Profile Authentication Methods Management 🆕¶

Overview¶

Profile authentication methods endpoints allow users to manage their own authentication methods after successful reauthentication.

Note

These endpoints require an active API session and prior confirmation via the /profile/authentication/confirm endpoint which provides a temporary token.

Authentication Flow¶

  1. Reauthenticate to obtain a confirmation token

  2. Use the token in the X-Auth-Confirm header for all subsequent operations

  3. Token validity: 10 minutes, extended with each use

Data Structures¶

AuthenticationMethodModel¶

Attribute

Type

Required

Description

id

string

Read-only. Unique authentication method identifier.

type

string {password, oath, extauth, sshkey, certificate, duo, sms, apikey, fido2}

yes

Immutable. Authentication method type.

user_id

string

Read-only. Protected. Uniqueness is required in the combination with position.

description

string

Optional description of the authentication method.

position

number

Uniqueness is required in the combination with user_id.

external_sync

boolean

Read-only.

secret

string

If type == password | sshkey

Protected. Authentication secret.

needs_change

boolean

Read-only.

apikey_device_id

string

If type == apikey

Read-only; expensive to use.

apikey_device_platform

string

If type == apikey

Read-only; expensive to use.

apikey_device_pushid

string

If type == apikey

Read-only; expensive to use.

apikey_key

string

If type == apikey

Protected.

apikey_hint

string

If type == apikey

Read-only; expensive to use. First four and last four characters of the API key.

apikey_expires_at

datetime

If type == apikey

Expiration date and time for the API key. NULL means the key never expires.

certificate_subject

string

If type == certificate

Read-only.

duo_user_id

string

If type == duo

Read-only.

duo_username

string

If type == duo

Read-only.

oath_type

string {HOTP, TOTP}

If type == oath

Immutable. OATH type.

oath_initialized

boolean

If type == oath

Default value true.

oath_secret

string

Protected. Value-regexp: ^[A-Z2-7]+$

oath_tokenlen

number

If type == oath

Immutable. Value-range: [4, 16].

oath_timestep

number {30, 45, 60, 90, 120, 180, 300}

If type == oath & oath_type == TOTP

Immutable.

oath_counter

number

If type == oath

Read-only. Default value 0.

oath_timeshift

number

If type == oath & oath_type == TOTP

Read-only. Default value 0.

oath_reuse

boolean

If type == oath & oath_type == TOTP

Default value false. Allow reuse of TOTP tokens.

oath_url

string

If type == oath

Read-only. Protected.

oath_qrcode

string

If type == oath

Read-only. Protected.

sms_token

string

If type == sms

Protected.

sshkey_user_presence_required

boolean

If type == sshkey

Default value true.

sshkey_verification_required

boolean

If type == sshkey

Default value false.

sshkey_counter

number

If type == sshkey

sshkey_publickey

string

If type == sshkey

Read-only; expensive to use. User’s SSH public key.

fido2_credential_id

string

If type == fido2

Read-only. Base64url-encoded FIDO2 credential ID.

fido2_public_key

string

If type == fido2

Read-only. Base64url-encoded COSE public key.

fido2_counter

number

If type == fido2

Read-only. Signature counter for clone detection.

fido2_aaguid

string

If type == fido2

Read-only. Authenticator Attestation GUID.

fido2_transports

string

If type == fido2

Read-only. Supported transports: usb, nfc, ble, internal, hybrid, smart-card.

created_at

datetime

Read-only.

modified_at

datetime

Read-only.

removed

boolean

Read-only.

Retrieve Available Attributes of the Authentication MethodModel¶

Request

Method

GET

Path

/api/v2/objspec/authentication_method

To check allowed methods, available URL parameters and possible responses please refer to the API Overview section.


Step 1: Obtain Reauthentication Token¶

Before accessing authentication methods, you must reauthenticate and obtain a confirmation token.

Request

Method

POST

Path

/api/v2/profile/authentication/confirm

Body

ConfirmModel

Note

See section Authentication Confirmation 🆕 for the list of available ConfirmModel attributes.

POST /api/v2/profile/authentication/confirm

Example Request

curl -s -k -X POST \
  -H 'Authorization: <token>' \
  -H 'Content-Type: application/json' \
  -d '{
    "method": "password",
    "password": "your_password"
  }' \
  'https://10.33.2.133/api/v2/profile/authentication/confirm'

Response

{
    "userid": "5980780305148018689",
    "username": "admin",
    "user-domain": null,
    "methodid": "5980780305148018690",
    "user-privs": ["account-create", "account-read", ...],
    "result": "success",
    "token": "22d05aff6c39f9de8bdba340c31873edaaa6390dcff30137e91bbe0f23161179"
}

Note

Save the token value for use in subsequent requests. The token is valid for 10 minutes and its validity is extended with each use.

Step 2: List User’s Authentication Methods¶

Request

Method

GET

Path

/api/v2/profile/authentication

GET /api/v2/profile/authentication

Example Request

curl -s -k -X GET \
  -H 'Authorization: <token>' \
  -H 'X-Auth-Confirm: 22d05aff6c39f9de8bdba340c31873edaaa6390dcff30137e91bbe0f23161179' \
  'https://10.33.2.133/api/v2/profile/authentication'

Response

{
    "result": "success",
    "authentication_method": [
        {
            "id": "5980780305148018689",
            "type": "password",
            "position": 0,
            "external_sync": false,
            "needs_change": false,
            "created_at": "2026-06-03 12:11:03.338262-07",
            "modified_at": "2026-06-03 12:11:15.629025-07"
        },
        {
            "id": "5980780305148018691",
            "type": "apikey",
            "position": 2,
            "external_sync": false,
            "needs_change": false,
            "created_at": "2026-06-03 12:11:16.0128-07",
            "modified_at": "2026-06-03 12:11:16.0128-07"
        },
        {
            "id": "5980780305148018698",
            "type": "oath",
            "position": 3,
            "external_sync": false,
            "needs_change": false,
            "oath_type": "TOTP",
            "oath_initialized": true,
            "oath_tokenlen": 6,
            "oath_timestep": 30,
            "oath_counter": 0,
            "oath_timeshift": 0,
            "oath_reuse": true,
            "created_at": "2026-06-05 00:37:05.628794-07",
            "modified_at": "2026-06-05 00:37:05.629827-07"
        }
    ]
}

Create Authentication Method¶

Request

Method

POST

Path

/api/v2/profile/authentication

Body

AuthenticationMethodModel

POST /api/v2/profile/authentication

Example Request - Create OATH/TOTP

curl -s -k -X POST \
  -H 'Authorization: <token>' \
  -H 'X-Auth-Confirm: 22d05aff6c39f9de8bdba340c31873edaaa6390dcff30137e91bbe0f23161179' \
  -H 'Content-Type: application/json' \
  -d '{
    "type": "oath",
    "description": "Test OATH TOTP",
    "oath_type": "TOTP",
    "oath_initialized": true,
    "oath_tokenlen": 6,
    "oath_timestep": 30,
    "oath_reuse": false,
    "secret": "JBSWY3DPEHPK3PXP"
  }' \
  'https://10.33.2.133/api/v2/profile/authentication'

Response

{
    "result": "success",
    "authentication_method": {
        "id": "5980780305148018705",
        "oath_url": "otpauth://totp/admin?secret=XWHOXB6YRLMBPMWM5MG4FUHIHVX3SYSI&issuer=Fudo%20Security",
        "oath_qrcode": "Qk1kbyUy..."
    }
}

Note

When creating an OATH method, the response includes oath_url for authenticator apps and oath_qrcode as a base64-encoded QR code image.

Get Authentication Method by ID¶

Request

Method

GET

Path

/api/v2/profile/authentication/<id>

GET /api/v2/profile/authentication/<id>

Example Request

curl -s -k -X GET \
  -H 'Authorization: <token>' \
  -H 'X-Auth-Confirm: 22d05aff6c39f9de8bdba340c31873edaaa6390dcff30137e91bbe0f23161179' \
  'https://10.33.2.133/api/v2/profile/authentication/5980780305148018705'

Response

{
    "result": "success",
    "authentication_method": {
        "id": "5980780305148018705",
        "type": "oath",
        "description": "Test OATH TOTP",
        "position": 4,
        "external_sync": false,
        "needs_change": false,
        "oath_type": "TOTP",
        "oath_initialized": true,
        "oath_tokenlen": 6,
        "oath_timestep": 30,
        "oath_counter": 0,
        "oath_timeshift": 0,
        "oath_reuse": false,
        "created_at": "2026-06-08 06:32:32.470217-07",
        "modified_at": "2026-06-08 06:32:32.470217-07"
    }
}

Update Authentication Method¶

Request

Method

PATCH

Path

/api/v2/profile/authentication/<id>

Body

AuthenticationMethodModel

PATCH /api/v2/profile/authentication/<id>

Example Request

curl -s -k -X PATCH \
  -H 'Authorization: <token>' \
  -H 'X-Auth-Confirm: 22d05aff6c39f9de8bdba340c31873edaaa6390dcff30137e91bbe0f23161179' \
  -H 'Content-Type: application/json' \
  -d '{
    "description": "Updated OATH Description",
    "oath_reuse": true
  }' \
  'https://10.33.2.133/api/v2/profile/authentication/5980780305148018705'

Response

{
    "result": "success"
}

Delete Authentication Method¶

Request

Method

DELETE

Path

/api/v2/profile/authentication/<id>

DELETE /api/v2/profile/authentication/<id>

Example Request

curl -s -k -X DELETE \
  -H 'Authorization: <token>' \
  -H 'X-Auth-Confirm: 22d05aff6c39f9de8bdba340c31873edaaa6390dcff30137e91bbe0f23161179' \
  'https://10.33.2.133/api/v2/profile/authentication/5980780305148018705'

Response

{
    "result": "success"
}

Invalidate Reauthentication Token¶

Request

Method

POST

Path

/api/v2/profile/authentication/invalidate

Body

ConfirmModel

POST /api/v2/profile/authentication/invalidate

Example Request

curl -s -k -X POST \
  -H 'Authorization: <token>' \
  -H 'Content-Type: application/json' \
  -d '{
    "method": "password",
    "password": "user_password"
  }' \
  'https://10.33.2.133/api/v2/profile/authentication/invalidate'

Response

{
    "result": "success"
}