Programmatic authenticator management allows you to automatically enroll or remove authenticators on behalf of users without requiring their direct interaction. This is useful for:
  • Registration flows - Auto-enroll users with verified email/SMS during signup
  • Admin operations - Remove compromised or outdated authenticators
  • Account migrations - Transfer existing verified contact methods to Authsignal
  • Bulk operations - Manage authenticators for multiple users programmatically
Use with caution: Programmatic management bypasses normal user verification flows. Only use these methods when you’ve already verified user contact information in your own system.

Adding authenticators

When to use programmatic enrollment

Programmatic enrollment is ideal when:
  • You’ve already verified a user’s email/phone in your registration flow
  • You’re migrating users from another authentication system
  • You want to streamline onboarding by pre-enrolling verified methods

Supported methods

You can programmatically enroll the following verification methods:
MethodRequired FieldDescription
EMAIL_OTPemailEmail-based one-time passwords
EMAIL_MAGIC_LINKemailEmail magic links
SMSphoneNumberSMS-based one-time passwords

Implementation

const request = {
  userId: "dc58c6dc-a1fd-4a4f-8e2f-846636dd4833",
  attributes: {
    verificationMethod: VerificationMethod.SMS,
    phoneNumber: "+64270000000",
  },
};

const response = authsignal.enrollVerifiedAuthenticator(request);
This method assumes the user’s contact information has already been verified in your system. Never enroll unverified email addresses or phone numbers.

Removing authenticators

When to use programmatic removal

Administrative removal is appropriate for:
  • Security incidents - Remove compromised authenticators immediately
  • User support - Help users who’ve lost access to their methods
  • Account cleanup - Remove outdated or duplicate authenticators
  • Compliance - Ensure users only have approved authentication methods

Implementation

const request = {
  userId: "dc58c6dc-a1fd-4a4f-8e2f-846636dd4833",
  userAuthenticatorId: "bf287470-24d9-4aa4-8b29-85683bea703f",
};

await authsignal.deleteAuthenticator(request);
Getting authenticator IDs: To remove an authenticator, you need its userAuthenticatorId. Get this via: 
// Get all authenticators for a user
const authenticators = await authsignal.getAuthenticators({
  userId: "user-id"
});

// Find the specific authenticator to remove
const emailAuthenticator = authenticators.find(
  auth => auth.verificationMethod === "EMAIL_OTP"
);

// Remove it
await authsignal.deleteAuthenticator({
  userId: "user-id",
  userAuthenticatorId: emailAuthenticator.userAuthenticatorId
});
Account lockout risk: Removing all of a user’s authenticators will prevent them from completing authentication challenges. Always ensure users have at least one working authenticator or a way to re-enroll.

Next steps