curl --request POST \
  --url https://api.dfns.io/auth/action \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "challengeIdentifier": "eyJ0e...fQNA",
  "firstFactor": {
    "kind": "Fido2",
    "credentialAssertion": {
      "credId": "c1QEdgnPLJargwzy3cbYKny4Q18u0hr97unXsF3DiE8",
      "clientData": "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiTVdNME1tWTVZVFEwTURSaU56ZGhOVEZoTnpZNU9EUXdOV0k1WlRRNFkyUmhPRFppTkRrM1pUWXpPVEU1T0dZeU1EY3haakJqWXprNE1tUTVZelkxTUEiLCJvcmlnaW4iOiJodHRwczovL2FwcC5kZm5zLm5pbmphIiwiY3Jvc3NPcmlnaW4iOmZhbHNlfQ",
      "authenticatorData": "WT-zFZUBbJHfBkmhzTlPf49LTn7asLeTQKhm_riCvFgFAAAAAA",
      "signature": "MEUCIQDJ8G9J1NTjdoKx0yloYw45bpn6fJhcqCoUGiZuOU1IAQIgAtPt7S8FHFYW9OMHh3S5FVAxk-lhli-2lX22bBNSDog",
      "userHandle": "dXMtMmJhMGgtbHZwMnEtOHYxODYwcGNqMWJoNWlyaQ"
    }
  }
}
'

{
  "userAction": "eyJ0eX...bzrQakA"
}

Create User Action Signature

Completes the user action signing process and provides a signing token that can be used to verify the user intended to perform the action.

This is the first step of the User Action Signing flow.

The type of credentials used to sign the action is determined by the kind field in the nested objects (firstFactor and secondFactor). Supported credential kinds are:

Fido2: User action is signed by a user’s signing device using WebAuthn.
Key: User action is signed by a user’s, or token’s, private key.
PasswordProtectedKey: Login challenge is signed by the decrypted user’s private key that was sent during Create User Action Signature Challenge step.

POST

auth

action

curl --request POST \
  --url https://api.dfns.io/auth/action \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "challengeIdentifier": "eyJ0e...fQNA",
  "firstFactor": {
    "kind": "Fido2",
    "credentialAssertion": {
      "credId": "c1QEdgnPLJargwzy3cbYKny4Q18u0hr97unXsF3DiE8",
      "clientData": "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiTVdNME1tWTVZVFEwTURSaU56ZGhOVEZoTnpZNU9EUXdOV0k1WlRRNFkyUmhPRFppTkRrM1pUWXpPVEU1T0dZeU1EY3haakJqWXprNE1tUTVZelkxTUEiLCJvcmlnaW4iOiJodHRwczovL2FwcC5kZm5zLm5pbmphIiwiY3Jvc3NPcmlnaW4iOmZhbHNlfQ",
      "authenticatorData": "WT-zFZUBbJHfBkmhzTlPf49LTn7asLeTQKhm_riCvFgFAAAAAA",
      "signature": "MEUCIQDJ8G9J1NTjdoKx0yloYw45bpn6fJhcqCoUGiZuOU1IAQIgAtPt7S8FHFYW9OMHh3S5FVAxk-lhli-2lX22bBNSDog",
      "userHandle": "dXMtMmJhMGgtbHZwMnEtOHYxODYwcGNqMWJoNWlyaQ"
    }
  }
}
'

{
  "userAction": "eyJ0eX...bzrQakA"
}

Authentication

✅ Organization User (CustomerEmployee)
✅ Delegated User (EndUser)
✅ Service Account

Required Permissions

No permission required.

Authorizations

Authorization

string

header

required

Bearer Token: Used to authenticate API requests. More details how to generate the token: Authentication flows

Body

application/json

challengeIdentifier

string

required

Temporary authentication token returned by the Create Challenge endpoint.

firstFactor

Fido2/Passkeys · object

required

First factor credential used to sign the challenge.

Fido2/Passkeys
Public/Private key pair
Password-protected Key
<Deprecated> Password

Show child attributes

firstFactor.kind

enum<string>

required

Available options:

Fido2

firstFactor.credentialAssertion

object

required

Show child attributes

firstFactor.credentialAssertion.credId

string

required

Base64url-encoded id of the credential returned by the user's WebAuthn client.

Minimum string length: 1

firstFactor.credentialAssertion.clientData

string

required

Base64url-encoded, stringified JSON client data object returned by the user's WebAuthn client.

Minimum string length: 1

firstFactor.credentialAssertion.signature

string

required

Base64url-encoded signature returned by the user's WebAuthn client.

Minimum string length: 1

firstFactor.credentialAssertion.authenticatorData

string

required

Base64url encoded authenticator data object returned by the user's WebAuthn client.

Minimum string length: 1

firstFactor.credentialAssertion.algorithm

string

The algorithm/digest that the credential will use to sign data. If the algoritm is not specified then the algorithm will be determined by the key.

firstFactor.credentialAssertion.userHandle

string

Base64url encoded userHandle returned by the user's WebAuthn client.

secondFactor

Fido2/Passkeys · object

Second factor credential used to authenticate a user.

Fido2/Passkeys
Public/Private key pair
Password-protected Key
<Deprecated> TOTP

Show child attributes

secondFactor.kind

enum<string>

required

Available options:

Fido2

secondFactor.credentialAssertion

object

required

Show child attributes

secondFactor.credentialAssertion.credId

string

required

Base64url-encoded id of the credential returned by the user's WebAuthn client.

Minimum string length: 1

secondFactor.credentialAssertion.clientData

string

required

Base64url-encoded, stringified JSON client data object returned by the user's WebAuthn client.

Minimum string length: 1

secondFactor.credentialAssertion.signature

string

required

Base64url-encoded signature returned by the user's WebAuthn client.

Minimum string length: 1

secondFactor.credentialAssertion.authenticatorData

string

required

Base64url encoded authenticator data object returned by the user's WebAuthn client.

Minimum string length: 1

secondFactor.credentialAssertion.algorithm

string

The algorithm/digest that the credential will use to sign data. If the algoritm is not specified then the algorithm will be determined by the key.

secondFactor.credentialAssertion.userHandle

string

Base64url encoded userHandle returned by the user's WebAuthn client.

Response

200 - application/json

Success

userAction

string

required

Create User Action Challenge

List Audit Logs

⌘I

API Authorization

Identity & Access Management

Wallets & Transactions

Management

Webhooks

Create User Action Signature

Authentication

Required Permissions

Authorizations

Body

Response

API Authorization

Identity & Access Management

Wallets & Transactions

Management

Webhooks

​Authentication

​Required Permissions

Authorizations

Body

Response

Authentication

Required Permissions