Create User Action Signature

POST /auth/action

Completes the user action signing process and provides a signing token that can be used to verify the user intended to perform the action.

The type of credentials used to sign the action is determined by the kind field in the nested objects (firstFactor and secondFactor). Supported credential kinds are:

Fido2: User action is signed by a user's signing device using WebAuthn.
Key: User action is signed by a user's, or token's, private key.

Request headers required. See Request Headers for more information.
Authentication required. See Authentication Headers for more information.

Required Permissions

The permissions apply to the application only.

Name Conditions

Name	Conditions
`Auth:Action:Sign`	Always Required

Auth:Action:Sign

Always Required

Request body

challengeIdentifier *

String

temporary authentication token returned by the Create User Action Signature Challenge

firstFactor *

Object

first factor credential used to sign the user action

secondFactor

Object

Optional second factor credential used to authenticate a user

Fido2 Credential

kind *

String

will always be Fido2

credentialAssertion *

Object

credentialAssertion.credId *

String

base64url encoded id of the credential returned by the user's WebAuthn client

credentialAssertion.clientData *

String

base64url encoded client data object returned by the user's WebAuthn client

credentialAssertion.authenticatorData *

String

base64url encoded authenticator data object returned by the user's WebAuthn client

credentialAssertion.signature *

String

base64url encoded signature returned by the user's WebAuthn client

credentialAssertion.userHandle *

String

base64url encoded userHandle returned by the user's WebAuthn client

Example:

{
  "challengeIdentifier":"eyJ0e...fQNA",
  "firstFactor":{
    "kind":"Fido2",
    "credentialAssertion":{
      "credId":"c1QEdgnPLJargwzy3cbYKny4Q18u0hr97unXsF3DiE8",
      "clientData":"eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiTVdNME1tWTVZVFEwTURSaU56ZGhOVEZoTnpZNU9EUXdOV0k1WlRRNFkyUmhPRFppTkRrM1pUWXpPVEU1T0dZeU1EY3haakJqWXprNE1tUTVZelkxTUEiLCJvcmlnaW4iOiJodHRwczovL2FwcC5kZm5zLm5pbmphIiwiY3Jvc3NPcmlnaW4iOmZhbHNlfQ",
      "authenticatorData":"WT-zFZUBbJHfBkmhzTlPf49LTn7asLeTQKhm_riCvFgFAAAAAA",
      "signature":"MEUCIQDJ8G9J1NTjdoKx0yloYw45bpn6fJhcqCoUGiZuOU1IAQIgAtPt7S8FHFYW9OMHh3S5FVAxk-lhli-2lX22bBNSDog",
      "userHandle":"dXMtMmJhMGgtbHZwMnEtOHYxODYwcGNqMWJoNWlyaQ"
    }
  }
}

Key Credential

kind *

String

will always be Key

credentialAssertion *

Object

credentialAssertion.credId *

String

base64url encoded id of the credential

credentialAssertion.clientData *

String

Client Data JSON object, stringified and base64url-encoded

credentialAssertion.signature *

String

base64url encoded signature generated by signing the clientData JSON string object

Example:

{
  "challengeIdentifier":"eyJ0e...fQNA",
  "firstFactor":{
    "kind":"Key",
    "credentialAssertion":{
      "credId":"6Ca6tAOFTx2odyJBnCoRO-gPvfpfy0EOoOcEaxfxIOk",
      "clientData":"eyJ0eXBlIjoia2V5LmdldCIsImNoYWxsZW5nZSI6Ik1XTTBNbVk1WVRRME1EUmlOemRoTlRGaE56WTVPRFF3TldJNVpUUTRZMlJoT0RaaU5EazNaVFl6T1RFNU9HWXlNRGN4WmpCall6azRNbVE1WXpZMU1BIiwib3JpZ2luIjoiaHR0cHM6Ly9hcHAuZGZucy5uaW5qYSIsImNyb3NzT3JpZ2luIjpmYWxzZX0",
      "signature":"owt8WtpJT_6eEuw4UwdIX2HMMwENgk0SrI-RoCMPhx_9YMVpNKJGmJfHUusf_R1Mor9a_hinQVuXj4_XRdeJFSY2AySXSUk",
    }
  }
}

Responses

See Common Errors for common errors.
See User Action Signing Errors for user action signing specific errors.

Success - a token that will be passed in the X-DFNS-USERACTION header

{
  "userAction": "eyJ0eX...bzrQakA"
}

Last updated 2 months ago