# Verify MFA using webauthn

Verify a multi-factor authentication (MFA) challenge using a WebAuthn device. This endpoint completes MFA verification using a previously registered WebAuthn device such as a biometric sensor or hardware security key.

Path parameters:

- deviceId: The unique identifier of the registered WebAuthn device to be verified.

Request body must include:

- webauthnToken: Token received from the server to initiate the WebAuthn challenge.
- options: WebAuthn authentication response returned by the browser.
  - id: The credential ID of the WebAuthn device.
  - response: Object containing attestation data from the authenticator.
    - clientDataJSON: Base64-encoded client data.
    - authenticatorData: Base64-encoded data from the authenticator.
    - signature: Signature from the authenticator, proving user presence.
    - userHandle: The user's handle used during registration.
  - recaptchaToken (optional): Token to verify human interaction, if reCAPTCHA is enabled.
  - invitationToken (optional): Used when completing an MFA challenge as part of an invitation flow.
- mfaToken: Token issued during the initial authentication step.
- rememberDevice (optional): If set to true, this device will be remembered for future logins to reduce MFA prompts.

Use this endpoint to complete WebAuthn-based MFA verification and confirm the user's identity using a secure hardware or platform authenticator.

Endpoint: POST /resources/auth/v1/user/mfa/webauthn/{deviceId}/verify

Version: 1.0

Security: bearer

## Path parameters:

- `deviceId` (string, required)

## Request fields (application/json):

- `webauthnToken` (string, required)
- `options` (object, required)
- `options.id` (string, required)
- `options.response` (object, required)
- `options.response.clientDataJSON` (string, required)
- `options.response.authenticatorData` (string, required)
- `options.response.signature` (string, required)
- `options.response.userHandle` (string, required)
- `options.recaptchaToken` (string)
- `options.invitationToken` (string)
- `mfaToken` (string, required)
- `rememberDevice` (boolean)

## Response 201 fields (application/json):

- `tokenType` (string)
- `otcToken` (string)
- `mfaRequired` (boolean, required)
- `mfaToken` (string)
- `resetPasswordToken` (string)
- `passwordExpiresIn` (number)
- `notificationPeriod` (number)
- `mfaEnrolled` (boolean)
- `mfaDevices` (object)
- `mfaDevices.webauthn` (array, required)
- `mfaDevices.webauthn.id` (string, required)
- `mfaDevices.webauthn.deviceType` (string, required)
  Enum: "Platform", "CrossPlatform"
- `mfaDevices.webauthn.name` (string, required)
- `mfaDevices.phones` (array, required)
- `mfaDevices.phones.phoneNumber` (string, required)
- `mfaDevices.authenticators` (array, required)
- `mfaDevices.emails` (array, required)
- `mfaDevices.emails.email` (string, required)
- `mfaStrategies` (object)
- `qrCode` (string)
- `recoveryCode` (string)
- `accessToken` (string, required)
- `refreshToken` (string, required)
- `expiresIn` (number, required)
- `expires` (string, required)
- `userId` (string)
- `userEmail` (string)
- `emailVerified` (boolean)
- `isBreachedPassword` (boolean)
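
A client-side sketch of assembling the request fields listed above from the assertion the browser returns from `navigator.credentials.get()`. This is an added example, not code from the API's vendor. It assumes the binary fields are sent as standard Base64 (the page says only "Base64-encoded"); the function names, the sample values and the `webauthn.get` type check are additions made here.

```javascript
// Added example: builds the request for
// POST /resources/auth/v1/user/mfa/webauthn/{deviceId}/verify.
// Assumptions: standard Base64 for binary fields; all names below are hypothetical.
const VERIFY_PATH = "/resources/auth/v1/user/mfa/webauthn/{deviceId}/verify";

function toBase64(buf) {
  // Accept an ArrayBuffer or any typed-array view over one.
  const bytes = buf instanceof ArrayBuffer
    ? new Uint8Array(buf)
    : new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);
  let s = "";
  for (const b of bytes) s += String.fromCharCode(b);
  return btoa(s);
}

function buildVerifyRequest({ deviceId, webauthnToken, mfaToken, credential, rememberDevice }) {
  for (const [k, v] of Object.entries({ deviceId, webauthnToken, mfaToken })) {
    if (typeof v !== "string" || v === "") throw new TypeError(`${k} is required`);
  }
  const r = credential && credential.response;
  if (!r || typeof credential.id !== "string") throw new TypeError("credential is incomplete");
  const binary = ["clientDataJSON", "authenticatorData", "signature", "userHandle"];
  for (const k of binary) {
    if (!r[k] || r[k].byteLength === 0) throw new TypeError(`response.${k} is required`);
  }
  // Forward only authentication assertions, never a registration response.
  const clientData = JSON.parse(new TextDecoder().decode(r.clientDataJSON));
  if (clientData.type !== "webauthn.get") {
    throw new Error(`unexpected clientData.type: ${clientData.type}`);
  }
  const response = Object.fromEntries(binary.map((k) => [k, toBase64(r[k])]));
  const body = { webauthnToken, mfaToken, options: { id: credential.id, response } };
  // rememberDevice is optional: send it only when the caller set it explicitly.
  if (typeof rememberDevice === "boolean") body.rememberDevice = rememberDevice;
  // Encode the path parameter so a crafted deviceId cannot change the route.
  const path = VERIFY_PATH.replace("{deviceId}", encodeURIComponent(deviceId));
  return { method: "POST", path, body };
}

// Constructed sample standing in for the result of navigator.credentials.get().
const sampleCredential = {
  id: "Y3JlZC0x",
  response: {
    clientDataJSON: new TextEncoder().encode('{"type":"webauthn.get","challenge":"c2FtcGxl"}'),
    authenticatorData: Uint8Array.of(0xff, 0xfe),
    signature: Uint8Array.of(1, 2, 3),
    userHandle: new TextEncoder().encode("user-1"),
  },
};
```

The returned `path` and `body` are sent with the bearer credential the endpoint requires; `options.recaptchaToken` and `options.invitationToken` can be added to `body.options` when those flows apply.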