The registration for a WebAuthn authenticator (also known as the "attestation ceremony") involves a challenge request and response. When you enroll a WebAuthn authenticator, use the following endpoints in this order:
A valid API version in the Accept header is required to access the API. Current version: 1.0.0
Accept: application/json; okta-version=1.0.0
Lists all of the specified user's WebAuthn enrollments
Success
Unauthorized
Not Acceptable (missing header)
[
  {
    "id": "fwfn3c3rryqStmyp20g4",
    "status": "ACTIVE",
    "type": "security_key",
    "key": "webauthn",
    "name": "YubiKey 5 FIPS",
    "credentialId": "5Ht9dBHqs8q2PbfWEuxqoDsnkO16KR_58GUju5MdSa__W_X7d5mQbkFSp273fxPX",
    "created": "2025-04-22T17:24:27.000Z",
    "lastUpdated": "2025-04-22T17:24:27.000Z",
    "_links": {
      "self": {
        "hints": {
          "allow": [
            "GET",
            "DELETE"
          ]
        }
      }
    }
  }
]
Creates a WebAuthn enrollment. Before using this endpoint, ensure that you've used the Start a WebAuthn enrollment endpoint first.
attestation (required) | string | JSON-serialized data that contains the authenticator data and attestation statement
clientData (required) | string | JSON-serialized data that's passed to the WebAuthn authenticator by the client to generate the WebAuthn credentials
clientExtensions | string | JSON-serialized data that contains authenticator extensions
transports | string | JSON-serialized data that contains the transport values that the authenticator is believed to support
Success
Bad Request
Unauthorized
Not Found
Not Acceptable (missing header)
{
  "clientData": "eyJjaGFsbGVuZ...",
  "attestation": "o2NmbXRoZmlk...",
  "clientExtensions": "{\"credProps\":{\"rk\":true}}",
  "transports": "[\"internal\"]"
}
{
  "id": "fwfn3c3rryqStmyp20g4",
  "status": "ACTIVE",
  "type": "security_key",
  "key": "webauthn",
  "name": "YubiKey 5 FIPS",
  "credentialId": "5Ht9dBHqs8q2PbfWEuxqoDsnkO16KR_58GUju5MdSa__W_X7d5mQbkFSp273fxPX",
  "created": "2025-04-22T17:24:27.000Z",
  "lastUpdated": "2025-04-22T17:24:27.000Z",
  "_links": {
    "self": {
      "hints": {
        "allow": [
          "GET",
          "DELETE"
        ]
      }
    }
  }
}
Starts the enrollment process for a WebAuthn authenticator. Complete the enrollment process by using the Create a WebAuthn enrollment endpoint.
Do not supply a request body for this operation. To start the enrollment process, send a POST request to the /idp/myaccount/webauthn/registration endpoint. The response contains the challenge and options for the WebAuthn credential creation.
Success
Bad Request
Unauthorized
Forbidden
Not Acceptable (missing header)
{
  "options": {
    "rp": {
      "name": "example"
    },
    "user": {
      "displayName": "display name",
      "name": "displayname@okta.com",
      "id": "00ule5sHbd9kmYHtw0g4"
    },
    "pubKeyCredParams": [
      {
        "type": "public-key",
        "alg": -7
      },
      {
        "type": "public-key",
        "alg": -257
      }
    ],
    "challenge": "vuSSUc8Nkd-8b2InKe3Y0SjEB4Nm6rdf",
    "attestation": "direct",
    "authenticatorSelection": {
      "userVerification": "discouraged",
      "requireResidentKey": false,
      "residentKey": "preferred"
    },
    "excludeCredentials": [
      {
        "type": "public-key",
        "id": "5Ht9dBHqs8q2PbfWEuxqoDsnkO16KR_58GUju5MdSa__W_X7d5mQbkFSp273fxPX"
      }
    ]
  },
  "expiresAt": "2025-04-30T18:04:33.000Z",
  "_links": {}
}
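The two enrollment calls described above, tied together on the client, as an added example that is not Okta's own code: it converts the Start response into the publicKey argument for navigator.credentials.create() and serializes the resulting credential into the Create request body. The helper names and the unpadded base64url encoding of binary fields (including user.id) are assumptions; the page shows only truncated samples.

```javascript
// Added example; helper names are hypothetical, not part of Okta's API.
// Assumption: binary fields travel as unpadded base64url strings.
const b64urlToBytes = (s) => {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64.padEnd(Math.ceil(b64.length / 4) * 4, "=");
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
};
const bytesToB64url = (buf) =>
  btoa(Array.from(new Uint8Array(buf), (b) => String.fromCharCode(b)).join(""))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Step 1 response -> publicKey argument for navigator.credentials.create().
function toCreationOptions(startResponse, now = new Date()) {
  if (new Date(startResponse.expiresAt) <= now) {
    throw new Error("registration challenge has expired; start again");
  }
  const o = startResponse.options;
  return {
    ...o,
    challenge: b64urlToBytes(o.challenge),
    // Assumption: user.id is base64url text like the other binary fields.
    user: { ...o.user, id: b64urlToBytes(o.user.id) },
    excludeCredentials: (o.excludeCredentials || []).map((c) => ({
      ...c,
      id: b64urlToBytes(c.id),
    })),
  };
}

// PublicKeyCredential -> request body for the Create endpoint (step 2).
function toEnrollmentBody(cred, issuedChallenge) {
  const { clientDataJSON, attestationObject } = cred.response;
  const clientData = JSON.parse(new TextDecoder().decode(clientDataJSON));
  // Refuse to submit a response that was produced for another ceremony.
  if (clientData.type !== "webauthn.create" ||
      clientData.challenge !== issuedChallenge) {
    throw new Error("clientData does not match the issued challenge");
  }
  const transports = cred.response.getTransports
    ? cred.response.getTransports() : [];
  return {
    clientData: bytesToB64url(clientDataJSON),
    attestation: bytesToB64url(attestationObject),
    clientExtensions: JSON.stringify(cred.getClientExtensionResults()),
    transports: JSON.stringify(transports),
  };
}
```

The excludeCredentials entries are passed through so the authenticator can refuse to register a key that is already enrolled for the user.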
Retrieves a WebAuthn enrollment
Success
Unauthorized
Not Found
Not Acceptable (missing header)
{
  "id": "fwfn3c3rryqStmyp20g4",
  "status": "ACTIVE",
  "type": "security_key",
  "key": "webauthn",
  "name": "YubiKey 5 FIPS",
  "credentialId": "5Ht9dBHqs8q2PbfWEuxqoDsnkO16KR_58GUju5MdSa__W_X7d5mQbkFSp273fxPX",
  "created": "2025-04-22T17:24:27.000Z",
  "lastUpdated": "2025-04-22T17:24:27.000Z",
  "_links": {
    "self": {
      "hints": {
        "allow": [
          "GET",
          "DELETE"
        ]
      }
    }
  }
}
Deletes a specified WebAuthn enrollment
No Content
Unauthorized
Not Found
Not Acceptable (missing header)
{
  "errorCode": "E0000015",
  "errorSummary": "You do not have permission to access the feature you are requesting",
  "errorLink": "E0000015",
  "errorId": "oaeStOuPPxDRUm3PJhf-tL7bQ",
  "errorCauses": []
}