Create Credential Challenge

curl --request POST \
  --url https://api.dfns.io/auth/credentials/init \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "kind": "Fido2"
}
'

{
  "kind": "Fido2",
  "user": {
    "id": "<string>",
    "displayName": "<string>",
    "name": "<string>"
  },
  "challengeIdentifier": "<string>",
  "challenge": "<string>",
  "authenticatorSelection": {
    "residentKey": "required",
    "requireResidentKey": true,
    "userVerification": "required",
    "authenticatorAttachment": "platform"
  },
  "attestation": "none",
  "pubKeyCredParams": [
    {
      "type": "public-key",
      "alg": 123
    }
  ],
  "excludeCredentials": [
    {
      "type": "public-key",
      "id": "cr-6uunn-bm6ja-f6rmod5kqrk5rbel"
    }
  ],
  "temporaryAuthenticationToken": "<string>",
  "rp": {
    "id": "<string>",
    "name": "<string>"
  }
}

POST

auth

credentials

init

Create Credential Challenge

curl --request POST \
  --url https://api.dfns.io/auth/credentials/init \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "kind": "Fido2"
}
'

{
  "kind": "Fido2",
  "user": {
    "id": "<string>",
    "displayName": "<string>",
    "name": "<string>"
  },
  "challengeIdentifier": "<string>",
  "challenge": "<string>",
  "authenticatorSelection": {
    "residentKey": "required",
    "requireResidentKey": true,
    "userVerification": "required",
    "authenticatorAttachment": "platform"
  },
  "attestation": "none",
  "pubKeyCredParams": [
    {
      "type": "public-key",
      "alg": 123
    }
  ],
  "excludeCredentials": [
    {
      "type": "public-key",
      "id": "cr-6uunn-bm6ja-f6rmod5kqrk5rbel"
    }
  ],
  "temporaryAuthenticationToken": "<string>",
  "rp": {
    "id": "<string>",
    "name": "<string>"
  }
}

Authentication

❌ Account User (AccountUser)
✅ Organization User (CustomerEmployee)
✅ Delegated User (EndUser)
❌ Personal Access Token not allowed
❌ Service Account

Required Permissions

No permission required.

Authorizations

Authorization

string

header

required

Bearer Token: Used to authenticate API requests. More details how to generate the token: Authentication flows

Body

application/json

kind

enum<string>

required

The kind of credential.

Available options:

Fido2,

Key,

RecoveryKey,

PasswordProtectedKey

Response

200 - application/json

Success

Fido2 Credential, also known as Passkeys or WebauthN credential.

kind

enum<string>

required

Available options:

Fido2

user

object

required

Show child attributes

user.id

string

required

user.displayName

string

required

user.name

string

required

challengeIdentifier

string

required

challenge

string

required

authenticatorSelection

object

required

Show child attributes

authenticatorSelection.residentKey

enum<string>

required

Available options:

required,

preferred,

discouraged

authenticatorSelection.requireResidentKey

boolean

required

authenticatorSelection.userVerification

enum<string>

required

Value indicating if the user should be prompted for a second factor. Can be one of the following values:

required to indicate the user must be prompted for their pin, biometrics, or another second factor option
preferred to indicate the user should be prompted for a second factor if it is supported
discouraged to indicate the user should not be prompted for their second factor unless the device requires it

Available options:

required,

preferred,

discouraged

authenticatorSelection.authenticatorAttachment

enum<string>

Available options:

platform,

cross-platform

attestation

enum<string>

required

Identifies the information needed to verify the user's signing certificate; can be one of the following:

none: indicates no attestation data is required
indirect: indicates the attestation data should be given, but that it can be generated using an Anonymization CA
direct: indicates the attestation data must be given and should be generated by the authenticator
enterprise: indicates the attestation data should include information to uniquely identify the user's device

Available options:

none,

indirect,

direct,

enterprise

pubKeyCredParams

object[]

required

Show child attributes

pubKeyCredParams.type

enum<string>

required

Available options:

public-key

pubKeyCredParams.alg

number

required

excludeCredentials

object[]

required

Show child attributes

excludeCredentials.type

enum<string>

required

Is always public-key.

Available options:

public-key

excludeCredentials.id

string

required

ID that identifies the credential.

Required string length: 1 - 64

Example:

"cr-6uunn-bm6ja-f6rmod5kqrk5rbel"

temporaryAuthenticationToken

string

required

@deprecated use challengeIdentifier instead

object

Show child attributes

rp.id

string

required

rp.name

string

required

List Credentials

Create Credential

⌘I

API Authorization

Identity & Access Management

Wallets & Transactions

Management

Webhooks

Create Credential Challenge

Authentication

Required Permissions

Authorizations

Body

Response

API Authorization

Identity & Access Management

Wallets & Transactions

Management

Webhooks

​Authentication

​Required Permissions

Authorizations

Body

Response

Authentication

Required Permissions