API Reference

Base URL & Headers

https://<your-auth-service-domain>

All requests and responses use JSON:

Content-Type: application/json

Method	Endpoint	Auth	Description
POST	`/auth/users/register`	JWT	Register new user
GET	`/auth/devices/challenge/:device_verifying_key`	JWT	Get challenge for device registration
POST	`/auth/devices/register`	JWT + Device Signature + Face (conditional)	Register device verifying key
POST	`/auth/face/register`	JWT	Register face biometric
GET	`/v2/keys`	JWT	List user's MPC keys
GET	`/v2/devices`	JWT	List user's devices
POST	`/v2/keyshare/backup`	JWT	Save encrypted keyshares
POST	`/v2/keyshare/recover`	JWT + Face	Fetch encrypted keyshares
GET	`/transactions`	JWT	Get transaction history
GET	`/v2/face`	JWT	Get face registration status

All endpoints require a valid Access Token (JWT) from the External Auth Service (e.g., Auth0).

Authorization: Bearer <access_token>

JWT Claims Used:

Device registration endpoints require an additional Device Signature to prove possession of the device's private key (stored in Secure Enclave).

Signature Generation:

Create JSON_MESSAGE containing request body fields
Canonicalize JSON_MESSAGE (sort keys alphabetically, remove whitespace) per RFC 8785
Compute: M = SHA256(bytes(canonicalize(JSON_MESSAGE)))
Generate: DER-encoded ECDSA signature of M (NIST P-256 curve)
Hex-encode the signature

Sensitive operations require JWT + Face Biometric verification:

FaceTec Fields:

Field	Type	Description
`face_scan`	string	Base64-encoded face scan from FaceTec SDK
`audit_trail_image`	string	Base64-encoded high-quality audit image
`low_quality_audit_trail_image`	string	Base64-encoded low-quality audit image
`user_agent`	string	Client's user-agent string (required by FaceTec)

All errors follow this format:

{
  "error": {
    "code": 100101,
    "message": "Human-readable error description"
  }
}