Create Delegated Registration Challenge

curl --request POST \
  --url https://api.dfns.io/auth/registration/delegated \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --header 'X-DFNS-USERACTION: <api-key>' \
  --data '
{
  "email": "<string>",
  "kind": "EndUser",
  "externalId": "<string>"
}
'

{
  "user": {
    "id": "<string>",
    "displayName": "<string>",
    "name": "<string>"
  },
  "temporaryAuthenticationToken": "<string>",
  "challenge": "<string>",
  "supportedCredentialKinds": {
    "firstFactor": [
      "Fido2"
    ],
    "secondFactor": [
      "Fido2"
    ]
  },
  "authenticatorSelection": {
    "residentKey": "required",
    "requireResidentKey": true,
    "userVerification": "required",
    "authenticatorAttachment": "platform"
  },
  "attestation": "none",
  "pubKeyCredParams": [
    {
      "type": "public-key",
      "alg": 123
    }
  ],
  "excludeCredentials": [
    {
      "type": "public-key",
      "id": "cr-6uunn-bm6ja-f6rmod5kqrk5rbel"
    }
  ],
  "otpUrl": "<string>",
  "rp": {
    "id": "<string>",
    "name": "<string>"
  }
}

Create Delegated Registration Challenge

Only a Service Account can use this endpoint.

If you want to use your own authentication system, while still using Delegated Signing, you can use this endpoint to register a new End User in your organization, without your user needing to receive an email from Dfns.

This endpoint will:

Create a new User attached to your organization
Initiates a User Registration Challenge and returns the registration challenge.

On successful creation, the user’s registration challenge will be returned. You will then need to call Complete User Registration or Complete End User Registration with Wallets to complete the user’s registration.

POST

auth

registration

delegated

Create Delegated Registration Challenge

curl --request POST \
  --url https://api.dfns.io/auth/registration/delegated \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --header 'X-DFNS-USERACTION: <api-key>' \
  --data '
{
  "email": "<string>",
  "kind": "EndUser",
  "externalId": "<string>"
}
'

{
  "user": {
    "id": "<string>",
    "displayName": "<string>",
    "name": "<string>"
  },
  "temporaryAuthenticationToken": "<string>",
  "challenge": "<string>",
  "supportedCredentialKinds": {
    "firstFactor": [
      "Fido2"
    ],
    "secondFactor": [
      "Fido2"
    ]
  },
  "authenticatorSelection": {
    "residentKey": "required",
    "requireResidentKey": true,
    "userVerification": "required",
    "authenticatorAttachment": "platform"
  },
  "attestation": "none",
  "pubKeyCredParams": [
    {
      "type": "public-key",
      "alg": 123
    }
  ],
  "excludeCredentials": [
    {
      "type": "public-key",
      "id": "cr-6uunn-bm6ja-f6rmod5kqrk5rbel"
    }
  ],
  "otpUrl": "<string>",
  "rp": {
    "id": "<string>",
    "name": "<string>"
  }
}

Authentication

❌ Organization User (CustomerEmployee)
❌ Delegated User (EndUser)
✅ Service Account

Required Permissions

Auth:Register:Delegated: Always required.

Authorizations

Authorization

string

header

required

Bearer Token: Used to authenticate API requests. More details how to generate the token: Authentication flows

X-DFNS-USERACTION

string

header

required

User Action Signature: Used to sign the change-inducing API requests. More details how to generate the token: User Action Signing flows

Body

application/json

string

required

Minimum string length: 1

kind

enum<string>

required

Available options:

EndUser

externalId

string

Minimum string length: 1

Response

200 - application/json

Success

user

object

required

Show child attributes

user.id

string

required

user.displayName

string

required

user.name

string

required

temporaryAuthenticationToken

string

required

challenge

string

required

supportedCredentialKinds

object

required

Show child attributes

supportedCredentialKinds.firstFactor

enum<string>[]

required

Available options:

Fido2,

Key,

Password,

Totp,

RecoveryKey,

PasswordProtectedKey

supportedCredentialKinds.secondFactor

enum<string>[]

required

Available options:

Fido2,

Key,

Password,

Totp,

RecoveryKey,

PasswordProtectedKey

authenticatorSelection

object

required

Show child attributes

authenticatorSelection.residentKey

enum<string>

required

Available options:

required,

preferred,

discouraged

authenticatorSelection.requireResidentKey

boolean

required

authenticatorSelection.userVerification

enum<string>

required

Value indicating if the user should be prompted for a second factor. Can be one of the following values:

required to indicate the user must be prompted for their pin, biometrics, or another second factor option
preferred to indicate the user should be prompted for a second factor if it is supported
discouraged to indicate the user should not be prompted for their second factor unless the device requires it

Available options:

required,

preferred,

discouraged

authenticatorSelection.authenticatorAttachment

enum<string>

Available options:

platform,

cross-platform

attestation

enum<string>

required

Identifies the information needed to verify the user's signing certificate; can be one of the following:

none: indicates no attestation data is required
indirect: indicates the attestation data should be given, but that it can be generated using an Anonymization CA
direct: indicates the attestation data must be given and should be generated by the authenticator
enterprise: indicates the attestation data should include information to uniquely identify the user's device

Available options:

none,

indirect,

direct,

enterprise

pubKeyCredParams

object[]

required

Show child attributes

pubKeyCredParams.type

enum<string>

required

Available options:

public-key

pubKeyCredParams.alg

number

required

excludeCredentials

object[]

required

Show child attributes

excludeCredentials.type

enum<string>

required

Is always public-key.

Available options:

public-key

excludeCredentials.id

string

required

ID that identifies the credential.

Required string length: 1 - 64

Example:

"cr-6uunn-bm6ja-f6rmod5kqrk5rbel"

otpUrl

string

required

object

Show child attributes

rp.id

string

required

rp.name

string

required

Create Registration Challenge

Create Social Registration Challenge

⌘I

API Authorization

Identity & Access Management

Wallets & Transactions

Management

Webhooks

Create Delegated Registration Challenge

Authentication

Required Permissions

Authorizations

Body

Response

API Authorization

Identity & Access Management

Wallets & Transactions

Management

Webhooks

​Authentication

​Required Permissions

Authorizations

Body

Response

Authentication

Required Permissions