User Credentials
Users can register either with a WebAuthn credential (also called a "Passkey") or with a raw public/private key pair that the user generates and holds.
Private Key Credentials
When registering a user with a private key, you need to:

1. Get a registration challenge from the Dfns API.
2. Create the key pair locally.
3. Sign the registration challenge and the public key.
4. Return the signed challenge to the Dfns API.
The Registration Challenge
A registration challenge is returned from calls to:

- `/auth/registration/init`
- `/auth/registration/delegated`
- `/auth/credentials/init`
In all cases the challenge format is the same. You will receive an object with the following properties (additional properties exist for managing credentials with WebAuthn):
| field | description |
|---|---|
| | A string that will be signed with the new credential |
| | A JWT that is passed to the registration endpoint to identify the registration session |
| | The list of credential types that are supported; it should always contain "Key" |
How to Sign the Challenge with the Private Key
The user signs the challenge to prove possession of the private key being registered; because the challenge is generated by the server for this registration session, a signature captured from an earlier session cannot be reused. The user also signs the public key, so that the key cannot be replaced while it is transmitted to Dfns: a substituted public key would no longer match the signature.
Client Data
The user needs to format the challenge into a Client Data object.
Attestation Data
The client data object is then used to build the Attestation Data object, which carries the public key and the signature that is returned to the Dfns API.
Signing Example: First factor and Recovery credentials: