/v1/auth/webauthn/update/finishAuthorization
Descope Project ID Project ID as bearer token.
In: header
Request Body
application/json
Finalize adding a new WebAuthn device
curl -X POST "https://api.descope.com/v1/auth/webauthn/update/finish" \ -H "Content-Type: application/json" \ -d '{}'{ "jwt": { "sessionJwt": "string", "refreshJwt": "string", "cookieDomain": "string", "cookiePath": "string", "cookieMaxAge": 0, "cookieExpiration": 0, "user": { "loginIds": [ "string" ], "userId": "string", "name": "string", "email": "string", "phone": "string", "verifiedEmail": true, "verifiedPhone": true, "roleNames": [ "string" ], "userTenants": [ { "tenantId": "string", "roleNames": [ "string" ], "tenantName": "string", "permissions": [ "string" ], "roleIds": [ "string" ] } ], "status": "string", "externalIds": [ "string" ], "picture": "string", "test": false, "customAttributes": { "attribute-key": "attribute-value" }, "createdTime": 0, "TOTP": false, "SAML": false, "OAuth": { "property1": false, "property2": false }, "webauthn": true, "password": true, "ssoAppIds": [ "string" ], "givenName": "string", "middleName": "string", "familyName": "string", "editable": true, "SCIM": true, "push": true, "permissions": [ "string" ], "OIDC": true, "consentExpiration": 0, "recoveryEmail": "string", "verifiedRecoveryEmail": true, "recoveryPhone": "string", "verifiedRecoveryPhone": true, "modifiedTime": 0, "roleIds": [ "string" ] }, "firstSeen": true, "idpResponse": { "samlResponse": "string", "samlGeneratedUser": "string", "samlGeneratedRoles": "string", "oidcResponse": "string", "oidcGeneratedUser": "string", "oidcGeneratedRoles": "string", "idpGroups": [ "string" ], "idpSAMLAttributes": false, "idpOIDCClaims": {} }, "sessionExpiration": 0, "externalToken": "string", "claims": {}, "tenantSSOID": "string", "trustedDeviceJwt": "string", "nextRefreshSeconds": 0, "cookieName": "string", "sessionCookieName": "string", "sessionCookieDomain": "string", "unsavedSSO": true }}export interface Response {/** * Populated only when the matching update/start set mfa and a valid refresh token was provided: * carries a session token whose amr merges the prior factors with the new passkey. * Empty for the default enrollment flow (backward compatible). */jwt?: JWTResponse}/** * NOTE: if you add a new field to this message, also add it to the OptionalJWTResponse message */export interface JWTResponse {sessionJwt?: stringrefreshJwt?: stringcookieDomain?: stringcookiePath?: stringcookieMaxAge?: numbercookieExpiration?: numberuser?: ResponseUserfirstSeen?: booleanidpResponse?: IDPResponsesessionExpiration?: numberexternalToken?: stringclaims?: {}tenantSSOID?: stringtrustedDeviceJwt?: stringnextRefreshSeconds?: numbercookieName?: stringsessionCookieName?: stringsessionCookieDomain?: stringunsavedSSO?: boolean}export interface ResponseUser {loginIds?: string[]userId?: stringname?: stringemail?: stringphone?: stringverifiedEmail?: booleanverifiedPhone?: booleanroleNames?: string[]userTenants?: UserTenants[]status?: stringexternalIds?: string[]picture?: stringtest?: boolean/** * Custom attributes as key-value pairs. Keys must be strings; values can be strings, numbers, booleans, or arrays. */customAttributes?: {[k: string]: string}createdTime?: numberTOTP?: booleanSAML?: booleanOAuth?: {[k: string]: boolean}webauthn?: booleanpassword?: booleanssoAppIds?: string[]givenName?: stringmiddleName?: stringfamilyName?: stringeditable?: booleanSCIM?: booleanpush?: booleanpermissions?: string[]OIDC?: booleanconsentExpiration?: numberrecoveryEmail?: stringverifiedRecoveryEmail?: booleanrecoveryPhone?: stringverifiedRecoveryPhone?: booleanmodifiedTime?: number/** * roleIds holds the IDs of this entry's roles. Order is NOT guaranteed to match * roleNames — do not pair them by index. Use roleIds or roleNames independently. */roleIds?: string[]}export interface UserTenants {tenantId?: stringroleNames?: string[]tenantName?: stringpermissions?: string[]/** * roleIds holds the IDs of this entry's roles. Order is NOT guaranteed to match * roleNames — do not pair them by index. Use roleIds or roleNames independently. */roleIds?: string[]}export interface IDPResponse {samlResponse?: stringsamlGeneratedUser?: stringsamlGeneratedRoles?: stringoidcResponse?: stringoidcGeneratedUser?: stringoidcGeneratedRoles?: stringidpGroups?: string[]idpSAMLAttributes?: booleanidpOIDCClaims?: {}}Exchange SSO Code POST
### Exchange SSO SAML code for Descope user session This endpoint will exchange the unique SAML code (also called a token) for the Descope session information needed for managing the end user session. Call this endpoint from your code flow that responds to the `url` that was returned by the [Sign-In](/api/oauth/sign-up-sign-in) endpoint. The unique code `<unique-code\>` is appended as a URL parameter: `code=<unique-code\>`, for example, `url = https://sso.mycompany.com/mywork.htm?code=<unique-code\>`. ### Next Steps 1. Extract the unique code `<unique-code\>` from the URL parameter. 2. Call this endpoint, passing the `<unique-code\>` as the request parameter The response object includes the session JWT (sessionJwt) and refresh JWT (refreshJwt) when this endpoint completes successfully. ### See Also - See [The User Object](/api/overview#the-user-object) for further details on how to identify users and their contact information such as email addresses and phone number.
Add WebAuthn Device POST
Add a new WebAuthn device to an existing user