When new users are created within your organization, they will receive a registration email containing a registration code. These endpoints allow this user to complete the registration process. This registration process includes registering the user’s authentication method. Either:
  • WebAuthn (Passwordless MFA)
  • a custom Key (public key of a public/private keypair) if this user will only interact programmatically.

Regular users registration flow

1. Invite the user

If you are running an existing organization, you need to invite the new user to join it. Use POST /auth/users (Create User) to add the new user. They will receive an email from Dfns with a registration code that they will need to provide in the next step. If you have done that before and the code has expired, you can use PUT /auth/registration/code (Resend Registration Code) to send a new registration code.
2. Create a user registration challenge

Use POST /auth/registration/init, providing the user’s registration code. Dfns will verify the registration code sent to the user and generate a challenge to be signed and passed to the second endpoint. A temporary authentication token is also sent back, to be passed in the Authorization: Bearer [temporary token] header of the next registration endpoint.
3. Get the user to sign the challenge

Depending on the type of credentials being used, the challenge can be signed in different ways:
  • passkey: the browser or the OS will handle the signing operation using WebAuthn APIs by creating a new passkey on the user device.
  • personal access token: the private key associated with the token can be used to sign the challenge.
  • service account token: the private key associated with the service account can be used to sign the challenge.
4. Complete the user registration

Use POST /auth/registration (Register). Here you will register an authentication method and send the previous challenge with a signature. The type of credentials being registered is determined by the credentialKind field in the nested objects (firstFactorCredential, secondFactorCredential and RecoveryCredential). Supported credential kinds are:
  • Fido2: User action is signed by a user’s signing device using WebAuthn.
  • Key: User action is signed by a user’s, or token’s, private key.
  • PasswordProtectedKey: User action is signed by a user’s, or token’s, private key. The encrypted version of the private key is stored by Dfns and returned during the signing flow for the user to decrypt it.
  • RecoveryKey: Similar to PasswordProtectedKey, but this credential can only be used to recover an account, not to sign an action or log in. Once this credential is used, all the other user’s credentials are invalidated.
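
An added example (not Dfns code) of steps 2 to 4 for a Key credential, run offline in Node.js: it signs a constructed challenge, builds the POST /auth/registration request with the temporary token, and checks the signature as a verifier would. The init response shape, the publicKey and signature field names, and the choice of P-256 with SHA-256 over the raw challenge string are assumptions; take the exact schema and signed payload from the Dfns API reference.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for the response of POST /auth/registration/init.
// Property names here are assumptions, not the documented response schema.
const initResponse = {
  challenge: crypto.randomBytes(32).toString('base64url'),
  temporaryToken: 'constructed-temporary-token',
};

// Step 3: sign the challenge with the private key. Only the public key and
// the signature are ever placed in the request.
function signChallenge(challenge, privateKey) {
  return crypto.sign('sha256', Buffer.from(challenge, 'utf8'), privateKey).toString('base64url');
}

// Step 4: build the POST /auth/registration request. firstFactorCredential and
// credentialKind come from the page; the other body fields are assumed.
function buildRegisterRequest(init, keyPair) {
  return {
    method: 'POST',
    path: '/auth/registration',
    headers: { Authorization: `Bearer ${init.temporaryToken}` },
    body: {
      firstFactorCredential: {
        credentialKind: 'Key',
        publicKey: keyPair.publicKey.export({ type: 'spki', format: 'pem' }), // assumed field
        signature: signChallenge(init.challenge, keyPair.privateKey), // assumed field
      },
    },
  };
}

// What a verifier of this request checks: the signature matches the issued
// challenge under the submitted public key, so a signature made over any
// other challenge is rejected.
function verifyRegistration(request, issuedChallenge) {
  const cred = request.body.firstFactorCredential;
  return crypto.verify(
    'sha256',
    Buffer.from(issuedChallenge, 'utf8'),
    crypto.createPublicKey(cred.publicKey),
    Buffer.from(cred.signature, 'base64url'),
  );
}

const keyPair = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const request = buildRegisterRequest(initResponse, keyPair);
console.log(request.headers.Authorization, verifyRegistration(request, initResponse.challenge));
```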

Social registration flow

1. Send a registration code

Use POST /auth/registration/social to initiate the social login process and get a challenge for the user to sign. See Create Social Registration Challenge for more details.
2. Follow the next steps to complete the social registration process as explained above.

Delegated users registration flow

1. Create an End User

Use POST /auth/registration/delegated (Create Delegated Registration Challenge) to register a new User in your organization, without your user needing to receive an email from Dfns. This endpoint will:
  1. Create a new End User attached to your organization
  2. Initiate a first credential registration for this user and provide you with the registration challenge.
2. Get the user to create a passkey

You then need to have the user register a Fido2 passkey from your frontend. The device or the browser will prompt the user to create a passkey (e.g. using a fingerprint reader, a PIN code, etc.). When the user has completed the creation, you obtain the signed challenge in return. You will need to use the returned signature in the next step.
3. Complete the registration

Finally, you can either call:
  • POST /auth/registration: the Register endpoint, to complete the user’s registration.
  • POST /auth/registration/enduser: the Register End User endpoint, to complete the registration and create wallets for that user in one go.