Skip to main content
POST
/
auth
/
recover
/
user
/
init
Create Recovery Challenge
curl --request POST \
  --url https://api.dfns.io/auth/recover/user/init \
  --header 'Content-Type: application/json' \
  --data '
{
  "username": "<string>",
  "verificationCode": "<string>",
  "credentialId": "<string>",
  "orgId": "or-30tnh-itmjs-s235s5ontr3r23h2",
  "accountId": "acct-24hka-dhili-9hgvdlvr1ohpibp4"
}
'
{
  "user": {
    "id": "<string>",
    "displayName": "<string>",
    "name": "<string>"
  },
  "temporaryAuthenticationToken": "<string>",
  "challenge": "<string>",
  "supportedCredentialKinds": {
    "firstFactor": [],
    "secondFactor": []
  },
  "authenticatorSelection": {
    "requireResidentKey": true
  },
  "pubKeyCredParams": [
    {
      "alg": 123
    }
  ],
  "excludeCredentials": [
    {
      "id": "cr-6uunn-bm6ja-f6rmod5kqrk5rbel"
    }
  ],
  "otpUrl": "<string>",
  "allowedRecoveryCredentials": [
    {
      "id": "<string>",
      "encryptedRecoveryKey": "<string>"
    }
  ],
  "rp": {
    "id": "<string>",
    "name": "<string>"
  }
}

Authentication

No authentication required.

Required Permissions

No authentication required.

Body

application/json
username
string
required

Username/identifier of the user to recover.

Minimum string length: 1
verificationCode
string
required

Recovery verification code sent to the user by email.

Minimum string length: 1
credentialId
string
required

Identifier of the recovery credential to use.

Minimum string length: 1
orgId
string

Organization id.

Required string length: 1 - 64
Pattern: ^or-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$
Example:

"or-30tnh-itmjs-s235s5ontr3r23h2"

accountId
string

Account id.

Required string length: 1 - 64
Pattern: ^acct-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$
Example:

"acct-24hka-dhili-9hgvdlvr1ohpibp4"

Response

200 - application/json

Success

user
object
required
temporaryAuthenticationToken
string
required

JWT used to identify the registration session when calling Complete User Registration.

challenge
string
required

Challenge to be signed by the credential being registered.

supportedCredentialKinds
object
required

Credential kinds that can be used to register the user.

authenticatorSelection
object
required
attestation
enum<string>
required

Identifies the information needed to verify the user's signing certificate; can be one of the following:

  • none: indicates no attestation data is required
  • indirect: indicates the attestation data should be given, but that it can be generated using an Anonymization CA
  • direct: indicates the attestation data must be given and should be generated by the authenticator
  • enterprise: indicates the attestation data should include information to uniquely identify the user's device
Available options:
none,
indirect,
direct,
enterprise
pubKeyCredParams
object[]
required

Public key credential parameters supported for the registration.

excludeCredentials
object[]
required

Credentials to exclude from the registration (already registered for the user).

otpUrl
string
required

URL to provision a TOTP credential, when applicable.

allowedRecoveryCredentials
object[]
required
rp
object

Deprecated. Should not be used.

Last modified on June 8, 2026