Register the device
On your server backend, start the registration with the following:
- A username that uniquely identifies the user.
- A displayName that is a human-readable name for the user.
The following code example has two variables that you need to substitute with values from your own Authentication Cloud instance:
- ACCESS_KEY is the server-side Access Key that you generated in your Authentication Cloud management console. Keep it on the backend; it must never be sent to the browser.
- APIBASE is the URL domain of your Authentication Cloud instance.
Running the following curl call starts the authenticator registration.
curl -XPOST \
-H "Authorization: Bearer $ACCESS_KEY" \
-H 'Content-Type: application/json;charset=utf-8' \
-d '{ "username": "u_1654", "channel": "fido2", "displayName": "John Doe" }' \
${APIBASE}/users/enroll | python -m json.tool
Example FIDO2 registration response:
{
"userId": "31567ae2-2fb1-466e-84af-4dafa8f9ca78",
"username": "u_1654",
"status": "new",
"createdAt": "2021-09-06T13:06:33.773981Z",
"updatedAt": "2021-09-06T13:06:33.773992Z",
"authenticators": [],
"phones": [],
"recoveryCodes": null,
"enrollment": {
"transactionId": "ac46d9aa-9ae1-4d96-88c5-625fbf1fce76",
"statusToken": "eyJhbG...iJ9.eyJh...fQ.tcv...1jRRw",
"credentialCreationOptions": {
"relyingParty": {
"id": "example.com",
"name": "Example Customer Portal"
},
"user": {
"id": "MzE1NjdhZTItMmZiMS00NjZlLTg0YWYtNGRhZmE4ZjljYTc4",
"displayName": "John Doe",
"name": "31567ae2-2fb1-466e-84af-4dafa8f9ca78"
},
"challenge": "GVeXqotfQOWSaaWZuWj94Q",
"pubKeyCredParams": [
{
"alg": -7,
"type": "public-key"
}
],
"timeout": 10000,
"authenticatorSelection": {
"requireResidentKey": true,
"authenticatorAttachment": "platform",
"userVerification": "preferred"
},
"attestation": "direct"
}
}
}
The response contains the statusToken and the credentialCreationOptions, which the Web Authentication API needs to create a new credential.
To continue registering the new FIDO2 authenticator, forward the following attributes from the response to the frontend, where you invoke a function in the fido2-client.js script with them:
- credentialCreationOptions
- statusToken
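The backend half of the flow above, as an added example that is not part of the Authentication Cloud documentation or of fido2-client.js: it builds the enroll request, calls the endpoint with the Access Key read from the environment, and hands the frontend only statusToken and credentialCreationOptions after checking that the relying party id is the expected one and that user.id is the base64url encoding of userId. It assumes Node.js 18 or later (global fetch and Buffer); EXPECTED_RP_ID and the abbreviated sample response are constructed from the values shown on this page.

```javascript
// Added example; not code from the Authentication Cloud documentation or fido2-client.js.
// Assumes Node.js 18+ (global fetch, Buffer). EXPECTED_RP_ID is a constructed value
// that must match the relying party configured for your instance.
const EXPECTED_RP_ID = "example.com";

// Request body for POST ${APIBASE}/users/enroll, as sent by the curl call above.
function buildEnrollRequest(username, displayName) {
  if (typeof username !== "string" || username.length === 0) {
    throw new TypeError("username is required and must uniquely identify the user");
  }
  return { username, channel: "fido2", displayName };
}

// Decodes an unpadded base64url string (the encoding used for challenge and user.id) to bytes.
function base64UrlToBytes(value) {
  const base64 = value.replace(/-/g, "+").replace(/_/g, "/");
  const padded = base64 + "=".repeat((4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, "base64");
}

// Picks out exactly what the frontend needs and validates the options before forwarding.
// The full response (and the Access Key) stays on the backend.
function selectFrontendPayload(enrollResponse) {
  const enrollment = enrollResponse && enrollResponse.enrollment;
  if (!enrollment || !enrollment.statusToken || !enrollment.credentialCreationOptions) {
    throw new Error("enroll response lacks enrollment.statusToken or credentialCreationOptions");
  }
  const options = enrollment.credentialCreationOptions;
  if (!options.relyingParty || options.relyingParty.id !== EXPECTED_RP_ID) {
    throw new Error("unexpected relying party id in credentialCreationOptions");
  }
  // user.id carries the userId as base64url; refuse to forward if the two disagree.
  const decodedUserId = base64UrlToBytes(options.user.id).toString("utf8");
  if (decodedUserId !== enrollResponse.userId) {
    throw new Error("credentialCreationOptions.user.id does not match userId");
  }
  return { statusToken: enrollment.statusToken, credentialCreationOptions: options };
}

// Starts the registration on the backend. ACCESS_KEY and APIBASE come from the environment.
async function startRegistration(username, displayName) {
  const response = await fetch(`${process.env.APIBASE}/users/enroll`, {
    method: "POST",
    headers: {
      Authorization: `Bearer ${process.env.ACCESS_KEY}`,
      "Content-Type": "application/json;charset=utf-8",
    },
    body: JSON.stringify(buildEnrollRequest(username, displayName)),
  });
  if (!response.ok) throw new Error(`enroll failed with HTTP ${response.status}`);
  return selectFrontendPayload(await response.json());
}

// Constructed sample, abbreviated from the example response on this page.
const SAMPLE_ENROLL_RESPONSE = {
  userId: "31567ae2-2fb1-466e-84af-4dafa8f9ca78",
  username: "u_1654",
  status: "new",
  enrollment: {
    transactionId: "ac46d9aa-9ae1-4d96-88c5-625fbf1fce76",
    statusToken: "eyJhbG...iJ9.eyJh...fQ.tcv...1jRRw",
    credentialCreationOptions: {
      relyingParty: { id: "example.com", name: "Example Customer Portal" },
      user: {
        id: "MzE1NjdhZTItMmZiMS00NjZlLTg0YWYtNGRhZmE4ZjljYTc4",
        displayName: "John Doe",
        name: "31567ae2-2fb1-466e-84af-4dafa8f9ca78",
      },
      challenge: "GVeXqotfQOWSaaWZuWj94Q",
      pubKeyCredParams: [{ alg: -7, type: "public-key" }],
      timeout: 10000,
      authenticatorSelection: {
        requireResidentKey: true,
        authenticatorAttachment: "platform",
        userVerification: "preferred",
      },
      attestation: "direct",
    },
  },
};

// Stand-alone run: validate the sample without touching the network.
console.log(JSON.stringify(selectFrontendPayload(SAMPLE_ENROLL_RESPONSE), null, 2));
```

In a real deployment `startRegistration` sits behind an authenticated route of your own backend, so the browser only ever sees the two forwarded attributes; the relying party check catches a misconfigured instance before the browser is asked to create a credential bound to the wrong origin.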