Skip to main content
In order to login, or sign their Actions, users need to sign “challenges” using their Credentials. A Credential is essentially a public/private cryptographic keypair. The private key is held by the user, while the public key is provided to Dfns to register the credential for the user. The first time you registered on Dfns dashboard, you created a Passkey credential (see how here). You can also register additional credentials later on (see how here). Different kinds of Credentials can be created, depending on your use case, and how you prefer to manage them:
  • Fido2 Credentials (aka “Passkeys” / “WebAuthn”) -> Uses WebAuthn standard to create/manage passkeys on your device (see more about that below). You can use passkeys if you need a client-side User signature (eg. in a web app / native app).
  • Key Credentials -> “manually” generate keypairs yourself, and store them however you see fit (see How to generate a keypair). You can use Key Credential if you need a Service Account sitting in your server to also be the signer for example.
Depending on the Identity you are using, the Credentials supported are such:
IdentityWebAuthn CredentialsKey Credentials
User
PAT (Personal Access Token)🛑
Service Account🛑

User Credentials - Passkeys

Users can register with a WebAuthn Credential (aka “Passkey”) or with a raw Public/Private Key Passkeys is the common term used to describe the Fido2 standard called “WebAuthn”. It is a web authentication standard supported by most modern browsers, phones and devices, which leverages your devices key-management features (like touch ID on a mac, a phone authenticator, a yubikey, some password managers support creating and storing passkeys, etc). Those passkeys can then be used by the user to sign payloads when needed. Here’s some screenshots with some examples of WebAuthn prompts shown in your browser during Credential creation, or during Signing using those Credentials. Below is an example of the promps a user can see on a web app, when a challenge needs to be signed with the passkey: it’s asking the user for his biometrics (fingerprint) before using the passkey to sign.
You can read more about WebAuthn on webauthn.guide, and if you want you can test a WebAuthn demo on webauthn.io

Machine Credentials - Asymetric Keys

When registering a new long-lived access token (Service Account or Personal Access Token) to be used by a backend, you need to link a public-private key pair to your token. This is done by passing a public key with the API call. See Generate a Key Pair for information about how to generate a key pair.

Public Key Format

Public Keys need to be formated with PEM encoding.

PEM Encoding

PEM encoding base64 encodes the public key data and places it between a header and footer. The header and footer can be slightly different depending on the crypto library you use, but it will always have the same basic format: 
-----BEGIN <OPTIONAL_VALUE> PUBLIC KEY-----
-----END <OPTIONAL_VALUE> PUBLIC KEY-----
For example 
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYsHwe62PxDXIXjvSd0/ZdndtvenLqZ6u62pp2/SejCs4NuJ5fOCsUDzqFXxBNJpA9CkFnqASaKP9n4N3XgQ1mQ==
-----END PUBLIC KEY-----

Converting from raw to PEM

Some crypto libraries do not support PEM format. If your library supports exporting to SPKI you can export the key into SPKI format, base64 encode that value, and place it inside the header and footer. 
function arrayBufferToBase64(buffer) {
  const bytes = new Uint8Array(buffer)
  return btoa(String.fromCharCode(...bytes))
}

async function exportPublicKeyInPemFormat(key) {
  const exported = await crypto.subtle.exportKey('spki', key)
  const pem = `-----BEGIN PUBLIC KEY-----\n${arrayBufferToBase64(exported)}\n-----END PUBLIC KEY-----`
  return pem
}

Registering a key pair

When registering a user with a private key, you need to:
  1. Get a registration challenge from the Dfns API
  2. Create the key pair locally
  3. Sign the registration challenge and public key
  4. Return the signed challenge to the Dfns API

The Registration Challenge

A registration challenge is returned from calls to:
  • /auth/registration/init
  • /auth/registration/delegated
  • /auth/credentials/init
In all cases the challenge format is the same. You will recieve an object with the following properties (additional properties exist for managing credentials with WebAuthn):
fielddescription
challengeA string that will be signed with the new credential
temporaryAuthenticationTokenA JWT that is passed to the registration endpoint to identify the registration session
supportedCredentialKindsThe list of credential types that are supported, should always contain “Key”

How to Sign the Challenge with the Private Key

The user signs the challenge to prove they are in possession of the key being registered. The user will also sign the public key to ensure the key is not replaced when transmitted to Dfns.
Client Data
The user needs to format the challenge into a Client Data object.
Attestation Data
The client data object is then used to build the Attestation Data object.
Signing Example: First factor and Recovery credentials:
recoveryClientData = {
  type: 'key.get',
  challenge: base64url(JSON.stringify({
    "firstFactorCredential":{
      "credentialKind":"Key",
      "credentialInfo":{
        "credId":"6Ca6tAOFTx2odyJBnCoRO-gPvfpfy0EOoOcEaxfxIOk",
        "clientData":"eyJ0eXBlIjoia2V5LmNyZWF0ZSIsImNoYWxsZW5nZSI6...",
        "attestationData":"eyJwdWJsaWNLZXkiOiAiLS0tLS1CRUdJTiBQVUJMSU..."
      }
    },
    "recoveryCredential":{
      "credentialKind":"RecoveryKey",
      "credentialInfo":{
        "credId":"GMkW0zlmcoMxI1OX0Z96LL_Mz7dgeu6vOH5_TOeGyNk",
        "clientData":"eyJ0eXBlIjoia2V5LmNyZWF0ZSIsImNoYWxsZW5nZSI6...",
        "attestationData":"eyJwdWJsaWNLZXkiOiItLS0tLUJFR0lOIFBVQkxJQ..."
      },
      "encryptedPrivateKey":"LsXVskHYqqrKKxBC9KvqStLEmxak5Y7NaboDDlRSIW7..."
    }
  })),
  origin: this.appOrigin,
  crossOrigin: false,
}

const clientData = Buffer.from(JSON.stringify(recoveryClientData))
const signature = crypto.sign(undefined, clientData, newKey.privateKey)