signUpWebauthn

curl --request POST \
  --url https://{subdomain}.auth.{region}.nhost.run/v1/signup/webauthn \
  --header 'Content-Type: application/json' \
  --data '
{
  "email": "john.smith@nhost.io",
  "options": {
    "allowedRoles": [
      "me",
      "user"
    ],
    "defaultRole": "user",
    "displayName": "John Smith",
    "locale": "en",
    "metadata": {
      "firstName": "John",
      "lastName": "Smith"
    },
    "redirectTo": "https://my-app.com/catch-redirection"
  }
}
'

{
  "rp": {
    "name": "<string>",
    "id": "<string>"
  },
  "user": {
    "name": "<string>",
    "displayName": "<string>",
    "id": "<string>"
  },
  "challenge": "aSDinaTvuI8gbWludGxpZnk=",
  "pubKeyCredParams": [
    {
      "type": "public-key",
      "alg": 123
    }
  ],
  "timeout": 123,
  "excludeCredentials": [
    {
      "type": "public-key",
      "id": "aSDinaTvuI8gbWludGxpZnk=",
      "transports": [
        "usb"
      ]
    }
  ],
  "authenticatorSelection": {
    "authenticatorAttachment": "platform",
    "requireResidentKey": true,
    "residentKey": "discouraged",
    "userVerification": "preferred"
  },
  "hints": [
    "security-key"
  ],
  "attestation": "none",
  "attestationFormats": [
    "packed"
  ],
  "extensions": {}
}

POST

signup

webauthn

curl --request POST \
  --url https://{subdomain}.auth.{region}.nhost.run/v1/signup/webauthn \
  --header 'Content-Type: application/json' \
  --data '
{
  "email": "john.smith@nhost.io",
  "options": {
    "allowedRoles": [
      "me",
      "user"
    ],
    "defaultRole": "user",
    "displayName": "John Smith",
    "locale": "en",
    "metadata": {
      "firstName": "John",
      "lastName": "Smith"
    },
    "redirectTo": "https://my-app.com/catch-redirection"
  }
}
'

{
  "rp": {
    "name": "<string>",
    "id": "<string>"
  },
  "user": {
    "name": "<string>",
    "displayName": "<string>",
    "id": "<string>"
  },
  "challenge": "aSDinaTvuI8gbWludGxpZnk=",
  "pubKeyCredParams": [
    {
      "type": "public-key",
      "alg": 123
    }
  ],
  "timeout": 123,
  "excludeCredentials": [
    {
      "type": "public-key",
      "id": "aSDinaTvuI8gbWludGxpZnk=",
      "transports": [
        "usb"
      ]
    }
  ],
  "authenticatorSelection": {
    "authenticatorAttachment": "platform",
    "requireResidentKey": true,
    "residentKey": "discouraged",
    "userVerification": "preferred"
  },
  "hints": [
    "security-key"
  ],
  "attestation": "none",
  "attestationFormats": [
    "packed"
  ],
  "extensions": {}
}

Body

application/json

Email address and optional user options for WebAuthn registration

string<email>

required

A valid email

Example:

"john.smith@nhost.io"

options

object

Show child attributes

options.allowedRoles

string[]

Example:

["me", "user"]

options.defaultRole

string

Example:

"user"

options.displayName

string

Maximum string length: 32

Example:

"John Smith"

options.locale

string

A two-characters locale

Required string length: 2

Example:

"en"

options.metadata

object

Example:

{ "firstName": "John", "lastName": "Smith" }

options.redirectTo

string<uri>

Example:

"https://my-app.com/catch-redirection"

Response

Challenge sent

object

required

Show child attributes

rp.name

string

required

A human-palatable name for the entity

rp.id

string

required

A unique identifier for the Relying Party entity, which sets the RP ID

user

object

required

Show child attributes

user.name

string

required

A human-palatable name for the entity

user.displayName

string

required

A human-palatable name for the user account, intended only for display

user.id

string

required

The user handle of the user account entity

challenge

string<byte>

required

Base64url-encoded binary data

pubKeyCredParams

object[]

required

The desired credential types and their respective cryptographic parameters

Show child attributes

pubKeyCredParams.type

enum<string>

required

The valid credential types

Available options:

public-key

pubKeyCredParams.alg

integer

required

The cryptographic algorithm identifier

timeout

integer

A time, in milliseconds, that the caller is willing to wait for the call to complete

excludeCredentials

object[]

A list of PublicKeyCredentialDescriptor objects representing public key credentials that are not acceptable to the caller

Show child attributes

excludeCredentials.type

enum<string>

required

The valid credential types

Available options:

public-key

excludeCredentials.id

string<byte>

required

Base64url-encoded binary data

excludeCredentials.transports

enum<string>[]

The authenticator transports that can be used

Available options:

usb,

nfc,

ble,

smart-card,

hybrid,

internal

authenticatorSelection

object

Show child attributes

authenticatorSelection.authenticatorAttachment

enum<string>

The authenticator attachment modality

Available options:

platform,

cross-platform

authenticatorSelection.requireResidentKey

boolean

Whether the authenticator must create a client-side-resident public key credential source

authenticatorSelection.residentKey

enum<string>

default:discouraged

The resident key requirement

Available options:

discouraged,

preferred,

required

authenticatorSelection.userVerification

enum<string>

default:preferred

A requirement for user verification for the operation

Available options:

required,

preferred,

discouraged

hints

enum<string>[]

Hints to help guide the user through the experience

Available options:

security-key,

client-device,

hybrid

attestation

enum<string>

default:none

The attestation conveyance preference

Available options:

none,

indirect,

direct,

enterprise

attestationFormats

enum<string>[]

The preferred attestation statement formats

The attestation statement format

Available options:

packed,

tpm,

android-key,

android-safetynet,

fido-u2f,

apple,

none

extensions

object

Additional parameters requesting additional processing by the client and authenticator

/signup/email-password /signup/webauthn/verify

⌘I

Backend Services

Client Libraries

Client Libraries (deprecated)

CLI

Body

Response