Identity Provider (IDP) & MFA
Orchestrate user identities, implement multi-factor authentication (TOTP), and manage security audit trails.
Identity Provider (IDP) API
The Identity Provider (IDP) service centralizes user identity management and provides robust secondary authentication layers. It allows organizations to link external user identifiers to a secure, managed identity capable of Multi-Factor Authentication (MFA) via Time-based One-Time Passwords (TOTP) and advanced risk assessment (Sentinel).
Identity Management
Provision External User
Provision a new managed identity within the IDP ecosystem. This creates a security context linked to your platform's internal external_id.
idp:writeApiAccessPermission::IDP_WRITEQuery Parameters
No query parameters required.
Request Body
{
"user": {
"external_id": "ORG_USR_9921_AFG"
}
}user.external_idstringRequiredResponses
User identity successfully provisioned.
{
"user": {
"id": "6908bffd...",
"external_id": "ORG_USR_9921_AFG",
"status": "active"
}
}Identity already exists for the specified external_id.
{
"error": "User with this external_id already exists for this company"
}Retrieve Identity Profile
Fetch the security profile for a specific user. This includes authentication capabilities (MFA status), operational status (locked/active), and audit metadata.
idp:readApiAccessPermission::IDP_READQuery Parameters
externalUserIdstringRequiredResponses
Identity profile retrieved.
{
"id": "6908...",
"external_id": "ORG_USR_9921_AFG",
"status": "active",
"has_otp": true,
"has_passkeys": false,
"is_locked": false,
"failed_attempts": 0,
"saas_client_id": "67c9..."
}Multi-Factor Authentication (MFA)
Configuration of TOTP Secret
Generate a new TOTP secret and QR code payload to enable secondary authentication. Scanning this payload into an authenticator application (e.g., Microsoft/Google Authenticator) completes the setup.
idp:writeApiAccessPermission::IDP_WRITEQuery Parameters
externalUserIdstringRequiredRequest Body
{
"otp": {
"issuer_name": "Acme Enterprise",
"account_name": "alexander@enterprise.com"
}
}otp.issuer_namestringRequiredotp.account_namestringRequiredResponses
New MFA secret successfully generated.
{
"user": {
"external_id": "ORG_USR_9921_AFG",
"new_otp_secret": "REDACTED_OTP_SECRET",
"qrcode_payload": "otpauth://totp/Acme+Enterprise:alexander%40enterprise.com?secret=REDACTED_OTP_SECRET&issuer=Acme+Enterprise",
"is_setup_complete": true
}
}Verify Authentication Code
Validate a 6-digit TOTP code (or a one-time backup code) to finalize the authentication process.
idp:writeApiAccessPermission::IDP_WRITEQuery Parameters
No query parameters required.
Request Body
{
"otp": {
"id": "ORG_USR_9921_AFG",
"code": "552192"
}
}otp.idstringRequiredotp.codestringRequiredResponses
Authentication successful.
{
"status": "success",
"id": "ORG_USR_9921_AFG",
"message": "OTP verified successfully."
}Provision Backup Codes
Generate a collection of single-use backup codes. These allow users to regain access if the primary MFA device is unavailable.
idp:writeApiAccessPermission::IDP_WRITEQuery Parameters
externalUserIdstringRequiredResponses
Set of 10 backup codes generated.
{
"user": {
"id": "ORG_USR_9921_AFG",
"backupCodes": [
"ABCD-1234",
"EFGH-5678",
"..."
]
}
}Passkey (WebAuthn) Delegation
For architecture, benefits and production integration pattern (backend relay S2S), see:
Create Registration Options
Generate challenge and WebAuthn options used by the client to create a passkey credential.
idp:writeApiAccessPermission::IDP_WRITEQuery Parameters
externalUserIdstringRequiredRequest Body
{
"passkey": {
"display_name": "Alexander",
"account_name": "alexander@enterprise.com"
}
}passkey.display_namestringpasskey.account_namestringResponses
Registration options generated.
{
"status": "success",
"passkey": {
"challenge_id": "ch_01J...",
"options": {
"challenge": "BASE64_CHALLENGE",
"rp": {
"id": "example.com",
"name": "Donutwork"
}
}
}
}Confirm Registration
Confirm passkey registration by submitting the credential payload generated by the WebAuthn client.
idp:writeApiAccessPermission::IDP_WRITEQuery Parameters
externalUserIdstringRequiredRequest Body
{
"passkey": {
"challenge_id": "ch_01J...",
"payload": "{\"id\":\"...\",\"rawId\":\"...\",\"response\":{...}}",
"device": "Chrome 125 / macOS"
}
}passkey.challenge_idstringRequiredpasskey.payloadstring|objectRequiredpasskey.devicestringResponses
Passkey registered successfully.
{
"status": "success",
"passkey": {
"id": "pk_01J...",
"external_id": "ORG_USR_9921_AFG",
"registered": true
}
}Create Authentication Challenge
Generate a passkey challenge for login verification.
idp:writeApiAccessPermission::IDP_WRITEQuery Parameters
No query parameters required.
Request Body
{
"passkey": {
"id": "ORG_USR_9921_AFG"
}
}passkey.idstringRequiredResponses
Authentication challenge generated.
{
"status": "success",
"passkey": {
"challenge_id": "ch_01J...",
"options": {
"challenge": "BASE64_CHALLENGE",
"rpId": "example.com"
}
}
}Verify Passkey Authentication
Validate the assertion payload generated by the authenticator.
idp:writeApiAccessPermission::IDP_WRITEQuery Parameters
No query parameters required.
Request Body
{
"passkey": {
"id": "ORG_USR_9921_AFG",
"challenge_id": "ch_01J...",
"payload": "{\"id\":\"...\",\"rawId\":\"...\",\"response\":{...}}"
}
}passkey.idstringRequiredpasskey.challenge_idstringRequiredpasskey.payloadstring|objectRequiredResponses
Passkey authentication successful.
{
"status": "success",
"id": "ORG_USR_9921_AFG",
"message": "Passkey verified successfully."
}Revoke Passkey Credential
Delete one registered passkey credential for the user.
idp:writeApiAccessPermission::IDP_WRITEQuery Parameters
externalUserIdstringRequiredcredentialIdstringRequiredResponses
Credential removed successfully.
{
"status": "success",
"id": "ORG_USR_9921_AFG",
"message": "Passkey removed successfully."
}Sentinel Risk Assessment
Sentinel provides a sophisticated analytical layer for evaluating authentication risk in real-time.
Analyze Session Integrity (Discover)
Submit session metadata to Sentinel to perform a risk assessment based on behavioral patterns, network reputation, and environmental context.
sentinel:writeApiAccessPermission::SENTINEL_WRITEQuery Parameters
No query parameters required.
Request Body
{
"sentinel": {
"id": "ORG_USR_9921_AFG",
"context": {
"ip": "1.1.1.1",
"ua": "EnterpriseAgent/1.0"
}
}
}sentinel.idstringRequiredsentinel.context.ipstringRequiredsentinel.context.uastringRequiredsentinel.context.user_idstringResponses
Risk assessment completed.
{
"success": true,
"event_id": "67f4...",
"user_id": "ORG_USR_9921_AFG",
"ip": "1.1.1.1",
"geo_country": "US",
"risk_score": 0.62,
"risk_band": "high",
"decision_advice": "challenge_mfa",
"decision": "challenge_mfa",
"recommended_factor": "passkey_or_otp",
"reasons": [
"High source IP velocity detected."
],
"verification_cost_ms": 18
}Missing input fields.
{
"success": false,
"message": "Missing required parameters: user_id, ip, or user_agent."
}Sentinel also accepts the legacy envelope:
{
"event": {
"user_id": "ORG_USR_9921_AFG",
"ip": "1.1.1.1",
"user_agent": "EnterpriseAgent/1.0",
"sentinel_session": "sess_123"
}
}