Cancel Service
This chapter describes the FIDO2 Cancel Service. The Cancel Service is not a standard FIDO2 / WebAuthn / Conformance API service but a proprietary nevisFIDO functionality. It allows cancelling a registration or authentication ceremony that has been initiated but not yet completed by the client. The ceremony is identified by its FIDO2 session ID.
FIDO2 and FIDO UAF sessions are completely independent and share no relation.
The Cancel Service endpoint is unauthenticated by default. Secure this endpoint at the network or proxy layer (for example, by restricting access to trusted internal callers) before enabling it in production.
The Cancel Service is disabled by default. Enable it by setting fido2.cancel.enabled: true in nevisfido.yml. See FIDO2 Configuration for details.
Base URL
All URLs referenced in this chapter have the following base:
https://fido.siven.ch/nevisfido/fido2/cancel
HTTP Methods
POST is the only supported HTTP method.
Request Headers
The following request headers are mandatory:
| Header | Value |
|---|---|
| Content-Type | application/json;charset=UTF-8 |
| Accept | application/json |
Request Body
The Cancel Service requires a JSON payload identifying the ceremony to cancel:
| Field | Type | Description |
|---|---|---|
| fido2SessionId | string | The FIDO2 session ID of the ongoing ceremony. |
Example:
{
"fido2SessionId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}
Response Body
The Cancel Service returns a JSON payload with the following fields:
| Field | Type | Description |
|---|---|---|
| status | string | The resulting status of the session. See the Status values section below. |
| timestamp | string (ISO 8601) | The timestamp at which the session reached its current status. Absent when status is unknown. |
Status values
| Value | Description |
|---|---|
| cancelled | The ceremony was successfully cancelled by this request. |
| unknown | The provided session ID is not known to nevisFIDO. This occurs when the session ID does not correspond to any active session, or when nevisFIDO has already purged the session information. |
| succeeded | The ceremony has already succeeded. Returned with HTTP 409. |
| failed | The ceremony has already failed. Returned with HTTP 409. |
| cancelled (409) | The ceremony was already cancelled by a previous request. Returned with HTTP 409. |
Example Request (Cancel)
POST /nevisfido/fido2/cancel HTTP/1.1
Host: fido.siven.ch
Content-Type: application/json;charset=UTF-8
Accept: application/json
{
"fido2SessionId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}
Example Response (Cancelled)
HTTP/1.1 200 OK
Content-Type: application/json
{
"status": "cancelled",
"timestamp": "2026-04-09T10:15:30Z"
}
Example Response (Already in Terminal State — ceremony had already succeeded)
When the ceremony has already finished before the cancel request arrives, nevisFIDO returns HTTP 409 with the current terminal status. The example below shows a ceremony that completed successfully:
HTTP/1.1 409 Conflict
Content-Type: application/json
{
"status": "succeeded",
"timestamp": "2026-04-09T10:14:55Z"
}
Example Response (Unknown Session)
HTTP/1.1 200 OK
Content-Type: application/json
{
"status": "unknown"
}
HTTP Status Codes
| HTTP Code | Description |
|---|---|
| 200 | OK — The server processed the request. The ceremony was cancelled (status: cancelled) or was already unknown (status: unknown). |
| 400 | Bad Request — The provided JSON payload does not match the defined structure. |
| 405 | Method Not Allowed — The method of the received request was not POST. |
| 406 | Not Acceptable — The Accept header is not properly set to application/json. |
| 409 | Conflict — The ceremony identified by the session ID is already in a terminal state (succeeded, failed, or already cancelled). The current status is returned in the response body. |
| 415 | Unsupported Media Type — The Content-Type header is not properly set to application/json;charset=UTF-8. |
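The following caller-side sketch is an added example, not nevisFIDO code. It builds the cancel request with the mandatory headers and interprets the HTTP code together with the status field, so that a 409 (ceremony already finished, possibly succeeded) is never mistaken for a cancellation made by this request. The names `build_cancel_request`, `interpret_cancel_response` and `CancelOutcome` are hypothetical, and the sample responses in the comments are the ones shown in this chapter.

```python
import json
from datetime import datetime
from typing import NamedTuple, Optional

CANCEL_URL = "https://fido.siven.ch/nevisfido/fido2/cancel"  # base URL from this chapter
# Codes that mean the request itself was malformed (see HTTP Status Codes).
REQUEST_ERRORS = {400: "payload does not match the defined structure",
                  405: "method was not POST",
                  406: "Accept header is not application/json",
                  415: "Content-Type is not application/json;charset=UTF-8"}
# Status values that may legitimately accompany each success/conflict code.
ALLOWED_STATUS = {200: {"cancelled", "unknown"},
                  409: {"succeeded", "failed", "cancelled"}}

class CancelOutcome(NamedTuple):  # hypothetical result type for this example
    status: str
    cancelled_by_this_request: bool
    timestamp: Optional[datetime]

def build_cancel_request(fido2_session_id: str):
    """Return (url, headers, body) for a POST carrying both mandatory headers."""
    headers = {"Content-Type": "application/json;charset=UTF-8",
               "Accept": "application/json"}
    body = json.dumps({"fido2SessionId": fido2_session_id}).encode("utf-8")
    return CANCEL_URL, headers, body

def interpret_cancel_response(http_code: int, body: str) -> CancelOutcome:
    """Map HTTP code plus JSON body to an outcome; reject inconsistent pairs."""
    if http_code in REQUEST_ERRORS:
        raise ValueError(f"HTTP {http_code}: {REQUEST_ERRORS[http_code]}")
    if http_code not in ALLOWED_STATUS:
        raise ValueError(f"unexpected HTTP code {http_code}")
    payload = json.loads(body)
    status = payload.get("status")
    if status not in ALLOWED_STATUS[http_code]:
        raise ValueError(f"status {status!r} is not valid with HTTP {http_code}")
    raw = payload.get("timestamp")  # absent when status is "unknown"
    ts = datetime.fromisoformat(raw.replace("Z", "+00:00")) if raw else None
    # Only 200 + "cancelled" means this request stopped the ceremony.
    # 409 + "succeeded" means the ceremony completed before the cancel arrived.
    return CancelOutcome(status, http_code == 200 and status == "cancelled", ts)
```

Pass the returned URL, headers and body to the HTTP client of your choice, then hand the response code and body text to `interpret_cancel_response`.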