Verify
How to verify a user
The verify function initiates the verification process with the AppKey server for a specific user of an application. It follows the WebAuthn protocol: the client requests a challenge from the AppKey server, which acts as the FIDO2 Relying Party. Because the passkey is stored on the client, authentication is performed by signing the challenge with the private key held in the client device's keychain, which is accessible only after the user's biometric authentication. The client then calls the verifyComplete function to return the signed challenge to the AppKey server, which verifies the signature against the user's public key stored on the server.
The client can pass either the handle or the user name to log in.
URL
/api/appuser/verify
Method
POST
Headers
app-token: "<App Token>"
Data Parameter
{
  handle: "<user handle>"
}
Response
Success
StatusCode
200 (OK)
Contents
{
  rpId: "appkey.io",
  challenge: <FIDO2 challenge>,
  allowCredentials: [
    {
      id: <passkey id>,
      transports: [
        "internal"
      ],
      type: "public-key"
    }
  ],
  timeout: 60000,
  userVerification: "preferred",
  user: {
    id: <user uuid>,
    name: <passkey name>,
    displayName: <user display name>,
    handle: <user handle>
  }
}
Error
StatusCode
400 (BAD REQUEST)
500 (INTERNAL SERVER ERROR)
Contents
{
  code: "<internal error code>",
  message: "<readable error description>"
}
The internal codes are integers:
- 400 - invalid app token
- 401 - app no longer exists
- 402 - app is suspended
- 403 - missing parameter
- 404 - user account is suspended
- 413 - app is migrated
- 500 - internal server error
- 600 - invalid login credentials
- 603 - email does not exist
- 607 - user name does not exist
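Worked example of the client half of the flow described above (added here; it is not AppKey's own client code): it builds the request to /api/appuser/verify, then converts the success response into the options navigator.credentials.get() expects, rejecting an unexpected rpId or an empty allowCredentials list before anything is signed. It assumes the challenge and passkey id arrive base64url-encoded; the app token is a placeholder and the sample response is constructed.

```javascript
// Placeholder copied from the docs, not a real token.
const APP_TOKEN = "<App Token>";

// Constructed sample of the documented success response (not real data):
// challenge "AQIDBA" decodes to bytes [1,2,3,4], id "Zm9vYmFy" to "foobar".
const SAMPLE_RESPONSE = {
  rpId: "appkey.io",
  challenge: "AQIDBA",
  allowCredentials: [{ id: "Zm9vYmFy", transports: ["internal"], type: "public-key" }],
  timeout: 60000,
  userVerification: "preferred",
  user: { id: "uuid-placeholder", name: "alice", displayName: "Alice", handle: "alice" },
};

// Decode a base64url string (RFC 4648 section 5, unpadded) into a Uint8Array.
function base64urlToBytes(s) {
  if (typeof s !== "string" || /[^A-Za-z0-9_-]/.test(s)) {
    throw new TypeError("not a base64url string");
  }
  const pad = "=".repeat((4 - (s.length % 4)) % 4);
  const bin = atob(s.replace(/-/g, "+").replace(/_/g, "/") + pad);
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// fetch() init for POST /api/appuser/verify with the app-token header.
function buildVerifyRequest(handle) {
  return {
    method: "POST",
    headers: { "app-token": APP_TOKEN, "Content-Type": "application/json" },
    body: JSON.stringify({ handle }),
  };
}

// Map the server response to PublicKeyCredentialRequestOptions. The rpId
// check keeps the client from signing a challenge for the wrong relying party.
function toRequestOptions(resp, expectedRpId) {
  if (resp.rpId !== expectedRpId) throw new Error("unexpected rpId: " + resp.rpId);
  if (!Array.isArray(resp.allowCredentials) || resp.allowCredentials.length === 0) {
    throw new Error("no registered passkey for this user");
  }
  return {
    rpId: resp.rpId,
    challenge: base64urlToBytes(resp.challenge),
    allowCredentials: resp.allowCredentials.map((c) => ({
      id: base64urlToBytes(c.id), type: c.type, transports: c.transports,
    })),
    timeout: resp.timeout,
    userVerification: resp.userVerification,
  };
}
```

In a browser the pieces chain as `fetch("/api/appuser/verify", buildVerifyRequest(handle))`, then `navigator.credentials.get({ publicKey: toRequestOptions(await r.json(), "appkey.io") })`, and the resulting assertion is what the client sends to verifyComplete.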