Approval endpoint

Use this endpoint to start an authentication or approval operation.

HTTP request

POST https://{instance}.mauth.nevis.cloud/api/v1/approval

Request body parameters

Parameter	Type	Required/Optional	Description
`username`	string	required if `userIds` is not provided not required for FIDO2 autofill UI and for usernameless authentication with a mobile app	Represents the user that is the subject of this approval operation.
`userId`	UUID	required if `username` is not provided not required for FIDO2 autofill UI and for usernameless authentication with a mobile app	Represents the user that is the subject of this approval operation.
`authenticatorId`	string	optional	ID of the authenticator to which an approval is sent. The default is the `last registered device`. The parameter can be set to `*` to allow any authenticator if channel is set to `app`.
`channel`	enum	required	Represents the authentication channel. You can set it to the following values: `app`, `push`, `sms`, or `fido2`. For authentication with a mobile app, the default value is `push`. Set the parameter to `app` if push is not available or in mobile-only cases.
`prompt`	boolean	optional	Flag to request the user to actively accept or deny the approval. The default value is `false`. Applicable for authentication with a mobile app.
`message`	string	required when the `channel` is `push` or `app`, and `prompt` is set to `true` optional when the `channel` is `sms`	When used with `push` or `app` channel, the `message` is displayed in the mobile app. When used with `sms` channel, the `message` is sent in the SMS. In this case, only GSM-7 character set is supported. The string must contain `{{CODE}}` as a placeholder for the authentication code. The code is generated by Authentication Cloud. Without the `message` parameter, a default message is sent.
`notificationMessage`	string	optional	Notification message that is displayed on the notification drawer or notification center. The `message` is only displayed in the mobile app. The parameter is only applicable on `push` channel.
`fido2Options`	DICT	optional	Provides customization for the FIDO2 authentication parameters.
`fido2Options.userVerification`	enum	optional	Provides customization for the user verification requirements. Provides customization `preferred`, which is the default option, `required`, or `discouraged`. For more information, see UserVerificationRequirement.
`uafOptions`	DICT	optional	Customizes the authentication parameters for FIDO UAF authentication.
`uafOptions.visualChannelLinking`	enum	optional	Set the parameter to `required` to enable number matching for push authentication.

Example HTTP requests

Example requests with a mobile app

QR code
Push
In-app user confirmation
Any authenticator
Usernameless

cURL code sample for approval using QR code or deep link
  curl "https://$instance.mauth.nevis.cloud/api/v1/approval" \
    -XPOST \
    -H "Authorization: Bearer $access_key" \
    -H 'Content-Type: application/json' \
    -d "{ \"channel\":\"app\",
          \"username\":\"$username\" }"

Python 3 code sample for approval using QR code or deep link
  data = { 'channel': 'app', 'username': username }
  resp = requests.post(f'https://{instance}.mauth.nevis.cloud/api/v1/approval',
                       headers = {'authorization': f'Bearer {access_key}'},
                     json = data)
  print(resp.json())

cURL code sample for approval using push with number matching
curl "https://$instance.mauth.nevis.cloud/api/v1/approval" \
  -XPOST \
  -H "Authorization: Bearer $access_key" \
  -H 'Content-Type: application/json' \
  -d "{ \"message\":\"$message\",
        \"channel\":\"push\",
        \"prompt\":\"false\",
        \"uafOptions\": {
          \"visualChannelLinking\":\"required\"
        },
        \"username\": \"$username\" }"

Python code sample for approval using push
  data = { 'channel': 'push', 'username': username,
           'message': message }
  resp = requests.post(f'https://{instance}.mauth.nevis.cloud/api/v1/approval',
                       headers = {'authorization': f'Bearer {access_key}'},
                       json = data)
  print(resp.json())

cURL code sample for in-app user confirmation request
  curl "https://$instance.mauth.nevis.cloud/api/v1/approval" \
    -XPOST \
    -H "Authorization: Bearer $access_key" \
    -H 'Content-Type: application/json' \
    -d "{ \"channel\":\"app\",
          \"prompt\":\"true\",
          \"username\": \"$username\",
          \"message\":\"$message\" }"

Code sample for in-app user confirmation request
  data = { 'channel': 'app', 'prompt': True, 'username': username,
           'message': message }
  resp = requests.post(f'https://{instance}.mauth.nevis.cloud/api/v1/approval',
                       headers = {'authorization': f'Bearer {access_key}'},
                       json = data)
  print(resp.json())

cURL code sample for an approval that allows any authenticator for QR code or deep link
  curl "https://$instance.mauth.nevis.cloud/api/v1/approval" \
    -XPOST \
    -H "Authorization: Bearer $access_key" \
    -H 'Content-Type: application/json' \
    -d "{ \"channel\":\"app\",
          \"username\":\"$username\",
          \"authenticatorId\":\"*\" }"

cURL code sample for usernameless approval request
  curl "https://$instance.mauth.nevis.cloud/api/v1/approval" \
    -XPOST \
    -H "Authorization: Bearer $access_key" \
    -H 'Content-Type: application/json' \
    -d '{ "channel": "app" }'

Example requests with FIDO2

FIDO2
FIDO2 with autofill UI

cURL code sample for approval with custom FIDO2 options
curl "https://$instance.mauth.nevis.cloud/api/v1/approval"  \
  -XPOST \
  -H "Authorization: Bearer $access_key"    \
  -H 'Content-Type: application/json;charset=utf-8'     \
  -d "{ \"username\":\"$username\",
        \"channel\":\"fido2\",
        \"fido2Options\": {
            \"userVerification\":\"required\"
        }
     }"

cURL code sample for approval with autofill UI
curl "https://$instance.mauth.nevis.cloud/api/v1/approval" \
  -XPOST \
  -H "Authorization: Bearer $access_key" \
  -H 'Content-Type: application/json;charset=utf-8' \
  -d '{ "channel": "fido2"}'

Example requests with SMS

cURL code sample for authenticating a transaction with SMS
curl -v -X POST https://$instance.mauth.nevis.cloud/api/v1/approval \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $access_key" \
  -d "{ \"username\":\"$username\",
        \"channel\":\"sms\",
        \"message\":\"SMS Transaction Approval Test, code: {{CODE}}\" }"

HTTP response

Field	Type	Description
`transactionId`	UUID	Unique identifier of this approval operation.
`userId`	UUID	Represents the user that is the subject of this approval operation.
`statusToken`	string	Publishable token that is used to get the status of this approval operation. For more information, see Status endpoint.
`qrCode`	DICT	Contains data of the QR code that is used for this approval operation.
`qrCode.type`	string	The type of the QR code image which is `image/png`.
`qrCode.size`	number	The size of the QR code image in pixels so that it can be displayed correctly.
`qrCode.dataUri`	URI	The PNG image of the QR code to display for the mobile app to scan. The image can be directly displayed with an `<img src="data:image/png..."/>` tag. This field is only applicable to QR codes.
`appLinkUri`	URI	The URI for mobile-only approval operations using deep links. This field is only applicable to QR codes.
`rateLimitInfo`	DICT	Contains data about the number of push notifications sent within a time frame. This field is only present if push rate limiting is enabled for your instance.
`rateLimitInfo.push`	DICT	Contains the number of push notifications sent and the time frame for the rate limiting.
`rateLimitInfo.push.sent`	string	The number of push notifications sent in a set `timeframe`.
`rateLimitInfo.push.timeframe`	ISO 8601 duration	The time frame in which the number of `sent` push notifications are counted. The time frame is relative to the current time.
`uafData`	DICT	Contains data related to UAF authentication.
`uafData.visualLinkingContent`	string	Randomly generated two-digit number (`01`-`99`) that is displayed on your front end. The two-digit code is used for number matching at push authentication. After the code is displayed, the user can enter it into a mobile app.
`credentialRequestOptions`	DICT	Contains options required to authenticate with the WebAuthn credential. Applicable for FIDO2. For more information, see PublicKeyCredentialRequestOptions.
`credentialRequestOptions.allowCredentials`	array	Contains a list of PublicKeyCredentialDescriptor objects representing public key credentials used for authentication. Applicable for FIDO2.
`credentialRequestOptions.allowCredentials.id`	string	Contains the Base64-URL-encoded credential identifier of the public key credential. Applicable for FIDO2.
`credentialRequestOptions.allowCredentials.type`	string	Contains the type of the public key credential. Applicable for FIDO2.
`credentialRequestOptions.challenge`	string	Contains the Base64-URL-encoded challenge that the selected authenticator must sign when producing an authentication assertion. Applicable for FIDO2.
`credentialRequestOptions.rpId`	string	Identifier of the relying party. Applicable for FIDO2.
`credentialRequestOptions.timeout`	long	Defines in milliseconds how much time the call has to complete. Applicable for FIDO2.
`credentialRequestOptions.userVerification`	enum	Describes the requirements for user verification for authentication. Applicable for FIDO2.

Example HTTP response

QR code or deep link
Push
Push
FIDO2
SMS

201 Created: Approval with QR Code or deep link

{
  "transactionId": "9ede8ca8-bb5f-47f1-9d3e-f14500a3cab6",
  "userId": "7e16ba00-92e2-4fcb-b30e-1af8fdc843aa",
  "statusToken": "eyJhb...lc3g",
  "qrCode": {
    "type": "image/png",
    "size": 300,
    "dataUri": "data:image/png;base64,iVBORw0...U5ErkJggg"
  },
  "appLinkUri": "https://{instance}-app.mauth.nevis.cloud/open?dispatchTokenResponse=eyJub...AQIn3"
}

201 Created: Approval using push with number matching

{
  "transactionId": "d0fbe420-90c2-43f4-8fdc-b442f63a087d",
  "userId": "7e16ba00-92e2-4fcb-b30e-1af8fdc843aa",
  "statusToken": "eyJh...gS7w",
  "uafData": {
    "visualLinkingContent": "28"
  }
}

201 Created: Approval using push with number matching and push rate limiting

{
  "transactionId": "d0fbe420-90c2-43f4-8fdc-b442f63a087d",
  "userId": "7e16ba00-92e2-4fcb-b30e-1af8fdc843aa",
  "statusToken": "eyJh...gS7w",
  "rateLimitInfo": {
    "push": {
      "sent": "8",
      "timeframe": "PT24H"
    }
   },
  "uafData": {
    "visualLinkingContent": "28"
  }
}

201 Created: Approval using a FIDO2 device

{
  "statusToken": "eyJ...iJ9.ey...fVag0LMfTMX5kQ",
  "transactionId": "8b2373-...-9698e35e",
  "userId": "d517-...-7cb4521b3",
  "credentialRequestOptions": {
    "allowCredentials": [
      {
        "id": "hZAe...aNBS7rX8jBY",
        "type": "public-key"
      }
    ],
    "challenge": "2LpI-1C...drA",
    "rpId": "nevis-latest-dev-cbbc98.mauth.nevis.cloud",
    "timeout": 60000,
    "userVerification": "required"
  }
}

201 Created: Approval using SMS

{
  "statusToken": "eyJhbGciOiJIUzUxMiJ9.eyJhd...hInHRfSw",
  "transactionId": "d9db4760-...-5cbe533389e3",
  "userId": "7a342fb4-...-bb837ed32d9d"
}

Approval endpoint

HTTP request​

Request body parameters​

Example HTTP requests​

Example requests with a mobile app​

Example requests with FIDO2​

Example requests with SMS​

HTTP response​

Example HTTP response​