Verify WebAuthn registration verification

POST /api/experience/verification/web-authn/registration/verify

Verify the WebAuthn registration response against the user's WebAuthn registration challenge. If the response is valid, the WebAuthn registration record will be marked as verified.

application/json

Body Required

verificationId string Required

The verification ID of the WebAuthn registration record.
payload object Required

The WebAuthn attestation response from the user's WebAuthn credential.
Hide payload attributes Show payload attributes object
- type string("WebAuthn") Required
- id string Required
- rawId string Required
- response object Required
  Hide response attributes Show response attributes object
  
  clientDataJSON string Required
  
  attestationObject string Required
  
  authenticatorData string
  
  transports array[string]
  
  Values are usb, nfc, ble, internal, cable, hybrid, or smart-card.
  
  publicKeyAlgorithm number
  
  publicKey string
- authenticatorAttachment string
  
  Values are cross-platform or platform.
- clientExtensionResults object Required
  Hide clientExtensionResults attributes Show clientExtensionResults attributes object
  
  appid boolean
  
  crepProps object
  
  Hide crepProps attribute Show crepProps attribute object
  
  rk boolean
  
  hmacCreateSecret boolean

Responses

200 application/json

The WebAuthn registration has been successfully verified.
Hide response attribute Show response attribute object
- verificationId string Required
  
  The unique verification ID of the WebAuthn registration record. This verificationId is required to bind the WebAuthn credential to the user account via the Profile API.
400

Invalid request.
- session.mfa.pending_info_not_found: The WebAuthn registration challenge is missing from the current verification record.
- session.mfa.webauthn_verification_failed: The WebAuthn attestation response is invalid or cannot be verified.
404

Verification record not found.

POST /api/experience/verification/web-authn/registration/verify

curl \
 -X POST https://[tenant_id].logto.app/api/experience/verification/web-authn/registration/verify \
 -H "Content-Type: application/json" \
 -d '{"verificationId":"string","payload":{"type":"string","id":"string","rawId":"string","response":{"clientDataJSON":"string","attestationObject":"string","authenticatorData":"string","transports":["usb"],"publicKeyAlgorithm":42.0,"publicKey":"string"},"authenticatorAttachment":"cross-platform","clientExtensionResults":{"appid":true,"crepProps":{"rk":true},"hmacCreateSecret":true}}}'

Request examples

{
  "verificationId": "string",
  "payload": {
    "type": "string",
    "id": "string",
    "rawId": "string",
    "response": {
      "clientDataJSON": "string",
      "attestationObject": "string",
      "authenticatorData": "string",
      "transports": [
        "usb"
      ],
      "publicKeyAlgorithm": 42.0,
      "publicKey": "string"
    },
    "authenticatorAttachment": "cross-platform",
    "clientExtensionResults": {
      "appid": true,
      "crepProps": {
        "rk": true
      },
      "hmacCreateSecret": true
    }
  }
}

Response examples (200)

{
  "verificationId": "string"
}