POST /users/{userId}/actions/{action}

Path Parameters

userId
string
required

The ID of the user.

action
string
required

A short human-readable code which defines the action that the user is performing, e.g. signIn. This value will be displayed in the Authsignal Portal and can be used to configure rules for authentication events with differing risk profiles. Values are validated with the following regex: ^[a-zA-Z0-9_-]{1,64}$.

Body

application/json

crypto
object

custom
object

A JSON object which can include any key/value pairs. Should be provided when using rules based on custom data points from your own app.

deviceId
string

An ID which identifies the user's device. Should be provided when using rules based on device.

email
string

The user's email address.

ipAddress
string

The user's IP address. Should be provided when using rules based on location or other IP-derived features.

phoneNumber
string

The user's phone number in E.164 format.

redirectToSettings
boolean

If set to true, the user will be shown the authentication settings screen after completing a challenge. Use this flag to allow users to manage their own authenticators through Authsignal's pre-built UI.

redirectUrl
string

The URL which the pre-built UI will redirect back to after the user exits the Authsignal pre-built UI. Only required when using the pre-built UI in redirect mode.

scope
string

The scopes granted to the pre-built UI and the token which can be passed to Client SDKs. By default the only scope is read:authenticators.

userAgent
string

The user agent identifying a browser or app. Should be provided when using rules based on device.

Response

200 - application/json

allowedVerificationMethods
enum<string>[]

The list of verification methods which the user is permitted to enroll.

Available options: SMS, AUTHENTICATOR_APP, EMAIL_MAGIC_LINK, EMAIL_OTP, PUSH, SECURITY_KEY, PASSKEY, VERIFF, IPROOV, PALM_BIOMETRICS_RR, IDVERSE

defaultVerificationMethod
enum<string>

Available options: SMS, AUTHENTICATOR_APP, EMAIL_MAGIC_LINK, EMAIL_OTP, PUSH, SECURITY_KEY, PASSKEY, VERIFF, IPROOV, PALM_BIOMETRICS_RR, IDVERSE

enrolledVerificationMethods
enum<string>[]

The list of verification methods which the user has enrolled.

Available options: SMS, AUTHENTICATOR_APP, EMAIL_MAGIC_LINK, EMAIL_OTP, PUSH, SECURITY_KEY, PASSKEY, VERIFF, IPROOV, PALM_BIOMETRICS_RR, IDVERSE

idempotencyKey
string

A unique key which identifies a particular action. This key can be used to determine if the user has successfully completed a challenge.

isEnrolled
boolean

True if the user is enrolled with at least one verification method and can be challenged.

ruleIds
string[]

The IDs of the triggered rules.

state
enum<string>

The current state of the action.

Available options: ALLOW, BLOCK, CHALLENGE_REQUIRED, CHALLENGE_FAILED, CHALLENGE_SUCCEEDED, REVIEW_REQUIRED, REVIEW_FAILED, REVIEW_SUCCEEDED

token
string

A short-lived token which can be passed to Authsignal's Client SDKs (e.g. when using passkeys) or to authenticate to Authsignal's client API.

url
string

The URL for initiating a challenge using Authsignal's pre-built UI. You can redirect to this URL if the state determines that a challenge is required, or if you want to allow the user to enroll or to manage their existing authenticator settings.
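
Example (added here, not part of the Authsignal documentation or SDKs): a server-side sketch that validates the path parameters, builds the request for this endpoint, and maps the response state to a decision. The function names, the fail-closed policy for states other than ALLOW and CHALLENGE_REQUIRED, and the https check on url are assumptions; the host and authentication are not covered on this page and are left out.

```python
import re
from urllib.parse import quote

# Documented action-code constraint; fullmatch() also rejects a trailing newline.
ACTION_RE = re.compile(r"[a-zA-Z0-9_-]{1,64}")
BODY_FIELDS = {"crypto", "custom", "deviceId", "email", "ipAddress", "phoneNumber",
               "redirectToSettings", "redirectUrl", "scope", "userAgent"}

def build_track_request(user_id, action, **fields):
    """Return (method, path, json_body) for the track-action call."""
    if not isinstance(user_id, str) or not user_id:
        raise ValueError("userId is required")
    if not isinstance(action, str) or not ACTION_RE.fullmatch(action):
        raise ValueError("action must be 1-64 characters of [a-zA-Z0-9_-]")
    unknown = set(fields) - BODY_FIELDS
    if unknown:
        raise ValueError(f"unexpected body fields: {sorted(unknown)}")
    # Percent-encode the ID so '/', '?' or '#' in it cannot change the path.
    path = f"/users/{quote(user_id, safe='')}/actions/{action}"
    body = {k: v for k, v in fields.items() if v is not None}
    return "POST", path, body

def decide(response):
    """Map a response to (decision, detail). Assumed policy: fail closed."""
    state = response.get("state")
    if state == "ALLOW":
        return "proceed", None
    if state == "CHALLENGE_REQUIRED":
        url = response.get("url")
        if isinstance(url, str) and url.startswith("https://"):
            return "challenge", url
        return "deny", "challenge required but no usable url"
    # Any other state (BLOCK, failures, reviews, missing or unknown) is denied.
    return "deny", state

if __name__ == "__main__":
    # Constructed sample values, not real identifiers or a real response.
    print(build_track_request("usr_123", "signIn", ipAddress="203.0.113.7",
                              userAgent="ExampleBrowser/1.0", deviceId=None))
    print(decide({"state": "CHALLENGE_REQUIRED", "isEnrolled": True,
                  "idempotencyKey": "sample-key",
                  "url": "https://challenge.example/sample"}))
```

Store the returned idempotencyKey alongside the user's session when a challenge is issued, since it is the value used later to determine whether the challenge was completed.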