Skip to main content
API docs by Redocly

FIDO2 API (2.0)

RESTful API for handling WebAuthn logic with support for FIDO2 flows with passkeys.

client-events

Error reporting endpoint

Report a client side event.

Report a client event. It does not change state of the flow.

Authorizations:
sessionAuth_header_Authorization
Request Body schema: application/json
required
event
required
string

Client side event.

isError
boolean
Default: false

Whether the event is a result of an error.

Responses

Request samples

Content type
application/json
{
  • "event": "ERROR_DISCOVERABLE_CREDENTIALS_UNSUPPORTED",
  • "isError": true
}

Response samples

Content type
application/json
{
  • "session": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo..."
}

profile

User Profile API

Delete a user profile and all associated passkey

Authorizations:
apiKey_header_Authorization
path Parameters
id
required
string
Example: 2a363a42-a397-4af0-b089-0935fc223017

Internal user identifier

Responses

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Delete email from the profile

Authorizations:
apiKey_header_Authorization
path Parameters
id
required
string
Example: 2a363a42-a397-4af0-b089-0935fc223017

Internal user identifier

Request Body schema: application/json
required
email
required
string

Email address

Responses

Request samples

Content type
application/json
{
  • "email": "test@loginid.io"
}

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Update profile email address

Authorizations:
apiKey_header_Authorization
path Parameters
id
required
string
Example: 2a363a42-a397-4af0-b089-0935fc223017

Internal user identifier

Request Body schema: application/json
required
email
required
string

Email address

requestVerification
boolean
Default: true

Whether to update the email address immediately or send an authorization code to verify.

Responses

Request samples

Content type
application/json
{
  • "email": "luke.skywalker@tatuin.com",
  • "requestVerification": true
}

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Delete phone from the profile

Authorizations:
apiKey_header_Authorization
path Parameters
id
required
string
Example: 2a363a42-a397-4af0-b089-0935fc223017

Internal user identifier

Responses

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Update the profile phone number

Authorizations:
apiKey_header_Authorization
path Parameters
id
required
string
Example: 2a363a42-a397-4af0-b089-0935fc223017

Internal user identifier

Request Body schema: application/json
required
messagingConsent
boolean
Default: false

Whether the user consents to receiving SMS messages on this number. The phone will not be used for sending messages if no consent is provided.

phoneNumber
required
string

Phone number

requestVerification
boolean
Default: true

Whether to update the phone number immediately or send an authorization code to verify. This method will fail if verification is requested but no consent is provided.

Responses

Request samples

Content type
application/json
{
  • "messagingConsent": true,
  • "phoneNumber": "+14161234567",
  • "requestVerification": true
}

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Verify phone number with received authorization code

Request Body schema: application/json
required
authCode
required
string

Verification code

username
required
string

Username associated with the code

Responses

Request samples

Content type
application/json
{
  • "authCode": "123456",
  • "username": "user@example.com"
}

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Verify phone number with received authorization code

Request Body schema: application/json
required
authCode
required
string

Verification code

username
required
string

Username associated with the code

Responses

Request samples

Content type
application/json
{
  • "authCode": "123456",
  • "username": "user@example.com"
}

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

tx

FIDO2 transaction confirmation flow

Complete transaction confirmation

Request Body schema: application/json
required
authenticatorData
required
string

This attribute contains the authenticator data returned by the authenticator.

clientData
required
string

Base64 encoded byte array which is a JSON-compatible serialization of client data passed to the authenticator by the client in order to generate this assertion. The exact JSON serialization MUST be preserved, as the hash of the serialized client data has been computed over it.

keyHandle
required
string

Identified of the passkey credential.

session
required
string >= 16 characters

An opaque object containing session data.

signature
required
string

Base64 encoded the raw signature returned from the authenticator.

Responses

Request samples

Content type
application/json
{
  • "authenticatorData": "ix523n3XniH01jM4CIuOn1z0Jw6QbRATXYOsCUyQN...",
  • "clientData": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo...",
  • "keyHandle": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo...",
  • "session": "w5zY9tpNgePsqkTsQlNPVCR2rwUlCdhCLhVwXsN2r...",
  • "signature": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo..."
}

Response samples

Content type
application/json
{
  • "authCred": {
    },
  • "credentialId": "2a363a42-a397-4af0-b089-0935fc223017",
  • "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

Start transaction confirmation flow

Request Body schema: application/json
required
nonce
required
string

Random string

txPayload
required
string

Payload of transaction

txType
required
string

Type of transaction

username
required
string

Username of user

Responses

Request samples

Content type
application/json
{
  • "nonce": "w5zY9tpNgePsqkTsQlNPVCR2rwUlCdhCLhVwXsN2r...",
  • "txPayload": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo...",
  • "txType": "raw",
  • "username": "testUser"
}

Response samples

Content type
application/json
{
  • "assertionOptions": {
    },
  • "session": "w5zY9tpNgePsqkTsQlNPVCR2rwUlCdhCLhVwXsN2r...",
  • "txId": "2a363a42-a397-4af0-b089-0935fc223017"
}

auth

FIDO2 authentication flow

Complete WebAuthn authentication

Request Body schema: application/json
required
required
object (AuthenticatorAssertionResponse)
session
required
string >= 16 characters

An opaque object containing session data.

Responses

Request samples

Content type
application/json
{
  • "assertionResult": {
    },
  • "session": "w5zY9tpNgePsqkTsQlNPVCR2rwUlCdhCLhVwXsN2r..."
}

Response samples

Content type
application/json
{
  • "deviceId": "8222fe14-4973-469f-843d-73b0f9e0a3a9",
  • "jwtAccess": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  • "passkeyId": "482b7723-eb3e-4814-809f-05af16284fcc",
  • "userId": "2a363a42-a397-4af0-b089-0935fc223017"
}

Start WebAuthn authentication flow

header Parameters
User-Agent
string
Example: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

Raw user-agent header as set by a browser

Request Body schema: application/json
required
required
object (Application)

Application making the request. It contains additional info about the caller to distinguish between tenants.

required
object (DeviceInfo)

Information about the device. All of these attributes are optional and should be provided on best effort basis. If provide, they will be taken into consideration in order to improve user experience.

object

TrustIDs provided with the request

object (UserLogin)

Responses

Request samples

Content type
application/json
{
  • "app": {
    },
  • "deviceInfo": {
    },
  • "trustItems": {
    },
  • "user": {
    }
}

Response samples

Content type
application/json
{
  • "action": "proceed",
  • "assertionOptions": {
    },
  • "crossAuthMethods": [
    ],
  • "fallbackMethods": [
    ],
  • "passkeyType": "device",
  • "session": "w5zY9tpNgePsqkTsQlNPVCR2rwUlCdhCLhVwXsN2r..."
}

Request OTP code by an authenticated user

An authenticated user can request an authentication code directly using this method. The code can be used for authentication from another device.

Authorizations:
jwt_header_Authorization

Responses

Response samples

Content type
application/json
{
  • "code": "123456",
  • "expiresAt": "2021-01-01T00:00:00Z"
}

Request OTP code to be sent via email.

Send authentication code to the provided email. The SMS will only be sent if the email address is known to the application, however, this method will return success regardless.

Request Body schema: application/json
required
required
object (UserLogin)
username
required
string

Username

usernameType
string
Default: "other"
Enum: "email" "phone" "other"

Username type

Responses

Request samples

Content type
application/json
{
  • "user": {
    }
}

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Request OTP code to be sent via SMS.

Send authentication code to the provided phone number. The SMS will only be sent if the phone is registered with the application, however, it will return success regardless.

Request Body schema: application/json
required
required
object (UserLogin)
username
required
string

Username

usernameType
string
Default: "other"
Enum: "email" "phone" "other"

Username type

Responses

Request samples

Content type
application/json
{
  • "user": {
    }
}

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Verify authentication code and return JWT access token with appropriate scopes

Request Body schema: application/json
required
authCode
required
string

Authentication code

required
object (UserLogin)

Responses

Request samples

Content type
application/json
{
  • "authCode": "123456",
  • "user": {
    }
}

Response samples

Content type
application/json
{
  • "deviceId": "8222fe14-4973-469f-843d-73b0f9e0a3a9",
  • "jwtAccess": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  • "passkeyId": "482b7723-eb3e-4814-809f-05af16284fcc",
  • "userId": "2a363a42-a397-4af0-b089-0935fc223017"
}

mfa

Multi Factor authentication flow methods

Begin and appropriate flow for the provided username.

Perform pre-authentication.

header Parameters
User-Agent
required
string
Example: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

Raw user-agent header as set by a browser

Request Body schema: application/json
required
object (DeviceInfo)

Information about the device. All of these attributes are optional and should be provided on best effort basis. If provide, they will be taken into consideration in order to improve user experience.

payload
string

Payload to be signed

object

TrustIDs provided with the request

object (User)

Responses

Request samples

Content type
application/json
{
  • "deviceInfo": {
    },
  • "payload": "ak4BXFgauyDtsRvnXWfaTW1DyetX7fTViGY9DRQGQ+g=",
  • "trustItems": {
    },
  • "user": {
    }
}

Response samples

Content type
application/json
{
  • "flow": "signIn",
  • "msg": "Additional authentication is required.",
  • "msgCode": "additional_auth_required",
  • "next": [
    ],
  • "session": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo..."
}

Request OTP authentication using one of the available methods.

Request OTP.

Authorizations:
sessionAuth_header_Authorization
Request Body schema: application/json
required
method
required
string
Enum: "email" "sms"

OTP method

option
string

An OTP option selected by the user (i.e. address to send the OTP request to - phone, email, etc.)

Responses

Request samples

Content type
application/json
{
  • "method": "email",
  • "option": "user@example.com"
}

Response samples

Content type
application/json
{
  • "session": "UxaynsCYdykyHKaA0G7IeWaBG6DGJoGFN8mbJgvRo..."
}

Confirm OTP received in a previous step.

Verify OTP received by one of the methods.

Authorizations:
sessionAuth_header_Authorization
Request Body schema: application/json
required
otp
required
string

Responses

Request samples

Content type
application/json
{
  • "otp": "123456"
}

Response samples

Content type
application/json
{
  • "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT...",
  • "deviceId": "8222fe14-4973-469f-843d-73b0f9e0a3a9",
  • "flow": "signIn",
  • "idToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT...",
  • "payload": "JfeMhXGH1GABxRAXRopd7vtsLEJe16f9ok3oiA8DoEADZ8TOqvgYy...",
  • "payloadSignature": "eyJhbGciOiJIUzI1NiJ9.ew0KICAic3ViIjogIjEyMzQ1Njc4OTAiLA...",
  • "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT..."
}

Authenticate using passkey.

Authenticate with a passkeys.

Authorizations:
sessionAuth_header_Authorization
Request Body schema: application/json
required
required
object (AuthenticatorAssertionResponse)
authenticatorData
required
string

A base64 encoded authenticator data structure encodes contextual bindings made by the authenticator.

clientDataJSON
required
string

Base64 encoded byte array which is a JSON-compatible serialization of client data passed to the authenticator by the client in order to generate this assertion. The exact JSON serialization MUST be preserved, as the hash of the serialized client data has been computed over it.

credentialId
required
string

A base64 encoded byte sequence identifying a public key credential source and its authentication assertions.

signature
required
string

Base64 encoded the raw signature returned from the authenticator.

userHandle
string

User handle returned from the authenticator, or null if the authenticator did not return a user handle.

Responses

Request samples

Content type
application/json
{
  • "assertionResult": {
    }
}

Response samples

Content type
application/json
{
  • "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT...",
  • "deviceId": "8222fe14-4973-469f-843d-73b0f9e0a3a9",
  • "flow": "signIn",
  • "idToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT...",
  • "payload": "JfeMhXGH1GABxRAXRopd7vtsLEJe16f9ok3oiA8DoEADZ8TOqvgYy...",
  • "payloadSignature": "eyJhbGciOiJIUzI1NiJ9.ew0KICAic3ViIjogIjEyMzQ1Njc4OTAiLA...",
  • "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT..."
}

Register a new passkey.

Register a new passkey.

Authorizations:
sessionAuth_header_Authorization
Request Body schema: application/json
required
required
object (CreationResult)
attestationObject
required
string

Base64 encoded byte array containing an attestation object, which is opaque to, and cryptographically protected against tampering by, the client.

authenticatorData
string

A base64 encoded authenticator data structure encodes contextual bindings made by the authenticator.

clientDataJSON
required
string

Base64 encoded byte array which is a JSON-compatible serialization of client data passed to the authenticator by the client in order to generate this credential. The exact JSON serialization MUST be preserved, as the hash of the serialized client data has been computed over it.

credentialId
required
string

A base64 encoded byte sequence identifying a public key credential source and its authentication assertions.

publicKey
string

Base64 encoded DER SubjectPublicKeyInfo of the new credential, or null if this is not available.

publicKeyAlgorithm
integer <int64>
transports
Array of strings
Items Enum: "usb" "nfc" "ble" "internal" "hybrid" "cable" "smart-card"

These values are the transports that the authenticator is believed to support, or an empty sequence if the information is unavailable.

Responses

Request samples

Content type
application/json
{
  • "creationResult": {
    }
}

Response samples

Content type
application/json
{
  • "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT...",
  • "deviceId": "8222fe14-4973-469f-843d-73b0f9e0a3a9",
  • "flow": "signIn",
  • "idToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT...",
  • "payload": "JfeMhXGH1GABxRAXRopd7vtsLEJe16f9ok3oiA8DoEADZ8TOqvgYy...",
  • "payloadSignature": "eyJhbGciOiJIUzI1NiJ9.ew0KICAic3ViIjogIjEyMzQ1Njc4OTAiLA...",
  • "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT..."
}

Transaction confirmation using passkey.

Confirm a transaction with a passkey.

Authorizations:
sessionAuth_header_Authorization
Request Body schema: application/json
required
required
object (AuthenticatorAssertionResponse)
authenticatorData
required
string

A base64 encoded authenticator data structure encodes contextual bindings made by the authenticator.

clientDataJSON
required
string

Base64 encoded byte array which is a JSON-compatible serialization of client data passed to the authenticator by the client in order to generate this assertion. The exact JSON serialization MUST be preserved, as the hash of the serialized client data has been computed over it.

credentialId
required
string

A base64 encoded byte sequence identifying a public key credential source and its authentication assertions.

signature
required
string

Base64 encoded the raw signature returned from the authenticator.

userHandle
string

User handle returned from the authenticator, or null if the authenticator did not return a user handle.

Responses

Request samples

Content type
application/json
{
  • "assertionResult": {
    }
}

Response samples

Content type
application/json
{
  • "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT...",
  • "deviceId": "8222fe14-4973-469f-843d-73b0f9e0a3a9",
  • "flow": "signIn",
  • "idToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT...",
  • "payload": "JfeMhXGH1GABxRAXRopd7vtsLEJe16f9ok3oiA8DoEADZ8TOqvgYy...",
  • "payloadSignature": "eyJhbGciOiJIUzI1NiJ9.ew0KICAic3ViIjogIjEyMzQ1Njc4OTAiLA...",
  • "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT..."
}

Verify auth token created by a third party via management API.

Verify authentication token received from a third party.

Authorizations:
sessionAuth_header_Authorization
Request Body schema: application/json
required
token
required
string

Authorization token produced by mgmt API.

Responses

Request samples

Content type
application/json
{
  • "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
}

Response samples

Content type
application/json
{
  • "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT...",
  • "deviceId": "8222fe14-4973-469f-843d-73b0f9e0a3a9",
  • "flow": "signIn",
  • "idToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT...",
  • "payload": "JfeMhXGH1GABxRAXRopd7vtsLEJe16f9ok3oiA8DoEADZ8TOqvgYy...",
  • "payloadSignature": "eyJhbGciOiJIUzI1NiJ9.ew0KICAic3ViIjogIjEyMzQ1Njc4OTAiLA...",
  • "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NT..."
}

reg

FIDO2 registration flow

Complete WebAuthn registration flow

Request Body schema: application/json
required
required
object (CreationResult)
passkeyName
string

Passkey name that will be shown to the user in passkey list.

session
required
string >= 16 characters

An opaque object containing session data.

Responses

Request samples

Content type
application/json
{
  • "creationResult": {
    },
  • "passkeyName": "Windows Hello (Win11,Chrome) - 2025-04-07 20:46",
  • "session": "w5zY9tpNgePsqkTsQlNPVCR2rwUlCdhCLhVwXsN2r..."
}

Response samples

Content type
application/json
{
  • "deviceId": "8222fe14-4973-469f-843d-73b0f9e0a3a9",
  • "jwtAccess": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  • "passkeyId": "482b7723-eb3e-4814-809f-05af16284fcc",
  • "userId": "2a363a42-a397-4af0-b089-0935fc223017"
}

Start WebAuthn registration flow

Authorizations:
jwt_header_Authorization
header Parameters
User-Agent
string
Example: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

Raw user-agent header as set by a browser

Request Body schema: application/json
required
required
object (Application)

Application making the request. It contains additional info about the caller to distinguish between tenants.

required
object (DeviceInfo)

Information about the device. All of these attributes are optional and should be provided on best effort basis. If provide, they will be taken into consideration in order to improve user experience.

object (PasskeyOptions)
object

TrustIDs provided with the request

object (User)

Responses

Request samples

Content type
application/json
{
  • "app": {
    },
  • "deviceInfo": {
    },
  • "passkeyOptions": {
    },
  • "trustItems": {
    },
  • "user": {
    }
}

Response samples

Content type
application/json
{
  • "action": "proceed",
  • "registrationRequestOptions": {
    },
  • "session": "w5zY9tpNgePsqkTsQlNPVCR2rwUlCdhCLhVwXsN2r..."
}

passkeys

FIDO2 pass-key management

List passkeys of the user

Authorizations:
jwt_header_Authorization

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    },
  • {
    }
]

Delete passkey

Authorizations:
jwt_header_Authorization
path Parameters
id
required
string
Example: 2a363a42-a397-4af0-b089-0935fc223017

Internal passkey identifier

Responses

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Rename passkey

Authorizations:
jwt_header_Authorization
path Parameters
id
required
string
Example: 2a363a42-a397-4af0-b089-0935fc223017

Internal passkey identifier

Request Body schema: application/json
required
name
required
string

Internal passkey identifier

Responses

Request samples

Content type
application/json
{
  • "name": "My iPhone SE"
}

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Get AAGUID Metadata

Authorizations:
jwt_header_Authorization
path Parameters
aaguid
required
string
Example: 2a363a42-a397-4af0-b089-0935fc223017

AAGUID identifier

Responses

Response samples

Content type
application/json
{
  • "iconDark": "data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2aWV3Qm94PSIwIDAgNDggNDgiPgogIDxkZWZzPgogICAgPGxpbmVhckdyYWRpZW50IGlkPSJhIiB4MT0iMy4yMTczIiB5MT0iMTUiIHgyPSI0NC43ODEyIiB5Mj0iMTUiIGdyYWRpZW50VW5pdHM9InVzZXJTcGFjZU9uVXNlIj4KICAgICAgPHN0b3Agb2Zmc2V0PSIwIiBzdG9wLWNvbG9yPSIjZDkzMDI1Ii8+CiAgICAgIDxzdG9wIG9mZnNldD0iMSIgc3RvcC1jb2xvcj0iI2VhNDMzNSIvPgogICAgPC9saW5lYXJHcmFkaWVudD4KICAgIDxsaW5lYXJHcmFkaWVudCBpZD0iYiIgeDE9IjIwLjcyMTkiIHkxPSI0Ny42NzkxIiB4Mj0iNDEuNTAzOSIgeTI9IjExLjY4MzciIGdyYWRpZW50VW5pdHM9InVzZXJTcGFjZU9uVXNlIj4KICAgICAgPHN0b3Agb2Zmc2V0PSIwIiBzdG9wLWNvbG9yPSIjZmNjOTM0Ii8+CiAgICAgIDxzdG9wIG9mZnNldD0iMSIgc3RvcC1jb2xvcj0iI2ZiYmMwNCIvPgogICAgPC9saW5lYXJHcmFkaWVudD4KICAgIDxsaW5lYXJHcmFkaWVudCBpZD0iYyIgeDE9IjI2LjU5ODEiIHkxPSI0Ni41MDE1IiB4Mj0iNS44MTYxIiB5Mj0iMTAuNTA2IiBncmFkaWVudFVuaXRzPSJ1c2VyU3BhY2VPblVzZSI+CiAgICAgIDxzdG9wIG9mZnNldD0iMCIgc3RvcC1jb2xvcj0iIzFlOGUzZSIvPgogICAgICA8c3RvcCBvZmZzZXQ9IjEiIHN0b3AtY29sb3I9IiMzNGE4NTMiLz4KICAgIDwvbGluZWFyR3JhZGllbnQ+CiAgICAKICAgIDxwYXRoIGlkPSJwIiBkPSJNMTMuNjA4NiAzMC4wMDMxIDMuMjE4IDEyLjAwNkEyMy45OTQgMjMuOTk0IDAgMCAwIDI0LjAwMjUgNDhsMTAuMzkwNi0xNy45OTcxLS4wMDY3LS4wMDY4YTExLjk4NTIgMTEuOTg1MiAwIDAgMS0yMC43Nzc4LjAwN1oiLz4KICA8L2RlZnM+CiAgCiAgPHVzZSB4bGluazpocmVmPSIjcCIgZmlsbD0idXJsKCNhKSIgdHJhbnNmb3JtPSJyb3RhdGUoMTIwIDI0IDI0KSIvPgogIDx1c2UgeGxpbms6aHJlZj0iI3AiIGZpbGw9InVybCgjYikiIHRyYW5zZm9ybT0icm90YXRlKC0xMjAgMjQgMjQpIi8+CiAgPHVzZSB4bGluazpocmVmPSIjcCIgZmlsbD0idXJsKCNjKSIvPgogIAogIDxjaXJjbGUgY3g9IjI0IiBjeT0iMjQiIHI9IjEyIiBzdHlsZT0iZmlsbDojZmZmIi8+CiAgPGNpcmNsZSBjeD0iMjQiIGN5PSIyNCIgcj0iOS41IiBzdHlsZT0iZmlsbDojMWE3M2U4Ii8+Cjwvc3ZnPg==",
  • "iconLight": "data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2aWV3Qm94PSIwIDAgNDggNDgiPgogIDxkZWZzPgogICAgPGxpbmVhckdyYWRpZW50IGlkPSJhIiB4MT0iMy4yMTczIiB5MT0iMTUiIHgyPSI0NC43ODEyIiB5Mj0iMTUiIGdyYWRpZW50VW5pdHM9InVzZXJTcGFjZU9uVXNlIj4KICAgICAgPHN0b3Agb2Zmc2V0PSIwIiBzdG9wLWNvbG9yPSIjZDkzMDI1Ii8+CiAgICAgIDxzdG9wIG9mZnNldD0iMSIgc3RvcC1jb2xvcj0iI2VhNDMzNSIvPgogICAgPC9saW5lYXJHcmFkaWVudD4KICAgIDxsaW5lYXJHcmFkaWVudCBpZD0iYiIgeDE9IjIwLjcyMTkiIHkxPSI0Ny42NzkxIiB4Mj0iNDEuNTAzOSIgeTI9IjExLjY4MzciIGdyYWRpZW50VW5pdHM9InVzZXJTcGFjZU9uVXNlIj4KICAgICAgPHN0b3Agb2Zmc2V0PSIwIiBzdG9wLWNvbG9yPSIjZmNjOTM0Ii8+CiAgICAgIDxzdG9wIG9mZnNldD0iMSIgc3RvcC1jb2xvcj0iI2ZiYmMwNCIvPgogICAgPC9saW5lYXJHcmFkaWVudD4KICAgIDxsaW5lYXJHcmFkaWVudCBpZD0iYyIgeDE9IjI2LjU5ODEiIHkxPSI0Ni41MDE1IiB4Mj0iNS44MTYxIiB5Mj0iMTAuNTA2IiBncmFkaWVudFVuaXRzPSJ1c2VyU3BhY2VPblVzZSI+CiAgICAgIDxzdG9wIG9mZnNldD0iMCIgc3RvcC1jb2xvcj0iIzFlOGUzZSIvPgogICAgICA8c3RvcCBvZmZzZXQ9IjEiIHN0b3AtY29sb3I9IiMzNGE4NTMiLz4KICAgIDwvbGluZWFyR3JhZGllbnQ+CiAgICAKICAgIDxwYXRoIGlkPSJwIiBkPSJNMTMuNjA4NiAzMC4wMDMxIDMuMjE4IDEyLjAwNkEyMy45OTQgMjMuOTk0IDAgMCAwIDI0LjAwMjUgNDhsMTAuMzkwNi0xNy45OTcxLS4wMDY3LS4wMDY4YTExLjk4NTIgMTEuOTg1MiAwIDAgMS0yMC43Nzc4LjAwN1oiLz4KICA8L2RlZnM+CiAgCiAgPHVzZSB4bGluazpocmVmPSIjcCIgZmlsbD0idXJsKCNhKSIgdHJhbnNmb3JtPSJyb3RhdGUoMTIwIDI0IDI0KSIvPgogIDx1c2UgeGxpbms6aHJlZj0iI3AiIGZpbGw9InVybCgjYikiIHRyYW5zZm9ybT0icm90YXRlKC0xMjAgMjQgMjQpIi8+CiAgPHVzZSB4bGluazpocmVmPSIjcCIgZmlsbD0idXJsKCNjKSIvPgogIAogIDxjaXJjbGUgY3g9IjI0IiBjeT0iMjQiIHI9IjEyIiBzdHlsZT0iZmlsbDojZmZmIi8+CiAgPGNpcmNsZSBjeD0iMjQiIGN5PSIyNCIgcj0iOS41IiBzdHlsZT0iZmlsbDojMWE3M2U4Ii8+Cjwvc3ZnPg==",
  • "id": "eb385800-d35e-4108-9b49-48010731cd37",
  • "name": "Thales"
}

mgmt

Management API

Get AAGUID Metadata

Authorizations:
apiKey_header_Authorization
path Parameters
aaguid
required
string
Example: 2a363a42-a397-4af0-b089-0935fc223017

AAGUID identifier

Responses

Response samples

Content type
application/json
{
  • "iconDark": "data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2aWV3Qm94PSIwIDAgNDggNDgiPgogIDxkZWZzPgogICAgPGxpbmVhckdyYWRpZW50IGlkPSJhIiB4MT0iMy4yMTczIiB5MT0iMTUiIHgyPSI0NC43ODEyIiB5Mj0iMTUiIGdyYWRpZW50VW5pdHM9InVzZXJTcGFjZU9uVXNlIj4KICAgICAgPHN0b3Agb2Zmc2V0PSIwIiBzdG9wLWNvbG9yPSIjZDkzMDI1Ii8+CiAgICAgIDxzdG9wIG9mZnNldD0iMSIgc3RvcC1jb2xvcj0iI2VhNDMzNSIvPgogICAgPC9saW5lYXJHcmFkaWVudD4KICAgIDxsaW5lYXJHcmFkaWVudCBpZD0iYiIgeDE9IjIwLjcyMTkiIHkxPSI0Ny42NzkxIiB4Mj0iNDEuNTAzOSIgeTI9IjExLjY4MzciIGdyYWRpZW50VW5pdHM9InVzZXJTcGFjZU9uVXNlIj4KICAgICAgPHN0b3Agb2Zmc2V0PSIwIiBzdG9wLWNvbG9yPSIjZmNjOTM0Ii8+CiAgICAgIDxzdG9wIG9mZnNldD0iMSIgc3RvcC1jb2xvcj0iI2ZiYmMwNCIvPgogICAgPC9saW5lYXJHcmFkaWVudD4KICAgIDxsaW5lYXJHcmFkaWVudCBpZD0iYyIgeDE9IjI2LjU5ODEiIHkxPSI0Ni41MDE1IiB4Mj0iNS44MTYxIiB5Mj0iMTAuNTA2IiBncmFkaWVudFVuaXRzPSJ1c2VyU3BhY2VPblVzZSI+CiAgICAgIDxzdG9wIG9mZnNldD0iMCIgc3RvcC1jb2xvcj0iIzFlOGUzZSIvPgogICAgICA8c3RvcCBvZmZzZXQ9IjEiIHN0b3AtY29sb3I9IiMzNGE4NTMiLz4KICAgIDwvbGluZWFyR3JhZGllbnQ+CiAgICAKICAgIDxwYXRoIGlkPSJwIiBkPSJNMTMuNjA4NiAzMC4wMDMxIDMuMjE4IDEyLjAwNkEyMy45OTQgMjMuOTk0IDAgMCAwIDI0LjAwMjUgNDhsMTAuMzkwNi0xNy45OTcxLS4wMDY3LS4wMDY4YTExLjk4NTIgMTEuOTg1MiAwIDAgMS0yMC43Nzc4LjAwN1oiLz4KICA8L2RlZnM+CiAgCiAgPHVzZSB4bGluazpocmVmPSIjcCIgZmlsbD0idXJsKCNhKSIgdHJhbnNmb3JtPSJyb3RhdGUoMTIwIDI0IDI0KSIvPgogIDx1c2UgeGxpbms6aHJlZj0iI3AiIGZpbGw9InVybCgjYikiIHRyYW5zZm9ybT0icm90YXRlKC0xMjAgMjQgMjQpIi8+CiAgPHVzZSB4bGluazpocmVmPSIjcCIgZmlsbD0idXJsKCNjKSIvPgogIAogIDxjaXJjbGUgY3g9IjI0IiBjeT0iMjQiIHI9IjEyIiBzdHlsZT0iZmlsbDojZmZmIi8+CiAgPGNpcmNsZSBjeD0iMjQiIGN5PSIyNCIgcj0iOS41IiBzdHlsZT0iZmlsbDojMWE3M2U4Ii8+Cjwvc3ZnPg==",
  • "iconLight": "data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2aWV3Qm94PSIwIDAgNDggNDgiPgogIDxkZWZzPgogICAgPGxpbmVhckdyYWRpZW50IGlkPSJhIiB4MT0iMy4yMTczIiB5MT0iMTUiIHgyPSI0NC43ODEyIiB5Mj0iMTUiIGdyYWRpZW50VW5pdHM9InVzZXJTcGFjZU9uVXNlIj4KICAgICAgPHN0b3Agb2Zmc2V0PSIwIiBzdG9wLWNvbG9yPSIjZDkzMDI1Ii8+CiAgICAgIDxzdG9wIG9mZnNldD0iMSIgc3RvcC1jb2xvcj0iI2VhNDMzNSIvPgogICAgPC9saW5lYXJHcmFkaWVudD4KICAgIDxsaW5lYXJHcmFkaWVudCBpZD0iYiIgeDE9IjIwLjcyMTkiIHkxPSI0Ny42NzkxIiB4Mj0iNDEuNTAzOSIgeTI9IjExLjY4MzciIGdyYWRpZW50VW5pdHM9InVzZXJTcGFjZU9uVXNlIj4KICAgICAgPHN0b3Agb2Zmc2V0PSIwIiBzdG9wLWNvbG9yPSIjZmNjOTM0Ii8+CiAgICAgIDxzdG9wIG9mZnNldD0iMSIgc3RvcC1jb2xvcj0iI2ZiYmMwNCIvPgogICAgPC9saW5lYXJHcmFkaWVudD4KICAgIDxsaW5lYXJHcmFkaWVudCBpZD0iYyIgeDE9IjI2LjU5ODEiIHkxPSI0Ni41MDE1IiB4Mj0iNS44MTYxIiB5Mj0iMTAuNTA2IiBncmFkaWVudFVuaXRzPSJ1c2VyU3BhY2VPblVzZSI+CiAgICAgIDxzdG9wIG9mZnNldD0iMCIgc3RvcC1jb2xvcj0iIzFlOGUzZSIvPgogICAgICA8c3RvcCBvZmZzZXQ9IjEiIHN0b3AtY29sb3I9IiMzNGE4NTMiLz4KICAgIDwvbGluZWFyR3JhZGllbnQ+CiAgICAKICAgIDxwYXRoIGlkPSJwIiBkPSJNMTMuNjA4NiAzMC4wMDMxIDMuMjE4IDEyLjAwNkEyMy45OTQgMjMuOTk0IDAgMCAwIDI0LjAwMjUgNDhsMTAuMzkwNi0xNy45OTcxLS4wMDY3LS4wMDY4YTExLjk4NTIgMTEuOTg1MiAwIDAgMS0yMC43Nzc4LjAwN1oiLz4KICA8L2RlZnM+CiAgCiAgPHVzZSB4bGluazpocmVmPSIjcCIgZmlsbD0idXJsKCNhKSIgdHJhbnNmb3JtPSJyb3RhdGUoMTIwIDI0IDI0KSIvPgogIDx1c2UgeGxpbms6aHJlZj0iI3AiIGZpbGw9InVybCgjYikiIHRyYW5zZm9ybT0icm90YXRlKC0xMjAgMjQgMjQpIi8+CiAgPHVzZSB4bGluazpocmVmPSIjcCIgZmlsbD0idXJsKCNjKSIvPgogIAogIDxjaXJjbGUgY3g9IjI0IiBjeT0iMjQiIHI9IjEyIiBzdHlsZT0iZmlsbDojZmZmIi8+CiAgPGNpcmNsZSBjeD0iMjQiIGN5PSIyNCIgcj0iOS41IiBzdHlsZT0iZmlsbDojMWE3M2U4Ii8+Cjwvc3ZnPg==",
  • "id": "eb385800-d35e-4108-9b49-48010731cd37",
  • "name": "Thales"
}

Remove AAGUIDs from blacklist

Authorizations:
apiKey_header_Authorization
Request Body schema: application/json
required
aaguids
required
Array of strings

List of AAGUIDs to delete from the blacklist

Responses

Request samples

Content type
application/json
{
  • "aaguids": [
    ]
}

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Get content of AAGUID blacklist

Authorizations:
apiKey_header_Authorization

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    },
  • {
    }
]

Add or Update AAGUIDs in the blacklist

Authorizations:
apiKey_header_Authorization
Request Body schema: application/json
required
required
Array of objects (AaguidBlacklist)

List of blacklist items to add/update

Array
aaguid
required
string

AAGUID

auth
required
boolean

Block authentication

reg
required
boolean

Block passkey registration

Responses

Request samples

Content type
application/json
{
  • "items": [
    ]
}

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Clear the AAGUID blacklist

Authorizations:
apiKey_header_Authorization

Responses

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Delete device

Authorizations:
apiKey_header_Authorization
path Parameters
deviceId
required
string
Example: 0546b8b1-b80a-4ea4-b4f6-60bf2ae314e5

Device identifier

Responses

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Get device details

Authorizations:
apiKey_header_Authorization
path Parameters
deviceId
required
string
Example: 0546b8b1-b80a-4ea4-b4f6-60bf2ae314e5

Device identifier

Responses

Response samples

Content type
application/json
{
  • "deviceInfo": {
    },
  • "users": [
    ]
}

Discover passkey authentication options

Authorizations:
apiKey_header_Authorization
Request Body schema: application/json
required
object (DeviceInfo)

Information about the device. All of these attributes are optional and should be provided on best effort basis. If provide, they will be taken into consideration in order to improve user experience.

securityKey
boolean
Default: false

Whether the authenticator is a security key

traceId
string

A unique id for tracing all events associated with an interaction. A random ID will be generated by the system if not provided.

required
object (User)
userAgent
required
string

Raw user-agent header as set by clients browser

Responses

Request samples

Content type
application/json
{
  • "deviceInfo": {
    },
  • "securityKey": false,
  • "traceId": "6957cf6e-a86c-44fb-b25a-bd97cb9ff830",
  • "user": {
    },
  • "userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
}

Response samples

Content type
application/json
{
  • "authRequestOptions": {
    },
  • "lastLoginDeviceId": "efb15eb3-85bc-497a-9014-e29fb2b49bc0",
  • "lastLoginTs": "2025-01-02T15:52:12Z",
  • "matchResult": "PasskeyFound",
  • "regRequestOptions": {
    },
  • "session": "w5zY9tpNgePsqkTsQlNPVCR2rwUlCdhCLhVwXsN2r...",
  • "traceId": "6957cf6e-a86c-44fb-b25a-bd97cb9ff830",
  • "userId": "OH96SFA59OQP9TG9SB23LCEE"
}

Create an authorization token with requested scopes

Authorizations:
apiKey_header_Authorization
Request Body schema: application/json
required
grants
required
Array of strings
Items Enum: "passkey:read" "passkey:write" "profile:read" "profile:write" "reg:write" "auth:write"

List of requested grants

username
string

User identifier

Responses

Request samples

Content type
application/json
{
  • "grants": [
    ],
  • "username": "testUser"
}

Response samples

Content type
application/json
{
  • "token": "oWIsYWQl6RB0cFC9jM8Hy85TmqAMyc0QqSXMsh0Fo9U="
}

Create an authorization token after authenticating user in an external system

Authorizations:
apiKey_header_Authorization
Request Body schema: application/json
required
username
required
string

User identifier

Responses

Request samples

Content type
application/json
{
  • "username": "testUser"
}

Response samples

Content type
application/json
{
  • "token": "oWIsYWQl6RB0cFC9jM8Hy85TmqAMyc0QqSXMsh0Fo9U="
}

Delete passkey

Authorizations:
apiKey_header_Authorization
path Parameters
passkeyId
required
string
Example: testUser

Passkey identifier

Responses

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Get passkey details

Authorizations:
apiKey_header_Authorization
path Parameters
passkeyId
required
string
Example: testUser

Passkey identifier

Responses

Response samples

Content type
application/json
{
  • "passkeyInfo": {
    },
  • "user": {
    }
}

Rename a passkey

Authorizations:
apiKey_header_Authorization
path Parameters
passkeyId
required
string
Example: testUser

Passkey identifier

Request Body schema: application/json
required
passkeyName
required
string

New passkey name

Responses

Request samples

Content type
application/json
{
  • "passkeyName": "My favorite iCloud passkey"
}

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Validate JWT Access Token

Authorizations:
apiKey_header_Authorization
Request Body schema: application/json
required
jwtAccess
required
string

JWT access token

Responses

Request samples

Content type
application/json
{
  • "jwtAccess": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Permanently delete the user account and all associated devices and passkeys

Authorizations:
apiKey_header_Authorization
path Parameters
userId
required
string
Example: df7c43a5-c721-4818-a68b-e1d7ff55d07c

User identifier

Responses

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Permanently delete all devices associated with user account

Authorizations:
apiKey_header_Authorization
path Parameters
userId
required
string
Example: df7c43a5-c721-4818-a68b-e1d7ff55d07c

User identifier

Responses

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Permanently delete all passkeys associated with user account

Authorizations:
apiKey_header_Authorization
path Parameters
userId
required
string
Example: df7c43a5-c721-4818-a68b-e1d7ff55d07c

User identifier

Responses

Response samples

Content type
application/json
{
  • "msg": "Internal error",
  • "msgCode": "internal_error"
}

Find user and retrieve user details

Authorizations:
apiKey_header_Authorization
query Parameters
username
required
string
Example: username=testUser

A username the user can be identified by

Responses

Response samples

Content type
application/json
{
  • "devices": [
    ],
  • "passkeys": [
    ],
  • "user": {
    }
}

.well-known

FIDO2 well-known endpoints

JWKS for auth token validation

Responses

Response samples

Content type
application/json
{
  • "keys": [
    ]
}

version

Get Version

Show software version

Responses

Response samples

Content type
application/json
{
  • "hash": "cd243db4",
  • "version": "1.2.3"
}