POST /auth/recover/user/delegated
Create Delegated Recovery Challenge
curl --request POST \
  --url https://api.dfns.io/auth/recover/user/delegated \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --header 'X-DFNS-USERACTION: <api-key>' \
  --data '
{
  "username": "<string>",
  "credentialId": "<string>"
}
'

Example response (200):
{
  "user": {
    "id": "<string>",
    "displayName": "<string>",
    "name": "<string>"
  },
  "temporaryAuthenticationToken": "<string>",
  "challenge": "<string>",
  "supportedCredentialKinds": {
    "firstFactor": [],
    "secondFactor": []
  },
  "authenticatorSelection": {
    "requireResidentKey": true
  },
  "pubKeyCredParams": [
    {
      "alg": 123
    }
  ],
  "excludeCredentials": [
    {
      "id": "cr-6uunn-bm6ja-f6rmod5kqrk5rbel"
    }
  ],
  "otpUrl": "<string>",
  "allowedRecoveryCredentials": [
    {
      "id": "<string>",
      "encryptedRecoveryKey": "<string>"
    }
  ],
  "rp": {
    "id": "<string>",
    "name": "<string>"
  }
}

Authentication

❌ Organization User (CustomerEmployee)
❌ Delegated User (EndUser)
✅ Service Account

Required Permissions

Auth:Recover:Delegated: Always required.

Authorizations

Authorization
string
header
required

Bearer Token: Used to authenticate API requests. More details on how to generate the token: Authentication flows

X-DFNS-USERACTION
string
header
required

User Action Signature: Used to sign change-inducing API requests. More details on how to generate it: User Action Signing flows

Body

application/json
username
string
required

Username/identifier of the user to recover.

Minimum string length: 1
credentialId
string
required

Identifier of the recovery credential to use.

Minimum string length: 1

Response

200 - application/json

Success

user
object
required
temporaryAuthenticationToken
string
required

JWT used to identify the registration session when calling Complete User Registration.

challenge
string
required

Challenge to be signed by the credential being registered.

supportedCredentialKinds
object
required

Credential kinds that can be used to register the user.

authenticatorSelection
object
required
attestation
enum<string>
required

Identifies the information needed to verify the user's signing certificate; can be one of the following:

  • none: indicates no attestation data is required
  • indirect: indicates the attestation data should be given, but that it can be generated using an Anonymization CA
  • direct: indicates the attestation data must be given and should be generated by the authenticator
  • enterprise: indicates the attestation data should include information to uniquely identify the user's device
Available options: none, indirect, direct, enterprise
pubKeyCredParams
object[]
required

Public key credential parameters supported for the registration.

excludeCredentials
object[]
required

Credentials to exclude from the registration (already registered for the user).

otpUrl
string
required

URL to provision a TOTP credential, when applicable.

allowedRecoveryCredentials
object[]
required
rp
object

Deprecated. Should not be used.
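The following is an added example of client-side handling for this endpoint; it is not Dfns code. The endpoint URL, header names and response field names are taken from the reference above. Everything else is this example's own assumption: the consistency checks (the requested credentialId must appear in allowedRecoveryCredentials, the attestation value must be one of the four documented options, the deprecated rp field is ignored), the constructed sample response, the helper names, and the presence of a standard RFC 7519 exp claim in the temporaryAuthenticationToken, which is only peeked at and never trusted, since Dfns, not the client, verifies that token.

```python
"""Client-side handling of the Create Delegated Recovery Challenge call.

Added example, not Dfns code. Endpoint URL, header names and field names are
taken from the reference page; the consistency checks, the constructed sample
response and the JWT 'exp' claim (RFC 7519, assumed present) are assumptions.
"""
import base64
import json
import time
from dataclasses import dataclass
from typing import List, Optional

ENDPOINT = "https://api.dfns.io/auth/recover/user/delegated"
ATTESTATION_OPTIONS = {"none", "indirect", "direct", "enterprise"}
REQUIRED_FIELDS = ("user", "temporaryAuthenticationToken", "challenge",
                   "supportedCredentialKinds", "authenticatorSelection",
                   "pubKeyCredParams", "excludeCredentials", "otpUrl",
                   "allowedRecoveryCredentials")


def build_request(username, credential_id, bearer_token, user_action_signature):
    """Assemble the POST as documented. The Bearer token authenticates the
    service account; X-DFNS-USERACTION carries the user action signature for
    this change-inducing request. Returns (url, headers, body)."""
    if not username or not credential_id:
        raise ValueError("username and credentialId have a minimum length of 1")
    headers = {"Authorization": f"Bearer {bearer_token}",
               "Content-Type": "application/json",
               "X-DFNS-USERACTION": user_action_signature}
    body = json.dumps({"username": username, "credentialId": credential_id})
    return ENDPOINT, headers, body


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _jwt_claims(token: str) -> dict:
    """Read the JWT payload WITHOUT verifying the signature. Dfns, not the
    client, verifies this token; peeking only lets us fail fast on an expired
    session and must never be used to trust the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("temporaryAuthenticationToken is not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


@dataclass
class RecoveryChallenge:
    challenge: str
    temporary_token: str
    encrypted_recovery_key: str
    excluded_credential_ids: List[str]
    attestation: Optional[str]


def parse_challenge(payload: dict, requested_credential_id: str,
                    now: Optional[float] = None) -> RecoveryChallenge:
    """Validate a 200 response and extract what the next step needs."""
    now = time.time() if now is None else now
    missing = [f for f in REQUIRED_FIELDS if f not in payload]
    if missing:
        raise ValueError(f"response missing required fields: {missing}")

    # Only the listed recovery credentials may answer the challenge; if the one
    # we asked for is absent, abort instead of continuing with another key.
    allowed = {c["id"]: c["encryptedRecoveryKey"]
               for c in payload["allowedRecoveryCredentials"]}
    if requested_credential_id not in allowed:
        raise ValueError("requested credentialId not in allowedRecoveryCredentials")

    # Do not start a registration ceremony against a session that is already over.
    claims = _jwt_claims(payload["temporaryAuthenticationToken"])
    if "exp" in claims and claims["exp"] <= now:
        raise ValueError("temporaryAuthenticationToken has expired")

    # The reference lists attestation beside authenticatorSelection; accept
    # either placement (assumption) and enforce the documented enum.
    attestation = payload.get("attestation",
                              payload["authenticatorSelection"].get("attestation"))
    if attestation is not None and attestation not in ATTESTATION_OPTIONS:
        raise ValueError(f"unknown attestation preference: {attestation}")

    # 'rp' is documented as deprecated, so it is deliberately not read here.
    return RecoveryChallenge(
        challenge=payload["challenge"],
        temporary_token=payload["temporaryAuthenticationToken"],
        encrypted_recovery_key=allowed[requested_credential_id],
        excluded_credential_ids=[c["id"] for c in payload["excludeCredentials"]],
        attestation=attestation,
    )


def make_sample_token(exp: int) -> str:
    """Constructed JWT for offline use only; the signature segment is a dummy."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"exp": exp}).encode())
    return f"{header}.{body}.dummy-signature"


# Constructed sample response following the documented shape; the excluded
# credential id is the page's own sample, other values are placeholders.
SAMPLE_RESPONSE = {
    "user": {"id": "<user-id>", "displayName": "Jane", "name": "jane@example.com"},
    "temporaryAuthenticationToken": make_sample_token(exp=2_000_000_000),
    "challenge": "Y2hhbGxlbmdl",
    "supportedCredentialKinds": {"firstFactor": [], "secondFactor": []},
    "authenticatorSelection": {"requireResidentKey": True},
    "attestation": "direct",
    "pubKeyCredParams": [{"alg": -7}],  # -7 is ES256 in the COSE registry
    "excludeCredentials": [{"id": "cr-6uunn-bm6ja-f6rmod5kqrk5rbel"}],
    "otpUrl": "<otp-url>",
    "allowedRecoveryCredentials": [{"id": "cr-recovery-example",
                                    "encryptedRecoveryKey": "<encrypted-recovery-key>"}],
    "rp": {"id": "<rp-id>", "name": "<rp-name>"},
}

if __name__ == "__main__":
    print(parse_challenge(SAMPLE_RESPONSE, "cr-recovery-example"))
```

The parsed RecoveryChallenge carries exactly what the next step needs: the challenge to sign, the encrypted recovery key matching the credential that was requested, the temporary token that identifies the session, and the ids in excludeCredentials so the client does not attempt to register a credential the server already holds.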

Last modified on June 8, 2026