FAQs
Frequently asked questions.
Why does track return ALLOW when I have already configured authenticators for my tenant?
Configuring an authenticator for your tenant only makes it available; to be challenged, a user also needs to have enrolled at least one authenticator. Additionally, the action either needs to have its default outcome set to CHALLENGE or have at least one rule triggered whose outcome is CHALLENGE. If neither condition holds, track returns ALLOW.
The track API call is returning a 401 HTTP status code
Please check your API secret key and API URL are correct. You can find the values for your tenant in the Authsignal Portal under Settings -> API keys. Ensure that the API URL corresponds to your tenant’s region.
The track API call is returning AUTHENTICATOR_NOT_FOUND with a 400 HTTP status code
This error is returned when no authenticators have been configured for your tenant.
Why should I use custom domains?
Custom domains are a prerequisite when using passkeys. Outside of this scenario, custom domains are optional but highly recommended, as they help to create a more branded and trusted user experience.
Can I remove authenticators for a user?
Yes, you can do this in the Authsignal Portal by following these steps:
- Navigate to the user details page
- Click the “Remove authenticators” button
- Select which authenticators you want to remove and submit
We also offer ways to remove authenticators programmatically. For more information, get in contact with your account manager or drop us a line at support@authsignal.com.
What are the verification and sending rate limits built into the challenge flows?
To protect challenge flows from abuse and high-volume attacks, Authsignal has built-in rate limits for each authenticator type.
These limits are in place to deter and stop bad actors and are typically not noticed by legitimate users on your platform.
Rate limits for sending
The following limits apply when sending emails or SMS to initiate a challenge.
| Authenticator type | Rate limit |
|---|---|
| Email magic link | 12 per 10 mins |
| Email OTP | 12 per 10 mins |
| SMS OTP | 6 per 10 mins |
Rate limits for verification
The following limits apply when submitting OTP codes to complete a challenge. Exceeding a verification limit moves the action into the CHALLENGE_FAILED state (see below).
| Authenticator type | Rate limit |
|---|---|
| Email OTP | 10 per 5 mins |
| SMS OTP | 10 per 5 mins |
| Time-based OTP (TOTP) | 10 per 5 mins |
How do I enable WhatsApp for Business to send SMS OTP codes?
Sending WhatsApp for Business OTP codes is a paid feature. Please contact your account manager to enable this feature.
How can an action get into a CHALLENGE_FAILED state?
There are currently only two scenarios where this can occur:
- In push notification auth, when the user presses “Deny” instead of “Accept” in the in-app notification
- In SMS or email OTP auth, when the number of code submission attempts exceeds the verification rate limit thresholds
In all other cases, when an action is incomplete or abandoned it remains in the CHALLENGE_REQUIRED state.
Where can I get the deviceId?
If you’re using the Authsignal Web SDK, a cookie named __as_aid is set on the user’s browser.
When tracking an action on your server, you can extract the deviceId from this cookie.
If reading the request cookie is not an option, you can retrieve the deviceId on the client via authsignal.anonymousId and pass it to your server in the request body.
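The following is an added example, not Authsignal’s own code, showing both approaches on the server in Node.js: read `__as_aid` from the Cookie header, fall back to a `deviceId` field in the request body, and place the result in the attributes of a track call. The request object shape, the identifier validation pattern and the `track({ userId, action, attributes })` payload layout are assumptions for illustration; check them against the SDK version you use. Because both the cookie and the body are supplied by the client, the value is treated as a signal for your rules rather than as proof of anything, and is validated before it is forwarded.

```javascript
// Added example, not Authsignal's own code: resolve the deviceId on the server
// from the __as_aid cookie that the Authsignal Web SDK sets, falling back to a
// deviceId the client sent in the request body (taken from authsignal.anonymousId).
// The request object shape, the validation pattern and the track() payload
// layout are assumptions made for this illustration.

const DEVICE_ID_COOKIE = "__as_aid";

// Accept only identifier-like values (assumed format). Anything else is dropped
// so a client cannot smuggle arbitrary strings into the tracked attributes.
const DEVICE_ID_PATTERN = /^[A-Za-z0-9._-]{8,128}$/;

// Parse a raw Cookie request header into a name -> value map.
// Malformed pairs are skipped; percent-encoded values are decoded when possible.
function parseCookies(header) {
  const cookies = {};
  if (typeof header !== "string") return cookies;
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    if (!name) continue;
    try {
      cookies[name] = decodeURIComponent(raw);
    } catch {
      cookies[name] = raw; // leave undecodable values as-is
    }
  }
  return cookies;
}

function isValidDeviceId(value) {
  return typeof value === "string" && DEVICE_ID_PATTERN.test(value);
}

// Prefer the cookie (set by the Web SDK on your own origin); otherwise use the
// body field the client populated from authsignal.anonymousId. Both sources are
// client-supplied, so the value is a signal for rules, not proof of identity.
function resolveDeviceId(req) {
  const headers = req.headers || {};
  const body = req.body || {};
  const fromCookie = parseCookies(headers.cookie)[DEVICE_ID_COOKIE];
  if (isValidDeviceId(fromCookie)) return fromCookie;
  if (isValidDeviceId(body.deviceId)) return body.deviceId;
  return undefined;
}

// Build the argument for a server-side track call. The field names mirror the
// Node SDK's track({ userId, action, attributes }) shape as an assumption;
// confirm them against the SDK version you use. deviceId is omitted entirely
// when no valid value was found rather than sent as an empty string.
function buildTrackPayload(req, userId, action) {
  const attributes = {
    ipAddress: req.ip,
    userAgent: (req.headers || {})["user-agent"],
  };
  const deviceId = resolveDeviceId(req);
  if (deviceId !== undefined) attributes.deviceId = deviceId;
  return { userId, action, attributes };
}

// Constructed sample request: a Cookie header as a browser running the Web SDK
// would send it, with an unrelated session cookie alongside __as_aid.
const sampleRequest = {
  ip: "203.0.113.10",
  headers: {
    cookie: "session=abc123; __as_aid=0d2b7c8e-1f3a-4b5c-9d6e-7f8a9b0c1d2e",
    "user-agent": "Mozilla/5.0 (example)",
  },
  body: {},
};

console.log(JSON.stringify(buildTrackPayload(sampleRequest, "user-123", "signIn"), null, 2));
```

If the cookie is absent (for example on a cross-origin API request where the browser does not attach it), the body fallback is what carries the value; if neither source yields a valid identifier, the attribute is left out so the track call still succeeds and your rules simply see no device context.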