Create Delegated Registration Challenge

POST /auth/registration/delegated
curl --request POST \
  --url https://api.dfns.io/auth/registration/delegated \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --header 'X-DFNS-USERACTION: <user-action-signature>' \
  --data '
{
  "email": "<string>",
  "kind": "EndUser",
  "externalId": "<string>"
}
'
{
  "user": {
    "id": "<string>",
    "displayName": "<string>",
    "name": "<string>"
  },
  "temporaryAuthenticationToken": "<string>",
  "challenge": "<string>",
  "supportedCredentialKinds": {
    "firstFactor": [],
    "secondFactor": []
  },
  "authenticatorSelection": {
    "requireResidentKey": true
  },
  "pubKeyCredParams": [
    {
      "type": "public-key",
      "alg": 123
    }
  ],
  "excludeCredentials": [
    {
      "type": "public-key",
      "id": "cr-6uunn-bm6ja-f6rmod5kqrk5rbel"
    }
  ],
  "otpUrl": "<string>",
  "rp": {
    "id": "<string>",
    "name": "<string>"
  }
}

Authentication

❌ Organization User (CustomerEmployee)
❌ Delegated User (EndUser)
✅ Service Account

Required Permissions

Auth:Register:Delegated: Always required.

Authorizations

Authorization
string
header
required

Bearer Token: Used to authenticate API requests. For details on how to generate the token, see Authentication flows.

X-DFNS-USERACTION
string
header
required

User Action Signature: Used to sign state-changing API requests; the value is not an API key but the signature produced by the user action signing flow. For details on how to generate it, see User Action Signing flows.

Body

application/json
email
string
required

Username/identifier. Any unique string is accepted, e.g. your internal user ID or an email address.

Minimum string length: 1
kind
enum<string>
required

Must be EndUser.

Available options:
EndUser
externalId
string

Optional external identifier for the user, used for cross-referencing with your own systems.

Minimum string length: 1

Response

200 - application/json

Success

user
object
required
temporaryAuthenticationToken
string
required

JWT used to identify the registration session when calling Complete User Registration.

challenge
string
required

Challenge to be signed by the credential being registered.

supportedCredentialKinds
object
required

Credential kinds that can be used to register the user.

authenticatorSelection
object
required
attestation
enum<string>
required

Attestation conveyance preference for the credential being registered, i.e. how much attestation data the authenticator should return; one of the following:

  • none: no attestation data is required
  • indirect: attestation data should be returned, but it may be generated by an Anonymization CA
  • direct: attestation data must be returned and must be generated by the authenticator itself
  • enterprise: attestation data may include information that uniquely identifies the user's device
Available options:
none,
indirect,
direct,
enterprise
pubKeyCredParams
object[]
required

Public key credential parameters supported for the registration.

excludeCredentials
object[]
required

Credentials to exclude from the registration (already registered for the user).

otpUrl
string
required

URL to provision a TOTP credential, when applicable.

rp
object

Deprecated. Should not be used.
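The following is an added example, not Dfns's own code or SDK, showing both halves of the flow this page documents: the service account builds and sends the request body described under Body, and the end user's client turns the Response into WebAuthn creation options for navigator.credentials.create, ignoring the deprecated rp object. It assumes Node 18+ (global fetch, Buffer, TextEncoder), that the bearer token and X-DFNS-USERACTION value have already been obtained via the linked flows, that the challenge string is base64url, that Dfns user and credential IDs are handed to the authenticator as their UTF-8 bytes, and a hypothetical rpName parameter supplied by the caller. The sample response is constructed, not real data.

```javascript
// Added example, not Dfns's own code or SDK. Node 18+ (global fetch, Buffer, TextEncoder).
// Assumptions (not from the page): bearer token and user action signature come from the
// linked flows; `challenge` is base64url; user/credential IDs become UTF-8 bytes for the
// authenticator; `rpName` is a hypothetical caller-supplied parameter.

const DFNS_API = "https://api.dfns.io";

// Build the request body exactly as the schema allows: email (min length 1),
// kind fixed to "EndUser", optional externalId (min length 1 when present).
function buildDelegatedRegistrationBody({ email, externalId }) {
  if (typeof email !== "string" || email.length < 1) {
    throw new TypeError("email must be a non-empty string");
  }
  const body = { email, kind: "EndUser" };
  if (externalId !== undefined) {
    if (typeof externalId !== "string" || externalId.length < 1) {
      throw new TypeError("externalId must be a non-empty string when present");
    }
    body.externalId = externalId;
  }
  return body;
}

// Server side: the service account creates the challenge. Only the challenge material
// and temporaryAuthenticationToken are forwarded to the end user's client; the
// service-account bearer token and the user action signature never leave the server.
async function createDelegatedRegistrationChallenge({ bearerToken, userActionSignature, body, fetchImpl = fetch }) {
  const res = await fetchImpl(`${DFNS_API}/auth/registration/delegated`, {
    method: "POST",
    headers: {
      Authorization: `Bearer ${bearerToken}`,
      "Content-Type": "application/json",
      "X-DFNS-USERACTION": userActionSignature,
    },
    body: JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`delegated registration challenge failed: HTTP ${res.status}`);
  return res.json();
}

// Decode base64url (with or without padding) into raw bytes.
function base64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const pad = (4 - (b64.length % 4)) % 4;
  return new Uint8Array(Buffer.from(b64 + "=".repeat(pad), "base64"));
}

// Client side: map the challenge response to WebAuthn PublicKeyCredentialCreationOptions.
// The deprecated `rp` object from the response is deliberately ignored: rp.name comes
// from the caller and rp.id is left unset so the browser uses the page's effective domain.
function toCreationOptions(challengeResponse, { rpName }) {
  if (typeof rpName !== "string" || rpName.length < 1) throw new TypeError("rpName is required");
  const enc = new TextEncoder();
  const { user, challenge, pubKeyCredParams, excludeCredentials, authenticatorSelection, attestation } = challengeResponse;
  return {
    rp: { name: rpName },
    user: { id: enc.encode(user.id), name: user.name, displayName: user.displayName }, // assumption: id as UTF-8
    challenge: base64urlToBytes(challenge),                                             // assumption: base64url
    pubKeyCredParams: pubKeyCredParams.map(({ type, alg }) => ({ type, alg })),
    excludeCredentials: (excludeCredentials || []).map(({ type, id }) => ({ type, id: enc.encode(id) })),
    authenticatorSelection: { ...authenticatorSelection },
    attestation,
  };
}

// Constructed sample response in the shape this page documents (not real data).
const SAMPLE_CHALLENGE = {
  user: { id: "us-2b3c-4d5e-6f7g8h9i", displayName: "alice", name: "alice@example.com" },
  temporaryAuthenticationToken: "eyJ.constructed.jwt",
  challenge: "aGVsbG8gd29ybGQ", // base64url("hello world")
  supportedCredentialKinds: { firstFactor: [], secondFactor: [] },
  authenticatorSelection: { requireResidentKey: true },
  attestation: "direct",
  pubKeyCredParams: [{ type: "public-key", alg: -7 }],
  excludeCredentials: [{ type: "public-key", id: "cr-6uunn-bm6ja-f6rmod5kqrk5rbel" }],
  otpUrl: "",
  rp: { id: "example.com", name: "Example" },
};

// Typical use: on the server, await createDelegatedRegistrationChallenge({...}) and send the
// result to the client; in the browser, navigator.credentials.create({ publicKey:
// toCreationOptions(result, { rpName: "Example Wallet" }) }), then pass the attestation and
// result.temporaryAuthenticationToken to Complete User Registration.
```

The body builder enforces the schema's minimum lengths so a malformed request is rejected before any token is spent, and the client mapping is the only place the response's deprecated rp object could leak into WebAuthn options, so it is dropped there rather than trusted.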

Last modified on June 12, 2026