1
Request a User Action Challenge
Use POST /auth/action/init. Refer to Create User Action Challenge for endpoint details.
Starts a user action signing session, returning a challenge that will be used to verify the user’s intent to perform an action.
2
Get the user to sign the challenge
Depending on the type of credentials being used, the challenge can be signed in different ways:
- passkey: the browser or the OS will handle the signing operation using WebAuthn APIs.
- personal access token: the private key associated with the token can be used to sign the challenge.
- service account token: the private key associated with the service account can be used to sign the challenge.
3
Request a User Action token
Use POST /auth/action. Refer to Create User Action Signature for endpoint details.
Completes the user action signing process and provides a signing token that can be used to verify the user intended to perform the action.
The type of credentials used to sign the action is determined by the kind field in the nested objects (firstFactor and secondFactor). Supported credential kinds are:
- Fido2: User action is signed by a user’s signing device using WebAuthn.
- Key: User action is signed by a user’s, or token’s, private key.
- PasswordProtectedKey: Login challenge is signed by the decrypted user’s private key that was sent during Create User Action Signature Challenge step.
4
Use the User Action token
Add the User Action token to the X-DFNS-USERACTION header of the original API call that requires user action signing.
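The four steps above as one client-side helper, added here as an example and not taken from the Dfns documentation or SDK. The transport post(), the signer sign(), the FakeApi stand-in and every body or response field name other than kind and firstFactor are assumptions; an HMAC stands in for the private-key signature so the block runs offline.

```python
import hashlib
import hmac
import json
import secrets

INIT_PATH = "/auth/action/init"  # step 1 endpoint (from the page)
SIGN_PATH = "/auth/action"       # step 3 endpoint (from the page)
HEADER = "X-DFNS-USERACTION"     # step 4 header (from the page)

def call_with_user_action(post, sign, method, path, body):
    """Steps 1-4 around one call. post() and sign() are caller-supplied (hypothetical);
    field names other than kind and firstFactor are assumptions."""
    payload = json.dumps(body, separators=(",", ":"))
    # 1. Request a challenge for the call that is about to be made.
    init = post(INIT_PATH, {"userActionHttpMethod": method,
                            "userActionHttpPath": path,
                            "userActionPayload": payload}, {})
    # 2. Sign the challenge with the credential (kind "Key" here).
    factor = {"kind": "Key", "signature": sign(init["challenge"])}
    # 3. Exchange the signed challenge for a User Action token.
    done = post(SIGN_PATH, {"challengeIdentifier": init["challengeIdentifier"],
                            "firstFactor": factor}, {})
    if "userAction" not in done:
        raise PermissionError("challenge signature rejected")
    # 4. Repeat the original call with the token in the header.
    return post(path, body, {HEADER: done["userAction"]})

def hmac_sign(key, challenge):
    # Stand-in for a private-key signature so the example needs no crypto library.
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()

class FakeApi:
    """Constructed in-memory stand-in for the API so the flow runs offline."""
    def __init__(self, key):
        self.key, self.pending, self.tokens = key, {}, set()
    def post(self, path, body, headers):
        if path == INIT_PATH:
            cid, challenge = secrets.token_hex(8), secrets.token_hex(16)
            self.pending[cid] = challenge
            return {"challengeIdentifier": cid, "challenge": challenge}
        if path == SIGN_PATH:
            challenge = self.pending.pop(body["challengeIdentifier"])
            good = hmac_sign(self.key, challenge)
            if not hmac.compare_digest(body["firstFactor"]["signature"], good):
                return {"error": "bad signature"}
            token = secrets.token_hex(16)
            self.tokens.add(token)
            return {"userAction": token}
        return {"status": 200 if headers.get(HEADER) in self.tokens else 403}
```

In the stand-in, a call to the protected path without a token issued in step 3 returns 403, and a challenge signed with the wrong key never yields a token.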