/auth/step
When a create auth request requires additional security, the system sends out a webhook asking for a response to question-based, code-based, or prompt-based security.
Use the auth step endpoint to respond to security webhook events to progress through the realtime credential validation process.
HTTP Request
POST https://api.q2open.io/v1/auth/step
Arguments
Parameter | Description |
---|---|
token | ID provided by webhooks for correlation to the auth validation process. |
method | String of the type of response this correlates to: 'questions', 'code', 'prompt' |
security | Object containing the response to the webhook request for security information. |
didNotReceiveCode | Boolean used if the user never received the code that was requested. |
Example Request
```shell
curl "https://api.q2open.io/v1/auth/step" \
  -H "Authorization: Bearer dc220490-e6ee-11e5-8a94-e7385a8d929e" \
  -H "Content-Type: application/json" \
  -d '{
    "token": "6218f231494a186f08983d89",
    "method": "code",
    "security": {
      "identifier": "P4erF9C__n73GY",
      "answer": "44555"
    }
  }'
```
Example Response
```json
{
  "success": "true",
  "message": "Auth security response has been queued and will respond via webhooks."
}
```
Example Auth Webhooks and Steps
Questions Based MFA
Questions Based MFA example Webhook
```json
{
  "resource": {
    "id": "6217deda4c94a9f552489392",
    "type": "client"
  },
  "data": {
    "auth": {...},
    "method": "questions",
    "input": [
      {
        "identifier": "ibY1g2PC4wrc6q",
        "question": "What is your mother's maiden name?"
      },
      {
        "identifier": "P4erF9C__n73GY",
        "question": "What is your favorite color?"
      }
    ],
    "token": "6218f985494a186f08983ec2"
  }
}
```
Auth Step for Questions Based MFA
```json
{
  "token": "6218f985494a186f08983ec2",
  "method": "questions",
  "security": [
    {
      "identifier": "ibY1g2PC4wrc6q",
      "answer": "Smith"
    },
    {
      "identifier": "P4erF9C__n73GY",
      "answer": "White"
    }
  ]
}
```
Security questions that are required to verify the user. If the client does not answer these in realtime, they can be answered with Answer Questions.
Code Based MFA
Code Based MFA example Webhook
```json
{
  "resource" : {
    "type" : "client",
    "id" : "5d9b819aacffca301b076958"
  },
  "data" : {
    "company" : {...},
    "method" : "code",
    "input" : [
      {
        "type" : "text",
        "mask" : "xxx-xxx-1234",
        "identifier" : "Xf9DWrxK_",
        "label" : "Text: xxx-xxx-1234"
      },
      {
        "type" : "email",
        "mask" : "e..e@example.com",
        "identifier" : "fWaGHa00al",
        "label" : "Email: e..e@example.com"
      }
    ],
    "token" : "5d9ca25aa71f7c94d0fad1b1"
  }
}
```
Auth Step for Code Based MFA
```json
{
  "token": "5d9ca25aa71f7c94d0fad1b1",
  "method": "code",
  "security": {
    "identifier": "Xf9DWrxK_"
  }
}
```
Follow-up question for Code Based MFA
```json
{
  "resource": {
    "id": "6217deda4c94a9f552489392",
    "type": "client"
  },
  "data": {
    "auth": {...},
    "method": "questions",
    "input": [
      {
        "identifier": "QMbuXxBKqnDvYC",
        "question": "What is the code sent to xxx-xxx-1234?"
      }
    ],
    "showRetry": true,
    "token": "6218f985494a186f08983ec2"
  }
}
```
Security that asks where the client wants the code sent, typically an email address, a phone number, or a device. This is then followed by a webhook asking for the code that was sent. When the field `showRetry` is true, the client can use `didNotReceiveCode` in the auth step to try to get another code sent. The integration should be designed to wait at least 30 seconds before allowing the client to send the retry request.
Prompt Based MFA
Prompt Based MFA example Webhook
```json
{
  "resource": {
    "id": "6217deda4c94a9f552489392",
    "type": "client"
  },
  "data": {
    "auth": {...},
    "method": "prompt",
    "input": [
      { "request": "Verify your login with your mobile device" }
    ],
    "token": "6218f231494a186f08983d89"
  }
}
```
Auth Step for Prompt Based MFA
```json
{
  "token": "6218f231494a186f08983d89",
  "method": "prompt"
}
```
Security measure that requires the user to click a prompt sent to a device or email. The response does not need a security payload as this is just an acknowledgement that the prompt was pressed.
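The three flows above, as an added example (not code from this documentation or from Q2 Open): it builds the auth step body for each webhook method, refuses identifiers the webhook never offered, and enforces the 30 second wait before a `didNotReceiveCode` retry. The names `build_auth_step`, `build_retry` and `StepError` are hypothetical, and the retry body reusing the webhook's `method` is an assumption, since the page does not show that request.

```python
# Added example: builds /auth/step bodies from the security webhooks on this page.
RETRY_WAIT_SECONDS = 30  # minimum wait the page asks for before a retry

class StepError(ValueError):
    """The webhook and the intended response do not match."""

def build_auth_step(webhook, answers=None, choice=None):
    """Return the /auth/step JSON body answering one security webhook.

    answers: {identifier: answer} for 'questions'; choice: identifier for 'code'.
    """
    data = webhook["data"]
    body = {"token": data["token"], "method": data["method"]}
    offered = [i["identifier"] for i in data.get("input", []) if "identifier" in i]
    if data["method"] == "prompt":
        return body  # acknowledgement only, no security payload
    if data["method"] == "code":
        if choice not in offered:
            raise StepError("destination was not offered by the webhook")
        body["security"] = {"identifier": choice}
        return body
    if data["method"] == "questions":
        answers = answers or {}
        if set(answers) != set(offered):
            raise StepError("answers must cover exactly the questions asked")
        body["security"] = [{"identifier": i, "answer": answers[i]} for i in offered]
        return body
    raise StepError("unsupported method: %r" % data["method"])

def build_retry(webhook, requested_at, now):
    """Return a didNotReceiveCode body, or raise if a retry is not allowed yet."""
    data = webhook["data"]
    if data.get("showRetry") is not True:
        raise StepError("webhook did not offer a retry")
    if now - requested_at < RETRY_WAIT_SECONDS:
        raise StepError("wait at least %d seconds before retrying" % RETRY_WAIT_SECONDS)
    # Assumption: the retry echoes the webhook's method; the page does not show this body.
    return {"token": data["token"], "method": data["method"], "didNotReceiveCode": True}

# Constructed sample, shaped like the follow-up webhook on this page.
FOLLOW_UP = {"data": {"method": "questions", "showRetry": True,
                      "token": "6218f985494a186f08983ec2",
                      "input": [{"identifier": "QMbuXxBKqnDvYC",
                                 "question": "What is the code sent to xxx-xxx-1234?"}]}}

if __name__ == "__main__":
    print(build_auth_step(FOLLOW_UP, answers={"QMbuXxBKqnDvYC": "44555"}))
    print(build_retry(FOLLOW_UP, requested_at=0, now=31))
```

Timestamps are passed in as seconds so the wait can be checked against whatever clock the integration already uses.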