Skip to main content

Server API

Endpoint: https://signal.authsignal.com

The Authsignal Server API can be used to lookup users and track actions to initiate challenges.

Libraries

Authentication

The Authsignal Server API uses your secret key to authenticate requests. You should only ever call the Authsignal Server API from your server where your secret key can be stored securely. Your secret key should never be exposed to any public client.

You can find your secret key in the API Keys section of the Authsignal Portal settings page.

curl -u "YOUR_SECRET_KEY:" https://signal.authsignal.com

Region selection

Authsignal's server SDKs defaults to the US (Oregon) region. If your tenant is in a different region, a different base URL must be configured.

RegionBase URL
US (Oregon)https://signal.authsignal.com/v1
AU (Sydney)https://au.signal.authsignal.com/v1
EU (Dublin)https://eu.signal.authsignal.com/v1

Here are examples of different SDKs setting the base URL to use our AU endpoint.

import { Authsignal } from "@authsignal/node";

const authsignal = new Authsignal({ secret: "YOUR_SECRET_KEY", apiBaseUrl: "https://au.signal.authsignal.com/v1" });

Retrieve user

The GET /users/:userId endpoint retrieves a user and their MFA enrollment status. A user is considered to be enrolled if they have set up at least one authenticator which can be used to issue a challenge.

curl https://signal.authsignal.com/v1/users/usr_123 \
  -u YOUR_SECRET_KEY:

Request

Response

GET /users/:userId

{
  "isEnrolled": true,
  "enrolledVerificationMethods": [
    "EMAIL_MAGIC_LINK",
    "PASSKEY"
  ],
  "allowedVerificationMethods": [
    "AUTHENTICATOR_APP",
    "EMAIL_MAGIC_LINK",
    "PASSKEY",
    "PUSH",
    "SMS"
  ],
  "defaultVerificationMethod": "EMAIL_MAGIC_LINK",
  "email": "user-123@gmail.com",
  "phoneNumber": "+64271234567"
}

Track action

The POST /users/:userId/actions/:action endpoint lets you record actions performed by users and initiate challenges.

curl https://signal.authsignal.com/v1/users/usr_123/actions/withdrawal \
  -u YOUR_SECRET_KEY: \
  -H "Content-Type: application/json" \
  -d '{"redirectUrl": "https://example.com/finalize-withdrawal"}'

Request

  • userIdstring

    The unique ID for this user in your database.

  • actionstring

    The code of the action as defined in the Authsignal Portal.

  • idempotencyKeystring | undefined

    A unique key which identifies the instance of the action that the user is performing. This can be an ID in your own app domain, such as a transaction ID or shopping cart ID, or if not provided one is generated automatically. Use this to lookup the status of the action after a challenge.

  • redirectUrlstring | undefined

    The URL for the user to get redirected back to when exiting from the Challenge UI. Only required when using Authsignal's hosted challenge flows with redirects.

  • ipAddressstring | undefined

    The IP address of the user performing the action.

  • emailstring | undefined

    The email address of the user performing the action.

  • userAgentstring | undefined

    The user agent of the user performing the action

  • deviceIdstring | undefined

    The ID of user's device. This could be a mobile device ID or the anonymousId returned by the Authsignal Browser web client.

  • customobject | undefined

    A custom JSON object. Use this attribute to send a list of custom data points. Rules can be used to match against these data points.

  • cryptoobject | undefined

    A crypto object. Use this attribute to send crypto related metadata and Know Your Transaction (KYT) use cases.

  • redirectToSettingsboolean | undefined

    The flag to indicate if you want to redirect the user to their settings page after a challenge. Use this if you want to allow users to manage their authenticators. Only relevant when using Authsignal's hosted challenge UI.

POST /users/:userId/actions/:action

{
  "idempotencyKey":"d44e68c9-d20c-4bdb-874a-fab5da5f997e",
  "email": "test@example.com",
  "deviceId": "XXX-XXX",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0",
  "ipAddress": "1.1.1.1",
  "redirectUrl": "https://www.example.com/redirect-back",
  "custom":{
    "yourCustomBoolean": true,
    "yourCustomString": "walletAddress",
    "yourCustomNumber": 10.00
  },
  "crypto": {
    "asset": "ETH",
    "address": "0x71C7656EC7ab88b098defB751B7401B5f6d8976F",
    "txnHash": "0x01994f9ee1b415a81f096ad20da8ecb3ae40b076eb486bb4191d62ae71b7ad0d",
    "assetAmount": 0.01,
    "assetAmountUsd": 17.96
  },
  "redirectToSettings": false
}

Response

  • stateenum

    The current state of the action. The possible values are: CHALLENGE_REQUIRED, CHALLENGE_FAILED, CHALLENGE_SUCCEEDED, ALLOW, or BLOCK.

  • urlstring

    The URL for intiating a challenge using Authsignal's hosted UI. You can redirect to this URL if the state determines that a challenge is required, or if you want to allow the user to enroll or to manage their existing authenticator settings.

  • tokenstring

    A short-lived token which can be used to call the Authsignal Client API directly to perform challenges. Use this if you're building your own UI rather than using Authsignal's hosted UI.

  • isEnrolledboolean

    Whether or not the user is enrolled with at least one authentication method and can be challenged.

  • idempotencyKeystring

    A unique key which identifies the instance of the action that the user is performing.

POST /users/:userId/actions/:action

{
  "state": "CHALLENGE_REQUIRED",
  "idempotencyKey": "d44e68c9-d20c-4bdb-874a-fab5da5f997e",
  "url": "https://mfa.authsignal.com/challenge",
  "token": "123",
  "isEnrolled": true
}

Get action status

The GET /users/:userId/actions/:action/:idempotencyKey endpoint lets you determine the result of a challenge after the user has been redirected back from the Challenge UI (or after the popup has been closed, if showing the page in a modal).

curl https://signal.authsignal.com/v1/users/usr_123/actions/withdrawal/ik_123 \
-u YOUR_SECRET_KEY:

Request

  • userIdstring

    The unique ID for this user in your database.

  • actionstring

    The name of the action as defined in the Authsignal Portal.

  • idempotencyKeystring | undefined

    A unique key which identifies the instance of the action that the user is performing. This can be an ID in your own app domain, such as a transaction ID or shopping cart ID, or if not provided one is generated automatically.

Response

  • stateenum

    The current state of the action. The possible values are: CHALLENGE_REQUIRED, CHALLENGE_FAILED, CHALLENGE_SUCCEEDED, ALLOW, or BLOCK.

  • stateUpdatedAttimestamp

    The time in ISO 8061 format when the state of the action was last updated.

  • createdAttimestamp

    The time in ISO 8061 format when the action was first created via track.

GET /users/:userId/actions/:action/:idempotencyKey

{
	"state": "CHALLENGE_REQUIRED",
  "stateUpdatedAt": "2022-07-25T03:19:00.316Z",
	"createdAt": "2022-07-25T03:19:00.317Z",
	"ruleIds": []
}

Enroll verified authenticator

The POST /users/:userId/authenticators endpoint can be used to enroll an authenticator on behalf of a user if it has already been verified.

curl https://signal.authsignal.com/v1/users/usr_123/authenticators \
  -u YOUR_SECRET_KEY: \
  -H "Content-Type: application/json" \
  -d '{"oobChannel": "SMS", "phoneNumber": "+64271234567"}'

Request

POST /users/:userId/authenticators

{
	"oobChannel": "SMS",
	"phoneNumber": "+130912341234"
}