POST /auth/credentials/init
Create Credential Challenge
curl --request POST \
  --url https://api.dfns.io/auth/credentials/init \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '{}'
{
  "kind": "Fido2",
  "user": {
    "id": "<string>",
    "displayName": "<string>",
    "name": "<string>"
  },
  "challengeIdentifier": "<string>",
  "challenge": "<string>",
  "authenticatorSelection": {
    "requireResidentKey": true
  },
  "pubKeyCredParams": [
    {
      "type": "public-key",
      "alg": 123
    }
  ],
  "excludeCredentials": [
    {
      "type": "public-key",
      "id": "cr-6uunn-bm6ja-f6rmod5kqrk5rbel"
    }
  ],
  "temporaryAuthenticationToken": "<string>",
  "rp": {
    "id": "<string>",
    "name": "<string>"
  }
}

Authentication

✅ Organization User (CustomerEmployee)
✅ Delegated User (EndUser)
❌ Personal Access Token not allowed
❌ Service Account

Required Permissions

No permission required.

Authorizations

Authorization
string
header
required

Bearer Token: Used to authenticate API requests. More details on how to generate the token: Authentication flows

Body

application/json
kind
enum<string>
required

The kind of credential.

Available options:
Fido2,
Key,
RecoveryKey,
PasswordProtectedKey

Response

200 - application/json

Success

Fido2 credential, also known as a passkey or WebAuthn credential.

kind
enum<string>
required
Available options:
Fido2
user
object
required
challengeIdentifier
string
required

Challenge identifier to be used in the subsequent create credential request.

challenge
string
required

Challenge value to be signed by the credential.

authenticatorSelection
object
required
attestation
enum<string>
required

Identifies the information needed to verify the user's signing certificate; can be one of the following:

  • none: indicates no attestation data is required
  • indirect: indicates the attestation data should be given, but that it can be generated using an Anonymization CA
  • direct: indicates the attestation data must be given and should be generated by the authenticator
  • enterprise: indicates the attestation data should include information to uniquely identify the user's device
Available options:
none,
indirect,
direct,
enterprise
pubKeyCredParams
object[]
required
excludeCredentials
object[]
required
temporaryAuthenticationToken
string
required

@deprecated: use challengeIdentifier instead.

rp
object
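The response above is the server half of a WebAuthn registration. The following is an added example (not Dfns code or the Dfns SDK) showing how a browser client would validate it and map it onto the PublicKeyCredentialCreationOptions that navigator.credentials.create() expects; it assumes challenge and user.id are opaque strings passed as UTF-8 bytes and that excludeCredentials[].id is base64url, since the page does not state encodings, and the rp id, user and challenge values in the sample are constructed placeholders.

```javascript
// Added example, not Dfns code. Decode base64url (RFC 4648 section 5, unpadded).
function base64urlToBytes(s) {
  if (!/^[A-Za-z0-9_-]*$/.test(s)) throw new TypeError("not base64url: " + s);
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const bin = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

const utf8 = (s) => new TextEncoder().encode(s); // assumption: opaque string -> UTF-8 bytes

// expectedRpId is the domain the page is served from. A challenge whose rp.id does
// not match is not ours to complete, so refuse it instead of letting the browser decide.
function toCreationOptions(resp, expectedRpId) {
  if (resp.kind !== "Fido2") throw new Error("unexpected kind: " + resp.kind);
  if (!resp.rp || resp.rp.id !== expectedRpId) throw new Error("rp.id mismatch");
  if (!resp.pubKeyCredParams.every((p) => p.type === "public-key" && Number.isInteger(p.alg))) {
    throw new Error("malformed pubKeyCredParams");
  }
  return {
    rp: { id: resp.rp.id, name: resp.rp.name },
    user: { id: utf8(resp.user.id), name: resp.user.name, displayName: resp.user.displayName },
    challenge: utf8(resp.challenge),
    pubKeyCredParams: resp.pubKeyCredParams.map(({ type, alg }) => ({ type, alg })),
    // Authenticators already registered for this user: the browser refuses to
    // create a second credential on any of them.
    excludeCredentials: resp.excludeCredentials.map((c) => ({ type: c.type, id: base64urlToBytes(c.id) })),
    authenticatorSelection: resp.authenticatorSelection,
    attestation: resp.attestation ?? "none", // schema field; "none" if absent
  };
}

// Browser-only: create the passkey, then send the result together with
// challengeIdentifier (not the deprecated temporaryAuthenticationToken) to the
// follow-up create-credential request.
async function createPasskey(resp, expectedRpId) {
  const credential = await navigator.credentials.create({ publicKey: toCreationOptions(resp, expectedRpId) });
  return { challengeIdentifier: resp.challengeIdentifier, credential };
}

// Constructed sample shaped like the response documented above; all values are placeholders.
const SAMPLE_RESPONSE = {
  kind: "Fido2",
  user: { id: "us-example", displayName: "Alice", name: "alice@example.com" },
  challengeIdentifier: "ch-example",
  challenge: "abc",
  authenticatorSelection: { requireResidentKey: true },
  pubKeyCredParams: [{ type: "public-key", alg: -7 }], // -7 is COSE ES256
  excludeCredentials: [{ type: "public-key", id: "AQID" }],
  temporaryAuthenticationToken: "deprecated",
  rp: { id: "example.com", name: "Example RP" },
};
```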
Last modified on June 18, 2026