Complete WebAuthn factor enrollment
/v1/identity/auth/mfa/webauthn/enroll/verifyAuthentication
- Bearer Token
  Authorization: JWT access token
Request body
- enrollment_token (string, required): The sealed enrollment_token returned by /mfa/webauthn/enroll/options. Carries the WebAuthn challenge nonce server-side.
- response (object, required): The PublicKeyCredential JSON returned by `navigator.credentials.create()`: id, rawId, type, response { clientDataJSON, attestationObject, transports }, clientExtensionResults.
- label (string, required): User-facing nickname for the factor ("YubiKey 5C", "MacBook passkey").
Code samples

curl

curl -X POST "https://api.canopy.dev/v1/identity/auth/mfa/webauthn/enroll/verify" \
  -H "Authorization: Bearer $CANOPY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "enrollment_token": "string",
    "response": {},
    "label": "MacBook passkey"
  }'

JavaScript

const response = await fetch("https://api.canopy.dev/v1/identity/auth/mfa/webauthn/enroll/verify", {
  method: "POST",
  headers: {
    "Authorization": "Bearer $CANOPY_TOKEN",
    "Content-Type": "application/json"
  },
  body: JSON.stringify({
    "enrollment_token": "string",
    "response": {},
    "label": "MacBook passkey"
  }),
});
const data = await response.json();

Python

import requests

response = requests.post(
    "https://api.canopy.dev/v1/identity/auth/mfa/webauthn/enroll/verify",
    headers={
        "Authorization": "Bearer $CANOPY_TOKEN",
        "Content-Type": "application/json"
    },
    json={
        "enrollment_token": "string",
        "response": {},
        "label": "MacBook passkey",
    },
)
data = response.json()

Go

package main

import (
	"bytes"
	"encoding/json"
	"log"
	"net/http"
)

func main() {
	payload := map[string]interface{}{
		"enrollment_token": "string",
		"response":         map[string]interface{}{},
		"label":            "MacBook passkey",
	}
	body, err := json.Marshal(payload)
	if err != nil {
		log.Fatal(err)
	}
	req, err := http.NewRequest("POST", "https://api.canopy.dev/v1/identity/auth/mfa/webauthn/enroll/verify", bytes.NewBuffer(body))
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Set("Authorization", "Bearer $CANOPY_TOKEN")
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		log.Fatal(err) // a nil resp must not reach Body.Close()
	}
	defer resp.Body.Close()
}

Responses
200 Verifies the attestation against the stored challenge nonce, persists the WebAuthn factor (credential id, public key, counter, transports, aaguid), and returns the 10 single-use recovery codes when this is the identity's first factor.
{
  "factor": {
    "id": "00000000-0000-0000-0000-000000000000",
    "type": "totp",
    "label": "iPhone 15",
    "enrolled_at": "2026-04-20T12:00:00.000Z",
    "last_used_at": "2026-04-20T12:00:00.000Z"
  },
  "recovery_codes": [
    "ABCD-EFGH-IJKL-MNOP",
    "QRST-UVWX-YZ23-4567",
    "..."
  ],
  "recovery_codes_generation": 0
}

application/json

- factor (MfaFactorResponseDto, required)
- recovery_codes (string[]): Ten freshly-minted single-use recovery codes, **only present on the first factor enrollment**. Subsequent enrollments return `null` here because the prior batch is still valid; the user already saw it the first time around.
- recovery_codes_generation (number): Generation number of the active batch. `null` when no codes were issued from this enrollment (subsequent factor).
400 WebAuthn attestation failed to verify (challenge mismatch, RP-ID mismatch, signature invalid, or credential ineligible)
401 Invalid or expired token
403 This token is not authorized for this endpoint (wrong principal type — e.g., admin token on identity-only endpoint, or vice versa)
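The request-body description above says `response` is the PublicKeyCredential JSON from `navigator.credentials.create()`, and the 200 response description says `recovery_codes` is only populated on the first factor. The browser-side code below is an added example, not Canopy's own client code: it converts the creation options into the ArrayBuffer form the WebAuthn API needs, serializes the returned credential into the documented base64url JSON shape, posts it to the `/enroll/verify` path used by the page's code samples, and separates the one-time recovery codes from the factor record. Assumptions not taken from the page: the `/enroll/options` reply is shaped as `{ enrollment_token, public_key }` where `public_key` is a PublicKeyCredentialCreationOptions dictionary with `challenge`, `user.id` and `excludeCredentials[].id` as base64url strings, and that endpoint accepts an empty JSON body.

```javascript
// Added example (not Canopy's own code): browser-side WebAuthn factor enrollment.
// ASSUMED (not documented on this page): /enroll/options returns
//   { "enrollment_token": "...", "public_key": { challenge, rp, user, pubKeyCredParams, excludeCredentials?, ... } }
// with every binary field encoded as a base64url string.

// WebAuthn binary fields (challenge, user.id, rawId, clientDataJSON, attestationObject)
// travel as base64url strings in JSON; browsers hand them to us as ArrayBuffers.
function base64urlEncode(buf) {
  let bin = "";
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64urlDecode(str) {
  const pad = "=".repeat((4 - (str.length % 4)) % 4);
  const bin = atob(str.replace(/-/g, "+").replace(/_/g, "/") + pad);
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
  return out.buffer;
}

// Turn the server's JSON options into the ArrayBuffer-bearing dictionary
// that navigator.credentials.create() requires. excludeCredentials keeps an
// already-enrolled authenticator from being registered twice.
function toCreationOptions(pk) {
  return {
    ...pk,
    challenge: base64urlDecode(pk.challenge),
    user: { ...pk.user, id: base64urlDecode(pk.user.id) },
    excludeCredentials: (pk.excludeCredentials || []).map((c) => ({ ...c, id: base64urlDecode(c.id) })),
  };
}

// Serialize a PublicKeyCredential into the shape documented for `response`:
// id, rawId, type, response { clientDataJSON, attestationObject, transports }, clientExtensionResults.
function serializeCredential(cred) {
  const r = cred.response;
  return {
    id: cred.id,
    rawId: base64urlEncode(cred.rawId),
    type: cred.type,
    response: {
      clientDataJSON: base64urlEncode(r.clientDataJSON),
      attestationObject: base64urlEncode(r.attestationObject),
      transports: typeof r.getTransports === "function" ? r.getTransports() : [],
    },
    clientExtensionResults:
      typeof cred.getClientExtensionResults === "function" ? cred.getClientExtensionResults() : {},
  };
}

// recovery_codes is an array only on the first factor enrollment and null
// afterwards; the caller must display a fresh batch exactly once, so keep it
// separate from the factor record instead of passing the raw reply around.
function interpretEnrollResult(data) {
  const firstFactor = Array.isArray(data.recovery_codes);
  return {
    factor: data.factor,
    recoveryCodes: firstFactor ? data.recovery_codes : null,
    recoveryCodesGeneration: firstFactor ? data.recovery_codes_generation : null,
  };
}

// Full flow: options -> authenticator ceremony -> verify. Runs in a browser.
async function enrollWebAuthnFactor({ baseUrl, accessToken, label }) {
  const headers = { Authorization: `Bearer ${accessToken}`, "Content-Type": "application/json" };

  // ASSUMED request/response shape for the options endpoint (see comment at top).
  const optRes = await fetch(`${baseUrl}/v1/identity/auth/mfa/webauthn/enroll/options`, { method: "POST", headers, body: "{}" });
  if (!optRes.ok) throw new Error(`enroll/options failed: HTTP ${optRes.status}`);
  const { enrollment_token, public_key } = await optRes.json();

  // The sealed enrollment_token carries the challenge server-side; the client only
  // has to hand the same challenge bytes to the authenticator and return the result.
  const cred = await navigator.credentials.create({ publicKey: toCreationOptions(public_key) });
  if (!cred) throw new Error("authenticator returned no credential");

  const verifyRes = await fetch(`${baseUrl}/v1/identity/auth/mfa/webauthn/enroll/verify`, {
    method: "POST",
    headers,
    body: JSON.stringify({ enrollment_token, response: serializeCredential(cred), label }),
  });
  // 400 = attestation rejected (challenge/RP-ID/signature), 401 = bad token, 403 = wrong principal type.
  if (!verifyRes.ok) throw new Error(`enroll/verify failed: HTTP ${verifyRes.status}`);
  return interpretEnrollResult(await verifyRes.json());
}
```

Call `enrollWebAuthnFactor({ baseUrl: "https://api.canopy.dev", accessToken, label: "MacBook passkey" })` from a user gesture handler; if `recoveryCodes` comes back non-null, render the codes immediately, because the server will not return them again on later enrollments. Browsers that implement `PublicKeyCredential.parseCreationOptionsFromJSON()` and `PublicKeyCredential.prototype.toJSON()` can replace `toCreationOptions` and `serializeCredential` with those built-ins; the hand-written versions are kept here so the base64url handling is visible.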