Request Signing
All mutating requests need to be signed with a user/token credential.
Private Key Credentials
When signing with a private key you need to:
Get a signing challenge from the Dfns API
Sign the challenge
Exchange the signed challenge for a user action signature with the Dfns API
Complete the original request
The Signing Challenge
A signing challenge is returned from a call to:
/auth/action/init
You will recieve an object with the following properties (additional properties exist for signing with WebAuthn):
challenge
A string that will be signed with your private key
challengeIdentifier
A JWT that identifies the signing session
allowCredentials.key
The list of private key credentials that are enabled for the user
How to Sign the Challenge with the Private Key
The user signs the challenge to verify they want to perform the requested action.
The user needs to format the challenge into a Client Data object.
After creating this object, the user will convert the object to a JSON string and sign the string.
When returning the signature to the server, the user will base64url encode the signature and the client data along with the ID of the credential that was used.
Signing Example
Last updated