Why does track return ALLOW when I have already configured authenticators for my tenant?

Configuring authenticators for the tenant is not enough on its own. To be challenged, the user must have enrolled at least one authenticator. Additionally, the action must either have its default outcome set to CHALLENGE or have at least one rule triggered whose outcome is CHALLENGE. If either condition is missing, track returns ALLOW.

The track API call is returning a 401 HTTP status code

Check that your API secret key and API URL are correct. You can find the values for your tenant in the Authsignal Portal under Settings -> API keys. Ensure that the API URL corresponds to your tenant’s region; a key from one region will not be accepted by another region’s API URL.

The track API call is returning AUTHENTICATOR_NOT_FOUND with a 400 HTTP status code

This error is returned when no authenticators have been configured for your tenant.

Why should I use custom domains?

Custom domains are a prerequisite when using passkeys, because a passkey is bound to the domain it was registered on. Outside of this scenario, custom domains are optional but highly recommended, as they help to create a more branded and trusted user experience.

Can I remove authenticators for a user?

Yes, you can do this in the Authsignal Portal by following these steps:

  1. Navigate to the user details page
  2. Click the “Remove authenticators” button
  3. Select which authenticators you want to remove and submit

We also offer ways to remove authenticators programmatically. For more information, get in contact with your account manager or drop us a line at support@authsignal.com.

What are the verification and sending rate limits built into the challenge flows?

To protect challenge flows from abuse and high-volume attacks, Authsignal has built-in rate limits for different authenticator types. Sending limits cap how many messages can be triggered for a user; verification limits cap how many code submissions are accepted, which stops an attacker from guessing an OTP by brute force.

These limits are in place to deter and stop bad actors and typically will not be noticed by legitimate users on your platform.

Rate limits for sending

The following limits apply when sending emails or SMS to initiate a challenge.

Authenticator type      Rate limit
Email magic link        12 per 10 mins
Email OTP               12 per 10 mins
SMS OTP                 6 per 10 mins

Rate limits for verification

The following limits apply when submitting OTP codes to complete a challenge.

Authenticator type      Rate limit
Email OTP               10 per 5 mins
SMS OTP                 10 per 5 mins
Time-based OTP (TOTP)   10 per 5 mins

How do I enable WhatsApp for Business to deliver OTP codes?

Sending OTP codes over WhatsApp for Business is a paid feature. Please contact your account manager to enable this feature.

How can an action get into a CHALLENGE_FAILED state?

There are currently only two scenarios where this can occur:

  1. In push notification auth, when the user presses “Deny” instead of “Accept” in the in-app notification
  2. In SMS or email OTP auth, when the number of code submission attempts exceeds the verification rate limit thresholds described above

In all other cases, when an action is incomplete or abandoned it remains in a CHALLENGE_REQUIRED state rather than moving to CHALLENGE_FAILED.

Where can I get the deviceId?

If you’re using the Authsignal Web SDK, a cookie named __as_aid is set on the user’s browser.

When tracking an action on your server, you can extract the deviceId from this cookie and pass it as an attribute of the track call:

Server
// authsignal is an initialized Authsignal server SDK client
const deviceId = req.cookies["__as_aid"]; // Or however you access cookies in your framework of choice

const { url } = await authsignal.track({
  action: "signIn",
  userId,
  attributes: {
    deviceId, // Client-supplied signal; it is a hint for risk evaluation, not proof of identity
  },
});

If reading the request cookie is not an option, you can retrieve the deviceId on the client via authsignal.anonymousId and pass it to your server in the request body:

Client
// authsignal is the initialized Authsignal Web SDK client
async function handleSignIn(username: string, password: string) {
  const deviceId = authsignal.anonymousId;

  const signInResponse = await fetch("/signIn", {
    method: "POST",
    headers: { "Content-Type": "application/json" }, // Required so the server parses the JSON body
    body: JSON.stringify({
      deviceId,
      username,
      password,
    }),
  });

  return signInResponse;
}
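The two snippets above leave the server-side details to the reader: how to read the cookie without a framework helper, what to do when the cookie is absent and only the body carries a deviceId, how far to trust that value, and how to act on the state that track returns. The following is an added example and not Authsignal’s own code. It assumes a request object with `headers.cookie` and a parsed JSON `body`, assumes the track response carries a `state` field (ALLOW, CHALLENGE_REQUIRED, CHALLENGE_FAILED, as named on this page) alongside `url`, and treats the maximum identifier length and the printable-ASCII check as local policy choices rather than anything Authsignal specifies. The track call is injected as a function so the example runs offline; in production you would pass the SDK client’s `track` method.

```javascript
// Added example (not Authsignal's code): resolve deviceId on the server and
// fail closed on the track() result. Request shape is assumed; adapt to your framework.

const DEVICE_ID_COOKIE = "__as_aid";
// Assumed local policy: the deviceId is attacker-controlled client input, so bound it.
const MAX_DEVICE_ID_LENGTH = 128;

// Minimal Cookie header parser: "a=1; __as_aid=abc" -> { a: "1", __as_aid: "abc" }.
// The first occurrence of a name wins; malformed percent-encoding is kept verbatim.
function parseCookieHeader(header) {
  const cookies = {};
  if (typeof header !== "string") return cookies;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    const rawValue = part.slice(idx + 1).trim();
    if (!name || name in cookies) continue;
    let value = rawValue;
    try {
      value = decodeURIComponent(rawValue);
    } catch (_) {
      // keep rawValue
    }
    cookies[name] = value;
  }
  return cookies;
}

// Accept only a non-empty, bounded, printable-ASCII token (assumed policy), so a
// junk or oversized value from the client never reaches the track() call.
function isValidDeviceId(value) {
  return (
    typeof value === "string" &&
    value.length > 0 &&
    value.length <= MAX_DEVICE_ID_LENGTH &&
    /^[\x21-\x7e]+$/.test(value)
  );
}

// Prefer the SDK cookie; fall back to a deviceId in the JSON body.
// Returns undefined when neither is usable so track() is called without it.
function resolveDeviceId(req) {
  const cookies = parseCookieHeader(req && req.headers && req.headers.cookie);
  if (isValidDeviceId(cookies[DEVICE_ID_COOKIE])) return cookies[DEVICE_ID_COOKIE];
  const fromBody = req && req.body && req.body.deviceId;
  if (isValidDeviceId(fromBody)) return fromBody;
  return undefined;
}

// Map a track() result to an application decision. Only ALLOW proceeds;
// CHALLENGE_REQUIRED sends the user to the challenge URL; anything else,
// including CHALLENGE_FAILED and states this code does not know, is denied.
function decideFromTrackResult(result) {
  const state = result && result.state;
  switch (state) {
    case "ALLOW":
      return { decision: "proceed" };
    case "CHALLENGE_REQUIRED":
      return { decision: "challenge", url: result.url };
    default:
      return { decision: "deny", reason: state || "UNKNOWN_STATE" };
  }
}

// Glue: build the track() input exactly as the page's server snippet does and act on
// the answer. trackFn is injected (e.g. (input) => authsignal.track(input)).
async function signInWithAuthsignal(req, userId, trackFn) {
  const deviceId = resolveDeviceId(req);
  const result = await trackFn({
    action: "signIn",
    userId,
    attributes: deviceId ? { deviceId } : {},
  });
  return decideFromTrackResult(result);
}

// Constructed offline demo: a fake track() that always asks for a challenge.
const fakeTrack = async (input) => ({
  state: "CHALLENGE_REQUIRED",
  url: "https://challenge.example/" + encodeURIComponent(input.attributes.deviceId || "none"),
});
const constructedRequest = { headers: { cookie: "session=abc; __as_aid=dev-123" }, body: {} };
signInWithAuthsignal(constructedRequest, "user-1", fakeTrack).then((d) => console.log(d));
```

The deny-by-default branch is the security-relevant part: a new or unexpected state from the API should never be mistaken for ALLOW, and a deviceId from either the cookie or the body is only a risk signal for the rule engine, never a substitute for authenticating the user.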