Complete a WebAuthn Passkey Assertion
This API is used to validate a WebAuthn authentication ceremony by providing the values returned from the WebAuthn JavaScript API call, but it does not authenticate the user. This API can be used to confirm that a user has access to a particular passkey without authenticating them.
Request#
OpenAPI Spec
Request Headers#
X-FusionAuth-TenantIdStringoptionalThe unique Id of the tenant used to scope this API request.
The tenant Id is not required on this request even when more than one tenant has been configured because the tenant can be identified based upon the request parameters or it is otherwise not required.
Specify a tenant Id on this request when you want to ensure the request is scoped to a specific tenant. The tenant Id may be provided through this header or by using a tenant locked API key to achieve the same result.
See Making an API request using a Tenant Id for additional information.
Request Body#
The credential in the request body contains data returned by the WebAuthn JavaScript API call. The credential.response.authenticatorData, credential.response.clientDataJSON, credential.response.signature, and credential.response.userHandle fields must be converted to base64url-encoded strings for the FusionAuth API request. See WebAuthn JavaScript API Binary Format for details.
credential.clientExtensionResultsObjectoptionalThe results for WebAuthn extensions requested during authentication. FusionAuth does not currently support any WebAuthn authentication extensions.
credential.idStringrequiredA base64url-encoded version of the credential Id used by the authenticator for this ceremony.
credential.rpIdStringoptionalIf the tenant configuration overrides the Relying Party Id, this parameter should match tenant.webAuthnConfiguration.relyingPartyId, otherwise the value should be omitted from the request object.
credential.response.authenticatorDataStringrequiredThe base64url-encoded authenticator data from the WebAuthn JavaScript API response, which includes information on the passkey used to complete the ceremony and other data important for validation. See Converting ArrayBuffer to base64url-encoded String for details on converting this value for the FusionAuth API request.
credential.response.clientDataJSONStringrequiredThe base64url-encoded client data from the WebAuthn JavaScript API response. This contains important information for the WebAuthn authentication validation process, including the one-time challenge generated when the registration ceremony began. See Converting ArrayBuffer to base64url-encoded String for details on converting this value for the FusionAuth API request.
credential.response.signatureStringrequiredThe base64url-encoded signature from the WebAuthn JavaScript API response. The authenticator generates the signature using the selected passkey's private key by signing over the binary concatenation of credential.response.authenticatorData and the SHA-256 hash of credential.response.clientDataJSON before they are converted to base64url-encoded strings. See Converting ArrayBuffer to base64url-encoded String for details on converting this value for the FusionAuth API request.
credential.response.userHandleStringoptionalThe base64url-encoded user handle from the WebAuthn JavaScript API response. This field is only required when the user was not identified prior to the authentication ceremony through the use of a client-side discoverable passkey. See Converting ArrayBuffer to base64url-encoded String for details on converting this value for the FusionAuth API request.
credential.typeStringrequiredThe credential type of the passkey. The only value supported by WebAuthn is public-key.
originStringrequiredThe browser request origin during the authentication ceremony. For example, example.com.
rpIdStringrequiredIf the tenant configuration overrides the Relying Party Id, this parameter should match tenant.webAuthnConfiguration.relyingPartyId, otherwise the value should be the browser request origin's effective domain during the ceremony.
twoFactorTrustIdStringoptionalThe Multi-Factor Trust identifier returned by the Multi-Factor Login API response. This value may be provided to bypass the Multi-Factor challenge when a User has Multi-Factor enabled.
Example Request JSON
{
"credential": {
"id": "HdN9wqP9mqOonacmiM2gIjASFYg",
"response": {
"authenticatorData": "mPsv4VW-wth0V9gzsxWRFn-1SyC9gM4-QC4ptMFDNhUFAAAAKQ==",
"clientDataJSON": "eyJjaGFsbGVuZ2UiOiJTeTYzQldla285blFsYzVOQmVWcE1BWjFtQ0hvdzBXUXVFeDRJU2xuQzR3IiwiY3Jvc3NPcmlnaW4iOmZhbHNlLCJvcmlnaW4iOiJodHRwczovL2Z1c2lvbmF1dGguaW8iLCJ0eXBlIjoid2ViYXV0aG4uZ2V0In0=",
"signature": "MEUCIQDUwlDp9aNcYQmvpVGLJ35H8lRWjWsfjVsfPf_5HhY3GwIgahBhISBxv82ZS4ll8TZiJp5bIN2CGx_-VjUymfzKqGA=",
"userHandle": "NzAzZmUyZDItMmQzOS00Y2I3LWI3NmQtMGI5OTE4ZWQyNDU3"
},
"type": "public-key"
},
"origin": "https://auth.piedpiper.com",
"rpId": "piedpiper.com"
}
Response#
The response for this API contains the WebAuthn passkey used to complete the assertion.
Response Codes| Code | Description |
|---|---|
| 200 | The request was successful. The response will contain a JSON body. |
| 400 | The request was invalid and/or malformed. The response will contain an Errors JSON Object with the specific errors. This status will also be returned if a paid FusionAuth license is required and is not present. |
| 500 | There was an internal error. A stack trace is provided and logged in the FusionAuth log files. The response will be empty. |
| 503 | The search index is not available or encountered an exception so the request cannot be completed. The response will contain a JSON body. |
Response Body#
credential.algorithmLongThe identifier for the signing algorithm used with the passkey. These values are defined by the IANA COSE Algorithms registry. FusionAuth supports a subset of these algorithms.
Supported algorithms
| Name | Value | Description |
|---|---|---|
| RS256 | -257 | RSASSA-PKCS1-v1_5 using SHA-256 |
| RS384 | -258 | RSASSA-PKCS1-v1_5 using SHA-384 |
| RS512 | -259 | RSASSA-PKCS1-v1_5 using SHA-512 |
| PS256 | -37 | RSASSA-PSS w/ SHA-256 |
| PS384 | -38 | RSASSA-PSS w/ SHA-384 |
| PS512 | -39 | RSASSA-PSS w/ SHA-512 |
| ES256 | -7 | ECDSA w/ SHA-256 |
| ES384 | -35 | ECDSA w/ SHA-384 |
| ES512 | -36 | ECDSA w/ SHA-512 |
credential.attestationTypeStringThe type of attestation provided when the passkey was registered. Passkeys registered in FusionAuth will have a value of none. Imported passkeys may have another value.
credential.authenticatorSupportsUserVerificationBooleanIndicates whether this authenticator supports user verification. User verification ensures that the user is authorized to use the authenticator.
This value is currently determined by whether user verification occurred during the registration of this passkey rather than by other means, such as examining FIDO authenticator metadata.
credential.credentialIdStringThe credential Id generated by the authenticator is stored as a base64url-encoded string. This value is used by authenticators to look up a passkey during an authentication ceremony and to prevent multiple passkeys from being registered on the same authenticator for a single user.
credential.dataObjectAn object that can hold any information about the passkey that should be persisted.
credential.discoverableBooleanIndicates whether the passkey is "client-side discoverable." Discoverable passkeys can be used in authentication ceremonies without first identifying the user (e.g. by requiring the user to complete a form field).
credential.displayNameStringThe display name for the passkey selected during registration. This value should have been selected by the user.
credential.idUUIDThe unique identifier for this passkey.
credential.insertInstantLongThe instant that the passkey was added to the FusionAuth database.
credential.lastUseInstantLongThe instant that the passkey was last used to complete a WebAuthn ceremony.
credential.nameStringA unique name meant to disambiguate passkeys with the same credential.displayName.
credential.publicKeyStringThe passkey's public key, encoded in PEM format.
credential.relyingPartyIdStringThe Relying Party Id used at the time the passkey was registered.
credential.signCountIntegerA signature counter for the passkey. The signature count can be used by a Relying Party to identify a cloned or malfunctioning authenticator.
credential.tenantIdUUIDThe Id of the tenant to which this passkey belongs.
credential.transportsArray<String>A list of transport types supported by the authenticator that generated the passkey. This value is used as a hint to help identify eligible authenticators during a WebAuthn ceremony.
FusionAuth treats the list of transports as strings to maximize authenticator compatibility. These values are used as hints during WebAuthn ceremonies and missing, extra, or unexpected values should not cause a ceremony to fail. Some common values are:
internal- the authenticator is integrated with the client deviceusb- the authenticator can be contacted over USBnfc- the authenticator can be contacted over Near Field Communication (NFC)ble- the authenticator can be contacted over Bluetooth Smart (Bluetooth Low Energy, or BLE)cable- "cloud-assisted" BLE. This transport is used for Android devices acting as an authenticator connected to the computer over Bluetoothhybrid- replacement for thecabletransport
credential.userAgentStringThe user agent at the time the passkey was registered. This can be useful for troubleshooting purposes.
credential.userIdUUIDThe Id of the user that this passkey belongs to.
Example Response JSON
{
"credential": {
"algorithm": -7,
"attestationType": "none",
"authenticatorSupportsUserVerification": true,
"credentialId": "HdN9wqP9mqOonacmiM2gIjASFYg",
"data": {},
"displayName": "Chrome Touch ID",
"name": "richard@fusionauth.io",
"id": "c664318a-2384-4c35-9475-9a200e1d3b72",
"insertInstant": 1668011701792,
"discoverable": false,
"lastUseInstant": 1668021630599,
"publicKey": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEz9DI9AQfZn1aDJG5sw3Ckl7SoQ7E\nLPElDoJMijphvVigTcNMTc8H9Xptl8B20QHMOXGTzaUxLGNY1c8yhw9VVA==\n-----END PUBLIC KEY-----",
"relyingPartyId": "piedpiper.com",
"signCount": 41,
"tenantId": "30663132-6464-6665-3032-326466613934",
"transports": [
"internal"
],
"userId": "703fe2d2-2d39-4cb7-b76d-0b9918ed2457"
}
}