Skip to main content
Version: 2.2

Registration Request Service

By calling the Registration Request Service and requesting a RegistrationRequest object from the FIDO server, the user/FIDO client initiates the FIDO registration process. This chapter describes the request and response messages between the FIDO client and Server when calling the Registration Request Service.


It is recommended to protect this service using a SecToken.

Base URL

All URLs referenced in this section have the following base:

HTTP Methods

POST is the only supported HTTP method.

Request Headers

The following request headers are mandatory:

AcceptAccept header, must be application/fido+uaf.
Content-TypeContent type header, must be application/fido+uaf;charset=UTF-8.

Request Body

The Registration Request Service requires from the FIDO client a JSON payload with a GetUAFRequest structure:

GetUAFRequest object - Registration Request Service

opStringThe request operation, must be set to Reg.false
previousRequestStringIf the application is requesting a new UAF request message because the previous one expired, the previous one could be sent to the server.true
contextStringThe contextual information must be a stringified JSON object that conforms to the Registration Context.false

The previousRequest parameter is ignored and not handled by nevisFIDO.


The Context dictionary contains all attributes that can be included in the context part of the request body.

usernameStringIdentity information regarding the user on whose behalf the FIDO client is operating. In the case of the idm credential repository, the accepted type of username (loginId, email, etc.) depends on how the username mapper of the credential repository is configured.false

Response Headers

The following response headers will be set:

Content-TypeContent type header, fixed to application/fido+uaf;charset=UTF-8.

Response Body

e Registration Request Service returns a JSON body with a ReturnUAFRequest object as defined in the FIDO UAF HTTP Transport Specification . The ReturnUAFRequest object has the following structure:

statusCodeNumberUAF status code for the operation.
uafRequestStringThe new UAF request message if the server decides to issue one.
opStringHint to the client regarding the operation type of the message, must be set to Reg.
lifetimeMillisNumberHint informing the client application of the lifetime of the message in milliseconds. Absent if the operation was not successful.

The uafRequest part of the ReturnUAFRequest object contains the RegistrationRequest object. The RegistrationRequest dictionary includes the attributes that define a RegistrationRequest object. The following table describes the RegistrationRequest dictionary:

headerOperationHeaderThe header defines the operation header of the UAF messages coming from the Registration Request Service. Within the header, the operation header attributes are specified. For a description of these attributes, see Operation Header. Note that the attribute header.op must be set to "Reg".false
challengeStringServer-provided challenge value.false
usernameStringA human-readable username intended to allow the user to distinguish and select from among different accounts at the same relying party.false
policyPolicyDescribes which types of authenticators are acceptable for this registration operation.false

Example Request

POST /nevisfido/uaf/1.1/request/registration HTTP/1.1
Accept: application/fido+uaf
Content-Type: application/fido+uaf;charset=UTF-8
Content-Length: 59

"context" : "{\"username\":\"jeff\"}",
"op" : "Reg"


$ curl '' -i -X POST \
-H 'Accept: application/fido+uaf' \
-H 'Content-Type: application/fido+uaf;charset=UTF-8' \
-d '{
"context" : "{\"username\":\"jeff\"}",
"op" : "Reg"

Example Response

HTTP/1.1 200 OK
Date: Mon, 25 Jul 2022 11:30:57 GMT
Content-Type: application/fido+uaf;charset=UTF-8
Transfer-Encoding: chunked
Content-Length: 750

"lifetimeMillis" : 300000,
"uafRequest" : "[{\"header\":{\"serverData\":\"Cs9wyAKco_XEnd1WvJ7KzEtdaMzxyQrgX8Qp1mUycLFTm_J0fPwab2l1q188-NhpbXYSS07ltP8WFnBwZdCCDw\",\"upv\":{\"major\":1,\"minor\":1},\"op\":\"Reg\",\"appID\":\"\",\"exts\":[{\"id\":\"\",\"data\":\"887ae70b-7498-4de0-b0aa-bb1e4f4425a6\",\"fail_if_unknown\":false}]},\"challenge\":\"3FK8D9j4w-TfKNUf_bRrBbRrzEbhuQ6nm94KldbPxuoG__ZzQ-68t2Cc03c9uAgRAFXxDuOZAu1E-c3UGSAhaA\",\"username\":\"jeff\",\"policy\":{\"accepted\":[[{\"userVerification\":1023,\"authenticationAlgorithms\":[1,2,3,4,5,6,7,8,9],\"assertionSchemes\":[\"UAFV1TLV\"]}]],\"disallowed\":[{\"aaid\":[\"ABCD#1234\"]}]}}]",
"statusCode" : 1200,
"op" : "Reg"

Note that nevisFIDO includes a proprietary extension in the header part of the RegistrationRequest object. This extension provides the session ID that can be used to retrieve the registration status. The following JSON snippet represents the session ID extension. Refer to Extensions and Proprietary Extensions for details.

"id": "",
"data": "d61e461e-c597-4ed3-9d71-12d1c0e3556c",
"fail_if_unknown": false

HTTP Status Codes

The following HTTP status codes are returned by the Registration Request Service:

HTTP CodeDescription
200OK The server processed the request successfully. A ReturnUAFRequest JSON object containing a RegistrationRequest object is returned.
405Method Not Allowed The method of the received request was not POST.
406Not Acceptable The Accept header is not properly set to application/fido+uaf.
415Unsupported Media Type The Content-Type header is not properly set to application/fido+uaf;charset=UTF-8.