a42-a397-4af0-b089-0935fc223017

AAGUID identifier

Responses

Response samples

Content type
application/json
{
  • "iconDark": "data:image/svg+xml;base64,...",
  • "iconLight": "data:image/svg+xml;base64,...",
  • "id": "eb385800-d35e-4108-9b49-48010731cd37",
  • "name": "Thales"
}

mgmt

Management API

Get AAGUID Metadata

Authorizations:
apiKey_header_Authorization
path Parameters
aaguid
required
string
Example: 2a363a42-a397-4af0-b089-0935fc223017

AAGUID identifier

Responses

Response samples

Content type
application/json
{
  • "iconDark": "data:image/svg+xml;base64,...",
  • "iconLight": "data:image/svg+xml;base64,...",
  • "id": "eb385800-d35e-4108-9b49-48010731cd37",
  • "name": "Thales"
}

Remove AAGUIDs from blacklist

Authorizations:
apiKey_header_Authorization
Request Body schema: application/json
required
aaguids
required
Array of strings

List of AAGUIDs to delete from the blacklist

Responses

Request samples

Content type
application/json
{
  • "aaguids": [
    ]
}

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Get content of AAGUID blacklist

Authorizations:
apiKey_header_Authorization

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    },
  • {
    }
]

Add or Update AAGUIDs in the blacklist

Authorizations:
apiKey_header_Authorization
Request Body schema: application/json
required
required
Array of objects (AaguidBlacklist)

List of blacklist items to add/update

Array
aaguid
required
string

AAGUID

auth
required
boolean

Block authentication

reg
required
boolean

Block passkey registration

Responses

Request samples

Content type
application/json
{
  • "items": [
    ]
}

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Clear the AAGUID blacklist

Authorizations:
apiKey_header_Authorization

Responses

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Delete device

Authorizations:
apiKey_header_Authorization
path Parameters
deviceId
required
string
Example: 0546b8b1-b80a-4ea4-b4f6-60bf2ae314e5

Device identifier

Responses

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Get device details

Authorizations:
apiKey_header_Authorization
path Parameters
deviceId
required
string
Example: 0546b8b1-b80a-4ea4-b4f6-60bf2ae314e5

Device identifier

Responses

Response samples

Content type
application/json
{
  • "deviceInfo": {
    },
  • "users": [
    ]
}

Discover passkey authentication options

Authorizations:
apiKey_header_Authorization
Request Body schema: application/json
required
object (DeviceInfo)

Information about the device. All of these attributes are optional and should be provided on a best-effort basis. If provided, they will be taken into consideration in order to improve user experience.

securityKey
boolean
Default: false

Whether the authenticator is a security key

traceId
string

A unique id for tracing all events associated with an interaction. A random ID will be generated by the system if not provided.

required
object (User)
userAgent
required
string

Raw user-agent header as set by the client's browser

Responses

Request samples

Content type
application/json
{
  • "deviceInfo": {
    },
  • "securityKey": false,
  • "traceId": "6957cf6e-a86c-44fb-b25a-bd97cb9ff830",
  • "user": {
    },
  • "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
}

Response samples

Content type
application/json
{
  • "authRequestOptions": {
    },
  • "lastLoginDeviceId": "efb15eb3-85bc-497a-9014-e29fb2b49bc0",
  • "lastLoginTs": "2025-01-02T15:52:12Z",
  • "matchResult": "PasskeyFound",
  • "regRequestOptions": {
    },
  • "session": "w5zY9tpNgePsqkTsQlNPVCR2rwUlCdhCLhVwXsN2r...",
  • "traceId": "6957cf6e-a86c-44fb-b25a-bd97cb9ff830",
  • "userId": "OH96SFA59OQP9TG9SB23LCEE"
}

Create an authorization token with requested scopes

Authorizations:
apiKey_header_Authorization
Request Body schema: application/json
required
grants
required
Array of strings
Items Enum: "passkey:read" "passkey:write" "profile:read" "profile:write" "reg:write" "auth:write"

List of requested grants

username
string

User identifier

Responses

Request samples

Content type
application/json
{
  • "grants": [
    ],
  • "username": "testUser"
}

Response samples

Content type
application/json
{
  • "token": "oWIsYWQl6RB0cFC9jM8Hy85TmqAMyc0QqSXMsh0Fo9U="
}

Create an authorization token after authenticating user in an external system

Authorizations:
apiKey_header_Authorization
Request Body schema: application/json
required
username
required
string

User identifier

Responses

Request samples

Content type
application/json
{
  • "username": "testUser"
}

Response samples

Content type
application/json
{
  • "token": "oWIsYWQl6RB0cFC9jM8Hy85TmqAMyc0QqSXMsh0Fo9U="
}

Delete passkey

Authorizations:
apiKey_header_Authorization
path Parameters
passkeyId
required
string
Example: testUser

Passkey identifier

Responses

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Get passkey details

Authorizations:
apiKey_header_Authorization
path Parameters
passkeyId
required
string
Example: testUser

Passkey identifier

Responses

Response samples

Content type
application/json
{
  • "passkeyInfo": {
    },
  • "user": {
    }
}

Rename a passkey

Authorizations:
apiKey_header_Authorization
path Parameters
passkeyId
required
string
Example: testUser

Passkey identifier

Request Body schema: application/json
required
passkeyName
required
string

New passkey name

Responses

Request samples

Content type
application/json
{
  • "passkeyName": "My favorite iCloud passkey"
}

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Validate JWT Access Token

Authorizations:
apiKey_header_Authorization
Request Body schema: application/json
required
jwtAccess
required
string

JWT access token

Responses

Request samples

Content type
application/json
{
  • "jwtAccess": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Permanently delete the user account and all associated devices and passkeys

Authorizations:
apiKey_header_Authorization
path Parameters
userId
required
string
Example: df7c43a5-c721-4818-a68b-e1d7ff55d07c

User identifier

Responses

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Permanently delete all devices associated with user account

Authorizations:
apiKey_header_Authorization
path Parameters
userId
required
string
Example: df7c43a5-c721-4818-a68b-e1d7ff55d07c

User identifier

Responses

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Permanently delete all passkeys associated with user account

Authorizations:
apiKey_header_Authorization
path Parameters
userId
required
string
Example: df7c43a5-c721-4818-a68b-e1d7ff55d07c

User identifier

Responses

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Find user and retrieve user details

Authorizations:
apiKey_header_Authorization
query Parameters
username
required
string
Example: username=testUser

A username the user can be identified by

Responses

Response samples

Content type
application/json
{
  • "devices": [
    ],
  • "passkeys": [
    ],
  • "user": {
    }
}

.well-known

FIDO2 well-known endpoints

JWKS for auth token validation

Responses

Response samples

Content type
application/json
{
  • "keys": [
    ]
}

version

Get Version

Show software version

Responses

Response samples

Content type
application/json
{
  • "hash": "cd243db4",
  • "version": "1.2.3"
}