Skip to main content
Version: 2.3.x.x RR

Redeem Token Service

The FIDO client uses the Redeem Token Service to trigger a FIDO UAF registration, authentication or deregistration. Therefore, the client must provide the token it previously obtained.

Base URL

All URLs referenced in this section have the following base:<operation>

The <operation> in the base URL can be registration, authentication or deregistration.

Having split endpoints allows you to protect nevisFIDO differently for each operation, by means of nevisProxy and nevisAuth. d nf you cannot guarantee a secure transmission of the token to the targeted user, you better protect the registrad deregistration endpoints. Otherwise, malicious clients might use stolen tokens to register new credentials and to deregister existing ones.

HTTP Methods

POST is the only supported HTTP method.

Request Headers

The following request headers are mandatory:

AcceptAccept header, must be application/fido+uaf.
Content-TypeContent type header, must be application/json.

Request Body

To trigger the registration, authentication or deregistration process, the Redeem Token Service requires a request body with a JSON payload containing a token (in the token attribute). The next table shows the elements of the request body (JSON payload).

tokenStringThe token previously obtained using the token creation endpoint in "/nevisfido/token/create/authentication".false

Response Headers

The following response headers will be set:

Content-TypeContent type header, fixed to application/fido+uaf;charset=UTF-8.

Response Body

The ReturnUAFRequest object has the following structure:

statusCodeNumberUAF status code for the operation.
uafRequestStringThe new UAF request message if the server decides to issue one.
opStringHint to the client regarding the operation type of the message, must be set to either one of Reg, Auth, or Dereg.
lifetimeMillisNumberHint informing the client application of the lifetime of the message in milliseconds. Absent if the operation was not successful.

The FIDO client either wants to trigger a FIDO registration, authentication or deregistration operation. Depending on the requested operation, the uafRequest part of the returned ReturnUAFRequest object will look different. If the FIDO client requested a registration operation, the uafRequest part will contain a RegistrationRequest object (see the Registration Request Service for details). In case of an authentication operation, the uafRequest part contains an AuthenticationRequest object (see the Authentication Request Service for details).

Example Request

POST /nevisfido/token/redeem/authentication HTTP/1.1
Accept: application/fido+uaf
Content-Type: application/json
Content-Length: 54

"token" : "f5afe3d8-11ef-43fb-ac67-0a72f75e4dbd"


$ curl '' -i -X POST \
-H 'Accept: application/fido+uaf' \
-H 'Content-Type: application/json' \
-d '{
"token" : "f5afe3d8-11ef-43fb-ac67-0a72f75e4dbd"

Example Response (1)

If the token provided in the token attribute of the request was created by nevisFIDO and not previously redeemed, the response will look like this:

HTTP/1.1 200 OK
Date: Mon, 25 Jul 2022 11:30:12 GMT
Content-Type: application/fido+uaf;charset=UTF-8
Transfer-Encoding: chunked
Content-Length: 659

"lifetimeMillis" : 120000,
"uafRequest" : "[{\"header\":{\"serverData\":\"34FkwD4a8z8giOjU8Omv7TtxCq3yAZfyUXZRsU8GzQkCVg0A-gWY0hi79zkph53QMxm5SWvQxhI-H8arDnzCGA\",\"upv\":{\"major\":1,\"minor\":1},\"op\":\"Auth\",\"appID\":\"\",\"exts\":[{\"id\":\"\",\"data\":\"sessionId\",\"fail_if_unknown\":false}]},\"challenge\":\"-ghSw7i-ShbLaHSDU7XZd1idOO_dOVenL4Pa67jWUaLiyXixwPE9H3L-89bZtyuXF1Ofmnfasl0Ql7aqSSel6A\",\"policy\":{\"accepted\":[[{\"userVerification\":1023,\"authenticationAlgorithms\":[1,2,3,4,5,6,7,8,9],\"assertionSchemes\":[\"UAFV1TLV\"]}]]}}]",
"statusCode" : 1200,
"op" : "Auth"

Note that in the above sample a ReturnUAFRequest object with operation type "Auth" is returned (op = "Auth"). This indicates that the initial GetUAFRequest object coming from the FIDO client/nevisAuth requested for an authentication operation. This also means that in the above sample, the uafRequest part of the ReturnUAFRequestn abject contains an AuthenticationRequest. Furthermore, the returned UAF status code is "1200", which indicates thatn ahe operation was successful (statusCode = "1200"). For a complete list of all possible UAF status codes that can be returned by the FIDO server, see UAF Status Codes.

Example Response (2)

If the token provided in the request was not created by nevisFIDO or it had been previously redeemed, the response will look like this:

HTTP/1.1 200 OK
Date: Mon, 25 Jul 2022 11:30:11 GMT
Content-Type: application/fido+uaf;charset=UTF-8
Transfer-Encoding: chunked
Content-Length: 25

"statusCode" : 1491

Note that in this case, the returned UAF status code is "1491". This means that the FIDO server considers the request as invalid. In such a case, the ReturnUAFRequest object does not contain a UAF request (uafRequest part), as you can see in the sample above.

HTTP Status Codes

The following HTTP status codes are returned by the Redeem Token Service:

HTTP CodeDescription
200OK The server processed the request successfully. It returns a ReturnUAFRequest JSON object containing a RegistrationRequest or an AuthenticationRequest (depending on the operation specified in the initial GetUAFRequest).
405Method Not Allowed The method of the received request was not POST.
406Not Acceptable The Accept header is not properly set to application/fido+uaf.
415Unsupported Media Type The Content-Type header is not properly set to application/json;charset=UTF-8.