WebAuthnv1.0.0/webauthnOpenAPI
1Kosmos · FIDO2 / WebAuthn

WebAuthn API

FIDO2 / WebAuthn passkey registration and authentication.

Authentication → All products

The WebAuthn service implements FIDO2 passkey registration and authentication. Register authenticators, run assertion ceremonies, link and de-register passkeys, and read authenticator vendor metadata — standards-based, phishing-resistant login.

21 endpoints

across 11 resource groups.

ECDSA-signed

every request is signed with your key pair.

JSON over HTTPS

predictable REST, conventional status codes.

OpenAPI 3.0

Download the spec →

Reference

Base URL

All WebAuthn endpoints are relative to your environment host. Examples on this page use the 1Kosmos pilot environment — swap in your production root when you go live.

Pilot /webauthn

Content type

Requests and responses use application/json.

GET/webauthn/healthz
curl -X GET '/webauthn/healthz' \
  -H 'privateKey: YOUR_PRIVATE_KEY' \
  -H 'publicKey: YOUR_PUBLIC_KEY' \
  -H 'licensekey: YOUR_LICENSE_KEY'
Security

Authentication

WebAuthn uses ECDSA key-pair authentication. Each request carries your credentials as HTTP headers; verification-grade calls additionally sign the request body. Retrieve the system signing key from /publickeys.

Credentials
privateKeyAuthentication headerheader
publicKeyAuthentication headerheader
licensekeyAuthentication headerheader
GET/webauthn/healthz
cURL
Node.js
Python
curl -X GET '/webauthn/healthz' \
  -H 'privateKey: YOUR_PRIVATE_KEY' \
  -H 'publicKey: YOUR_PUBLIC_KEY' \
  -H 'licensekey: YOUR_LICENSE_KEY'
Reference

Errors

WebAuthn uses conventional HTTP status codes: 2xx success, 4xx a problem with the request, 5xx a service-side error.

StatusMeaningDescription
200 / 204OKThe request succeeded.
400Bad RequestValidation failed.
401UnauthorizedMissing or invalid credentials.
403ForbiddenAuthenticated, but not permitted.
404Not FoundThe resource does not exist.
500Server ErrorSomething went wrong on our side.
4XXerror response
{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "Validation error"
}
WebAuthn

Web Auth N Linking and De-Registration

Web Auth N Linking and De-Registration endpoints.

DELETE/unregister/community/{communityId}/did_or_fidokey/{identifier}

/unregister/community/{communityId}/did_or_fidokey/{identifier}

Path parameters
NameTypeDescription
communityIdrequiredstring
identifierrequiredstring
DELETE/webauthn/unregister/community/{communityId}/did_or_fidokey/{identifier}
cURL
Node.js
Python
curl -X DELETE '/webauthn/unregister/community/<communityId>/did_or_fidokey/<identifier>' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'publicKey: YOUR_PUBLIC_KEY' \
  -H 'privateKey: YOUR_PRIVATE_KEY'
RESPONSE
400
200
Bad Request
// no response body
DELETE/unregister/community/{communityId}/user/{userId}/did_or_fidokey/{identifier}

/unregister/community/{communityId}/user/{userId}/did_or_fidokey/{identifier}

Path parameters
NameTypeDescription
communityIdrequiredstring
userIdrequiredstring
identifierrequiredstring
DELETE/webauthn/unregister/community/{communityId}/user/{userId}/did_or_fidokey/{identifier}
cURL
Node.js
Python
curl -X DELETE '/webauthn/unregister/community/<communityId>/user/<userId>/did_or_fidokey/<identifier>' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'publicKey: YOUR_PUBLIC_KEY' \
  -H 'privateKey: YOUR_PRIVATE_KEY'
RESPONSE
400
200
Bad Request
// no response body
WebAuthn

Vendor Meta Data

Vendor Meta Data endpoints.

POST/vendormetadata/{communityId}/fetch

Fetch vendor metadata records that match communityId (Note: load all records matching special communityId 'any' need system or service license)

Path parameters
NameTypeDescription
communityIdrequiredstring
Headers
NameTypeDescription
licensekeyrequiredstring
Request body

If aaguids is not given or empty, the fetch all records.

FieldTypeDescription
aaguidsarray<string>
POST/webauthn/vendormetadata/{communityId}/fetch
cURL
Node.js
Python
curl -X POST '/webauthn/vendormetadata/<communityId>/fetch' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"aaguids": ["string"]}'
RESPONSE
400
200
Bad Request
// no response body
PUT/vendormetadata/{communityId}

Create vendor metadata record)

Path parameters
NameTypeDescription
communityIdrequiredstring
Headers
NameTypeDescription
licensekeyrequiredstring
Request body

Create vendor metadata record

FieldTypeDescription
aaguidrequiredstring
metadatarequiredstring
namerequiredstring
disabledboolean
updatedByrequiredstring
PUT/webauthn/vendormetadata/{communityId}
cURL
Node.js
Python
curl -X PUT '/webauthn/vendormetadata/<communityId>' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"aaguid": "string", "metadata": "string", "name": "string", "disabled": true, "updatedBy": "string"}'
RESPONSE
400
200
Bad Request
// no response body
PATCH/vendormetadata/{communityId}/aaguid/{aaguid}

Update vendor metadata record)

Path parameters
NameTypeDescription
communityIdrequiredstring
aaguidrequiredstring
Headers
NameTypeDescription
licensekeyrequiredstring
Request body

Update vendor metadata record

FieldTypeDescription
metadatastring
namestring
disabledboolean
updatedByrequiredstring
PATCH/webauthn/vendormetadata/{communityId}/aaguid/{aaguid}
cURL
Node.js
Python
curl -X PATCH '/webauthn/vendormetadata/<communityId>/aaguid/<aaguid>' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"metadata": "string", "name": "string", "disabled": true, "updatedBy": "string"}'
RESPONSE
400
200
Bad Request
// no response body
WebAuthn

Fido Auth N Authenticator

Fido Auth N Authenticator endpoints.

POST/assertion/options

/assertion/options

Request Body

Please add ECDSA encrypted string of below json in request

{

"dns": string

"username": string

"displayName": string

"communityId": string

"tenantId": string

}

Request body
FieldTypeDescription
datastring
POST/webauthn/assertion/options
cURL
Node.js
Python
curl -X POST '/webauthn/assertion/options' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'publicKey: YOUR_PUBLIC_KEY' \
  -H 'privateKey: YOUR_PRIVATE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": "string"}'
RESPONSE
400
200
Bad Request
// no response body
POST/assertion/result

/assertion/result

Request Body

Please add ECDSA encrypted string of below json in request

{

"rawId": string

"getClientExtensionResults": {}

"id": string

"type": string

"dns": string

"communityId": string

"tenantId": string

"response": {

"authenticatorData": {}

"signature": {}

"userHandle": {}

"clientDataJSON": {}

}

}

Request body
FieldTypeDescription
datastring
POST/webauthn/assertion/result
cURL
Node.js
Python
curl -X POST '/webauthn/assertion/result' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'publicKey: YOUR_PUBLIC_KEY' \
  -H 'privateKey: YOUR_PRIVATE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": "string"}'
RESPONSE
400
200
Bad Request
// no response body
WebAuthn

Fido Registration

Fido Registration endpoints.

POST/attestation/options

/attestation/options

Request Body

Please add ECDSA encrypted string of below json in request

{

"dns": string

"username": string

"displayName": string

"communityId": string

"tenantId": string

"attestation": string

}

Request body
FieldTypeDescription
datastring
POST/webauthn/attestation/options
cURL
Node.js
Python
curl -X POST '/webauthn/attestation/options' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'publicKey: YOUR_PUBLIC_KEY' \
  -H 'privateKey: YOUR_PRIVATE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": "string"}'
RESPONSE
400
200
Bad Request
// no response body
POST/attestation/result

/attestation/result

Request Body

Please add ECDSA encrypted string of below json in request

{

"rawId": string

"authenticatorAttachment": string

"getClientExtensionResults": {}

"id": string

"type": string

"dns": string

"communityId": string

"tenantId": string

"response": {

"getAuthenticatorData": {}

"getPublicKey": {}

"getPublicKeyAlgorithm": {}

"getTransports": {}

"clientDataJSON": string

}

}

Request body
FieldTypeDescription
datastring
POST/webauthn/attestation/result
cURL
Node.js
Python
curl -X POST '/webauthn/attestation/result' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'publicKey: YOUR_PUBLIC_KEY' \
  -H 'privateKey: YOUR_PRIVATE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"data": "string"}'
RESPONSE
400
200
201
Bad Request
// no response body
WebAuthn

U 1 Fido Auth N Authenticator

U 1 Fido Auth N Authenticator endpoints.

POST/u1/assertion/options

/u1/assertion/options

Header parameter can be passed without ecdsa encryption

Headers
NameTypeDescription
licensekeyrequiredstring
Request body
FieldTypeDescription
usernamestring
displayNamestring
dnsstring
communityIdstring
tenantIdstring
dguidstring
POST/webauthn/u1/assertion/options
cURL
Node.js
Python
curl -X POST '/webauthn/u1/assertion/options' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"username": "string", "displayName": "string", "dns": "string", "communityId": "string", "tenantId": "string", "dguid": "string"}'
RESPONSE
400
200
Bad Request
// no response body
POST/u1/assertion/result

/u1/assertion/result

Header parameter can be passed without ecdsa encryption

Headers
NameTypeDescription
sessionInforequiredstring
licensekeyrequiredstring
Request body
FieldTypeDescription
rawIdstring
responseobject
getClientExtensionResultsobject
idstring
typestring
tenantIdstring
communityIdstring
dnsstring
POST/webauthn/u1/assertion/result
cURL
Node.js
Python
curl -X POST '/webauthn/u1/assertion/result' \
  -H 'sessionInfo: <value>' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"rawId": "string", "response": {"authenticatorData": "string", "signature": "string", "userHandle": "string", "clientDataJSON": "string"}, "getClientExtensionResults": {}, "id": "string", "type": "string", "tenantId": "string", "communityId": "string", "dns": "string"}'
RESPONSE
400
200
Bad Request
// no response body
WebAuthn

U 1 Fido Registration

U 1 Fido Registration endpoints.

POST/u1/attestation/options

/u1/attestation/options

Header parameter can be passed without ecdsa encryption

Headers
NameTypeDescription
licensekeyrequiredstring
Request body
FieldTypeDescription
dnsstring
usernamestring
displayNamestring
communityIdstring
tenantIdstring
attestationstring
POST/webauthn/u1/attestation/options
cURL
Node.js
Python
curl -X POST '/webauthn/u1/attestation/options' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"dns": "string", "username": "string", "displayName": "string", "communityId": "string", "tenantId": "string", "attestation": "string"}'
RESPONSE
400
200
Bad Request
// no response body
POST/u1/attestation/result

/u1/attestation/result

Header parameter can be passed without ecdsa encryption

Headers
NameTypeDescription
sessionInforequiredstring
licensekeyrequiredstring
Request body
FieldTypeDescription
rawIdstring
responseobject
authenticatorAttachmentstring
getClientExtensionResultsobject
idstring
typestring
dnsstring
communityIdstring
tenantIdstring
POST/webauthn/u1/attestation/result
cURL
Node.js
Python
curl -X POST '/webauthn/u1/attestation/result' \
  -H 'sessionInfo: <value>' \
  -H 'licensekey: YOUR_LICENSE_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"rawId": "string", "response": {"attestationObject": "string", "getAuthenticatorData": {}, "getPublicKey": {}, "getPublicKeyAlgorithm": {}, "getTransports": {}, "clientDataJSON": "string"}, "authenticatorAttachment": "string", "getClientExtensionResults": {}, "id": "string", "type": "string", "dns": "string", "communityId": "string", "tenantId": "string"}'
RESPONSE
400
200
201
Bad Request
// no response body
WebAuthn

U 1 Web Auth N Linking

U 1 Web Auth N Linking endpoints.

WebAuthn

Environment

Environment endpoints.

GET/environment

Fetch Environment

Headers
NameTypeDescription
licensekeystring
GET/webauthn/environment
cURL
Node.js
Python
curl -X GET '/webauthn/environment' \
  -H 'licensekey: YOUR_LICENSE_KEY'
RESPONSE
400
200
Bad Request
// no response body
WebAuthn

Healthz

Healthz endpoints.

GET/healthz

This is Health endpoint

GET/webauthn/healthz
cURL
Node.js
Python
curl -X GET '/webauthn/healthz' \
  -H 'privateKey: YOUR_PRIVATE_KEY' \
  -H 'publicKey: YOUR_PUBLIC_KEY' \
  -H 'licensekey: YOUR_LICENSE_KEY'
RESPONSE
400
200
Bad Request
// no response body
WebAuthn

Public Key

Public Key endpoints.

GET/publickeys

/publickeys

GET/webauthn/publickeys
cURL
Node.js
Python
curl -X GET '/webauthn/publickeys' \
  -H 'privateKey: YOUR_PRIVATE_KEY' \
  -H 'publicKey: YOUR_PUBLIC_KEY' \
  -H 'licensekey: YOUR_LICENSE_KEY'
RESPONSE
400
200
Bad Request
// no response body
WebAuthn

Service Directory

Service Directory endpoints.

GET/sd

Get all service directories.

Returns all service directories.

GET/webauthn/sd
cURL
Node.js
Python
curl -X GET '/webauthn/sd' \
  -H 'privateKey: YOUR_PRIVATE_KEY' \
  -H 'publicKey: YOUR_PUBLIC_KEY' \
  -H 'licensekey: YOUR_LICENSE_KEY'
RESPONSE
400
200
Bad Request
// no response body
© 2026 1Kosmos · Web AuthN v1.0.0Generated from the OpenAPI spec · webauthn.json