Registration endpoint

This endpoint initiates the registration flow, which creates a new authenticator, and if the user does not exists yet, a new user as well.

HTTP request

POST https://{instance}.mauth.nevis.cloud/api/v1/users/enroll

Request body parameters

Parameter	Type	Required/Optional	Description
username	string	required if userId is not provided, or if channel is set to fido2	External static identifier to link a user to your systems. The parameter can only contain a-z, A-Z, 0-9, _-.@, and is limited to a maximum of 300 characters.
userId	UUID	required if username is not provided	Represents the user that is the subject of this registration operation.
channel	string	required if the channel is not app	Represents the authentication channel. You can set it to the following values: app, push, sms, fido2, or recovery. If the parameter is omitted, it defaults to app.
message	string	optional	A message of your choice sent in the SMS. Only GSM-7 character set is supported. The string must contain {{CODE}} as a placeholder for the authentication code. The code is generated by Authentication Cloud. Without the message parameter, a default message is sent. This parameter is only applicable when the channel is sms.
phone	string	required if channel is set to sms	The phone number that the message is sent to. The number must conform to the international format: [+][country code][area code][local phone number].
displayName	string	required if the channel is fido2	The human-readable name of the user. The length is limited to 64 bytes.
fido2Options	DICT	optional	Provides customization for the FIDO2 registration parameters.
fido2Options.authenticatorSelection	DICT	optional	Restricts the authenticators for registration. For more information, see Authenticator Selection Criteria.
fido2Options.authenticatorSelection.userVerification	enum	optional	Provides customization for the user verification requirements. The parameter values can be preferred, which is the default option, required, or discouraged. For more information, see the UserVerificationRequirement.
fido2Options.authenticatorSelection.authenticatorAttachment	enum	optional	Restricts authenticators based on their attachment modality. The parameter values can be platform or cross-platform. For more information, see Authenticator Attachment.
fido2Options.authenticatorSelection.requireResidentKey	boolean	optional	Provides backwards compatibility with WebAuthn Level 1. The parameter values can be true or false. For more information, see requireResidentKey in Authenticator Selection Criteria.
fido2Options.authenticatorSelection.residentKey	enum	optional	Specifies if client-side discoverable credential is to be created. The parameter values can be required, preferred, or the default discouraged. To enable autofill UI for passkeys, use the required value. For more information, see Resident Key Requirement Enumeration.
fido2Options.attestation	enum	optional	Specifies preference regarding attestation conveyance. The parameter values can be none, which is the default option, direct, or indirect. For more information, see Attestation Conveyance Preference Enumeration.

Example HTTP requests

Mobile app

cURL code sample to register a user with a username for two-way linking

curl "https://$instance.mauth.nevis.cloud/api/v1/users/enroll" \
  -XPOST \
  -H "Authorization: Bearer $access_key" \
  -H 'Content-Type: application/json' \
  -d "{ \"username\":\"$username\" }"

FIDO2

cURL code sample to register an authenticator using custom FIDO2 options

curl "https://$instance.mauth.nevis.cloud/api/v1/users/enroll" \
  -XPOST \
  -H "Authorization: Bearer $access_key"  \
  -H 'Content-Type: application/json;charset=utf-8'   \
  -d "{ \"username\":\"$username\",
        \"channel\":\"fido2\",
        \"displayName\":\"$displayName\",
        \"fido2Options\": {
            \"authenticatorSelection\": {
                \"userVerification\":\"required\",
                \"authenticatorAttachment\":\"platform\",
                \"requireResidentKey\":false,
                \"residentKey\":\"discouraged\"
            },
            \"attestation\":\"none\"
        }
      }"

Phone number

cURL code sample for requesting an SMS code for phone number registration

curl -X POST https://$instance.mauth.nevis.cloud/api/v1/users/enroll \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $access_key" \
  -d "{ \"username\":\"$username\",
        \"channel\":\"sms\",
        \"message\":\"SMS Registration Test, code: {{CODE}}\",
        \"phone\":\"$phone\"
      }"

Recovery codes

cURL code sample requesting recovery codes for registration

curl -v -X POST https://$instance.mauth.nevis.cloud/api/v1/users/enroll \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $access_key" \
  -d "{ \"username\":\"$recovery_username\",
        \"channel\":\"recovery\"
      }"

HTTP response

Field	Type	Description
userId	UUID	Unique identifier of the user.
username	string	The internal customer ID or unique identifier to link a user to your internal systems. This field can be null.
status	enum	The current status of the user, either new: The user has no confirmed authenticator yet; or active: The user has registered at least one authenticator and is able to log in.
createdAt	string	The date when the authenticator was registered.
updatedAt	string	The date when the authenticator was last updated.
authenticators	array	List of the already registered authenticators.
enrollment	DICT	Contains data of the registration.
enrollment.transactionId	UUID	Unique identifier of this registration operation.
enrollment.statusToken	string	Publishable token that can be used to get the status of this registration operation. For more information, see Status endpoint.
enrollment.qrCode	DICT	Contains data of the QR code that is used for this registration operation.
enrollment.qrCode.type	string	The type of the QR code image which is image/png.
enrollment.qrCode.size	number	The size of the QR code image in pixels so that it can be displayed correctly.
enrollment.qrCode.dataUri	URI	The PNG image of the QR code to display for the mobile app to scan. The image can be directly displayed with an <img src="data:image/png..."> tag.
enrollment.appLinkUri	URI	The URI for mobile-only registration using deep links.
credentialCreationOptions	DICT	The PublicKeyCredentialCreationOptions object, which contains options required to create a WebAuthn credential.
credentialCreationOptions.attestation	string	Used by the relying party to express preference for attestation conveyance.
credentialCreationOptions.authenticatorSelection	DICT	Used by the relying party to select an appropriate authenticator.
credentialCreationOptions.authenticatorSelection.authenticatorAttachment	string	Describes the attachment modalities of the authenticators. The value of the field can be platform or cross-platform.
credentialCreationOptions.authenticatorSelection.requireResidentKey	boolean	In the WebAuthn specification Level 1, the field describes the requirements of the relying party regarding resident credentials. Retained for backwards compatibility.
credentialCreationOptions.authenticatorSelection.residentKey	string	Specifies the extent to which the relying party desires to create a client-side discoverable credential.
credentialCreationOptions.authenticatorSelection.userVerification	string	Describes the requirements for user verification for authentication. Applicable for FIDO2.
credentialCreationOptions.challenge	string	Contains the Base64-URL-encoded challenge for generating the attestation credentials.
credentialCreationOptions.excludeCredentials	array	Indicates whether the creation of multiple credentials for the account on a single authenticator is limited. By default, this field is empty.
credentialCreationOptions.pubKeyCredParams	array	Contains information about the desired properties of the credential to be created.
credentialCreationOptions.rp	DICT	Describes the relying party responsible for the request.
credentialCreationOptions.timeout	long	Defines in milliseconds how much time the call has to complete.
credentialCreationOptions.user	DICT	Stores data about the user account for which the relying party requests attestation.
enrollment.recoveryCodes	array	Array of the 16, newly registered recovery codes.
phones	array	List of the already registered phone numbers.
recoveryCodes	DICT	Contains information about the already registered recovery codes.

Example HTTP response

Mobile app

201 Created: Register a mobile app

JSON code sample of a mobile app registration

{
  "userId": "7e16ba00-92e2-4fcb-b30e-1af8fdc843aa",
  "username": "u12345",
  "status": "new",
  "createdAt": "2020-10-09T12:13:11.845958Z",
  "updatedAt": "2020-10-09T12:13:11.845958Z",
  "authenticators": [],
  "enrollment": {
    "transactionId": "67cae36e-e3d5-4d67-9aa6-ab7ae3050576",
    "statusToken": "eyJhbGciO...PxOZZYow",
    "qrCode": {
      "type": "image/png",
      "size": 300,
      "dataUri": "data:image/png;base64,iVBO...YII"
    },
    "appLinkUri": "https://{instance}.mauth.nevis.cloud/open?dispatchTokenResponse=eyJub...IxIn0"
  }
}

FIDO2

201 Created: Register FIDO2 device

JSON code sample of a FIDO2 device registration

{
  "authenticators": [],
  "createdAt": "2022-03-04T11:04:51.523566769Z",
  "enrollment": {
      "credentialCreationOptions": {
          "attestation": "none",
          "authenticatorSelection": {
              "authenticatorAttachment": "platform",
              "requireResidentKey": false,
              "residentKey": "discouraged",
              "userVerification": "required"
          },
          "challenge": "h6U-j...PUrw",
          "excludeCredentials": [],
          "pubKeyCredParams": [
              {
                  "alg": -65535,
                  "type": "public-key"
              },
              ...
              {
                  "alg": -36,
                  "type": "public-key"
              }
          ],
          "rp": {
              "id": "your-nevis-dev.mauth.nevis.cloud",
              "name": "NEVIS Authentication Cloud: your-nevis-dev"
          },
          "timeout": 60000,
          "user": {
              "displayName": "John Doe",
              "id": "ZmY0Mj...1YTky",
              "name": "u_12654"
          }
      },
      "statusToken": "eyJh...9.eyJh...ZQI-MuCQ",
      "transactionId": "e7bf20-...-56b6683"
  },
  "phones": [],
  "recoveryCodes": null,
  "status": "new",
  "updatedAt": "2022-03-04T11:04:51.523567669Z",
  "userId": "ff4-a...d5a92",
  "username": "u_12654"
}

Phone number

201 Created: Register phone number

JSON code sample of phone number registration

{
  "authenticators": [],
  "createdAt": "2021-06-28T11:53:33.312492Z",
  "enrollment": {
      "statusToken": "eyJhbGciiJ9.ey..._ZQ6D8tw",
      "transactionId": "4bb078e1-...-20ee97eaca2d"},
  "phones": [],
  "recoveryCodes": null,
  "status": "new",
  "updatedAt": "2021-06-28T11:53:33.312493Z",
  "userId": "02c14dba-bdb2-...-9474c59a40d1",
  "username": "TestUser"
}

Recovery codes

201 Created: Request recovery codes

A set of sixteen recovery codes is returned as part of the registration data. Each code can be used only once. If a new batch is requested, all previous codes become invalid.

JSON code sample of requested recovery codes

{
  "authenticators": [],
  "createdAt": "2021-07-05T07:57:12.184902Z",
  "enrollment": {
      "recoveryCodes": [
          "3YL2-...-PnZh",
          "4B90-...-fgF2",
          ...
          "YTbB-...-lCI0"
      ],
      "transactionId": "bec412cc-...-d2cb24bac64b"
  },
  "phones": [],
  "recoveryCodes": null,
  "status": "new",
  "updatedAt": "2021-07-05T07:57:12.184904Z",
  "userId": "2eda9f3c-...-a897e3bf0b7c",
  "username": "testUser20210702C"
}