Create Verification Flow for Native Apps
GET/auth/self-service/verification/api
This endpoint initiates a verification flow for API clients such as mobile devices, smart TVs, and so on.
To fetch an existing verification flow call /verification/flows?flow=<flow_id>
.
You MUST NOT use this endpoint in client-side (Single Page Apps, ReactJS, AngularJS) nor server-side (Java Server Pages, NodeJS, PHP, Golang, ...) browser applications. Using this endpoint in these applications will make you vulnerable to a variety of CSRF attacks.
This endpoint MUST ONLY be used in scenarios such as native mobile apps (React Native, Objective C, Swift, Java, ...).
Request
Responses
- 200
- 400
- default
verificationFlow
- application/json
- Schema
- Example (from schema)
Schema
- Array [
- ]
- Array [
- uiNodeInputAttributes
- TextAttributes represents the attributes of a text node.
- ImageAttributes represents the attributes of an image node.
- AnchorAttributes represents the attributes of an anchor node.
- ScriptAttributes represent script nodes which load javascript.
- Array [
- ]
- ]
Active, if set, contains the registration method that is being used. It is initially not set.
ExpiresAt is the time (UTC) when the request expires. If the user still wishes to verify the address, a new request has to be initiated.
ID represents the request's unique ID. When performing the verification flow, this
represents the id in the verify ui's query parameter: http://<selfservice.flows.verification.ui_url>?request=
type: string format: uuid
IssuedAt is the time (UTC) when the request occurred.
RequestURL is the initial URL that was requested. It can be used to forward information contained in the URL's path or query for example.
ReturnTo contains the requested return_to URL.
State represents the state of this request:
choose_method: ask the user to choose a method (e.g. verify your email) sent_email: the email has been sent to the user passed_challenge: the request was successful and the verification challenge was passed.
The flow type can either be api
or browser
.
ui objectrequired
Container represents a HTML Form. The container can work with both HTTP Form and JSON requests
Action should be used as the form action URL <form action="{{ .Action }}" method="post">
.
messages object[]
The message's context. Useful when customizing messages.
The message text. Written in american english.
Possible values: [info
, error
, success
]
The message type. info Info error Error success Success
Method is the form method (e.g. POST)
nodes object[]required
attributes objectrequired
Possible values: [email
, tel
, url
, current-password
, new-password
, one-time-code
]
The autocomplete attribute for the input. email InputAttributeAutocompleteEmail tel InputAttributeAutocompleteTel url InputAttributeAutocompleteUrl current-password InputAttributeAutocompleteCurrentPassword new-password InputAttributeAutocompleteNewPassword one-time-code InputAttributeAutocompleteOneTimeCode
Sets the input's disabled field to true or false.
label object
The message's context. Useful when customizing messages.
The message text. Written in american english.
Possible values: [info
, error
, success
]
The message type. info Info error Error success Success
The input's element name.
NodeType represents this node's types. It is a mirror of node.type
and
is primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is "input".
OnClick may contain javascript which should be executed on click. This is primarily used for WebAuthn.
The input's pattern.
Mark this input field as required.
Possible values: [text
, password
, number
, checkbox
, hidden
, email
, tel
, submit
, button
, datetime-local
, date
, url
]
The input's element type. text InputAttributeTypeText password InputAttributeTypePassword number InputAttributeTypeNumber checkbox InputAttributeTypeCheckbox hidden InputAttributeTypeHidden email InputAttributeTypeEmail tel InputAttributeTypeTel submit InputAttributeTypeSubmit button InputAttributeTypeButton datetime-local InputAttributeTypeDateTimeLocal date InputAttributeTypeDate url InputAttributeTypeURI
The input's value.
A unique identifier
NodeType represents this node's types. It is a mirror of node.type
and
is primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is "text".
text objectrequired
The message's context. Useful when customizing messages.
The message text. Written in american english.
Possible values: [info
, error
, success
]
The message type. info Info error Error success Success
Height of the image
A unique identifier
NodeType represents this node's types. It is a mirror of node.type
and
is primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is "img".
The image's source URL.
format: uri
Width of the image
The link's href (destination) URL.
format: uri
A unique identifier
NodeType represents this node's types. It is a mirror of node.type
and
is primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is "a".
title objectrequired
The message's context. Useful when customizing messages.
The message text. Written in american english.
Possible values: [info
, error
, success
]
The message type. info Info error Error success Success
The script async type
The script cross origin policy
A unique identifier
The script's integrity hash
NodeType represents this node's types. It is a mirror of node.type
and
is primarily used to allow compatibility with OpenAPI 3.0. In this struct it technically always is "script".
Nonce for CSP
A nonce you may want to use to improve your Content Security Policy. You do not have to use this value but if you want to improve your CSP policies you may use it. You can also choose to use your own nonce value!
The script referrer policy
The script source
The script MIME type
Possible values: [default
, password
, oidc
, profile
, link
, code
, totp
, lookup_secret
, webauthn
]
Group specifies which group (e.g. password authenticator) this node belongs to. default DefaultGroup password PasswordGroup oidc OpenIDConnectGroup profile ProfileGroup link LinkGroup code CodeGroup totp TOTPGroup lookup_secret LookupGroup webauthn WebAuthnGroup
messages object[]required
The message's context. Useful when customizing messages.
The message text. Written in american english.
Possible values: [info
, error
, success
]
The message type. info Info error Error success Success
meta objectrequired
This might include a label and other information that can optionally be used to render UIs.
label object
The message's context. Useful when customizing messages.
The message text. Written in american english.
Possible values: [info
, error
, success
]
The message type. info Info error Error success Success
Possible values: [text
, input
, img
, a
, script
]
The node's type text Text input Input img Image a Anchor script Script
{
"active": "string",
"expires_at": "2024-03-30T07:38:31.805Z",
"id": "3fa85f64-5717-4562-b3fc-2c963f66afa6",
"issued_at": "2024-03-30T07:38:31.805Z",
"request_url": "string",
"return_to": "string",
"type": "string",
"ui": {
"action": "string",
"messages": [
{
"context": {},
"id": 0,
"text": "string",
"type": "info"
}
],
"method": "string",
"nodes": [
{
"attributes": {},
"group": "default",
"messages": [
{
"context": {},
"id": 0,
"text": "string",
"type": "info"
}
],
"meta": {
"label": {
"context": {},
"id": 0,
"text": "string",
"type": "info"
}
},
"type": "text"
}
]
}
}
errorGeneric
- application/json
- Schema
- Example (from schema)
Schema
error objectrequired
The status code
Debug information
This field is often not exposed to protect against leaking sensitive information.
details object
Further error details
The error ID
Useful when trying to identify various errors in application logic.
Error message
The error's message.
A human-readable reason for the error
The request ID
The request ID is often exposed internally in order to trace errors across service architectures. This is often a UUID.
The status description
{
"error": {
"code": 404,
"debug": "SQL field \"foo\" is not a bool.",
"details": {},
"id": "string",
"message": "The resource could not be found",
"reason": "User with ID 1234 does not exist.",
"request": "d7ef54b1-ec15-46e6-bccb-524b82c035e6",
"status": "Not Found"
}
}
errorGeneric
- application/json
- Schema
- Example (from schema)
Schema
error objectrequired
The status code
Debug information
This field is often not exposed to protect against leaking sensitive information.
details object
Further error details
The error ID
Useful when trying to identify various errors in application logic.
Error message
The error's message.
A human-readable reason for the error
The request ID
The request ID is often exposed internally in order to trace errors across service architectures. This is often a UUID.
The status description
{
"error": {
"code": 404,
"debug": "SQL field \"foo\" is not a bool.",
"details": {},
"id": "string",
"message": "The resource could not be found",
"reason": "User with ID 1234 does not exist.",
"request": "d7ef54b1-ec15-46e6-bccb-524b82c035e6",
"status": "Not Found"
}
}