Frequently asked questions.
What's the difference between MFA, adaptive MFA, and step-up authentication?
What are actions and rules in Authsignal?
`ALLOW`, `CHALLENGE`, `REVIEW`, or `BLOCK`
What are the four action outcomes and what do they mean?
- `ALLOW`: Action is permitted without additional authentication. Proceed with the user's request.
- `CHALLENGE_REQUIRED`: User must complete an authentication challenge before proceeding.
- `BLOCK`: Action is blocked for security reasons. Deny the user's request.
- `REVIEW`: Action requires manual review before proceeding.

On the server, treat every state other than `ALLOW` as "do not proceed yet": `REVIEW` is a hold, not a permission, and an unrecognised state should be handled the same way as `BLOCK`.

`CHALLENGE_REQUIRED` is returned.
Why should I use custom domains?
What are the different ways to use WhatsApp OTP with Authsignal?
How can I determine if a device has a passkey available?
How do passkeys make sign-in easier than other methods?
What is passkey uplift and when should I use it?
Why aren't passkeys always available, and how should I handle this?
Should I use passkey autofill or a dedicated sign-in button?
How should I handle passkeys for MFA vs. primary authentication?
`allowCredentials` parameter to restrict passkeys to the specific user's credentials
How can I increase passkey adoption among my users?
`webauthnCredential.aaguidMapping` data
Should I create passkeys before or after other authentication methods on mobile?
What is `preferImmediatelyAvailableCredentials` and when should I use it?
- `true` (recommended): only passkeys already available on the device are offered, so the user is not shown a QR code for a passkey held on another device.
- `false`: the platform may also offer cross-device sign-in, which presents a QR code when no local passkey exists.

Use `true` for most mobile apps to ensure users aren't presented with QR codes when they don't have passkeys available locally.
Does Authsignal push authentication rely on push notifications?
Can I use my own push notification provider?
Can I customize the push message content and branding?
Are there limits on how many OTP codes users can send or verify?
Sending limits (how many codes or links can be issued):

| Authenticator type | Rate limit |
|---|---|
| Email magic link | 12 per 10 mins |
| Email OTP | 12 per 10 mins |
| SMS OTP | 6 per 10 mins |

Verification limits (how many verification attempts are accepted):

| Authenticator type | Rate limit |
|---|---|
| Email OTP | 10 per 5 mins |
| SMS OTP | 10 per 5 mins |
| Time-based OTP (TOTP) | 10 per 5 mins |
Can I remove authenticators for a user?
The track API call is returning a 401 HTTP status code
The track API call is returning `AUTHENTICATOR_NOT_FOUND` with a 400 HTTP status code
Where can I get the `deviceId`?
The `__as_aid` cookie is set on the user's browser. When tracking an action on your server, you can extract the `deviceId` from this cookie.

Alternatively, read the `deviceId` on the client via `authsignal.anonymousId` and pass it to your server in the request body.
Why is my webhook signature verification failing?
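The following is an added example, not Authsignal's own code, that ties together the `deviceId` lookup above with the four action outcomes and the back-off the SDK error-code answer asks for on `too_many_requests`. It resolves the `deviceId` from the `__as_aid` cookie first and the request body second, calls an injected `trackFn` (its parameter shape, the `attributes` object and the `url` field on the result are assumptions, not the documented SDK signature), retries only on rate limiting, and maps the outcome to a fail-closed decision. The request objects and the fake `trackFn` in the demo are constructed for illustration.

```javascript
// Added example; the trackFn interface and the result's `url` field are assumptions.
const COOKIE_NAME = "__as_aid";

// Return the __as_aid value from a raw Cookie header, or undefined if absent.
function deviceIdFromCookieHeader(cookieHeader) {
  if (!cookieHeader) return undefined;
  for (const part of cookieHeader.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    if (part.slice(0, idx).trim() === COOKIE_NAME) {
      return decodeURIComponent(part.slice(idx + 1).trim()) || undefined;
    }
  }
  return undefined;
}

// Prefer the cookie; fall back to a deviceId the client read from
// authsignal.anonymousId and sent in the request body.
function resolveDeviceId(req) {
  return deviceIdFromCookieHeader(req.headers?.cookie) ?? req.body?.deviceId;
}

// Retry only on `too_many_requests`, with exponential back-off and full jitter.
// Any other error (unauthorized, invalid_request, ...) is surfaced immediately.
async function withBackoff(fn, opts = {}) {
  const {
    maxAttempts = 4,
    baseMs = 200,
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
  } = opts;
  for (let attempt = 1; ; attempt++) {
    try {
      return await fn();
    } catch (err) {
      if (err.code !== "too_many_requests" || attempt >= maxAttempts) throw err;
      await sleep(Math.random() * baseMs * 2 ** (attempt - 1));
    }
  }
}

// Map the track outcome to an HTTP decision. Only ALLOW lets the request
// proceed; REVIEW is a hold, and an unknown state fails closed like BLOCK.
function decide(result) {
  switch (result.state) {
    case "ALLOW":
      return { status: 200, proceed: true };
    case "CHALLENGE_REQUIRED":
      return { status: 401, proceed: false, challengeUrl: result.url }; // `url` assumed
    case "REVIEW":
      return { status: 202, proceed: false, reason: "pending_review" };
    case "BLOCK":
      return { status: 403, proceed: false, reason: "blocked" };
    default:
      return { status: 403, proceed: false, reason: "unknown_state" };
  }
}

// Server-side handler: resolve deviceId, track the action, decide.
async function handleAction(req, trackFn, opts) {
  const deviceId = resolveDeviceId(req);
  const result = await withBackoff(
    () =>
      trackFn({
        userId: req.user?.id,
        action: req.body?.action,
        attributes: { deviceId, ipAddress: req.ip, userAgent: req.headers?.["user-agent"] }, // assumed shape
      }),
    opts
  );
  return decide(result);
}

// Demo with a constructed request and a fake trackFn that is rate limited twice.
if (typeof require !== "undefined" && require.main === module) {
  const req = {
    headers: { cookie: "theme=dark; __as_aid=dev-123; lang=en" },
    body: { action: "withdraw", deviceId: "body-fallback" },
    user: { id: "user-1" },
    ip: "203.0.113.5",
  };
  let calls = 0;
  const fakeTrack = async () => {
    if (++calls < 3) { const e = new Error("rate limited"); e.code = "too_many_requests"; throw e; }
    return { state: "CHALLENGE_REQUIRED", url: "https://example.invalid/challenge" };
  };
  handleAction(req, fakeTrack, { sleep: async () => {} }).then((d) => console.log(calls, d));
}
```

The back-off stops after `maxAttempts` and rethrows, so a persistently rate-limited call surfaces to the caller rather than looping; the `sleep` option exists so tests and demos do not have to wait for real delays.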
Which IP addresses do Authsignal webhooks come from?
| Region | IP Addresses |
|---|---|
| US (Oregon) | 44.224.97.232, 44.230.210.235, 44.236.208.22, 52.33.85.88 |
| AU (Sydney) | 13.210.81.243, 3.105.80.107, 54.252.129.142 |
| EU (Dublin) | 34.247.148.106, 34.253.116.90, 54.171.116.55 |

Restricting inbound webhooks to these addresses is a useful additional control, but it does not replace verifying the webhook signature: check the source address against the connection's peer IP rather than a forwarded header, and still reject any request whose signature does not verify.
How can an action get into a `CHALLENGE_FAILED` state?
`CHALLENGE_FAILED` state.
What are the common SDK error codes and what do they mean?
- `invalid_configuration`: Your tenant configuration is invalid. Check that authenticators are properly configured in the Authsignal Portal.
- `invalid_credential`: The credential (e.g., passkey) is invalid for the user. This may happen if the credential was deleted or is being used on the wrong device.
- `invalid_request`: Request failed due to invalid parameters. Check your request payload and ensure all required fields are provided.
- `too_many_requests`: Rate limit exceeded. Implement back-off and retry logic.
- `unauthorized`: Invalid tenant credentials or wrong region. Verify your API secret key and API URL match your tenant's region.

See our error handling documentation for implementation examples.
How do I know which region my tenant is in?
- US: `https://api.authsignal.com/v1`
- AU: `https://au.api.authsignal.com/v1`
- EU: `https://eu.api.authsignal.com/v1`

Using the API URL of a different region from the one your tenant lives in results in `unauthorized` errors.
Why am I getting CORS errors with the Authsignal APIs?