Authentication
IBM Digital Asset Haven provides several authentication flows to securely connect users and service accounts to the IBM Digital Asset Haven API. Each flow issues an authentication token that you can use to call protected endpoints.
Regular login flow
1. Create a user login challenge
   - Use POST /auth/login/init to create a login challenge.
   - The endpoint returns a challenge that the user must sign.
   - If the user has a credential of kind PasswordProtectedKey, a temporary one time code must be passed in the loginCode field.
     - Obtain this code first by calling POST /auth/login/code.
     - This step is required because the login challenge endpoint is unauthenticated and returns the user’s encrypted private key.
     - The one time code verifies the user’s identity before the encrypted private key is returned.
   - If the user has at least one discoverable WebAuthn credential, the username field is optional. This enables a usernameless login flow.
2. Get the user to sign the challenge
   - The method used to sign the login challenge depends on the user’s credential type:
     - Passkey (WebAuthn): The browser or operating system signs the challenge using WebAuthn APIs and the user’s device.
     - Personal access token: The private key associated with the PAT signs the challenge.
     - Service account token: The private key associated with the service account signs the challenge.
3. Complete the user login
   - Use POST /auth/login to complete the login. This final step validates the signed challenge and returns an authentication token for the user.
   - The credential type used during login is determined by the kind field inside the firstFactor and secondFactor objects. Supported credential kinds include:
     - Fido2: The challenge is signed using WebAuthn on the user’s device.
     - Key: The challenge is signed using the user’s private key.
     - PasswordProtectedKey: The challenge is signed using the decrypted private key that was returned during the login challenge step.
SSO login flow
1. Obtain the SSO URL
   - Use POST /auth/login/sso/init to initiate the SSO login.
   - The endpoint returns a URL for the user’s identity provider.
   - Redirect the user to this URL so they can authenticate.
   - Note: After authentication, the identity provider redirects the user to the redirect URL configured in your SSO provider's dashboard. The redirect URL includes a code and state, which are required for the next step.
     - Ensure that this redirect URL is also whitelisted in your IBM Digital Asset Haven settings.
     - See the SSO setup tutorial for details.
2. Log the user in
   - Use POST /auth/login/sso with the code and state returned during the redirect. The endpoint logs the user in and returns an authentication token.
Social login flow
Use POST /auth/login/social to obtain an authentication token for users logging in through supported social identity providers.
Delegated users login flow
A service account can log in an end user by calling POST /auth/login/delegated.
- IBM Digital Asset Haven does not handle end user authentication in this flow.
- Your application is responsible for validating the identity of the end user before requesting an authentication token on their behalf.