# Create Delegated Recovery Challenge

<Warning>
Only a [Service Account](https://docs.dfns.co/api-reference/auth/service-accounts) can use this endpoint.
</Warning>

This endpoint enables setting up a recovery workflow for Delegated Signing. Via this configuration, the end user will not receive an email from Dfns but instead can establish recovery credentials that leverage the customer's brand for the recovery workflow.

Once the user has been verified by your auth system and this API has been called, you can call [Recover User](https://docs.dfns.co/api-reference/auth/recover-user) to complete the recovery process.


#### Authentication

❌ Organization User (`CustomerEmployee`)\
❌ Delegated User (`EndUser`)\
✅ Service Account

#### Required Permissions

`Auth:Recover:Delegated`: Always required.


## OpenAPI

````yaml /openapi.yaml post /auth/recover/user/delegated
openapi: 3.1.0
info:
  version: 1.795.3
  title: Dfns
servers:
  - url: https://api.dfns.io
    description: Default - Europe
  - url: https://api.uae.dfns.io
    description: UAE
  - url: https://api.dfns.ninja
    description: <Deprecated> Staging
security: []
paths:
  /auth/recover/user/delegated:
    post:
      tags:
        - Auth
      summary: Create Delegated Recovery Challenge
      description: >

        <Warning>

        Only a [Service
        Account](https://docs.dfns.co/api-reference/auth/service-accounts) can
        use this endpoint.

        </Warning>


        This endpoint enables setting up a recovery workflow for Delegated
        Signing. Via this configuration, the end user will not receive an email
        from Dfns but instead can establish recovery credentials that leverage
        the customer's brand for the recovery workflow.


        Once the user has been verified by your auth system and this API has
        been called, you can call [Recover
        User](https://docs.dfns.co/api-reference/auth/recover-user) to complete
        the recovery process.
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                username:
                  type: string
                  minLength: 1
                credentialId:
                  type: string
                  minLength: 1
              required:
                - username
                - credentialId
              additionalProperties: false
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                type: object
                properties:
                  user:
                    type: object
                    properties:
                      id:
                        type: string
                      displayName:
                        type: string
                      name:
                        type: string
                    required:
                      - id
                      - displayName
                      - name
                  temporaryAuthenticationToken:
                    type: string
                  challenge:
                    type: string
                  rp:
                    type: object
                    properties:
                      id:
                        type: string
                      name:
                        type: string
                    required:
                      - id
                      - name
                  supportedCredentialKinds:
                    type: object
                    properties:
                      firstFactor:
                        type: array
                        items:
                          type: string
                          enum:
                            - Fido2
                            - Key
                            - Password
                            - Totp
                            - RecoveryKey
                            - PasswordProtectedKey
                      secondFactor:
                        type: array
                        items:
                          type: string
                          enum:
                            - Fido2
                            - Key
                            - Password
                            - Totp
                            - RecoveryKey
                            - PasswordProtectedKey
                    required:
                      - firstFactor
                      - secondFactor
                  authenticatorSelection:
                    type: object
                    properties:
                      authenticatorAttachment:
                        type: string
                        enum:
                          - platform
                          - cross-platform
                      residentKey:
                        type: string
                        enum:
                          - required
                          - preferred
                          - discouraged
                      requireResidentKey:
                        type: boolean
                      userVerification:
                        type: string
                        enum:
                          - required
                          - preferred
                          - discouraged
                        description: >
                          Value indicating if the user should be prompted for a
                          second factor. Can be one of the following values:

                          * required to indicate the user must be prompted for
                          their pin, biometrics, or another second factor option

                          * preferred to indicate the user should be prompted
                          for a second factor if it is supported

                          * discouraged to indicate the user should not be
                          prompted for their second factor unless the device
                          requires it
                    required:
                      - residentKey
                      - requireResidentKey
                      - userVerification
                  attestation:
                    type: string
                    enum:
                      - none
                      - indirect
                      - direct
                      - enterprise
                    description: >
                      Identifies the information needed to verify the user's
                      signing certificate; can be one of the following:

                      * none: indicates no attestation data is required

                      * indirect: indicates the attestation data should be
                      given, but that it can be generated using an Anonymization
                      CA

                      * direct: indicates the attestation data must be given and
                      should be generated by the authenticator

                      * enterprise: indicates the attestation data should
                      include information to uniquely identify the user's device
                  pubKeyCredParams:
                    type: array
                    items:
                      type: object
                      properties:
                        type:
                          type: string
                          enum:
                            - public-key
                        alg:
                          type: number
                      required:
                        - type
                        - alg
                  excludeCredentials:
                    type: array
                    items:
                      type: object
                      properties:
                        type:
                          type: string
                          enum:
                            - public-key
                          description: Is always `public-key`.
                        id:
                          type: string
                          minLength: 1
                          maxLength: 64
                          pattern: ^cr-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$
                          description: ID that identifies the credential.
                          example: cr-6uunn-bm6ja-f6rmod5kqrk5rbel
                      required:
                        - type
                        - id
                  otpUrl:
                    type: string
                  allowedRecoveryCredentials:
                    type: array
                    items:
                      type: object
                      properties:
                        id:
                          type: string
                        encryptedRecoveryKey:
                          type: string
                      required:
                        - id
                        - encryptedRecoveryKey
                      additionalProperties: false
                required:
                  - user
                  - temporaryAuthenticationToken
                  - challenge
                  - supportedCredentialKinds
                  - authenticatorSelection
                  - attestation
                  - pubKeyCredParams
                  - excludeCredentials
                  - otpUrl
                  - allowedRecoveryCredentials
                additionalProperties: false
      security:
        - authenticationToken: []
          userActionSignature: []
components:
  securitySchemes:
    authenticationToken:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >-
        **Bearer Token:** Used to authenticate API requests.

        More details on how to generate the token: [Authentication
        flows](https://docs.dfns.co/api-reference/auth/login-flows)
    userActionSignature:
      type: apiKey
      in: header
      name: X-DFNS-USERACTION
      description: >-
        **User Action Signature:** Used to sign the change-inducing API
        requests.

        More details on how to generate the token: [User Action Signing
        flows](https://docs.dfns.co/api-reference/auth/signing-flows)

````
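
The request and response schemas above, exercised in an added example that is not Dfns code and not part of the original page: it builds the request body only once your own auth system has verified the user, checks a response against the schema's required fields, enums and credential-ID pattern, and produces a log-safe copy. The function names, the `verification` record shape, the set of redacted fields and the sample values are assumptions made for illustration.

```javascript
// Added example, not Dfns code. Field names, enums and the credential-ID pattern come
// from the OpenAPI schema above; function names and `verification` are hypothetical.
const CRED_ID = /^cr-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$/;
const ATTESTATION = ['none', 'indirect', 'direct', 'enterprise'];
const REQUIRED = ['user', 'temporaryAuthenticationToken', 'challenge',
  'supportedCredentialKinds', 'authenticatorSelection', 'attestation',
  'pubKeyCredParams', 'excludeCredentials', 'otpUrl', 'allowedRecoveryCredentials'];

// Build the request body only after your own auth system has verified the user.
// Assumed shape of that system's result: { username, verified, expiresAt }.
function buildRecoveryRequest(verification, credentialId, now = Date.now()) {
  if (!verification || verification.verified !== true) throw new Error('user not verified');
  if (!(verification.expiresAt > now)) throw new Error('verification expired');
  const { username } = verification;
  for (const [k, v] of Object.entries({ username, credentialId }))
    if (typeof v !== 'string' || v.length < 1) throw new Error(`invalid ${k}`);
  return { username, credentialId }; // additionalProperties: false, so exactly two keys
}

// List schema violations in a 200 response body; an empty list means it conforms.
function checkRecoveryChallenge(res) {
  if (res === null || typeof res !== 'object') return ['not an object'];
  const problems = REQUIRED.filter((k) => !(k in res)).map((k) => `missing ${k}`);
  if ('attestation' in res && !ATTESTATION.includes(res.attestation)) problems.push('bad attestation');
  for (const c of res.excludeCredentials || [])
    if (c?.type !== 'public-key' || !CRED_ID.test(c?.id)) problems.push('bad excludeCredentials entry');
  for (const c of res.allowedRecoveryCredentials || [])
    if (Object.keys(c ?? {}).sort().join() !== 'encryptedRecoveryKey,id') problems.push('bad allowedRecoveryCredentials entry');
  return problems;
}

// Copy of the response for application logs; the fields hidden are this example's choice.
function redactForLog(res) {
  const hide = new Set(['temporaryAuthenticationToken', 'encryptedRecoveryKey']);
  return JSON.parse(JSON.stringify(res, (k, v) => (hide.has(k) ? '[redacted]' : v)));
}

// Constructed sample 200 body with placeholder values (not real Dfns output).
const SAMPLE = {
  user: { id: 'user-placeholder', displayName: 'alice', name: 'alice@example.com' },
  temporaryAuthenticationToken: 'token-placeholder', challenge: 'challenge-placeholder',
  supportedCredentialKinds: { firstFactor: ['Fido2'], secondFactor: ['Totp'] },
  authenticatorSelection: { residentKey: 'required', requireResidentKey: true, userVerification: 'required' },
  attestation: 'direct', pubKeyCredParams: [{ type: 'public-key', alg: -7 }],
  excludeCredentials: [{ type: 'public-key', id: 'cr-6uunn-bm6ja-f6rmod5kqrk5rbel' }],
  otpUrl: '', allowedRecoveryCredentials: [{ id: 'cred-placeholder', encryptedRecoveryKey: 'key-placeholder' }],
};
```

Sending the body still requires the service account's bearer token and the `X-DFNS-USERACTION` signature described in the spec's security schemes.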