
Initialize adding a new WebAuthn security key

POST /user/webauthn/add

Start the process of adding a new WebAuthn security key to the user’s account. Returns a challenge that must be completed by the user’s authenticator device. Requires elevated permissions.

Response (success): Challenge created for registering a new security key

object
  rp (object, required)
    name (string, required): A human-palatable name for the entity
    id (string, required): A unique identifier for the Relying Party entity, which sets the RP ID
  user (object, required)
    name (string, required): A human-palatable name for the entity
    displayName (string, required): A human-palatable name for the user account, intended only for display
    id (string, required): The user handle of the user account entity
  challenge (string, format: byte, required): Base64url-encoded binary data
  pubKeyCredParams (Array<object>, required): The desired credential types and their respective cryptographic parameters
    type (string, required): The valid credential types. Allowed values: public-key
    alg (integer, required): The cryptographic algorithm identifier
  timeout (integer): A time, in milliseconds, that the caller is willing to wait for the call to complete
  excludeCredentials (Array<object>): A list of PublicKeyCredentialDescriptor objects representing public key credentials that are not acceptable to the caller
    type (string, required): The valid credential types. Allowed values: public-key
    id (string, format: byte, required): Base64url-encoded binary data
    transports (Array<string>): The authenticator transports that can be used. Allowed values: usb, nfc, ble, smart-card, hybrid, internal
  authenticatorSelection (object)
    authenticatorAttachment (string): The authenticator attachment modality. Allowed values: platform, cross-platform
    requireResidentKey (boolean): Whether the authenticator must create a client-side-resident public key credential source
    residentKey (string, default: discouraged): The resident key requirement. Allowed values: discouraged, preferred, required
    userVerification (string, default: preferred): A requirement for user verification for the operation. Allowed values: required, preferred, discouraged
  hints (Array<string>): Hints to help guide the user through the experience. Allowed values: security-key, client-device, hybrid
  attestation (string, default: none): The attestation conveyance preference. Allowed values: none, indirect, direct, enterprise
  attestationFormats (Array<string>): The preferred attestation statement formats. Allowed values: packed, tpm, android-key, android-safetynet, fido-u2f, apple, none
  extensions (object): Additional parameters requesting additional processing by the client and authenticator. Additional properties: any

Response (error): An error occurred while processing the request

Standardized error response (object)
  status (integer, required): HTTP status error code. Example: 400
  message (string, required): Human-friendly error message. Example: Invalid email format
  error (string, required): Error code identifying the specific application error. Allowed values: default-role-must-be-in-allowed-roles, disabled-endpoint, disabled-user, email-already-in-use, email-already-verified, forbidden-anonymous, internal-server-error, invalid-email-password, invalid-request, locale-not-allowed, password-too-short, password-in-hibp-database, redirectTo-not-allowed, role-not-allowed, signup-disabled, unverified-user, user-not-anonymous, invalid-pat, invalid-refresh-token, invalid-ticket, disabled-mfa-totp, no-totp-secret, invalid-totp, mfa-type-not-found, totp-already-active, invalid-state, oauth-token-echange-failed, oauth-profile-fetch-failed, oauth-provider-error, invalid-otp, cannot-send-sms, provider-account-already-linked
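The response above is a JSON rendering of PublicKeyCredentialCreationOptions: the binary fields (challenge, user.id, excludeCredentials[].id) arrive base64url-encoded and must be turned back into ArrayBuffers before they can be handed to navigator.credentials.create(). The following is an added example, not code from this documentation or from the service's own client library, showing a client that decodes the body, sanity-checks it (RP ID matches the page origin, challenge is at least 16 bytes, user handle is 1..64 bytes, credential parameters are well-formed) and then calls the browser API; it also shows how the standardized error response is surfaced. The sample response body, the base URL, the bearer-token header and the function names are all assumptions.

```javascript
// Added example (not the documentation's or the service's own code).
// Field names follow the response schema of POST /user/webauthn/add; the
// sample body below is constructed: the challenge is the 32 bytes 0x00..0x1f,
// user.id is the base64url of "user-1234", and the excluded credential id is
// the bytes 01 02 03 04.
const SAMPLE_RESPONSE = {
  rp: { name: 'Example App', id: 'example.com' },
  user: { name: 'alice@example.com', displayName: 'Alice', id: 'dXNlci0xMjM0' },
  challenge: 'AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8',
  pubKeyCredParams: [
    { type: 'public-key', alg: -7 },   // ES256 (COSE algorithm identifier)
    { type: 'public-key', alg: -257 }, // RS256
  ],
  timeout: 60000,
  excludeCredentials: [{ type: 'public-key', id: 'AQIDBA', transports: ['usb', 'nfc'] }],
  authenticatorSelection: { residentKey: 'preferred', userVerification: 'preferred' },
  attestation: 'none',
};

// atob is global in browsers and in Node >= 16; fall back to Buffer elsewhere.
const decodeBase64 = typeof atob === 'function'
  ? atob
  : (s) => Buffer.from(s, 'base64').toString('binary');

// Decode a base64url string (no padding, '-' and '_' alphabet) to a Uint8Array.
// Returns null for anything that is not a well-formed base64url string.
function base64urlToBytes(s) {
  if (typeof s !== 'string' || !/^[A-Za-z0-9_-]*$/.test(s)) return null;
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bin = decodeBase64(padded);
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
  return out;
}

// Returns a list of problems; an empty list means the body is safe to pass on.
function checkCreationOptions(body, originHostname) {
  const problems = [];
  const rpId = body.rp && body.rp.id;
  // The browser rejects an RP ID that is neither the origin's host nor a parent
  // domain of it; checking here gives a clearer error than a SecurityError.
  if (typeof rpId !== 'string' ||
      !(rpId === originHostname || originHostname.endsWith('.' + rpId))) {
    problems.push(`rp.id "${rpId}" is not a registrable suffix of ${originHostname}`);
  }
  const challenge = base64urlToBytes(body.challenge);
  // The WebAuthn spec asks relying parties for challenges of at least 16 bytes.
  if (!challenge || challenge.length < 16) problems.push('challenge missing or shorter than 16 bytes');
  const userId = base64urlToBytes(body.user && body.user.id);
  // User handles are opaque byte strings of at most 64 bytes.
  if (!userId || userId.length < 1 || userId.length > 64) problems.push('user.id must decode to 1..64 bytes');
  if (!Array.isArray(body.pubKeyCredParams) || body.pubKeyCredParams.length === 0) {
    problems.push('pubKeyCredParams missing or empty');
  } else {
    for (const p of body.pubKeyCredParams) {
      if (p.type !== 'public-key' || !Number.isInteger(p.alg)) {
        problems.push(`malformed pubKeyCredParams entry ${JSON.stringify(p)}`);
      }
    }
  }
  for (const c of body.excludeCredentials || []) {
    if (c.type !== 'public-key' || !base64urlToBytes(c.id)) {
      problems.push(`malformed excludeCredentials entry ${JSON.stringify(c)}`);
    }
  }
  return problems;
}

// Convert the JSON body into the object navigator.credentials.create() expects.
// Call checkCreationOptions() first; this function assumes the fields decode.
function toCreationOptions(body) {
  return {
    ...body,
    challenge: base64urlToBytes(body.challenge).buffer,
    user: { ...body.user, id: base64urlToBytes(body.user.id).buffer },
    excludeCredentials: (body.excludeCredentials || []).map(
      (c) => ({ ...c, id: base64urlToBytes(c.id).buffer })),
  };
}

// Browser-side flow (assumed base URL and bearer header; not exercised offline).
async function startSecurityKeyRegistration(baseUrl, accessToken) {
  const res = await fetch(`${baseUrl}/user/webauthn/add`, {
    method: 'POST',
    headers: { Authorization: `Bearer ${accessToken}` },
  });
  const body = await res.json();
  if (!res.ok) {
    // Standardized error response: status, message and a machine-readable error code.
    throw new Error(`${body.error}: ${body.message} (HTTP ${body.status})`);
  }
  const problems = checkCreationOptions(body, window.location.hostname);
  if (problems.length > 0) throw new Error('unsafe creation options: ' + problems.join('; '));
  // The returned PublicKeyCredential is what the follow-up verification call consumes.
  return navigator.credentials.create({ publicKey: toCreationOptions(body) });
}
```

The check on rp.id is the one most worth keeping in a real client: if the server is misconfigured to issue an RP ID for a different domain, the browser will refuse the ceremony anyway, but the explicit check produces an actionable message instead of a bare SecurityError.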