Complete a WebAuthn step-up ceremony

POST

/v1/identity/auth/mfa/step-up/webauthn/verify

Authentication

Bearer Token Authorization
JWT access token

Request body

transit_tokenstring*
Sealed transit_token from /mfa/step-up/webauthn/options. Carries the WebAuthn challenge nonce server-side.
responseany object*
The PublicKeyCredential JSON returned by `navigator.credentials.get()`.

Code samples

cURL

JavaScript

Python

curl -X POST "https://api.canopy.dev/v1/identity/auth/mfa/step-up/webauthn/verify" \
  -H "Authorization: Bearer $CANOPY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "transit_token": "string",
    "response": {}
  }'

const response = await fetch("https://api.canopy.dev/v1/identity/auth/mfa/step-up/webauthn/verify", {
  method: "POST",
  headers: {
    "Authorization": "Bearer $CANOPY_TOKEN",
    "Content-Type": "application/json"
  },
  body: JSON.stringify({
    "transit_token": "string",
    "response": {}
  }),
});

const data = await response.json();

import requests

response = requests.post(
    "https://api.canopy.dev/v1/identity/auth/mfa/step-up/webauthn/verify",
    headers={
    "Authorization": "Bearer $CANOPY_TOKEN",
    "Content-Type": "application/json"
    },
    json={
        "transit_token": "string",
        "response": {},
    },
)

data = response.json()

package main

import (
	"bytes"
	"encoding/json"
	"net/http"
)

func main() {
	payload := map[string]interface{}{
		"transit_token": "string",
		"response": map[string]interface{}{},
	}
	body, _ := json.Marshal(payload)

	req, _ := http.NewRequest("POST", "https://api.canopy.dev/v1/identity/auth/mfa/step-up/webauthn/verify", bytes.NewBuffer(body))
	req.Header.Set("Authorization", "Bearer $CANOPY_TOKEN")
	req.Header.Set("Content-Type", "application/json")

	resp, _ := http.DefaultClient.Do(req)
	defer resp.Body.Close()
}

Responses

200 Verifies the assertion against the stored nonce + the factor row's credential and returns the same `step_up_token` shape that POST /mfa/step-up produces. The factor row's signature counter is bumped to defeat replay.

{
  "step_up_token": "string",
  "expires_at": "2026-04-20T12:00:00.000Z"
}

application/json

step_up_tokenstring*
Opaque sealed token (AES-256-GCM, base64url). Pass back on the next mutation via the `X-Mfa-Step-Up-Token` header. Valid for 5 minutes.
expires_atstring (date-time)*
After this timestamp the token is rejected and the caller must POST /mfa/step-up again.

401 Invalid or expired token

403 This token is not authorized for this endpoint (wrong principal type — e.g., admin token on identity-only endpoint, or vice versa)

Returned object

The MfaStepUpResponseDto object View all properties on this resource

On this page

GETList enrolled MFA factors for the caller
POSTBegin TOTP factor enrollment
POSTComplete TOTP factor enrollment
POSTBegin WebAuthn factor enrollment
POSTComplete WebAuthn factor enrollment
POSTProve a fresh factor to authorise a sensitive MFA mutation
POSTBegin a WebAuthn-backed step-up ceremony
DELETERemove an enrolled MFA factor
POSTRegenerate the identity's single-use recovery codes
GETList the identity's active 'remember this device' records
DELETERevoke every trusted device for the caller
DELETERevoke a single trusted device