POST
/
users
/
{userId}
/
actions
/
{action}
curl --request POST \
  --url https://api.authsignal.com/v1/users/{userId}/actions/{action} \
  --header 'Content-Type: application/json' \
  --data '{
  "redirectUrl": "https://yourapp.com/callback"
}'
{
  "state": "ALLOW",
  "url": "<string>",
  "token": "<string>",
  "isEnrolled": true,
  "idempotencyKey": "<string>",
  "allowedVerificationMethods": [
    "SMS"
  ],
  "enrolledVerificationMethods": [
    "SMS"
  ],
  "defaultVerificationMethod": "SMS",
  "ruleIds": [
    "<string>"
  ]
}

Path Parameters

​
userId
string
required

The ID of the user.

​
action
string
required

A short human-readable code which defines the action that the user is performing, e.g. signIn. This value will be displayed in the Authsignal Portal and can be used to configure rules for authentication events with differing risk profiles. Values are validated with the following regex: ^[a-zA-Z0-9_-]{(1, 64)}$.

Body

application/json
​
redirectUrl
string

The URL which the pre-built UI will redirect back to after the user exits Authsignal's pre-built UI. Only required when using the pre-built UI in redirect mode.

​
redirectToSettings
boolean

If set to true, the user will be shown the authentication settings screen after completing a challenge. Use this flag to allow users to manage their own authenticators through Authsignal's pre-built UI.

​
email
string

The user's email address.

​
phoneNumber
string

The user's phone number in E.164 format.

​
ipAddress
string

The user's IP address. Should be provided when using rules based on location or other IP-derived features.

​
userAgent
string

The user agent identifying a browser or app. Should be provided when using rules based on device.

​
deviceId
string

An ID which identifies the user's device. Should be provided when using rules based on device.

​
scope
string

The scopes granted to the pre-built UI and the token which can be passed to Client SDKs. By default the only scope is read:authenticators.

​
custom
object

A JSON object which can include any key/value pairs. Should be provided when using rules based on custom data points from your own app.

​
crypto
object

Response

200
application/json
OK
​
state
enum<string>

The current state of the action.

Available options:
ALLOW,
BLOCK,
CHALLENGE_REQUIRED,
CHALLENGE_FAILED,
CHALLENGE_SUCCEEDED,
REVIEW_REQUIRED,
REVIEW_FAILED,
REVIEW_SUCCEEDED
​
url
string

The URL for initiating a challenge using Authsignal's pre-built UI. You can redirect to this URL if the state determines that a challenge is required, or if you want to allow the user to enroll or to manage their existing authenticator settings.

​
token
string

A short-lived token which can be passed to Authsignal's Client SDKs (e.g. when using passkeys) or to authenticate to Authsignal's client API.

​
isEnrolled
boolean

True if the user is enrolled with at least one verification method and can be challenged.

​
idempotencyKey
string

A unique key which identifies a particular action. This key can be used to determine if the user has successfully completed a challenge.

​
allowedVerificationMethods
enum<string>[]

The list of verification methods which the user is permitted to enroll.

Available options:
SMS,
AUTHENTICATOR_APP,
EMAIL_MAGIC_LINK,
EMAIL_OTP,
PUSH,
SECURITY_KEY,
PASSKEY,
VERIFF,
IPROOV,
PALM_BIOMETRICS_RR,
IDVERSE
​
enrolledVerificationMethods
enum<string>[]

The list of verification methods which the user has enrolled.

Available options:
SMS,
AUTHENTICATOR_APP,
EMAIL_MAGIC_LINK,
EMAIL_OTP,
PUSH,
SECURITY_KEY,
PASSKEY,
VERIFF,
IPROOV,
PALM_BIOMETRICS_RR,
IDVERSE
​
defaultVerificationMethod
enum<string>
Available options:
SMS,
AUTHENTICATOR_APP,
EMAIL_MAGIC_LINK,
EMAIL_OTP,
PUSH,
SECURITY_KEY,
PASSKEY,
VERIFF,
IPROOV,
PALM_BIOMETRICS_RR,
IDVERSE
​
ruleIds
string[]

The IDs of the triggered rules.