Create Delegated Recovery Challenge

curl --request POST \
  --url https://api.dfns.io/auth/recover/user/delegated \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --header 'X-DFNS-USERACTION: <api-key>' \
  --data '{
  "username": "<string>",
  "credentialId": "<string>"
}'

{
  "user": {
    "id": "<string>",
    "displayName": "<string>",
    "name": "<string>"
  },
  "temporaryAuthenticationToken": "<string>",
  "challenge": "<string>",
  "rp": {
    "id": "<string>",
    "name": "<string>"
  },
  "supportedCredentialKinds": {
    "firstFactor": [
      "Fido2"
    ],
    "secondFactor": [
      "Fido2"
    ]
  },
  "authenticatorSelection": {
    "authenticatorAttachment": "platform",
    "residentKey": "required",
    "requireResidentKey": true,
    "userVerification": "required"
  },
  "attestation": "none",
  "pubKeyCredParams": [
    {
      "type": "public-key",
      "alg": 123
    }
  ],
  "excludeCredentials": [
    {
      "type": "public-key",
      "id": "cr-6uunn-bm6ja-f6rmod5kqrk5rbel"
    }
  ],
  "otpUrl": "<string>",
  "allowedRecoveryCredentials": [
    {
      "id": "<string>",
      "encryptedRecoveryKey": "<string>"
    }
  ]
}

Create Delegated Recovery Challenge

Only a Service Account can use this endpoint.

This endpoint enables setting up a recovery workflow for Delegated Signing. Via this configuration, the end user will not receive an email from Dfns but instead can establish recovery credentials that leverage the customer’s brand for the recovery workflow.

Once the user has been verified by your auth system and this API has been called, you can call Recover User to complete the recovery process.

POST

auth

recover

user

delegated

Create Delegated Recovery Challenge

curl --request POST \
  --url https://api.dfns.io/auth/recover/user/delegated \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --header 'X-DFNS-USERACTION: <api-key>' \
  --data '{
  "username": "<string>",
  "credentialId": "<string>"
}'

{
  "user": {
    "id": "<string>",
    "displayName": "<string>",
    "name": "<string>"
  },
  "temporaryAuthenticationToken": "<string>",
  "challenge": "<string>",
  "rp": {
    "id": "<string>",
    "name": "<string>"
  },
  "supportedCredentialKinds": {
    "firstFactor": [
      "Fido2"
    ],
    "secondFactor": [
      "Fido2"
    ]
  },
  "authenticatorSelection": {
    "authenticatorAttachment": "platform",
    "residentKey": "required",
    "requireResidentKey": true,
    "userVerification": "required"
  },
  "attestation": "none",
  "pubKeyCredParams": [
    {
      "type": "public-key",
      "alg": 123
    }
  ],
  "excludeCredentials": [
    {
      "type": "public-key",
      "id": "cr-6uunn-bm6ja-f6rmod5kqrk5rbel"
    }
  ],
  "otpUrl": "<string>",
  "allowedRecoveryCredentials": [
    {
      "id": "<string>",
      "encryptedRecoveryKey": "<string>"
    }
  ]
}

Authentication

❌ Organization User (CustomerEmployee)
❌ Delegated User (EndUser)
✅ Service Account

Required Permissions

Auth:Recover:Delegated: Always required.

Authorizations

Authorization

string

header

required

Bearer Token: Used to authenticate API requests. More details how to generate the token: Authentication flows

X-DFNS-USERACTION

string

header

required

User Action Signature: Used to sign the change-inducing API requests. More details how to generate the token: User Action Signing flows

Body

application/json

username

string

required

Minimum length: 1

credentialId

string

required

Minimum length: 1

Response

200 - application/json

Success

user

object

required

Show child attributes

temporaryAuthenticationToken

string

required

challenge

string

required

supportedCredentialKinds

object

required

Show child attributes

authenticatorSelection

object

required

Show child attributes

attestation

enum<string>

required

Identifies the information needed to verify the user's signing certificate; can be one of the following:

none: indicates no attestation data is required
indirect: indicates the attestation data should be given, but that it can be generated using an Anonymization CA
direct: indicates the attestation data must be given and should be generated by the authenticator
enterprise: indicates the attestation data should include information to uniquely identify the user's device

Available options:

none,

indirect,

direct,

enterprise

pubKeyCredParams

object[]

required

Show child attributes

excludeCredentials

object[]

required

Show child attributes

otpUrl

string

required

allowedRecoveryCredentials

object[]

required

Show child attributes

object

Show child attributes

Create Recovery Challenge

Recover User

⌘I

API Authorization

Identity & Access Management

Wallets & Transactions

Management

Webhooks

Create Delegated Recovery Challenge

Authentication

Required Permissions

Authorizations

Body

Response

API Authorization

Identity & Access Management

Wallets & Transactions

Management

Webhooks

​Authentication

​Required Permissions

Authorizations

Body

Response

Authentication

Required Permissions