
# Registration flows

> How Dfns handles user, employee, and end-user registration, including standard registration, delegated registration, and social signup flows.

export const Put = props => {
  return <code style={{
    paddingLeft: 0,
    paddingTop: 0
  }}>
      <span class="px-1 py-0.5 rounded-md text-[0.875em] leading-tight bg-yellow-400/20 dark:bg-yellow-400/20 text-yellow-700 dark:text-yellow-400">
        PUT
      </span>
      <span style={{
    marginLeft: '0.5em'
  }}>{props.children}</span>
    </code>;
};

export const Post = props => {
  return <code style={{
    paddingLeft: 0,
    paddingTop: 0
  }}>
      <Badge color="blue" size="sm">POST</Badge>
      <span style={{
    marginLeft: '0.5em'
  }}>{props.children}</span>
    </code>;
};

When new users are created within your organization, they receive a registration email containing a registration code. These endpoints allow the user to complete the registration process.

This registration process includes registering the user's authentication method. Either:

* WebAuthn (Passwordless MFA)
* a custom Key (the public key of a public/private key pair), if this user will only interact programmatically.

## Regular users registration flow

<Steps>
  <Step title="Invite the user">
    If you are running an existing organization, you need to invite the new user to join it. Use <Post>/auth/users</Post> ([Create User](/api-reference/auth/create-user)) to add the new users. They will receive an email from Dfns with a registration code that they will need to provide in the next step.

    If you have done that before and the code has expired, you can use <Put>/auth/registration/code</Put> ([Resend Registration Code](/api-reference/auth/resend-registration-code)) to send a new registration code.
  </Step>

  <Step title="Create a user registration challenge">
    Use <Post>/auth/registration/init</Post> providing the user's registration code.

    Dfns will verify the registration code sent to the user, and generate a challenge to be signed and passed to the second endpoint. A temporary authentication token is also sent back, to be passed in the `Authorization: Bearer [temporary token]` header of the next registration endpoint.
  </Step>

  <Step title="Get the user to sign the challenge">
    Depending on the type of credentials being used, the challenge can be signed in different ways:

    * passkey: the browser or the OS will handle the signing operation using WebAuthn APIs by creating a new passkey on the user device.
    * personal access token: the private key associated with the token can be used to sign the challenge.
    * service account token: the private key associated with the service account can be used to sign the challenge.
  </Step>

  <Step title="Complete the user registration">
    Use <Post>/auth/registration</Post> ([Register](/api-reference/auth/complete-user-registration)).

    Here you will register an authentication method, and send the previous challenge with a signature.

    The type of credentials being registered is determined by the `credentialKind` field in the nested objects (`firstFactorCredential`, `secondFactorCredential` and `RecoveryCredential`). Supported credential kinds are:

    * `Fido2`: User action is signed by a user's signing device using `WebAuthn`.
    * `Key`: User action is signed by a user's, or token's, private key.
    * `PasswordProtectedKey`: User action is signed by a user's, or token's, private key. The encrypted version of the private key is stored by Dfns and returned during the signing flow for the user to decrypt.
    * `RecoveryKey`: Similar to `PasswordProtectedKey`, but this credential can only be used to recover an account, not to sign an action or log in. Once this credential is used, all of the user's other credentials are invalidated.
  </Step>
</Steps>

## Social registration flow

<Steps>
  <Step title="Send a registration code">
    Use <Post>/auth/registration/social</Post> to initiate the social login process and get a challenge for the user to sign.

    See [Create Social Registration Challenge](/api-reference/auth/create-social-registration-challenge) for more details.
  </Step>

  <Step>
    Follow the remaining steps of the regular registration flow described above to complete the social registration process.
  </Step>
</Steps>

## Delegated users registration flow

<Steps>
  <Step title="Create an End User">
    Use <Post>/auth/registration/delegated</Post> ([Create Delegated Registration Challenge](/api-reference/auth/create-delegated-registration-challenge)) to register a new User in your organization without the user needing to receive an email from Dfns.

    This endpoint will:

    1. Create a new End User attached to your organization

    2. Initiate a first credential registration for this user and provide you with the registration challenge.
  </Step>

  <Step title="Get the user to create a passkey">
    Send the registration challenge to your frontend so the user can create a Fido2 passkey.

    The device or the browser will prompt the user to create a passkey (e.g. using a fingerprint reader or a PIN code).

    When the user has completed the creation, you obtain the signed challenge in return. You will need to use the returned signature in the next step.
  </Step>

  <Step title="Complete the registration">
    Finally, call either:

    * <Post>/auth/registration</Post>: the [Register](/api-reference/auth/complete-user-registration) endpoint, to complete the user's registration.
    * <Post>/auth/registration/enduser</Post>: the [Register End User](/api-reference/auth/complete-end-user-registration-with-wallets) endpoint, to complete the registration and create wallets for that user in one go.
  </Step>
</Steps>
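
As an added example (not taken from the Dfns documentation or SDK), here is one way a backend in the delegated flow can vet the browser's passkey response before calling the registration endpoint: it binds the challenge to the user's session, accepts it once, and checks the standard WebAuthn `clientDataJSON` fields. The in-memory store, the TTL, the function names and the challenge encoding are assumptions.

```javascript
// Added example (not Dfns code): backend-side checks on a passkey registration
// result before relaying it to the registration endpoint.
const CHALLENGE_TTL_MS = 5 * 60 * 1000; // assumed lifetime, pick your own policy
const pending = new Map(); // sessionId -> { challenge, expiresAt }

// Call when the delegated registration challenge arrives: keep it server-side,
// keyed by the user's session, instead of trusting the browser to echo it back.
function rememberChallenge(sessionId, challenge, now = Date.now()) {
  pending.set(sessionId, { challenge, expiresAt: now + CHALLENGE_TTL_MS });
}

// clientDataB64: base64url clientDataJSON from navigator.credentials.create().
// Returns { ok: true } or { ok: false, reason }.
function checkRegistration(sessionId, clientDataB64, allowedOrigins, now = Date.now()) {
  const entry = pending.get(sessionId);
  pending.delete(sessionId); // single use: a replayed response finds nothing
  if (!entry) return { ok: false, reason: 'no pending challenge' };
  if (now > entry.expiresAt) return { ok: false, reason: 'challenge expired' };

  let cd;
  try {
    cd = JSON.parse(Buffer.from(clientDataB64, 'base64url').toString('utf8'));
    if (cd === null || typeof cd !== 'object') throw new Error('not an object');
  } catch {
    return { ok: false, reason: 'malformed clientDataJSON' };
  }
  // A registration ceremony must be webauthn.create, never webauthn.get.
  if (cd.type !== 'webauthn.create') return { ok: false, reason: 'wrong type' };
  // Assumption: the frontend used the challenge string's UTF-8 bytes as the
  // WebAuthn challenge, so the browser reports them base64url-encoded.
  const expected = Buffer.from(entry.challenge, 'utf8').toString('base64url');
  if (cd.challenge !== expected) return { ok: false, reason: 'challenge mismatch' };
  if (!allowedOrigins.includes(cd.origin)) return { ok: false, reason: 'unexpected origin' };
  if (cd.crossOrigin === true) return { ok: false, reason: 'cross-origin ceremony' };
  return { ok: true };
}

// Constructed sample input (not captured traffic).
const sample = Buffer.from(JSON.stringify({
  type: 'webauthn.create',
  challenge: Buffer.from('constructed-challenge').toString('base64url'),
  origin: 'https://app.example.com',
  crossOrigin: false,
})).toString('base64url');
rememberChallenge('session-1', 'constructed-challenge');
console.log(checkRegistration('session-1', sample, ['https://app.example.com'])); // first use
console.log(checkRegistration('session-1', sample, ['https://app.example.com'])); // replay
```

In production the pending entries belong in the session store rather than in process memory, so that the single-use and expiry guarantees hold across instances.
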

<Tip>
  For a complete implementation guide with code examples, see [Implementing delegated wallets](/guides/developers/delegated-wallets).
</Tip>
