# REST API Operations
The following API operations are available:
# Register - Create token
To register a credential for a user, your backend calls the Passwordless API:
Required information:
```http
POST https://apiv2.passwordless.dev/register/token HTTP/1.1
ApiSecret: demo:secret:yyy
Content-Type: application/json

{ "userId": "123", "username": "[email protected]", "displayName": "Anders Åberg" }
```
Response:
"wWdDh02ItIvnCKT_02ItIvn..."
This token is used to begin a registration event.
Additional parameters available in the POST request body:
```js
{
  userId: "123", // WebAuthn userHandle. Maximum 64 bytes. Used to identify a user after successful login.
  displayname: "Anders Åberg", // WebAuthn displayname, used in UI. Never stored in database.
  username: "[email protected]", // WebAuthn username, used in UI. Never stored in database.
  attType: "None", // WebAuthn AttestationType, can be "direct", "indirect" or "none". Default is "none".
  authType: "platform", // WebAuthn AuthenticationType, can be "platform" (triggers Face ID/Touch ID/Windows Hello) or "cross-platform" (triggers security key). Default is "platform".
  userVerification: "preferred", // WebAuthn UserVerification. Can be "required", "preferred" or "discouraged". Default is "preferred".
  expiresAt: "2021-08-01T14:43:03Z", // Datetime when the token is set to expire, in UTC, encoded using ISO 8601-1:2019. Defaults to current time in UTC + 120 seconds.
}
```
# Sign in - Verify token
```http
POST https://apiv2.passwordless.dev/signin/verify HTTP/1.1
ApiSecret: demo:secret:yyy
Content-Type: application/json

{ "token": "zzz" }
```
Response:
```json
{
  "success": true,
  "username": "[email protected]",
  "timestamp": "2021-05-19T13:12:20.4691748Z",
  "rpid": "localhost",
  "origin": "http://localhost:3000",
  "device": "Firefox, Windows 10",
  "country": "SE",
  "nickname": null,
  "expiresAt": "2021-05-19T13:14:20.4691749Z"
}
```
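As an added example (not code from the original page or from passwordless.dev), a backend could wrap the verify call and refuse to create a session unless `success` is true, `rpid` and `origin` match its own site, and `expiresAt` is still in the future. The `EXPECTED` values, the constructed `SAMPLE` response and the function names are assumptions.

```javascript
// Added example, not passwordless.dev's own code. The endpoint, header and field
// names come from the page; EXPECTED, SAMPLE and the function names are assumptions.
const API_URL = "https://apiv2.passwordless.dev";
const EXPECTED = { rpid: "localhost", origin: "http://localhost:3000" };

// Constructed sample shaped like the response shown above (7-digit fractional seconds).
const SAMPLE = {
  success: true, username: "user@example.com", rpid: "localhost",
  origin: "http://localhost:3000", expiresAt: "2021-05-19T13:14:20.4691749Z",
};

// POST the token to /signin/verify with the backend-only ApiSecret.
async function verifyToken(token, apiSecret, fetchImpl = fetch) {
  const res = await fetchImpl(API_URL + "/signin/verify", {
    method: "POST",
    body: JSON.stringify({ token }),
    headers: { ApiSecret: apiSecret, "Content-Type": "application/json" },
  });
  if (!res.ok) throw new Error("verify failed with HTTP " + res.status);
  return res.json();
}

// Return the reasons to reject a verify result; an empty list means accept.
function rejectReasons(result, expected = EXPECTED, now = new Date()) {
  if (!result || typeof result !== "object") return ["no result"];
  const reasons = [];
  if (result.success !== true) reasons.push("success is not true");
  if (result.rpid !== expected.rpid) reasons.push("unexpected rpid");
  if (result.origin !== expected.origin) reasons.push("unexpected origin");
  // Trim fractional seconds to milliseconds so every JS engine parses the timestamp.
  const expires = Date.parse(String(result.expiresAt).replace(/(\.\d{3})\d+/, "$1"));
  if (Number.isNaN(expires) || expires <= now.getTime()) reasons.push("expired or missing expiresAt");
  return reasons;
}

// Fail closed: create a session only when no check objects.
async function signIn(token, apiSecret, fetchImpl = fetch, now = new Date()) {
  const result = await verifyToken(token, apiSecret, fetchImpl);
  const reasons = rejectReasons(result, EXPECTED, now);
  return reasons.length === 0 ? { ok: true, result } : { ok: false, reasons };
}
```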
# Alias
Sets aliases for the userId, so that a sign-in can be initiated with a username or email. Any existing aliases for that user are overwritten. Aliases are only stored as a hash to ensure user privacy. They are never returned in any API response.
Rules:
- Alias has to be unique to the specified userId.
- An alias can be a maximum of 250 characters long.
- Maximum of 10 aliases.
```js
// your backend app.js
const payload = {
  userId: "123",
  aliases: ["[email protected]"] // Allow signin to be initiated without knowing userid
};
// Make an HTTPS POST to `/alias` with the userId and aliases (using your ApiSecret)...
var token = await fetch(apiurl + "/alias", {
  method: "POST",
  body: JSON.stringify(payload),
  headers: { ApiSecret: API_SECRET, 'Content-Type': 'application/json'}
});
```
# List Credentials for user
List all credentials for a certain userId.
```js
// your backend app.js
const payload = {
  userId: "123"
};
// Make an HTTPS POST to `/credentials/list` with the userId (using your ApiSecret)...
var credentials = await fetch(apiurl + "/credentials/list", {
  method: "POST",
  body: JSON.stringify(payload),
  headers: { ApiSecret: API_SECRET, 'Content-Type': 'application/json'}
});
```
Response 200 OK:
```json
[
  {
    "aaGuid": "08987058-cadc-4b81-b6e1-30de50dcbe96",
    "country": "",
    "createdAt": "2021-08-01T01:29:49.7492687Z",
    "credType": "none",
    "descriptor": {
      "id": "qgB2ZetBhi0rIcaQK8_HrLQzXXfwKia46_PNjUC2L_w",
      "type": "public-key"
    },
    "device": "Firefox, Windows 10",
    "lastUsedAt": "2021-08-01T01:30:01.7528872Z",
    "origin": "http://example.com:3000",
    "publicKey": "pAEDAzkBACBZAQDK7vyAAihWxVR7lT0nlhfzVtcnlTUNRynJvUxbdu0C+R57G51MlSYhJhhv9UTx5qkyiz2nanvDX14cSqbAsCu7DjgXVVxLQT5C0QbrI8ZSdWv00Hkp5HGXpdmTTy5hHzTywaz4QwBJG92u5bwpVRkzH3C3JFI6uLt5QW5XdIG/bTqYozP8f+Gxh33ecyS9Vr4v56E3vl1+/E/dlTU8utCuoFBNjcQzocWX9XzPBMr5YfWuH2BBuiVo75US52GOIT6UQHth58Bq3ja2+E746dcCFJQoi1GN5xYru5jBQtGkBebgnmgz10QI5/a3I8MZSg7NFljccG+6nY++LY92OO6zIUMBAAE=",
    "rpid": "example.com",
    "signatureCounter": 1,
    "userHandle": "ODIzMzI2OTk2",
    "userId": "123",
    "nickname": "Home laptop"
  }
]
```
# Delete credentials for user
Delete a certain credential for a user.
```http
POST /credentials/delete HTTP/1.1
ApiSecret: demo:secret:yyy
Content-Type: application/json

{
  "CredentialId": "qgB2ZetBhi0rIcaQK8_HrLQzXXfwKia46_PNjUC2L_w"
}
```
Returns 200 OK
# Others
These API endpoints are secondary and/or internal.
# Delete your account at passwordless.dev
Use this endpoint if you want to delete your account and all stored data.
Please note: This will not delete your data immediately. All admin emails connected to the account will receive a warning email with a link to abort the deletion process. After 24 hours your API keys will be frozen. After 14 days your data will be permanently deleted.
```http
POST /account/delete HTTP/1.1
ApiSecret: demo:secret:yyy
```
Returns 200 OK