Skip to main content
POST
Create User Action Challenge

Authentication

✅ Organization User (CustomerEmployee)
✅ Delegated User (EndUser)
✅ Service Account

Required Permissions

No permission required.

Authorizations

Authorization
string
header
required

Bearer Token: Used to authenticate API requests. More details how to generate the token: Authentication flows

Body

application/json
userActionHttpMethod
enum<string>
required

The HTTP method that will be used to make the request that is being signed.

Available options:
POST,
PUT,
DELETE,
GET
userActionHttpPath
string
required

The path of the request that is being signed.

Minimum string length: 1
userActionPayload
string
required

The JSON-encoded body of the request that is being signed.

userActionServerKind
enum<string>

Optional indicator of which Dfns service being called.

Available options:
Api

Response

200 - application/json

Success

challenge
string
required

Challenge (string) to be signed by the requester with his private key.

challengeIdentifier
string
required

A JWT that identifies the signing session.

supportedCredentialKinds
object[]
required

Identifies the kind of credentials that can be used to sign the user action.

userVerification
enum<string>
required

Value indicating if the user should be prompted for a second factor. Can be one of the following values:

  • required to indicate the user must be prompted for their pin, biometrics, or another second factor option
  • preferred to indicate the user should be prompted for a second factor if it is supported
  • discouraged to indicate the user should not be prompted for their second factor unless the device requires it
Available options:
required,
preferred,
discouraged
attestation
enum<string>
required

Identifies the information needed to verify the user's signing certificate; can be one of the following:

  • none: indicates no attestation data is required
  • indirect: indicates the attestation data should be given, but that it can be generated using an Anonymization CA
  • direct: indicates the attestation data must be given and should be generated by the authenticator
  • enterprise: indicates the attestation data should include information to uniquely identify the user's device
Available options:
none,
indirect,
direct,
enterprise
allowCredentials
object
required

List of credentials that the user can use to sign the user action.

externalAuthenticationUrl
string
required

Optional url containing a secret value that can be used to enable cross device/origin signing.

rp
object

Deprecated. Should not be used.

Last modified on July 9, 2026