Request Headers
All requests to the Dfns API need to include at least these headers:
X-DFNS-APPID: <appid>
Most requests to the Dfns API need to be authenticated, and will need to include the following additional headers:
Authorization: Bearer <token>
Most requests that change the state within the Dfns system need to be signed (see User Action Signing), and require the following additional header:
X-DFNS-USERACTION: <user-action-signature>
Similar to authenticated endpoints, the Complete User Registration endpoint needs an authentication token. This token is passed in the Authorization header:
Authorization: Bearer <token>
This is not a common scenario. Dfns recommends using a default for most use cases
Server-signed applications can be used to ensure that all requests going to the Dfns API must originate from your servers. This is enforced by the caller providing an additional signature and an application secret (token) for the request, using the following additional headers:
X-DFNS-APPSECRET: <app-token>
A secret token that identifies the application that is calling the API
X-DFNS-APISIGNATURE: <api-signature>
The signature of the normalized request being made to the Dfns API
X-DFNS-NONCE: <nonce>
Random value used to prevent replay attacks. It must be a base64url-encoded JSON string with the following fields:
- uuid: Random value of at least 13 characters
- date: Current time of the request in ISO string format
See below for a code example
The following TypeScript code can be used to generate the nonce:
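An added example, not Dfns's own code: it builds the nonce in the format described above and checks a value against those rules before it is sent. `parseNonce`, `acceptOnce` and the five-minute window are assumptions for illustration; this page does not document how the server validates nonces.

```typescript
import { randomUUID } from "node:crypto";

// Nonce payload fields as listed on this page.
interface NoncePayload { uuid: string; date: string }

// Build the X-DFNS-NONCE value: base64url(JSON({ uuid, date })).
function generateNonce(now: Date = new Date()): string {
  const payload: NoncePayload = { uuid: randomUUID(), date: now.toISOString() };
  return Buffer.from(JSON.stringify(payload), "utf8").toString("base64url");
}

// Decode a nonce and check it against the format rules stated on this page.
// Throws on any violation, so a malformed value is caught before sending.
function parseNonce(nonce: string): NoncePayload {
  if (!/^[A-Za-z0-9_-]+$/.test(nonce)) {
    throw new Error("nonce is not base64url");
  }
  const obj = JSON.parse(Buffer.from(nonce, "base64url").toString("utf8"));
  if (typeof obj?.uuid !== "string" || obj.uuid.length < 13) {
    throw new Error("uuid must be a string of at least 13 characters");
  }
  if (typeof obj?.date !== "string" || Number.isNaN(Date.parse(obj.date))) {
    throw new Error("date must be an ISO time string");
  }
  return { uuid: obj.uuid, date: obj.date };
}

// Hypothetical verifier-side check (an assumption, not documented Dfns
// behaviour): reject stale timestamps and any uuid that was already seen.
const MAX_AGE_MS = 5 * 60 * 1000; // assumed freshness window

function acceptOnce(nonce: string, seen: Set<string>, now: Date = new Date()): boolean {
  let payload: NoncePayload;
  try {
    payload = parseNonce(nonce);
  } catch {
    return false;
  }
  if (Math.abs(now.getTime() - Date.parse(payload.date)) > MAX_AGE_MS) return false;
  if (seen.has(payload.uuid)) return false; // replayed request
  seen.add(payload.uuid);
  return true;
}
```

Generate a fresh nonce for every request; reusing one defeats the replay protection the header exists to provide.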
ID of an Application created in your organization (see )
An authentication token (see )
A one time token you got after the flow
The temporary authentication token returned from