Recover User

curl --request POST \
  --url https://api.dfns.io/auth/recover/user \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "recovery": {
    "credentialAssertion": {
      "credId": "<string>",
      "clientData": "<string>",
      "signature": "<string>",
      "algorithm": "<string>"
    }
  },
  "newCredentials": {
    "firstFactorCredential": {
      "credentialInfo": {
        "credId": "<string>",
        "clientData": "<string>",
        "attestationData": "<string>"
      },
      "credentialName": "<string>",
      "challengeIdentifier": "<string>"
    },
    "secondFactorCredential": {
      "credentialInfo": {
        "credId": "<string>",
        "clientData": "<string>",
        "attestationData": "<string>"
      },
      "credentialName": "<string>",
      "challengeIdentifier": "<string>"
    }
  }
}
'

{
  "credential": {
    "uuid": "<string>",
    "name": "<string>"
  },
  "user": {
    "id": "<string>",
    "username": "<string>",
    "orgId": "<string>"
  }
}

Recover User

Recovers a user, using a recovery credential. After successfully recovering the user, all of the user’s previous credentials and personal access tokens will be invalidated.

This flow requires cryptographic validation of newly created credential(s) using a recovery credential. The recovery.credentialAssertion.clientData field’s challenge must be the base64url-encoded representation of the newCredential object.

The process is as follows:

Construct the newCredential object, using the challenge obtained from either the Create Recovery Challenge or Create Delegated Recovery Challenge endpoints.
Serialize the newCredential object to JSON and then base64url-encode the resulting JSON string. This base64url-encoded string will serve as the challenge for the recovery.credentialAssertion object.
Construct the recovery.credentialAssertion object, using the base64url-encoded string generated in step 2 as its challenge.

POST

auth

recover

user

Recover User

curl --request POST \
  --url https://api.dfns.io/auth/recover/user \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "recovery": {
    "credentialAssertion": {
      "credId": "<string>",
      "clientData": "<string>",
      "signature": "<string>",
      "algorithm": "<string>"
    }
  },
  "newCredentials": {
    "firstFactorCredential": {
      "credentialInfo": {
        "credId": "<string>",
        "clientData": "<string>",
        "attestationData": "<string>"
      },
      "credentialName": "<string>",
      "challengeIdentifier": "<string>"
    },
    "secondFactorCredential": {
      "credentialInfo": {
        "credId": "<string>",
        "clientData": "<string>",
        "attestationData": "<string>"
      },
      "credentialName": "<string>",
      "challengeIdentifier": "<string>"
    }
  }
}
'

{
  "credential": {
    "uuid": "<string>",
    "name": "<string>"
  },
  "user": {
    "id": "<string>",
    "username": "<string>",
    "orgId": "<string>"
  }
}

Authentication

❌ Organization User (CustomerEmployee)
❌ Delegated User (EndUser)
❌ Service Account
✅ Recovery Code

Required Permissions

No permission required.

Authorizations

Authorization

string

header

required

Bearer Token: Used to authenticate API requests. More details how to generate the token: Authentication flows

Body

application/json

recovery

object

required

Show child attributes

newCredentials

object

required

Show child attributes

Response

200 - application/json

Success

credential

object

required

Show child attributes

user

object

required

Show child attributes

Last modified on May 29, 2026

Create Delegated Recovery Challenge

Service Accounts

⌘I

Documentation Index

​Authentication

​Required Permissions

Authorizations

Body

Response

Authentication

Required Permissions