Recover User
Last updated
Last updated
POST /auth/recover/user
Recovers a user, using a recovery credential. After successfully recovering the user, all of the user's previous credentials and personal access tokens will be invalidated.
This flow requires cryptographic validation of newly created credential(s) using a recovery credential. The recovery.credentialAssertion.clientData field's challenge must be the base64url-encoded representation of the newCredential object.
The process is as follows:
Construct the newCredential object, using the challenge obtained from either the or API.
Serialize the newCredential object to JSON and then base64url-encode the resulting JSON string. This base64url-encoded string will serve as the challenge for the recovery.credentialAssertion object.
Construct the recovery.credentialAssertion object, using the base64url-encoded string generated in step 2 as its challenge.
Auth:Users:Create
Always Required
Auth:Types:Employee
When kind is CustomerEmployee
Auth:Types:EndUser
When kind is EndUser
recovery *
Object
a signature of the user's new credentials, using the user's recovery credential, that proves the user initiated the recovery request
recovery.kind *
String
will always be RecoveryKey
recovery.credentialAssertion *
Object
recovery.credentialAssertion.credId *
String
base64url encoded id of the recovery credential
recovery.credentialAssertion.clientData *
String
recovery.credentialAssertion.signature *
String
base64url encoded signature generated by signing the clientData JSON string object
newCredentials *
Object
the new credentials being assigned to the user
newCredentials.firstFactorCredential *
Object
new first factor credential that the user is registering
newCredentials.secondFactorCredential
Object
Optional new second factor credential that the user is registering
newCredentials.recoveryCredential
Object
Optional new recovery credential that can be used to recover the user's account
credentialKind *
String
will always be Fido2
credentialInfo *
Object
credentialInfo.credId *
String
base64url encoded id of the credential
credentialInfo.clientData *
String
base64url encoded client data object. The underlying object is the clientData object returned by the user's WebAuthn client
credentialInfo.attestationData *
String
base64url encoded attestation data object. The underlying object is the attestationData object returned by the user's WebAuthn client
credentialKind *
String
will always be Key
credentialInfo *
Object
credentialInfo.credId *
String
base64url encoded id of the credential
credentialInfo.clientData *
String
credentialInfo.attestationData *
String
credentialKind *
String
will always be RecoveryKey
credentialInfo *
Object
credentialInfo.credId *
String
base64url encoded id of the credential
credentialInfo.clientData *
String
credentialInfo.attestationData *
String
encryptedPrivateKey
String
Optional encrypted private key. The user should hold the secret to decrypting this value, and that secret should never be transmitted to Dfns
Success - an object describing the user
base64url encoded JSON string object that was signed with the user's private key
base64url encoded JSON string object that was signed with the user's private key
base64url encoded JSON string object with the user's signature and public key
base64url encoded JSON string object that was signed with the user's private key
base64url encoded JSON string object with the user's signature and public key
See for common errors.
See for user recovery specific errors.