> ## Documentation Index
> Fetch the complete documentation index at: https://docs.dfns.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Complete User Registration

> Completes the user registration process and creates the user's initial credentials.

All credentials submitted in this call (`firstFactorCredential`, `secondFactorCredential`, `recoveryCredential`) sign the same challenge returned by the registration init endpoint ([Create Registration Challenge](https://docs.dfns.co/api-reference/auth/create-registration-challenge), [Create Delegated Registration Challenge](https://docs.dfns.co/api-reference/auth/create-delegated-registration-challenge), or [Create Social Registration Challenge](https://docs.dfns.co/api-reference/auth/create-social-registration-challenge)).

Always include a `recoveryCredential` for end users. Without one, a user who loses their device cannot recover access and you must initiate a delegated recovery manually. See [Implement end-user recovery](https://docs.dfns.co/guides/developers/end-user-recovery).

The type of credentials being registered is determined by the `credentialKind` field in the nested objects (`firstFactorCredential` , `secondFactorCredential` and `recoveryCredential`). Supported credential kinds are:
* `Fido2`: User action is signed by a user's signing device using `WebAuthn`.
* `Key`: User action is signed by a user's, or token's, private key.
* `PasswordProtectedKey`: User action is signed by a user's, or token's, private key. The encrypted version of the private key is stored by Dfns and returns during the signing flow for the user to decrypt it.
* `RecoveryKey` : Similar to `PasswordProtectedKey`, but this credential can only be used to recover an account not to sign an action or login. Once this credential is used all the other user's credentials are invalidated.


#### Authentication

❌ Organization User (`CustomerEmployee`)\
❌ Delegated User (`EndUser`)\
❌ Service Account\
✅ Registration Code

#### Required Permissions

No permission required.


## OpenAPI

````yaml /openapi.yaml post /auth/registration
openapi: 3.1.0
info:
  version: 1.910.1
  title: Dfns
servers:
  - url: https://api.dfns.io
    description: Default - Europe
  - url: https://api.uae.dfns.io
    description: UAE
  - url: https://api.dfns.ninja
    description: <Deprecated> Staging
security: []
paths:
  /auth/registration:
    post:
      tags:
        - Auth
      summary: Complete User Registration
      description: >
        Completes the user registration process and creates the user's initial
        credentials.


        All credentials submitted in this call (`firstFactorCredential`,
        `secondFactorCredential`, `recoveryCredential`) sign the same challenge
        returned by the registration init endpoint ([Create Registration
        Challenge](https://docs.dfns.co/api-reference/auth/create-registration-challenge),
        [Create Delegated Registration
        Challenge](https://docs.dfns.co/api-reference/auth/create-delegated-registration-challenge),
        or [Create Social Registration
        Challenge](https://docs.dfns.co/api-reference/auth/create-social-registration-challenge)).


        Always include a `recoveryCredential` for end users. Without one, a user
        who loses their device cannot recover access and you must initiate a
        delegated recovery manually. See [Implement end-user
        recovery](https://docs.dfns.co/guides/developers/end-user-recovery).


        The type of credentials being registered is determined by the
        `credentialKind` field in the nested objects (`firstFactorCredential` ,
        `secondFactorCredential` and `recoveryCredential`). Supported credential
        kinds are:

        * `Fido2`: User action is signed by a user's signing device using
        `WebAuthn`.

        * `Key`: User action is signed by a user's, or token's, private key.

        * `PasswordProtectedKey`: User action is signed by a user's, or token's,
        private key. The encrypted version of the private key is stored by Dfns
        and returns during the signing flow for the user to decrypt it.

        * `RecoveryKey` : Similar to `PasswordProtectedKey`, but this credential
        can only be used to recover an account not to sign an action or login.
        Once this credential is used all the other user's credentials are
        invalidated.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                firstFactorCredential:
                  $ref: '#/components/schemas/FirstFactorAttestation'
                secondFactorCredential:
                  $ref: '#/components/schemas/SecondFactorAttestation'
                recoveryCredential:
                  $ref: '#/components/schemas/RecoveryKeyAttestation'
              required:
                - firstFactorCredential
              additionalProperties: false
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                type: object
                properties:
                  credential:
                    type: object
                    properties:
                      uuid:
                        type: string
                        description: UUID of the credential that was registered.
                      kind:
                        type: string
                        enum:
                          - Fido2
                          - Key
                          - Password
                          - Totp
                          - RecoveryKey
                          - PasswordProtectedKey
                        description: Kind of credential that was registered.
                      name:
                        type: string
                        description: Human-readable name of the credential.
                    required:
                      - uuid
                      - kind
                      - name
                  user:
                    type: object
                    properties:
                      id:
                        type: string
                        minLength: 1
                        maxLength: 64
                        pattern: ^us-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$
                        description: User id.
                        example: us-6b58p-r53sr-rlrd3l5cj3uc4ome
                      username:
                        type: string
                        description: Username/identifier of the user.
                      orgId:
                        type: string
                        minLength: 1
                        maxLength: 64
                        pattern: ^or-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$
                        description: Organization id.
                        example: or-30tnh-itmjs-s235s5ontr3r23h2
                      tenantId:
                        type: string
                        minLength: 1
                        maxLength: 64
                        pattern: ^acct-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$
                        description: Tenant id.
                        example: acct-24hka-dhili-9hgvdlvr1ohpibp4
                    required:
                      - id
                      - username
                required:
                  - credential
                  - user
      security:
        - authenticationToken: []
components:
  schemas:
    FirstFactorAttestation:
      oneOf:
        - $ref: '#/components/schemas/Fido2Attestation'
        - $ref: '#/components/schemas/KeyAttestation'
        - $ref: '#/components/schemas/PasswordAttestation'
        - $ref: '#/components/schemas/PasswordProtectedKeyAttestation'
      discriminator:
        propertyName: credentialKind
        mapping:
          Fido2:
            $ref: '#/components/schemas/Fido2Attestation'
          Key:
            $ref: '#/components/schemas/KeyAttestation'
          Password:
            $ref: '#/components/schemas/PasswordAttestation'
          PasswordProtectedKey:
            $ref: '#/components/schemas/PasswordProtectedKeyAttestation'
    SecondFactorAttestation:
      oneOf:
        - $ref: '#/components/schemas/Fido2Attestation'
        - $ref: '#/components/schemas/KeyAttestation'
        - $ref: '#/components/schemas/TotpAttestation'
        - $ref: '#/components/schemas/PasswordProtectedKeyAttestation'
      discriminator:
        propertyName: credentialKind
        mapping:
          Fido2:
            $ref: '#/components/schemas/Fido2Attestation'
          Key:
            $ref: '#/components/schemas/KeyAttestation'
          Totp:
            $ref: '#/components/schemas/TotpAttestation'
          PasswordProtectedKey:
            $ref: '#/components/schemas/PasswordProtectedKeyAttestation'
    RecoveryKeyAttestation:
      type: object
      properties:
        credentialKind:
          type: string
          enum:
            - RecoveryKey
        credentialInfo:
          type: object
          properties:
            credId:
              type: string
              minLength: 1
              description: Base64url-encoded id of the recovery credential.
            clientData:
              type: string
              minLength: 1
              description: >-
                Base64url-encoded, stringified JSON [client
                data](https://docs.dfns.co/api-reference/auth/credentials-data#client-data)
                object.
            attestationData:
              type: string
              minLength: 1
              description: Base64url-encoded public key.
          required:
            - credId
            - clientData
            - attestationData
          additionalProperties: false
        encryptedPrivateKey:
          type: string
          minLength: 1
          description: User-encrypted private key for the recovery credential.
        credentialName:
          type: string
          minLength: 1
          description: Human-readable name to assign to the credential.
      required:
        - credentialKind
        - credentialInfo
      additionalProperties: false
      description: >-
        Register a recovery key. See [Account
        Recovery](https://docs.dfns.co/api-reference/auth/account-recovery) for
        more details.
      title: Recovery Key
    Fido2Attestation:
      type: object
      properties:
        credentialKind:
          type: string
          enum:
            - Fido2
        credentialInfo:
          type: object
          properties:
            credId:
              type: string
              minLength: 1
              description: >-
                Base64url-encoded id of the credential returned by the user's
                WebAuthn client.
            clientData:
              type: string
              minLength: 1
              description: >-
                Base64url-encoded, stringified JSON [client
                data](https://docs.dfns.co/api-reference/auth/credentials-data#client-data)
                object returned by the user's WebAuthn client.
            attestationData:
              type: string
              minLength: 1
              description: >-
                Base64url-encoded attestation data returned by the user's
                WebAuthn client.
          required:
            - credId
            - clientData
            - attestationData
          additionalProperties: false
        credentialName:
          type: string
          minLength: 1
          description: Human-readable name to assign to the credential.
      required:
        - credentialKind
        - credentialInfo
      additionalProperties: false
      description: >-
        Register a Fido2 Credential, also known as Passkeys or WebauthN
        credential.
      title: Fido2/Passkeys
    KeyAttestation:
      type: object
      properties:
        credentialKind:
          type: string
          enum:
            - Key
        credentialInfo:
          type: object
          properties:
            credId:
              type: string
              minLength: 1
              description: Base64url-encoded id of the credential.
            clientData:
              type: string
              minLength: 1
              description: >-
                Base64url-encoded, stringified JSON [client
                data](https://docs.dfns.co/api-reference/auth/credentials-data#client-data)
                object.
            attestationData:
              type: string
              minLength: 1
              description: Base64url-encoded public key.
          required:
            - credId
            - clientData
            - attestationData
          additionalProperties: false
        credentialName:
          type: string
          minLength: 1
          description: Human-readable name to assign to the credential.
      required:
        - credentialKind
        - credentialInfo
      additionalProperties: false
      description: >-
        Register a "raw" public/private keypair, mostly meant to be used by
        Service Accounts. See [Generate a Key
        Pair](https://docs.dfns.co/guides/developers/generate-a-key-pair) for
        more details.
      title: Public/Private key pair
    PasswordAttestation:
      type: object
      properties:
        credentialKind:
          type: string
          enum:
            - Password
        credentialInfo:
          type: object
          properties:
            password:
              type: string
              minLength: 1
              description: User password.
          required:
            - password
          additionalProperties: false
        credentialName:
          type: string
          minLength: 1
          description: Human-readable name to assign to the credential.
      required:
        - credentialKind
        - credentialInfo
      additionalProperties: false
      description: Not supported, will be removed in a future release.
      title: <Deprecated> Password
    PasswordProtectedKeyAttestation:
      type: object
      properties:
        credentialKind:
          type: string
          enum:
            - PasswordProtectedKey
        credentialInfo:
          type: object
          properties:
            credId:
              type: string
              minLength: 1
              description: Base64url-encoded id of the credential.
            clientData:
              type: string
              minLength: 1
              description: >-
                Base64url-encoded, stringified JSON [client
                data](https://docs.dfns.co/api-reference/auth/credentials-data#client-data)
                object.
            attestationData:
              type: string
              minLength: 1
              description: Base64url-encoded public key.
          required:
            - credId
            - clientData
            - attestationData
          additionalProperties: false
        encryptedPrivateKey:
          type: string
          minLength: 1
          description: >-
            User-encrypted private key. Dfns does not have the password to
            decrypt it.
        credentialName:
          type: string
          minLength: 1
          description: Human-readable name to assign to the credential.
      required:
        - credentialKind
        - credentialInfo
        - encryptedPrivateKey
      additionalProperties: false
      description: >-
        Register an encrypted private key. Note that Dfns only stores the
        encrypted private key and should not have access to the password to
        decrypt it!
      title: Password-protected Key
    TotpAttestation:
      type: object
      properties:
        credentialKind:
          type: string
          enum:
            - Totp
        credentialInfo:
          type: object
          properties:
            otpCode:
              type: string
              minLength: 1
              description: TOTP one-time code.
          required:
            - otpCode
          additionalProperties: false
        credentialName:
          type: string
          minLength: 1
          description: Human-readable name to assign to the credential.
      required:
        - credentialKind
        - credentialInfo
      additionalProperties: false
      description: Not supported, will be removed in a future release.
      title: <Deprecated> TOTP
  securitySchemes:
    authenticationToken:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >-
        **Bearer Token:** Used to authenticate API requests.

        More details how to generate the token: [Authentication
        flows](https://docs.dfns.co/api-reference/auth/login-flows)

````