Skip to main content
POST
/
auth
/
credentials
/
code
/
init
Create Credential Challenge With Code
curl --request POST \
  --url https://api.dfns.io/auth/credentials/code/init \
  --header 'Content-Type: application/json' \
  --data '
{
  "code": "<string>"
}
'
{
  "kind": "Fido2",
  "user": {
    "id": "<string>",
    "displayName": "<string>",
    "name": "<string>"
  },
  "challengeIdentifier": "<string>",
  "challenge": "<string>",
  "authenticatorSelection": {
    "requireResidentKey": true
  },
  "pubKeyCredParams": [
    {
      "type": "public-key",
      "alg": 123
    }
  ],
  "excludeCredentials": [
    {
      "type": "public-key",
      "id": "cr-6uunn-bm6ja-f6rmod5kqrk5rbel"
    }
  ],
  "temporaryAuthenticationToken": "<string>",
  "rp": {
    "id": "<string>",
    "name": "<string>"
  }
}

Authentication

No authentication required.

Required Permissions

No authentication required.

Body

application/json
credentialKind
enum<string>
required
Available options:
Fido2,
Key,
Password,
Totp,
RecoveryKey,
PasswordProtectedKey
code
string
required

One-time code obtained from the create credential code endpoint.

Minimum string length: 1

Response

200 - application/json

Success

Fido2 Credential, also known as Passkeys or WebauthN credential.

kind
enum<string>
required
Available options:
Fido2
user
object
required
challengeIdentifier
string
required

Challenge identifier to be used in the subsequent create credential request.

challenge
string
required

Challenge value to be signed by the credential.

authenticatorSelection
object
required
attestation
enum<string>
required

Identifies the information needed to verify the user's signing certificate; can be one of the following:

  • none: indicates no attestation data is required
  • indirect: indicates the attestation data should be given, but that it can be generated using an Anonymization CA
  • direct: indicates the attestation data must be given and should be generated by the authenticator
  • enterprise: indicates the attestation data should include information to uniquely identify the user's device
Available options:
none,
indirect,
direct,
enterprise
pubKeyCredParams
object[]
required
excludeCredentials
object[]
required
temporaryAuthenticationToken
string
required

@deprecated use challengeIdentifier instead

rp
object
Last modified on June 8, 2026