FAQs
Frequently asked questions.
Why does track return ALLOW when I have already configured authenticators for my tenant?
To be challenged, a user needs to have enrolled at least one authenticator. Additionally, the action either needs to have its default outcome set to CHALLENGE or have at least one rule triggered whose outcome is CHALLENGE.
The track API call is returning a 401 HTTP status code
Please check that your API secret key and API URL are correct. You can find the values for your tenant in the Authsignal Portal under Settings -> API keys. Ensure that the API URL corresponds to your tenant’s region.
The track API call is returning AUTHENTICATOR_NOT_FOUND with a 400 HTTP status code
This error is returned when no authenticators have been configured for your tenant.
Why should I use custom domains?
Custom domains are a prerequisite when using passkeys. Outside of this scenario, custom domains are optional but highly recommended as they help to create a more branded and trusted user experience.
Can I remove authenticators for a user?
Yes, you can do this in the Authsignal Portal by following these steps:
- Navigate to the user details page
- Click the “Remove authenticators” button
- Select which authenticators you want to remove and submit
We also offer ways to remove authenticators programmatically. For more information, get in contact with your account manager or drop us a line at support@authsignal.com.
What are the verification and sending rate limits built into the challenge flows?
To deter abuse and protect challenge flows from high-volume attacks, Authsignal has built-in rate limit guardrails for different authenticator types.
These limits are in place to deter and stop bad actors, and typically will not be noticed by legitimate users on your platform.
Rate limits for sending
Authenticator type | Rate limit |
---|---|
Email magic link | 12 sends per 10 mins |
SMS OTP | 6 sends per 10 mins |
Rate limits for verification
Authenticator type | Rate limit |
---|---|
SMS OTP | 10 failed attempts per 5 mins |
Time-based OTP (TOTP) | 10 failed attempts per 5 mins |
How do I enable WhatsApp for business to send SMS OTP codes?
Sending WhatsApp for Business OTP codes is a paid feature. Please contact your account manager to enable this feature.
How can an action get into a CHALLENGE_FAILED state?
There are currently only two scenarios where this can occur:
- In push notification auth when the user presses “Deny” instead of “Accept” in the in-app notification
- In SMS or email OTP auth when the number of code submission attempts exceeds rate limit thresholds
In other cases, when an action is incomplete or abandoned, it will remain in a CHALLENGE_REQUIRED state.
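The SMS OTP verification limit from the table above and the CHALLENGE_FAILED transition it leads to, as an added example: a local model for reasoning about the behaviour, not Authsignal's code or API. The sliding window, the rule that the submission following ten in-window failures fails the action, and the names `ChallengeModel` and `simulate` are assumptions; `CHALLENGE_SUCCEEDED` is used as the success state and does not appear on this page.

```python
import hmac
from collections import deque

# From the verification table on this page: SMS OTP, 10 failed attempts per 5 mins.
SMS_OTP_MAX_FAILURES = 10
SMS_OTP_WINDOW_SECONDS = 300


class ChallengeModel:
    """Hypothetical local model of one challenged action; not Authsignal's code."""

    def __init__(self, correct_code):
        self.correct_code = correct_code
        self.failures = deque()            # timestamps of failed submissions
        self.state = "CHALLENGE_REQUIRED"  # also the state of an abandoned action

    def submit(self, code, now):
        """Process one code submission at time `now` (seconds); return the state."""
        if self.state != "CHALLENGE_REQUIRED":
            return self.state              # terminal states do not change
        # Assumption: sliding window, so failures older than the window expire.
        while self.failures and now - self.failures[0] >= SMS_OTP_WINDOW_SECONDS:
            self.failures.popleft()
        if len(self.failures) >= SMS_OTP_MAX_FAILURES:
            # Over the threshold: fail the action even if this code is correct.
            self.state = "CHALLENGE_FAILED"
        elif hmac.compare_digest(code, self.correct_code):
            self.state = "CHALLENGE_SUCCEEDED"
        else:
            self.failures.append(now)
        return self.state


def simulate(submissions, correct_code="123456"):
    """Replay constructed (time, code) pairs; return the state after each one."""
    challenge = ChallengeModel(correct_code)
    return [challenge.submit(code, t) for t, code in submissions]


# Constructed sample inputs.
TYPO_THEN_CORRECT = [(0, "123465"), (20, "123456")]
BURST_OF_WRONG_CODES = [(t, "000000") for t in range(11)]

if __name__ == "__main__":
    print(simulate(TYPO_THEN_CORRECT))
    print(simulate(BURST_OF_WRONG_CODES)[-1])
```

A user who mistypes once and then enters the right code never comes near the threshold, which matches the page's note that legitimate users typically will not notice the limits.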