Version: 8.2511.x.x RR

Cancel Service

This chapter describes the Cancel Service. The Cancel Service is not a standard FIDO service but a proprietary nevisFIDO functionality. It allows cancelling a registration or authentication operation that has been initiated but not yet completed by the mobile client. The operation is identified by its session ID.

Security notice

The Cancel Service endpoint is unauthenticated by default, and the session ID in the request body is the only thing that identifies the operation. Any caller that can reach the endpoint and obtains a session ID can therefore abort that user's registration or authentication. Secure this endpoint at the network or proxy layer (for example, by restricting access to trusted internal callers) before enabling it in production.

info

The Cancel Service is disabled by default. Enable it by setting fido-uaf.cancel.enabled: true in nevisfido.yml. See FIDO UAF Configuration for details.

Base URL

All URLs referenced in this chapter have the following base:

https://fido.siven.ch/nevisfido/cancel

The path can be overridden via the fido-uaf.endpoints.cancel configuration property.

HTTP Methods

POST is the only supported HTTP method.

Request Headers

The following request headers are mandatory:

Header          Value
Content-Type    application/json;charset=UTF-8
Accept          application/json

Request Body

The Cancel Service requires a JSON payload identifying the session to cancel:

Field       Type      Description
sessionId   string    The session ID of the ongoing UAF operation.

Example:

{
"sessionId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}

Response Body

The Cancel Service returns a JSON payload with the following fields:

Field       Type                 Description
status      string               The resulting status of the session. See the Status values section below.
timestamp   string (ISO 8601)    The timestamp at which the session reached its current status. Absent when status is unknown.

Status values

Value (HTTP code)    Description
cancelled (200)      The operation was successfully cancelled by this request.
unknown (200)        The provided session ID is not known to nevisFIDO. This occurs when the session ID does not correspond to any active session, or when nevisFIDO has already purged the session information.
succeeded (409)      The operation had already succeeded before the cancel request arrived.
failed (409)         The operation had already failed. This also covers a token session that timed out before the client redeemed it.
cancelled (409)      The operation was already cancelled by a previous request.

Example Request (Cancel)

POST /nevisfido/cancel HTTP/1.1
Host: fido.siven.ch
Content-Type: application/json;charset=UTF-8
Accept: application/json

{
"sessionId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}

Example Response (Cancelled)

HTTP/1.1 200 OK
Content-Type: application/json

{
"status": "cancelled",
"timestamp": "2026-04-09T10:15:30Z"
}

Example Response (Already in Terminal State: Session Had Already Succeeded)

When the operation has already finished before the cancel request arrives, nevisFIDO returns HTTP 409 with the current terminal status. The example below shows a session that completed successfully:

HTTP/1.1 409 Conflict
Content-Type: application/json

{
"status": "succeeded",
"timestamp": "2026-04-09T10:14:55Z"
}

Example Response (Unknown Session)

HTTP/1.1 200 OK
Content-Type: application/json

{
"status": "unknown"
}

Effect on the FIDO UAF Client

Cancelling a session is a server-side state change only; nevisFIDO does not notify the mobile client. If the mobile client has already started the authorization gesture and subsequently sends a RegistrationResponse or AuthenticationResponse to nevisFIDO for the cancelled session, nevisFIDO rejects it with UAF status code 1404 ("Not Found"). See UAF Status Codes for the full list.

HTTP Status Codes

HTTP Code   Description
200         OK. The server processed the request: the operation was cancelled (status: cancelled) or the session is not known to nevisFIDO (status: unknown).
400         Bad Request. The provided JSON payload does not match the defined structure.
405         Method Not Allowed. The method of the received request was not POST.
406         Not Acceptable. The Accept header is not set to application/json.
409         Conflict. The operation identified by the session ID is already in a terminal state (succeeded, failed, or already cancelled). The current status is returned in the response body.
415         Unsupported Media Type. The Content-Type header is not set to application/json;charset=UTF-8.
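The following client helper is an added example and not nevisFIDO's own code. It sends the request described above from a trusted internal caller and maps every documented answer (200 with cancelled or unknown, 409 with a terminal status, and the 400/405/406/415 framing errors) onto a single result type, distinguishing "this request cancelled the session" from "it was already cancelled". The function and type names (cancel_session, CancelOutcome, http_transport, fake_transport), the injectable transport, and the sample answers in SAMPLE_ANSWERS are assumptions made for this example; the URL, headers, payload and status semantics are those of the page. The fake transport is a constructed offline stand-in so the block runs without a nevisFIDO instance.

```python
"""Client-side handling for the nevisFIDO Cancel Service.

Added example, not nevisFIDO code. cancel_session, CancelOutcome, the
injectable transport and the sample answers are assumptions made here; the
URL, headers, payload and status semantics follow the documentation.
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib import error, request

CANCEL_URL = "https://fido.siven.ch/nevisfido/cancel"
MANDATORY_HEADERS = {
    "Content-Type": "application/json;charset=UTF-8",
    "Accept": "application/json",
}

# A transport takes (url, headers, body) and returns (http_status, raw_body).
Transport = Callable[[str, Dict[str, str], bytes], Tuple[int, bytes]]


@dataclass(frozen=True)
class CancelOutcome:
    http_status: int
    status: str                # cancelled, unknown, succeeded or failed
    timestamp: Optional[str]   # ISO 8601; None when status is unknown
    cancelled_now: bool        # True only if this request did the cancelling


def http_transport(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    """Real transport for a live nevisFIDO. 4xx answers still carry the JSON body."""
    req = request.Request(url, data=body, headers=headers, method="POST")
    try:
        with request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except error.HTTPError as exc:
        return exc.code, exc.read()


def cancel_session(session_id: str, transport: Transport = http_transport,
                   url: str = CANCEL_URL) -> CancelOutcome:
    """POST {"sessionId": ...} and map the answer onto a CancelOutcome."""
    # The server only validates JSON structure (400); a blank ID would merely
    # come back as "unknown", so reject it locally to keep callers honest.
    if not isinstance(session_id, str) or not session_id.strip():
        raise ValueError("sessionId must be a non-empty string")
    body = json.dumps({"sessionId": session_id}).encode("utf-8")
    http_status, raw = transport(url, dict(MANDATORY_HEADERS), body)

    if http_status in (200, 409):
        payload = json.loads(raw.decode("utf-8"))
        status = payload.get("status")
        if status not in ("cancelled", "unknown", "succeeded", "failed"):
            raise RuntimeError(f"unexpected status in response: {status!r}")
        # 200/cancelled: this request cancelled it. 409/cancelled: an earlier one did.
        return CancelOutcome(http_status, status, payload.get("timestamp"),
                             cancelled_now=(http_status == 200 and status == "cancelled"))
    if http_status == 400:
        raise ValueError("nevisFIDO rejected the JSON payload (HTTP 400)")
    if http_status in (405, 406, 415):
        raise RuntimeError(f"request framing rejected (HTTP {http_status}): "
                           "check the method and the mandatory headers")
    raise RuntimeError(f"unexpected HTTP status {http_status}")


# Constructed sample answers, keyed by session ID, mirroring the documented examples.
SAMPLE_ANSWERS: Dict[str, Tuple[int, bytes]] = {
    "a1b2c3d4-e5f6-7890-abcd-ef1234567890":
        (200, b'{"status":"cancelled","timestamp":"2026-04-09T10:15:30Z"}'),
    "sess-succeeded": (409, b'{"status":"succeeded","timestamp":"2026-04-09T10:14:55Z"}'),
    "sess-failed": (409, b'{"status":"failed","timestamp":"2026-04-09T10:12:00Z"}'),
    "sess-cancelled-earlier": (409, b'{"status":"cancelled","timestamp":"2026-04-09T10:13:10Z"}'),
}


def fake_transport(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    """Offline stand-in for nevisFIDO that enforces the documented header rules."""
    if headers.get("Content-Type") != "application/json;charset=UTF-8":
        return 415, b""
    if headers.get("Accept") != "application/json":
        return 406, b""
    try:
        session_id = json.loads(body)["sessionId"]
    except (ValueError, KeyError, TypeError):
        return 400, b""
    # Anything not on file is "unknown" with HTTP 200 and no timestamp.
    return SAMPLE_ANSWERS.get(session_id, (200, b'{"status":"unknown"}'))


if __name__ == "__main__":
    for sid in list(SAMPLE_ANSWERS) + ["never-seen"]:
        print(sid, cancel_session(sid, transport=fake_transport))
```

Treat cancelled_now as the only signal that this call changed anything; a 409 with status cancelled means a previous caller already did, and an unknown answer gives no timestamp, so a caller that logs cancellations should not assume the field is present.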