# Recover User

> Recovers a user, using a recovery credential. After successfully recovering the user, all of the user's previous credentials and personal access tokens will be invalidated.

This flow requires cryptographic validation of newly created credential(s) using a recovery credential. The `recovery.credentialAssertion.clientData` field's challenge must be the _base64url-encoded_ representation of the `newCredential` object.

The process is as follows:

1. Construct the `newCredential` object, using the challenge obtained from either the [Create Recovery Challenge](https://docs.dfns.co/api-reference/auth/create-recovery-challenge) or [Create Delegated Recovery Challenge](https://docs.dfns.co/api-reference/auth/create-delegated-recovery-challenge) endpoints.
2. Serialize the `newCredential` object to JSON and then base64url-encode the resulting JSON string. This _base64url-encoded_ string will serve as the challenge for the `recovery.credentialAssertion` object.
3. Construct the `recovery.credentialAssertion` object, using the _base64url-encoded_ string generated in step 2 as its challenge.
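
The three steps above as an added Node.js example (not Dfns SDK or server code), with a verifier-side check showing that the recovery key's signature covers the exact new credentials submitted, so swapping them after signing is rejected. Assumptions: an Ed25519 recovery key signing the clientData bytes directly, the request's `newCredentials` field as the object being encoded, the `type`, `origin` and `crossOrigin` clientData fields, and the hypothetical helper names; every credential value is a constructed placeholder.

```javascript
// Added example, not Dfns code. Assumed: Ed25519 recovery key, signature over the raw
// clientData bytes, clientData fields other than `challenge`. Sample values are constructed.
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Step 2: JSON-serialize the new credentials, then base64url-encode the string.
function recoveryChallenge(newCredentials) {
  return b64url(JSON.stringify(newCredentials));
}

// Step 3: the recovery key signs clientData, whose challenge is the step 2 value.
function buildCredentialAssertion(newCredentials, recoveryPrivateKey, credId, origin) {
  const clientData = JSON.stringify({
    type: 'key.get', // assumed value
    challenge: recoveryChallenge(newCredentials),
    origin,
    crossOrigin: false,
  });
  const signature = crypto.sign(null, Buffer.from(clientData), recoveryPrivateKey);
  return { credId, clientData: b64url(clientData), signature: b64url(signature) };
}

// Verifier-side check (hypothetical): the signature must be valid AND the signed
// challenge must match the credentials actually submitted in the same request.
function verifyRecoveryRequest(body, recoveryPublicKey) {
  const assertion = body.recovery.credentialAssertion;
  const clientData = Buffer.from(assertion.clientData, 'base64url');
  const signature = Buffer.from(assertion.signature, 'base64url');
  if (!crypto.verify(null, clientData, recoveryPublicKey, signature)) {
    return { ok: false, reason: 'bad-signature' };
  }
  const signed = Buffer.from(String(JSON.parse(clientData.toString('utf8')).challenge));
  // Re-serialization only matches if key order and whitespace are preserved.
  const expected = Buffer.from(recoveryChallenge(body.newCredentials));
  if (signed.length !== expected.length || !crypto.timingSafeEqual(signed, expected)) {
    return { ok: false, reason: 'challenge-mismatch' };
  }
  return { ok: true };
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const newCredentials = {
    firstFactorCredential: {
      credentialKind: 'Key',
      credentialInfo: {
        credId: 'constructed-new-cred-id',
        clientData: 'constructed-client-data',
        attestationData: 'constructed-attestation-data',
      },
      credentialName: 'laptop key',
      challengeIdentifier: 'constructed-challenge-identifier',
    },
  };
  const credentialAssertion = buildCredentialAssertion(
    newCredentials, privateKey, 'constructed-recovery-cred-id', 'https://app.example');
  const body = { recovery: { kind: 'RecoveryKey', credentialAssertion }, newCredentials };
  // Swap in a different first-factor credential without re-signing.
  const tampered = JSON.parse(JSON.stringify(body));
  tampered.newCredentials.firstFactorCredential.credentialInfo.credId = 'substituted-cred-id';
  return {
    original: verifyRecoveryRequest(body, publicKey),
    tampered: verifyRecoveryRequest(tampered, publicKey),
  };
}
```
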




## OpenAPI

````yaml /openapi.yaml post /auth/recover/user
openapi: 3.1.0
info:
  version: 1.807.0
  title: Dfns
servers:
  - url: https://api.dfns.io
    description: Default - Europe
  - url: https://api.uae.dfns.io
    description: UAE
  - url: https://api.dfns.ninja
    description: <Deprecated> Staging
security: []
paths:
  /auth/recover/user:
    post:
      tags:
        - Auth
      summary: Recover User
      description: >
        Recovers a user, using a recovery credential. After successfully
        recovering the user, all of the user's previous credentials and personal
        access tokens will be invalidated.


        This flow requires cryptographic validation of newly created
        credential(s) using a recovery credential. The
        `recovery.credentialAssertion.clientData` field's challenge must be the
        _base64url-encoded_ representation of the `newCredential` object.


        The process is as follows:


        1. Construct the `newCredential` object, using the challenge obtained
        from either the [Create Recovery
        Challenge](https://docs.dfns.co/api-reference/auth/create-recovery-challenge)
        or [Create Delegated Recovery
        Challenge](https://docs.dfns.co/api-reference/auth/create-delegated-recovery-challenge)
        endpoints.

        2. Serialize the `newCredential` object to JSON and then
        base64url-encode the resulting JSON string. This _base64url-encoded_
        string will serve as the challenge for the
        `recovery.credentialAssertion` object.

        3. Construct the `recovery.credentialAssertion` object, using the
        _base64url-encoded_ string generated in step 2 as its challenge.
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                recovery:
                  type: object
                  properties:
                    kind:
                      type: string
                      enum:
                        - RecoveryKey
                    credentialAssertion:
                      type: object
                      properties:
                        credId:
                          type: string
                          minLength: 1
                          description: >-
                            Base64url-encoded id of the credential returned by
                            the user's WebAuthn client.
                        clientData:
                          type: string
                          minLength: 1
                          description: >-
                            Base64url-encoded, stringified JSON [client
                            data](https://docs.dfns.co/api-reference/auth/credentials-data#client-data)
                            object returned by the user's WebAuthn client.
                        signature:
                          type: string
                          minLength: 1
                          description: >-
                            Base64url-encoded signature returned by the user's
                            WebAuthn client.
                        algorithm:
                          type: string
                          description: >-
                            The algorithm/digest that the credential will use to
                            sign data. If the algorithm is not specified then the
                            algorithm will be determined by the key.
                      required:
                        - credId
                        - clientData
                        - signature
                      additionalProperties: false
                  required:
                    - kind
                    - credentialAssertion
                  additionalProperties: false
                newCredentials:
                  type: object
                  properties:
                    firstFactorCredential:
                      $ref: '#/components/schemas/FirstFactorAttestation'
                    secondFactorCredential:
                      $ref: '#/components/schemas/SecondFactorAttestation'
                    recoveryCredential:
                      allOf:
                        - $ref: '#/components/schemas/RecoveryKeyAttestation'
                        - properties:
                            credentialKind:
                              type: string
                              enum:
                                - RecoveryKey
                            credentialInfo:
                              type: object
                              properties:
                                credId:
                                  type: string
                                  minLength: 1
                                clientData:
                                  type: string
                                  minLength: 1
                                attestationData:
                                  type: string
                                  minLength: 1
                              required:
                                - credId
                                - clientData
                                - attestationData
                              additionalProperties: false
                            encryptedPrivateKey:
                              type: string
                              minLength: 1
                            credentialName:
                              type: string
                              minLength: 1
                          required:
                            - credentialKind
                            - credentialInfo
                  required:
                    - firstFactorCredential
                  additionalProperties: false
              required:
                - recovery
                - newCredentials
              additionalProperties: false
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                type: object
                properties:
                  credential:
                    type: object
                    properties:
                      uuid:
                        type: string
                      kind:
                        type: string
                        enum:
                          - Fido2
                          - Key
                          - Password
                          - Totp
                          - RecoveryKey
                          - PasswordProtectedKey
                      name:
                        type: string
                    required:
                      - uuid
                      - kind
                      - name
                  user:
                    type: object
                    properties:
                      id:
                        type: string
                      username:
                        type: string
                      orgId:
                        type: string
                    required:
                      - id
                      - username
                      - orgId
                required:
                  - credential
                  - user
      security:
        - authenticationToken: []
components:
  schemas:
    FirstFactorAttestation:
      oneOf:
        - allOf:
            - $ref: '#/components/schemas/Fido2Attestation'
            - properties:
                credentialKind:
                  type: string
                  enum:
                    - Fido2
                credentialInfo:
                  type: object
                  properties:
                    credId:
                      type: string
                      minLength: 1
                    clientData:
                      type: string
                      minLength: 1
                    attestationData:
                      type: string
                      minLength: 1
                  required:
                    - credId
                    - clientData
                    - attestationData
                  additionalProperties: false
                credentialName:
                  type: string
                  minLength: 1
              required:
                - credentialKind
                - credentialInfo
        - allOf:
            - $ref: '#/components/schemas/KeyAttestation'
            - properties:
                credentialKind:
                  type: string
                  enum:
                    - Key
                credentialInfo:
                  type: object
                  properties:
                    credId:
                      type: string
                      minLength: 1
                    clientData:
                      type: string
                      minLength: 1
                    attestationData:
                      type: string
                      minLength: 1
                  required:
                    - credId
                    - clientData
                    - attestationData
                  additionalProperties: false
                credentialName:
                  type: string
                  minLength: 1
              required:
                - credentialKind
                - credentialInfo
        - allOf:
            - $ref: '#/components/schemas/PasswordAttestation'
            - properties:
                credentialKind:
                  type: string
                  enum:
                    - Password
                credentialInfo:
                  type: object
                  properties:
                    password:
                      type: string
                      minLength: 1
                  required:
                    - password
                  additionalProperties: false
                credentialName:
                  type: string
                  minLength: 1
              required:
                - credentialKind
                - credentialInfo
        - allOf:
            - $ref: '#/components/schemas/PasswordProtectedKeyAttestation'
            - properties:
                credentialKind:
                  type: string
                  enum:
                    - PasswordProtectedKey
                credentialInfo:
                  type: object
                  properties:
                    credId:
                      type: string
                      minLength: 1
                    clientData:
                      type: string
                      minLength: 1
                    attestationData:
                      type: string
                      minLength: 1
                  required:
                    - credId
                    - clientData
                    - attestationData
                  additionalProperties: false
                encryptedPrivateKey:
                  type: string
                  minLength: 1
                credentialName:
                  type: string
                  minLength: 1
              required:
                - credentialKind
                - credentialInfo
                - encryptedPrivateKey
      discriminator:
        propertyName: credentialKind
        mapping:
          Fido2:
            $ref: '#/components/schemas/Fido2Attestation'
          Key:
            $ref: '#/components/schemas/KeyAttestation'
          Password:
            $ref: '#/components/schemas/PasswordAttestation'
          PasswordProtectedKey:
            $ref: '#/components/schemas/PasswordProtectedKeyAttestation'
    SecondFactorAttestation:
      oneOf:
        - allOf:
            - $ref: '#/components/schemas/Fido2Attestation'
            - properties:
                credentialKind:
                  type: string
                  enum:
                    - Fido2
                credentialInfo:
                  type: object
                  properties:
                    credId:
                      type: string
                      minLength: 1
                    clientData:
                      type: string
                      minLength: 1
                    attestationData:
                      type: string
                      minLength: 1
                  required:
                    - credId
                    - clientData
                    - attestationData
                  additionalProperties: false
                credentialName:
                  type: string
                  minLength: 1
              required:
                - credentialKind
                - credentialInfo
        - allOf:
            - $ref: '#/components/schemas/KeyAttestation'
            - properties:
                credentialKind:
                  type: string
                  enum:
                    - Key
                credentialInfo:
                  type: object
                  properties:
                    credId:
                      type: string
                      minLength: 1
                    clientData:
                      type: string
                      minLength: 1
                    attestationData:
                      type: string
                      minLength: 1
                  required:
                    - credId
                    - clientData
                    - attestationData
                  additionalProperties: false
                credentialName:
                  type: string
                  minLength: 1
              required:
                - credentialKind
                - credentialInfo
        - allOf:
            - $ref: '#/components/schemas/TotpAttestation'
            - properties:
                credentialKind:
                  type: string
                  enum:
                    - Totp
                credentialInfo:
                  type: object
                  properties:
                    otpCode:
                      type: string
                      minLength: 1
                  required:
                    - otpCode
                  additionalProperties: false
                credentialName:
                  type: string
                  minLength: 1
              required:
                - credentialKind
                - credentialInfo
        - allOf:
            - $ref: '#/components/schemas/PasswordProtectedKeyAttestation'
            - properties:
                credentialKind:
                  type: string
                  enum:
                    - PasswordProtectedKey
                credentialInfo:
                  type: object
                  properties:
                    credId:
                      type: string
                      minLength: 1
                    clientData:
                      type: string
                      minLength: 1
                    attestationData:
                      type: string
                      minLength: 1
                  required:
                    - credId
                    - clientData
                    - attestationData
                  additionalProperties: false
                encryptedPrivateKey:
                  type: string
                  minLength: 1
                credentialName:
                  type: string
                  minLength: 1
              required:
                - credentialKind
                - credentialInfo
                - encryptedPrivateKey
      discriminator:
        propertyName: credentialKind
        mapping:
          Fido2:
            $ref: '#/components/schemas/Fido2Attestation'
          Key:
            $ref: '#/components/schemas/KeyAttestation'
          Totp:
            $ref: '#/components/schemas/TotpAttestation'
          PasswordProtectedKey:
            $ref: '#/components/schemas/PasswordProtectedKeyAttestation'
    RecoveryKeyAttestation:
      type: object
      properties:
        credentialKind:
          type: string
          enum:
            - RecoveryKey
        credentialInfo:
          type: object
          properties:
            credId:
              type: string
              minLength: 1
            clientData:
              type: string
              minLength: 1
            attestationData:
              type: string
              minLength: 1
          required:
            - credId
            - clientData
            - attestationData
          additionalProperties: false
        encryptedPrivateKey:
          type: string
          minLength: 1
        credentialName:
          type: string
          minLength: 1
        challengeIdentifier:
          type: string
          minLength: 1
      required:
        - credentialKind
        - credentialInfo
        - credentialName
        - challengeIdentifier
      additionalProperties: false
      description: >-
        Register a recovery key. See [Account
        Recovery](https://docs.dfns.co/api-reference/auth/account-recovery) for
        more details.
      title: Recovery Key
    Fido2Attestation:
      type: object
      properties:
        credentialKind:
          type: string
          enum:
            - Fido2
        credentialInfo:
          type: object
          properties:
            credId:
              type: string
              minLength: 1
            clientData:
              type: string
              minLength: 1
            attestationData:
              type: string
              minLength: 1
          required:
            - credId
            - clientData
            - attestationData
          additionalProperties: false
        credentialName:
          type: string
          minLength: 1
        challengeIdentifier:
          type: string
          minLength: 1
      required:
        - credentialKind
        - credentialInfo
        - credentialName
        - challengeIdentifier
      additionalProperties: false
      description: >-
        Register a Fido2 Credential, also known as Passkeys or WebAuthn
        credential.
      title: Fido2/Passkeys
    KeyAttestation:
      type: object
      properties:
        credentialKind:
          type: string
          enum:
            - Key
        credentialInfo:
          type: object
          properties:
            credId:
              type: string
              minLength: 1
            clientData:
              type: string
              minLength: 1
            attestationData:
              type: string
              minLength: 1
          required:
            - credId
            - clientData
            - attestationData
          additionalProperties: false
        credentialName:
          type: string
          minLength: 1
        challengeIdentifier:
          type: string
          minLength: 1
      required:
        - credentialKind
        - credentialInfo
        - credentialName
        - challengeIdentifier
      additionalProperties: false
      description: >-
        Register a "raw" public/private keypair, mostly meant to be used by
        Service Accounts. See [Generate a Key
        Pair](https://docs.dfns.co/developers/guides/generate-a-key-pair) for
        more details.
      title: Public/Private key pair
    PasswordAttestation:
      type: object
      properties:
        credentialKind:
          type: string
          enum:
            - Password
        credentialInfo:
          type: object
          properties:
            password:
              type: string
              minLength: 1
          required:
            - password
          additionalProperties: false
        credentialName:
          type: string
          minLength: 1
        challengeIdentifier:
          type: string
          minLength: 1
      required:
        - credentialKind
        - credentialInfo
        - credentialName
        - challengeIdentifier
      additionalProperties: false
      description: Not supported, will be removed in a future release.
      title: <Deprecated> Password
    PasswordProtectedKeyAttestation:
      type: object
      properties:
        credentialKind:
          type: string
          enum:
            - PasswordProtectedKey
        credentialInfo:
          type: object
          properties:
            credId:
              type: string
              minLength: 1
            clientData:
              type: string
              minLength: 1
            attestationData:
              type: string
              minLength: 1
          required:
            - credId
            - clientData
            - attestationData
          additionalProperties: false
        encryptedPrivateKey:
          type: string
          minLength: 1
        credentialName:
          type: string
          minLength: 1
        challengeIdentifier:
          type: string
          minLength: 1
      required:
        - credentialKind
        - credentialInfo
        - encryptedPrivateKey
        - credentialName
        - challengeIdentifier
      additionalProperties: false
      description: >-
        Register an encrypted private key. Note that Dfns only stores the
        encrypted private key and should not have access to the password to
        decrypt it!
      title: Password-protected Key
    TotpAttestation:
      type: object
      properties:
        credentialKind:
          type: string
          enum:
            - Totp
        credentialInfo:
          type: object
          properties:
            otpCode:
              type: string
              minLength: 1
          required:
            - otpCode
          additionalProperties: false
        credentialName:
          type: string
          minLength: 1
        challengeIdentifier:
          type: string
          minLength: 1
      required:
        - credentialKind
        - credentialInfo
        - credentialName
        - challengeIdentifier
      additionalProperties: false
      description: Not supported, will be removed in a future release.
      title: <Deprecated> TOTP
  securitySchemes:
    authenticationToken:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >-
        **Bearer Token:** Used to authenticate API requests.

        More details on how to generate the token: [Authentication
        flows](https://docs.dfns.co/api-reference/auth/login-flows)

````