WebAuthn

The MyAccount WebAuthn API provides operations to enroll, list, and delete WebAuthn enrollments.

Note: When the Passkeys Rebrand self-service Early Access feature is enabled, the FIDO2 (WebAuthn) authenticator is called Passkeys (FIDO2 WebAuthn), and there are new settings and updates to the authenticator page layout.

See Configure the FIDO2 (WebAuthn) authenticator and settings. To enable the Passkeys Rebrand feature, see Enable self-service features.

The registration for a WebAuthn authenticator (also known as the "attestation ceremony") involves a challenge request and response. When you enroll a WebAuthn authenticator, use the following endpoints in this order:

  1. Start a WebAuthn enrollment. This endpoint returns a random challenge and other data from the Relying Party (RP).
  2. Create a WebAuthn enrollment. This endpoint creates and sends a signed response that contains the challenge and other data from the RP.

API versioning

A valid API version in the Accept header is required to access the API. Current version: 1.0.0

Accept: application/json; okta-version=1.0.0

List all WebAuthn enrollments
OAuth 2.0 scopes:
  • okta.myAccount.webauthn.read

Lists all of the specified user's WebAuthn enrollments

Responses
200

Success

401

Unauthorized

406

Not Acceptable (missing header)

get/idp/myaccount/webauthn
Request samples 
Response samples 
application/json;okta-version=1.0.0
[
  • {
    • "id": "fwfn3c3rryqStmyp20g4",
    • "status": "ACTIVE",
    • "type": "security_key",
    • "key": "webauthn",
    • "name": "YubiKey 5 FIPS",
    • "credentialId": "5Ht9dBHqs8q2PbfWEuxqoDsnkO16KR_58GUju5MdSa__W_X7d5mQbkFSp273fxPX",
    • "created": "2025-04-22T17:24:27.000Z",
    • "lastUpdated": "2025-04-22T17:24:27.000Z",
    • "_links": {}
    }
]
Create a WebAuthn enrollment
OAuth 2.0 scopes: 
  • okta.myAccount.webauthn.manage
Creates a WebAuthn enrollment. Before using this endpoint, ensure that you've used the Start a WebAuthn enrollment endpoint first.


Request 
Request Body schema: application/json
attestation
required
string
JSON-serialized data that contains the authenticator data and attestation statement


 
clientData
required
string
JSON-serialized data that's passed to the WebAuthn authenticator by the client to generate the WebAuthn credentials


 
clientExtensions
string
JSON-serialized data that contains authenticator extensions


 
transports
string
JSON-serialized data that contains the transport values that the authenticator is believed to support


 
Responses 
200
Success


400
Bad Request


401
Unauthorized


404
Not Found


406
Not Acceptable (missing header)


post/idp/myaccount/webauthn
Request samples 
application/json
{
  • "clientData": "eyJjaGFsbGVuZ...",
  • "attestation": "o2NmbXRoZmlk...",
  • "clientExtensions": "{\"credProps\":{\"rk\":true}}",
  • "transports": "[\"internal\"]"
}
Response samples 
application/json;okta-version=1.0.0
{
  • "id": "fwfn3c3rryqStmyp20g4",
  • "status": "ACTIVE",
  • "type": "security_key",
  • "key": "webauthn",
  • "name": "YubiKey 5 FIPS",
  • "credentialId": "5Ht9dBHqs8q2PbfWEuxqoDsnkO16KR_58GUju5MdSa__W_X7d5mQbkFSp273fxPX",
  • "created": "2025-04-22T17:24:27.000Z",
  • "lastUpdated": "2025-04-22T17:24:27.000Z",
  • "_links": {}
}
Start a WebAuthn enrollment
OAuth 2.0 scopes: 
  • okta.myAccount.webauthn.manage
Starts the enrollment process for a WebAuthn authenticator. Complete the enrollment process by using the Create a WebAuthn enrollment endpoint.


Do not supply a request body for this operation. To start the enrollment process, send a POST request to the /idp/myaccount/webauthn/registration endpoint. The response contains the challenge and options for the WebAuthn credential creation.


Request 
Request Body schema: application/json
 Schema not provided 
Responses 
200
Success


400
Bad Request


401
Unauthorized


403
Forbidden


406
Not Acceptable (missing header)


post/idp/myaccount/webauthn/registration
Request samples 
Response samples 
application/json;okta-version=1.0.0
{
  • "options": {
    • "rp": {
      },
    • "user": {
      },
    • "pubKeyCredParams": [
      ],
    • "challenge": "vuSSUc8Nkd-8b2InKe3Y0SjEB4Nm6rdf",
    • "attestation": "direct",
    • "authenticatorSelection": {
      },
    • "u2fParams": {},
    • "excludeCredentials": [
      ]
    },
  • "expiresAt": "2025-04-30T18:04:33.000Z",
  • "_links": {}
}
Retrieve a WebAuthn enrollment
OAuth 2.0 scopes: 
  • okta.myAccount.webauthn.read
Retrieves a WebAuthn enrollment


Request 
path Parameters
id
required
string
Unique identifier of the WebAuthn enrollment


 
 Example:  fwfn3c3rryqStmyp20g4
Responses 
200
Success


401
Unauthorized


404
Not Found


406
Not Acceptable (missing header)


get/idp/myaccount/webauthn/{id}
Request samples 
Response samples 
application/json;okta-version=1.0.0
{
  • "id": "fwfn3c3rryqStmyp20g4",
  • "status": "ACTIVE",
  • "type": "security_key",
  • "key": "webauthn",
  • "name": "YubiKey 5 FIPS",
  • "credentialId": "5Ht9dBHqs8q2PbfWEuxqoDsnkO16KR_58GUju5MdSa__W_X7d5mQbkFSp273fxPX",
  • "created": "2025-04-22T17:24:27.000Z",
  • "lastUpdated": "2025-04-22T17:24:27.000Z",
  • "_links": {}
}
Delete a WebAuthn enrollment
OAuth 2.0 scopes: 
  • okta.myAccount.webauthn.manage
Deletes a specified WebAuthn enrollment


Request 
path Parameters
id
required
string
Unique identifier of the WebAuthn enrollment


 
 Example:  fwfn3c3rryqStmyp20g4
Responses 
204
No Content


401
Unauthorized


404
Not Found


406
Not Acceptable (missing header)


delete/idp/myaccount/webauthn/{id}
Request samples 
Response samples 
application/json;okta-version=1.0.0
{
  • "errorCode": "E0000015",
  • "errorSummary": "You do not have permission to access the feature you are requesting",
  • "errorLink": "E0000015",
  • "errorId": "oaeStOuPPxDRUm3PJhf-tL7bQ",
  • "errorCauses": [ ]
}