Request recovery codes
Providing recovery codes for your users enables a fallback authentication method in case they lose or damage their mobile phone. Recovery codes are sets of static 16-digit, alphanumeric, case-sensitive codes. Each can be used once for emergency authentication.
The following diagram shows the end-to-end sequence of an operation to request recovery codes. The steps that must be performed to integrate the Authentication Cloud into your application are in bold.
Send an HTTP request to the registration endpoint
For detailed information on the HTTP request parameters and response fields, see the Registration endpoint page of the API reference documentation.
Send the POST https://{instance}.mauth.nevis.cloud/api/v1/users/enroll
call with your instance
ID, and configure the HTTP request as follows:
- Send your access key or intent token in the Authorization Bearer token header. For more information on the intent token, see Intent endpoint.
- Set the
channel
parameter torecovery
. - Set the
username
andrecovery_username
parameters. Both are the username of the user who requires emergency authentication.Use unique static information for the
username
parameter. To link a user to your internal systems, you might use, for example, an internal customer ID or employee ID, and provide that as ausername
in the user registration request. It is important to use information that does not change over the life cycle of a user.Do not use a username with any Personally Identifiable Information (PII). For example, an email address is not recommended because it is not only PII data, but it also might change over the lifecycle of a user.
Preventing User ImpersonationTo prevent impersonation, ensure you only link users to your backend records after strongly authenticating them first.
HTTP request example
curl -v -X POST https://$instance.mauth.nevis.cloud/api/v1/users/enroll \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $access_key" \
-d "{ \"username\":\"$recovery_username\",
\"channel\":\"recovery\"
}"
HTTP response example
A set of sixteen recovery codes is returned as part of the registration data. Each code can be used only once. If a new batch is requested, all previous codes become invalid.
{
"authenticators": [],
"createdAt": "2021-07-05T07:57:12.184902Z",
"enrollment": {
"recoveryCodes": [
"3YL2-...-PnZh",
"4B90-...-fgF2",
...
"YTbB-...-lCI0"
],
"transactionId": "bec412cc-...-d2cb24bac64b"
},
"phones": [],
"recoveryCodes": null,
"status": "new",
"updatedAt": "2021-07-05T07:57:12.184904Z",
"userId": "2eda9f3c-...-a897e3bf0b7c",
"username": "testUser20210702C"
}
Display recovery codes
The recovery codes are returned in the registration response in the enrollment.recoveryCodes
field. Once received, ensure that you display the recovery codes on your frontend, and notify the user to save the codes. The user will not be able to see the codes later.