Donutwork Docs
Api Reference

Identity Provider (IDP) & MFA

Orchestrate user identities, implement multi-factor authentication (TOTP), and manage security audit trails.

Identity Provider (IDP) API

The Identity Provider (IDP) service centralizes user identity management and provides robust secondary authentication layers. It allows organizations to link external user identifiers to a secure, managed identity capable of Multi-Factor Authentication (MFA) via Time-based One-Time Passwords (TOTP) and advanced risk assessment (Sentinel).

Identity Management

Provision External User

Provision a new managed identity within the IDP ecosystem. This creates a security context linked to your platform's internal external_id.

POST
/2026-02-01/idp/user.json
Required permissionidp:writeApiAccessPermission::IDP_WRITE

Query Parameters

No query parameters required.

Request Body

JSON
{
  "user": {
    "external_id": "ORG_USR_9921_AFG"
  }
}
user.external_idstringRequired
Your system's unique identifier for the user (e.g., UUID or DB ID).

Responses

User identity successfully provisioned.

{
  "user": {
    "id": "6908bffd...",
    "external_id": "ORG_USR_9921_AFG",
    "status": "active"
  }
}

Identity already exists for the specified external_id.

{
  "error": "User with this external_id already exists for this company"
}

Retrieve Identity Profile

Fetch the security profile for a specific user. This includes authentication capabilities (MFA status), operational status (locked/active), and audit metadata.

GET
/2026-02-01/idp/{externalUserId}.json
Required permissionidp:readApiAccessPermission::IDP_READ

Query Parameters

externalUserIdstringRequired
The identifier provided during provisioning.

Responses

Identity profile retrieved.

{
  "id": "6908...",
  "external_id": "ORG_USR_9921_AFG",
  "status": "active",
  "has_otp": true,
  "has_passkeys": false,
  "is_locked": false,
  "failed_attempts": 0,
  "saas_client_id": "67c9..."
}

Multi-Factor Authentication (MFA)

Configuration of TOTP Secret

Generate a new TOTP secret and QR code payload to enable secondary authentication. Scanning this payload into an authenticator application (e.g., Microsoft/Google Authenticator) completes the setup.

POST
/2026-02-01/idp/{externalUserId}/otp.json
Required permissionidp:writeApiAccessPermission::IDP_WRITE

Query Parameters

externalUserIdstringRequired
The user identifier.

Request Body

JSON
{
  "otp": {
    "issuer_name": "Acme Enterprise",
    "account_name": "alexander@enterprise.com"
  }
}
otp.issuer_namestringRequired
The organization name displayed in the authenticator app.
otp.account_namestringRequired
The specific account identifier displayed in the app.

Responses

New MFA secret successfully generated.

{
  "user": {
    "external_id": "ORG_USR_9921_AFG",
    "new_otp_secret": "REDACTED_OTP_SECRET",
    "qrcode_payload": "otpauth://totp/Acme+Enterprise:alexander%40enterprise.com?secret=REDACTED_OTP_SECRET&issuer=Acme+Enterprise",
    "is_setup_complete": true
  }
}

Verify Authentication Code

Validate a 6-digit TOTP code (or a one-time backup code) to finalize the authentication process.

POST
/2026-02-01/idp/otp/verify.json
Required permissionidp:writeApiAccessPermission::IDP_WRITE

Query Parameters

No query parameters required.

Request Body

JSON
{
  "otp": {
    "id": "ORG_USR_9921_AFG",
    "code": "552192"
  }
}
otp.idstringRequired
The unique external user identifier.
otp.codestringRequired
The 6-digit code or numeric backup code.

Responses

Authentication successful.

{
  "status": "success",
  "id": "ORG_USR_9921_AFG",
  "message": "OTP verified successfully."
}

Invalid credentials or code expired.

{
  "error": "Invalid credentials or access denied"
}

Provision Backup Codes

Generate a collection of single-use backup codes. These allow users to regain access if the primary MFA device is unavailable.

POST
/2026-02-01/idp/{externalUserId}/backupcodes.json
Required permissionidp:writeApiAccessPermission::IDP_WRITE

Query Parameters

externalUserIdstringRequired
The user identifier.

Responses

Set of 10 backup codes generated.

{
  "user": {
    "id": "ORG_USR_9921_AFG",
    "backupCodes": [
      "ABCD-1234",
      "EFGH-5678",
      "..."
    ]
  }
}

Sentinel Risk Assessment

Sentinel provides a sophisticated analytical layer for evaluating authentication risk in real-time.

Analyze Session Integrity (Discover)

Submit session metadata to Sentinel to perform a risk assessment based on behavioral patterns, network reputation, and environmental context.

POST
/2026-02-01/sentinel/verify.json
Required permissionsentinel:writeApiAccessPermission::SENTINEL_WRITE

Query Parameters

No query parameters required.

Request Body

JSON
{
  "sentinel": {
    "id": "6908bffd...",
    "context": {
      "ip": "1.1.1.1",
      "ua": "EnterpriseAgent/1.0"
    }
  }
}
sentinel.idstringRequired
External user identifier for the risk evaluation.
sentinel.context.ipstringRequired
Source IP address of the session.
sentinel.context.uastringRequired
User-Agent value for the session.
sentinel.context.user_idstring
Optional explicit user identifier override.

Responses

Risk assessment completed.

{
  "status": "authorized",
  "risk_score": 0.05,
  "recommendation": "allow"
}

High-risk indicators detected.

{
  "error": "High risk detection",
  "risk_score": 0.95
}

Customers

Manage customer lifecycle, professional profiles, and organizational associations.

Key Management Service (KMS)

Securely orchestrate sensitive credentials, enforce network-level access controls, and maintain comprehensive audit trails for cryptographic secrets.

On this page

Identity Provider (IDP) APIIdentity ManagementProvision External UserRetrieve Identity ProfileMulti-Factor Authentication (MFA)Configuration of TOTP SecretVerify Authentication CodeProvision Backup CodesSentinel Risk AssessmentAnalyze Session Integrity (Discover)