# Complete End User Registration with Wallets

> Completes the end user registration process and creates the user's initial credentials along with delegated wallets for the new end user.

All credentials submitted in this call (`firstFactorCredential`, `secondFactorCredential`, `recoveryCredential`) sign the same challenge returned by the registration init endpoint ([Create Delegated Registration Challenge](https://docs.dfns.co/api-reference/auth/create-delegated-registration-challenge) or [Create Social Registration Challenge](https://docs.dfns.co/api-reference/auth/create-social-registration-challenge)).

Always include a `recoveryCredential` for end users. Without one, a user who loses their device cannot recover access and you must initiate a delegated recovery manually. See [Implement end-user recovery](https://docs.dfns.co/guides/developers/end-user-recovery).

The type of credentials being registered is determined by the `credentialKind` field in the nested objects (`firstFactorCredential`, `secondFactorCredential` and `recoveryCredential`). Supported credential kinds are:
* `Fido2`: User action is signed by a user's signing device using `WebAuthn`.
* `Key`: User action is signed by a user's, or token's, private key.
* `PasswordProtectedKey`: User action is signed by a user's, or token's, private key. The encrypted version of the private key is stored by Dfns and is returned during the signing flow for the user to decrypt it.
* `RecoveryKey`: Similar to `PasswordProtectedKey`, but this credential can only be used to recover an account, not to sign an action or log in. Once this credential is used, all of the user's other credentials are invalidated.

The number of delegated wallets created and the wallet types are determined by the `wallets` specifications. The end user is automatically assigned the `ManagedDefaultEndUserAccess` managed permission, which grants the end user full access to the wallets.

#### Authentication

❌ Organization User (`CustomerEmployee`)\
❌ Delegated User (`EndUser`)\
❌ Service Account\
✅ Registration Code

#### Required Permissions

No permission required.


## OpenAPI

````yaml /openapi.yaml post /auth/registration/enduser
openapi: 3.1.0
info:
  version: 1.880.1
  title: Dfns
servers:
  - url: https://api.dfns.io
    description: Default - Europe
  - url: https://api.uae.dfns.io
    description: UAE
  - url: https://api.dfns.ninja
    description: <Deprecated> Staging
security: []
paths:
  /auth/registration/enduser:
    post:
      tags:
        - Auth
      summary: Complete End User Registration with Wallets
      description: >-
        Completes the end user registration process and creates the user's
        initial credentials along with delegated wallets for the new end user.


        All credentials submitted in this call (`firstFactorCredential`,
        `secondFactorCredential`, `recoveryCredential`) sign the same challenge
        returned by the registration init endpoint ([Create Delegated
        Registration
        Challenge](https://docs.dfns.co/api-reference/auth/create-delegated-registration-challenge)
        or [Create Social Registration
        Challenge](https://docs.dfns.co/api-reference/auth/create-social-registration-challenge)).


        Always include a `recoveryCredential` for end users. Without one, a user
        who loses their device cannot recover access and you must initiate a
        delegated recovery manually. See [Implement end-user
        recovery](https://docs.dfns.co/guides/developers/end-user-recovery).


        The type of credentials being registered is determined by the
        `credentialKind` field in the nested objects (`firstFactorCredential`,
        `secondFactorCredential` and `recoveryCredential`). Supported credential
        kinds are:

        * `Fido2`: User action is signed by a user's signing device using
        `WebAuthn`.

        * `Key`: User action is signed by a user's, or token's, private key.

        * `PasswordProtectedKey`: User action is signed by a user's, or token's,
        private key. The encrypted version of the private key is stored by Dfns
        and is returned during the signing flow for the user to decrypt it.

        * `RecoveryKey`: Similar to `PasswordProtectedKey`, but this credential
        can only be used to recover an account, not to sign an action or log in.
        Once this credential is used, all of the user's other credentials are
        invalidated.


        The number of delegated wallets created and the wallet types are
        determined by the `wallets` specifications. The end user is
        automatically assigned the `ManagedDefaultEndUserAccess` managed
        permission, which grants the end user full access to the wallets.
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                firstFactorCredential:
                  $ref: '#/components/schemas/FirstFactorAttestation'
                secondFactorCredential:
                  $ref: '#/components/schemas/SecondFactorAttestation'
                recoveryCredential:
                  $ref: '#/components/schemas/RecoveryKeyAttestation'
                wallets:
                  type: array
                  items:
                    type: object
                    properties:
                      network:
                        type: string
                        enum:
                          - Algorand
                          - AlgorandTestnet
                          - Aptos
                          - AptosTestnet
                          - ArbitrumOne
                          - ArbitrumSepolia
                          - ArcTestnet
                          - AvalancheC
                          - AvalancheCFuji
                          - BabylonGenesis
                          - BabylonTestnet5
                          - Base
                          - BaseSepolia
                          - Berachain
                          - BerachainBepolia
                          - Bitcoin
                          - BitcoinSignet
                          - BitcoinTestnet3
                          - BitcoinTestnet4
                          - BitcoinCash
                          - Bob
                          - BobSepolia
                          - Bsc
                          - BscTestnet
                          - Canton
                          - CantonTestnet
                          - Cardano
                          - CardanoPreprod
                          - Concordium
                          - ConcordiumTestnet
                          - Celo
                          - CeloAlfajores
                          - Codex
                          - CodexSepolia
                          - CosmosHub4
                          - CosmosIcsTestnet
                          - Dogecoin
                          - DogecoinTestnet
                          - Ethereum
                          - EthereumClassic
                          - EthereumClassicMordor
                          - EthereumSepolia
                          - EthereumHolesky
                          - EthereumHoodi
                          - FantomOpera
                          - FantomTestnet
                          - FlareC
                          - FlareCCoston2
                          - FlowEvm
                          - FlowEvmTestnet
                          - Hedera
                          - HederaTestnet
                          - Ink
                          - InkSepolia
                          - InternetComputer
                          - Ion
                          - IonTestnet
                          - Iota
                          - IotaTestnet
                          - Kusama
                          - KusamaAssetHub
                          - Litecoin
                          - LitecoinTestnet
                          - Movement
                          - MovementTestnet
                          - Near
                          - NearTestnet
                          - Optimism
                          - OptimismSepolia
                          - Origyn
                          - Plasma
                          - PlasmaTestnet
                          - Plume
                          - PlumeSepolia
                          - Paseo
                          - PaseoAssetHub
                          - Polkadot
                          - PolkadotAssetHub
                          - Polygon
                          - PolygonAmoy
                          - Polymesh
                          - PolymeshTestnet
                          - Race
                          - RaceSepolia
                          - SeiAtlantic2
                          - SeiPacific1
                          - Solana
                          - SolanaDevnet
                          - Starknet
                          - StarknetSepolia
                          - Stellar
                          - StellarTestnet
                          - Sui
                          - SuiTestnet
                          - Tezos
                          - TezosGhostnet
                          - TezosShadownet
                          - Tempo
                          - TempoModerato
                          - Tsc
                          - TscTestnet1
                          - Ton
                          - TonTestnet
                          - Tron
                          - TronNile
                          - Westend
                          - WestendAssetHub
                          - Xdc
                          - XdcApothem
                          - XLayer
                          - XLayerSepolia
                          - XrpLedger
                          - XrpLedgerTestnet
                      name:
                        type: string
                        maxLength: 100
                        description: Wallet nickname.
                    required:
                      - network
                    additionalProperties: false
                  minItems: 1
              required:
                - firstFactorCredential
                - wallets
              additionalProperties: false
      responses:
        '200':
          description: Success
          content:
            application/json:
              schema:
                type: object
                properties:
                  credential:
                    type: object
                    properties:
                      uuid:
                        type: string
                        description: UUID of the credential that was registered.
                      kind:
                        type: string
                        enum:
                          - Fido2
                          - Key
                          - Password
                          - Totp
                          - RecoveryKey
                          - PasswordProtectedKey
                        description: Kind of credential that was registered.
                      name:
                        type: string
                        description: Human-readable name of the credential.
                    required:
                      - uuid
                      - kind
                      - name
                  user:
                    type: object
                    properties:
                      id:
                        type: string
                        minLength: 1
                        maxLength: 64
                        pattern: ^us-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$
                        description: User id.
                        example: us-6b58p-r53sr-rlrd3l5cj3uc4ome
                      username:
                        type: string
                        description: Username/identifier of the user.
                      orgId:
                        type: string
                        minLength: 1
                        maxLength: 64
                        pattern: ^or-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$
                        description: Organization id.
                        example: or-30tnh-itmjs-s235s5ontr3r23h2
                      tenantId:
                        type: string
                        minLength: 1
                        maxLength: 64
                        pattern: ^acct-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$
                        description: Tenant id.
                        example: acct-24hka-dhili-9hgvdlvr1ohpibp4
                    required:
                      - id
                      - username
                  authentication:
                    type: object
                    properties:
                      token:
                        type: string
                        description: Authentication token issued to the user.
                    required:
                      - token
                  wallets:
                    type: array
                    items:
                      $ref: '#/components/schemas/Wallet'
                required:
                  - credential
                  - user
                  - authentication
                  - wallets
      security:
        - authenticationToken: []
components:
  schemas:
    FirstFactorAttestation:
      oneOf:
        - $ref: '#/components/schemas/Fido2Attestation'
        - $ref: '#/components/schemas/KeyAttestation'
        - $ref: '#/components/schemas/PasswordAttestation'
        - $ref: '#/components/schemas/PasswordProtectedKeyAttestation'
      discriminator:
        propertyName: credentialKind
        mapping:
          Fido2:
            $ref: '#/components/schemas/Fido2Attestation'
          Key:
            $ref: '#/components/schemas/KeyAttestation'
          Password:
            $ref: '#/components/schemas/PasswordAttestation'
          PasswordProtectedKey:
            $ref: '#/components/schemas/PasswordProtectedKeyAttestation'
    SecondFactorAttestation:
      oneOf:
        - $ref: '#/components/schemas/Fido2Attestation'
        - $ref: '#/components/schemas/KeyAttestation'
        - $ref: '#/components/schemas/TotpAttestation'
        - $ref: '#/components/schemas/PasswordProtectedKeyAttestation'
      discriminator:
        propertyName: credentialKind
        mapping:
          Fido2:
            $ref: '#/components/schemas/Fido2Attestation'
          Key:
            $ref: '#/components/schemas/KeyAttestation'
          Totp:
            $ref: '#/components/schemas/TotpAttestation'
          PasswordProtectedKey:
            $ref: '#/components/schemas/PasswordProtectedKeyAttestation'
    RecoveryKeyAttestation:
      type: object
      properties:
        credentialKind:
          type: string
          enum:
            - RecoveryKey
        credentialInfo:
          type: object
          properties:
            credId:
              type: string
              minLength: 1
              description: Base64url-encoded id of the recovery credential.
            clientData:
              type: string
              minLength: 1
              description: >-
                Base64url-encoded, stringified JSON [client
                data](https://docs.dfns.co/api-reference/auth/credentials-data#client-data)
                object.
            attestationData:
              type: string
              minLength: 1
              description: Base64url-encoded public key.
          required:
            - credId
            - clientData
            - attestationData
          additionalProperties: false
        encryptedPrivateKey:
          type: string
          minLength: 1
          description: User-encrypted private key for the recovery credential.
        credentialName:
          type: string
          minLength: 1
          description: Human-readable name to assign to the credential.
      required:
        - credentialKind
        - credentialInfo
      additionalProperties: false
      description: >-
        Register a recovery key. See [Account
        Recovery](https://docs.dfns.co/api-reference/auth/account-recovery) for
        more details.
      title: Recovery Key
    Wallet:
      type: object
      properties:
        id:
          type: string
          minLength: 1
          maxLength: 64
          pattern: ^wa-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$
          description: ID of the wallet.
          example: wa-5pfuu-9euek-h0odgb6snva8ph3k
        network:
          type: string
          description: Network this wallet is bound to.
          enum:
            - Algorand
            - AlgorandTestnet
            - Aptos
            - AptosTestnet
            - ArbitrumOne
            - ArbitrumSepolia
            - ArcTestnet
            - AvalancheC
            - AvalancheCFuji
            - BabylonGenesis
            - BabylonTestnet5
            - Base
            - BaseSepolia
            - Berachain
            - BerachainBepolia
            - Bitcoin
            - BitcoinSignet
            - BitcoinTestnet3
            - BitcoinTestnet4
            - BitcoinCash
            - Bob
            - BobSepolia
            - Bsc
            - BscTestnet
            - Canton
            - CantonTestnet
            - Cardano
            - CardanoPreprod
            - Concordium
            - ConcordiumTestnet
            - Celo
            - CeloAlfajores
            - Codex
            - CodexSepolia
            - CosmosHub4
            - CosmosIcsTestnet
            - Dogecoin
            - DogecoinTestnet
            - Ethereum
            - EthereumClassic
            - EthereumClassicMordor
            - EthereumSepolia
            - EthereumHolesky
            - EthereumHoodi
            - FantomOpera
            - FantomTestnet
            - FlareC
            - FlareCCoston2
            - FlowEvm
            - FlowEvmTestnet
            - Hedera
            - HederaTestnet
            - Ink
            - InkSepolia
            - InternetComputer
            - Ion
            - IonTestnet
            - Iota
            - IotaTestnet
            - Kusama
            - KusamaAssetHub
            - Litecoin
            - LitecoinTestnet
            - Movement
            - MovementTestnet
            - Near
            - NearTestnet
            - Optimism
            - OptimismSepolia
            - Origyn
            - Plasma
            - PlasmaTestnet
            - Plume
            - PlumeSepolia
            - Paseo
            - PaseoAssetHub
            - Polkadot
            - PolkadotAssetHub
            - Polygon
            - PolygonAmoy
            - Polymesh
            - PolymeshTestnet
            - Race
            - RaceSepolia
            - SeiAtlantic2
            - SeiPacific1
            - Solana
            - SolanaDevnet
            - Starknet
            - StarknetSepolia
            - Stellar
            - StellarTestnet
            - Sui
            - SuiTestnet
            - Tezos
            - TezosGhostnet
            - TezosShadownet
            - Tempo
            - TempoModerato
            - Tsc
            - TscTestnet1
            - Ton
            - TonTestnet
            - Tron
            - TronNile
            - Westend
            - WestendAssetHub
            - Xdc
            - XdcApothem
            - XLayer
            - XLayerSepolia
            - XrpLedger
            - XrpLedgerTestnet
        address:
          type: string
          description: Wallet address on its corresponding network.
        signingKey:
          type: object
          properties:
            id:
              type: string
              minLength: 1
              maxLength: 64
              pattern: ^key-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$
              description: Key id.
              example: key-01snl-t56gb-j8tsok0vn802p80i
            scheme:
              $ref: '#/components/schemas/KeyScheme'
            curve:
              $ref: '#/components/schemas/KeyCurve'
            publicKey:
              type: string
              description: Hex-encoded value of the public key.
              example: >-
                e2375c8c9e87bfcd0be8f29d76c818cabacd51584f72cb2222d49a13b036d84d3d
            delegatedTo:
              type: string
              minLength: 1
              maxLength: 64
              pattern: ^us-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$
              description: The end user ID the key (and wallet) is delegated to.
              example: us-6b58p-r53sr-rlrd3l5cj3uc4ome
          required:
            - id
            - scheme
            - curve
            - publicKey
          description: Details about the key underlying the wallet.
        status:
          type: string
          enum:
            - Active
            - Inactive
            - Archived
          description: Wallet status.
        dateCreated:
          type: string
          description: >-
            [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) date string when
            wallet was created.
          example: '2023-04-14T20:41:28.715Z'
        dateDeleted:
          type: string
          description: >-
            [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) date string when
            wallet was deleted.
          example: '2023-04-14T20:41:28.715Z'
        name:
          type: string
          maxLength: 100
          description: Wallet nickname.
        custodial:
          type: boolean
          description: >-
            Whether the wallet is owned by an end user (non-custodial), or by
            your organization (custodial).
        externalId:
          type: string
          maxLength: 100
          description: >-
            User-defined value that can be used to correlate the entity with an
            external system.
        tags:
          type: array
          items:
            type: string
            pattern: ^[a-zA-Z0-9_.:/+-]{1,100}$
            description: Wallet Tag.
          maxItems: 10
          description: List of tags.
        validatorId:
          type: string
          minLength: 1
          maxLength: 64
          pattern: ^cv-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$
          description: >-
            Id of the validator on which the wallet is created for Canton
            networks
          example: cv-7jeof-m584r-p35ucm37ko3cqgts
      required:
        - id
        - network
        - signingKey
        - status
        - dateCreated
        - custodial
        - tags
      example:
        id: wa-1f04s-lqc9q-xxxxxxxxxxxxxxxx
        network: Ethereum
        address: '0x00e3495cf6af59008f22ffaf32d4c92ac33dac47'
        name: trading hot wallet
        signingKey:
          id: key-6ece3-9l565-xxxxxxxxxxxxxxxx
          scheme: ECDSA
          curve: secp256k1
          publicKey: e2375c8c9e87bfcd0be8f29d76c818cabacd51584f72cb2222d49a13b036d84d3d
        status: Active
        dateCreated: '2023-04-14T20:41:28.715Z'
        custodial: true
        tags: []
    Fido2Attestation:
      type: object
      properties:
        credentialKind:
          type: string
          enum:
            - Fido2
        credentialInfo:
          type: object
          properties:
            credId:
              type: string
              minLength: 1
              description: >-
                Base64url-encoded id of the credential returned by the user's
                WebAuthn client.
            clientData:
              type: string
              minLength: 1
              description: >-
                Base64url-encoded, stringified JSON [client
                data](https://docs.dfns.co/api-reference/auth/credentials-data#client-data)
                object returned by the user's WebAuthn client.
            attestationData:
              type: string
              minLength: 1
              description: >-
                Base64url-encoded attestation data returned by the user's
                WebAuthn client.
          required:
            - credId
            - clientData
            - attestationData
          additionalProperties: false
        credentialName:
          type: string
          minLength: 1
          description: Human-readable name to assign to the credential.
      required:
        - credentialKind
        - credentialInfo
      additionalProperties: false
      description: >-
        Register a Fido2 Credential, also known as Passkeys or WebAuthn
        credential.
      title: Fido2/Passkeys
    KeyAttestation:
      type: object
      properties:
        credentialKind:
          type: string
          enum:
            - Key
        credentialInfo:
          type: object
          properties:
            credId:
              type: string
              minLength: 1
              description: Base64url-encoded id of the credential.
            clientData:
              type: string
              minLength: 1
              description: >-
                Base64url-encoded, stringified JSON [client
                data](https://docs.dfns.co/api-reference/auth/credentials-data#client-data)
                object.
            attestationData:
              type: string
              minLength: 1
              description: Base64url-encoded public key.
          required:
            - credId
            - clientData
            - attestationData
          additionalProperties: false
        credentialName:
          type: string
          minLength: 1
          description: Human-readable name to assign to the credential.
      required:
        - credentialKind
        - credentialInfo
      additionalProperties: false
      description: >-
        Register a "raw" public/private keypair, mostly meant to be used by
        Service Accounts. See [Generate a Key
        Pair](https://docs.dfns.co/developers/guides/generate-a-key-pair) for
        more details.
      title: Public/Private key pair
    PasswordAttestation:
      type: object
      properties:
        credentialKind:
          type: string
          enum:
            - Password
        credentialInfo:
          type: object
          properties:
            password:
              type: string
              minLength: 1
              description: User password.
          required:
            - password
          additionalProperties: false
        credentialName:
          type: string
          minLength: 1
          description: Human-readable name to assign to the credential.
      required:
        - credentialKind
        - credentialInfo
      additionalProperties: false
      description: Not supported, will be removed in a future release.
      title: <Deprecated> Password
    PasswordProtectedKeyAttestation:
      type: object
      properties:
        credentialKind:
          type: string
          enum:
            - PasswordProtectedKey
        credentialInfo:
          type: object
          properties:
            credId:
              type: string
              minLength: 1
              description: Base64url-encoded id of the credential.
            clientData:
              type: string
              minLength: 1
              description: >-
                Base64url-encoded, stringified JSON [client
                data](https://docs.dfns.co/api-reference/auth/credentials-data#client-data)
                object.
            attestationData:
              type: string
              minLength: 1
              description: Base64url-encoded public key.
          required:
            - credId
            - clientData
            - attestationData
          additionalProperties: false
        encryptedPrivateKey:
          type: string
          minLength: 1
          description: >-
            User-encrypted private key. Dfns does not have the password to
            decrypt it.
        credentialName:
          type: string
          minLength: 1
          description: Human-readable name to assign to the credential.
      required:
        - credentialKind
        - credentialInfo
        - encryptedPrivateKey
      additionalProperties: false
      description: >-
        Register an encrypted private key. Note that Dfns only stores the
        encrypted private key and should not have access to the password to
        decrypt it!
      title: Password-protected Key
    TotpAttestation:
      type: object
      properties:
        credentialKind:
          type: string
          enum:
            - Totp
        credentialInfo:
          type: object
          properties:
            otpCode:
              type: string
              minLength: 1
              description: TOTP one-time code.
          required:
            - otpCode
          additionalProperties: false
        credentialName:
          type: string
          minLength: 1
          description: Human-readable name to assign to the credential.
      required:
        - credentialKind
        - credentialInfo
      additionalProperties: false
      description: Not supported, will be removed in a future release.
      title: <Deprecated> TOTP
    KeyScheme:
      type: string
      description: The cryptographic scheme for the key.
      enum:
        - ECDSA
        - EdDSA
        - Schnorr
    KeyCurve:
      type: string
      enum:
        - ed25519
        - secp256k1
        - stark
      description: The elliptic curve for the key.
  securitySchemes:
    authenticationToken:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >-
        **Bearer Token:** Used to authenticate API requests.

        More details on how to generate the token: [Authentication
        flows](https://docs.dfns.co/api-reference/auth/login-flows)

````
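
A client-side pre-flight check of the request body against the rules in the schema above, added here as an example and not taken from Dfns code: it enforces which `credentialKind` each slot accepts, the required `credentialInfo` fields, the `wallets` constraints, and that every signed credential carries the same challenge. It assumes the decoded client data exposes the challenge in a `challenge` field; `check_registration_body`, `sample_body` and all sample values are hypothetical and constructed.

```python
import base64
import json

# Kinds each slot accepts, taken from the schema's discriminator mappings.
ALLOWED_KINDS = {
    "firstFactorCredential": {"Fido2", "Key", "Password", "PasswordProtectedKey"},
    "secondFactorCredential": {"Fido2", "Key", "Totp", "PasswordProtectedKey"},
    "recoveryCredential": {"RecoveryKey"},
}
DEPRECATED_KINDS = {"Password", "Totp"}  # schema: "Not supported, will be removed"
SIGNED_INFO = {"credId", "clientData", "attestationData"}
OTHER_INFO = {"Password": {"password"}, "Totp": {"otpCode"}}


def b64url_json(obj):
    """Encode a JSON-serialisable object as unpadded base64url."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def challenge_of(client_data):
    """Read `challenge` from base64url client data (field name is an assumption)."""
    padded = client_data + "=" * (-len(client_data) % 4)
    return json.loads(base64.urlsafe_b64decode(padded)).get("challenge")


def check_registration_body(body, expected_challenge):
    """Return (errors, warnings) for a POST /auth/registration/enduser body."""
    errors, warnings = [], []
    if set(body) - set(ALLOWED_KINDS) - {"wallets"}:
        errors.append("unexpected top-level properties")
    if "firstFactorCredential" not in body:
        errors.append("firstFactorCredential is required")
    if "recoveryCredential" not in body:
        warnings.append("no recoveryCredential: device loss needs manual delegated recovery")
    for slot, allowed in ALLOWED_KINDS.items():
        cred = body.get(slot)
        if cred is None:
            continue
        kind = cred.get("credentialKind") if isinstance(cred, dict) else None
        if kind not in allowed:
            errors.append(f"{slot}: credentialKind {kind!r} is not accepted in this slot")
            continue
        if kind in DEPRECATED_KINDS:
            warnings.append(f"{slot}: {kind} is deprecated and not supported")
        info = cred.get("credentialInfo")
        wanted = OTHER_INFO.get(kind, SIGNED_INFO)
        if (not isinstance(info, dict) or set(info) != wanted
                or not all(isinstance(v, str) and v for v in info.values())):
            errors.append(f"{slot}: credentialInfo needs exactly {sorted(wanted)}")
            continue
        if kind == "PasswordProtectedKey" and not cred.get("encryptedPrivateKey"):
            errors.append(f"{slot}: encryptedPrivateKey is required")
        if wanted is SIGNED_INFO:
            try:
                signed = challenge_of(info["clientData"])
            except (ValueError, AttributeError):
                errors.append(f"{slot}: clientData is not base64url-encoded JSON")
                continue
            if signed != expected_challenge:
                errors.append(f"{slot}: clientData signs a different challenge")
    wallets = body.get("wallets")
    if not isinstance(wallets, list) or not wallets:
        errors.append("wallets must be an array with at least one item")
        wallets = []
    for i, spec in enumerate(wallets):
        # The network enum is long; membership is left to the API to enforce.
        if not isinstance(spec, dict) or not isinstance(spec.get("network"), str):
            errors.append(f"wallets[{i}]: network is required")
        elif set(spec) - {"network", "name"}:
            errors.append(f"wallets[{i}]: only network and name are allowed")
        elif not isinstance(spec.get("name", ""), str) or len(spec.get("name", "")) > 100:
            errors.append(f"wallets[{i}]: name must be a string of at most 100 characters")
    return errors, warnings


def sample_body(recovery_challenge):
    """Constructed request: Key first factor plus RecoveryKey, placeholder values."""
    def info(challenge):
        return {"credId": "Y3JlZC1pZA", "clientData": b64url_json({"challenge": challenge}),
                "attestationData": "cHVibGljLWtleQ"}
    return {
        "firstFactorCredential": {"credentialKind": "Key", "credentialInfo": info("constructed-challenge")},
        "recoveryCredential": {"credentialKind": "RecoveryKey", "credentialInfo": info(recovery_challenge)},
        "wallets": [{"network": "EthereumSepolia", "name": "first wallet"}],
    }


if __name__ == "__main__":
    print(check_registration_body(sample_body("stale-challenge"), "constructed-challenge"))
```

The check does not verify signatures or attestation contents; it only catches malformed bodies and credentials built against a stale challenge before the registration call is made.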