API Authorization
Identity & Access Management
Wallets & Transactions
Management
Webhooks
curl --request POST \
--url https://api.dfns.io/auth/registration/delegated \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: application/json' \
--header 'X-DFNS-USERACTION: <api-key>' \
--data '
{
"email": "<string>",
"kind": "EndUser",
"externalId": "<string>"
}
'{
"user": {
"id": "<string>",
"displayName": "<string>",
"name": "<string>"
},
"temporaryAuthenticationToken": "<string>",
"challenge": "<string>",
"supportedCredentialKinds": {
"firstFactor": [
"Fido2"
],
"secondFactor": [
"Fido2"
]
},
"authenticatorSelection": {
"residentKey": "required",
"requireResidentKey": true,
"userVerification": "required",
"authenticatorAttachment": "platform"
},
"attestation": "none",
"pubKeyCredParams": [
{
"type": "public-key",
"alg": 123
}
],
"excludeCredentials": [
{
"type": "public-key",
"id": "cr-6uunn-bm6ja-f6rmod5kqrk5rbel"
}
],
"otpUrl": "<string>",
"rp": {
"id": "<string>",
"name": "<string>"
}
}Create Delegated Registration Challenge
Only a Service Account can use this endpoint.
If you want to use your own authentication system, while still using Delegated Signing, you can use this endpoint to register a new End User in your organization, without your user needing to receive an email from Dfns.
This endpoint will:
- Create a new User attached to your organization
- Initiates a User Registration Challenge and returns the registration challenge.
On successful creation, the user’s registration challenge will be returned. You will then need to call Complete User Registration or Complete End User Registration with Wallets to complete the user’s registration.
curl --request POST \
--url https://api.dfns.io/auth/registration/delegated \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: application/json' \
--header 'X-DFNS-USERACTION: <api-key>' \
--data '
{
"email": "<string>",
"kind": "EndUser",
"externalId": "<string>"
}
'{
"user": {
"id": "<string>",
"displayName": "<string>",
"name": "<string>"
},
"temporaryAuthenticationToken": "<string>",
"challenge": "<string>",
"supportedCredentialKinds": {
"firstFactor": [
"Fido2"
],
"secondFactor": [
"Fido2"
]
},
"authenticatorSelection": {
"residentKey": "required",
"requireResidentKey": true,
"userVerification": "required",
"authenticatorAttachment": "platform"
},
"attestation": "none",
"pubKeyCredParams": [
{
"type": "public-key",
"alg": 123
}
],
"excludeCredentials": [
{
"type": "public-key",
"id": "cr-6uunn-bm6ja-f6rmod5kqrk5rbel"
}
],
"otpUrl": "<string>",
"rp": {
"id": "<string>",
"name": "<string>"
}
}Authentication
❌ Organization User (CustomerEmployee)❌ Delegated User (
EndUser)✅ Service Account
Required Permissions
Auth:Register:Delegated: Always required.Authorizations
Bearer Token: Used to authenticate API requests. More details how to generate the token: Authentication flows
User Action Signature: Used to sign the change-inducing API requests. More details how to generate the token: User Action Signing flows
Body
Response
Success
Show child attributes
Show child attributes
Show child attributes
Show child attributes
Show child attributes
Show child attributes
Identifies the information needed to verify the user's signing certificate; can be one of the following:
- none: indicates no attestation data is required
- indirect: indicates the attestation data should be given, but that it can be generated using an Anonymization CA
- direct: indicates the attestation data must be given and should be generated by the authenticator
- enterprise: indicates the attestation data should include information to uniquely identify the user's device
none, indirect, direct, enterprise Show child attributes
Show child attributes
Show child attributes
Show child attributes
Show child attributes
Show child attributes
Was this page helpful?