Skip to main content
POST
/
auth
/
recover
/
user
/
delegated
Create Delegated Recovery Challenge
curl --request POST \
  --url https://api.dfns.io/auth/recover/user/delegated \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --header 'X-DFNS-USERACTION: <api-key>' \
  --data '
{
  "username": "<string>",
  "credentialId": "<string>"
}
'
{
  "user": {
    "id": "<string>",
    "displayName": "<string>",
    "name": "<string>"
  },
  "temporaryAuthenticationToken": "<string>",
  "challenge": "<string>",
  "supportedCredentialKinds": {
    "firstFactor": [],
    "secondFactor": []
  },
  "authenticatorSelection": {
    "requireResidentKey": true
  },
  "pubKeyCredParams": [
    {
      "alg": 123
    }
  ],
  "excludeCredentials": [
    {
      "id": "cr-6uunn-bm6ja-f6rmod5kqrk5rbel"
    }
  ],
  "otpUrl": "<string>",
  "allowedRecoveryCredentials": [
    {
      "id": "<string>",
      "encryptedRecoveryKey": "<string>"
    }
  ],
  "rp": {
    "id": "<string>",
    "name": "<string>"
  }
}

Documentation Index

Fetch the complete documentation index at: https://docs.dfns.co/llms.txt

Use this file to discover all available pages before exploring further.

Authentication

❌ Organization User (CustomerEmployee)
❌ Delegated User (EndUser)
✅ Service Account

Required Permissions

Auth:Recover:Delegated: Always required.

Authorizations

Authorization
string
header
required

Bearer Token: Used to authenticate API requests. More details how to generate the token: Authentication flows

X-DFNS-USERACTION
string
header
required

User Action Signature: Used to sign the change-inducing API requests. More details how to generate the token: User Action Signing flows

Body

application/json
username
string
required
Minimum string length: 1
credentialId
string
required
Minimum string length: 1

Response

200 - application/json

Success

user
object
required
temporaryAuthenticationToken
string
required
challenge
string
required
supportedCredentialKinds
object
required
authenticatorSelection
object
required
attestation
enum<string>
required

Identifies the information needed to verify the user's signing certificate; can be one of the following:

  • none: indicates no attestation data is required
  • indirect: indicates the attestation data should be given, but that it can be generated using an Anonymization CA
  • direct: indicates the attestation data must be given and should be generated by the authenticator
  • enterprise: indicates the attestation data should include information to uniquely identify the user's device
Available options:
none,
indirect,
direct,
enterprise
pubKeyCredParams
object[]
required
excludeCredentials
object[]
required
otpUrl
string
required
allowedRecoveryCredentials
object[]
required
rp
object
Last modified on May 29, 2026