Start 2FA Verification

This page provides information on how to request 2FA verification through the HyperID API, including the required parameters, possible response codes, and example requests and responses.

To request user confirm specific 2FA method, services need to send a POST request to the HyperID API. This request requires the 'second-factor-auth-client' scope, which must be explicitly granted by the user during the authorization process.

Request

POST /2fa/verification/start HTTP/1.1
Host: api.hypersecureid.com
Content-Type: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImFjZDc0NGMzLWFlZDMtNGQxMC04ODZhLTcyYjU0MGY4NmU5YSJ9.eyJleHAiOjE2Nzk4MjM1NTEsImlhdCI6MTY3OTgxOTk1MSwiYXV0aF90aW1lIjoxNjc5ODE5OTUxLCJqdGkiOiIzM2ZlNzI2Ni1kOTY2LTRlNDgtYjU2My05ZWNhZTdjMWU3NTEiLCJpc3MiOiJodHRwczovL2xvZ2luLmh5cGVyc2VjdXJlaWQuY29tL2F1dGgvcmVhbG1zL0h5cGVySUQiLCJzdWIiOiI5MTZlMGUyZS00NmQ5LTRiODAtODg1Ni1kZDlmZWRiMWI3MjMiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJjbGllbnQtc2VydmljZS1hcHAiLCJzY29wZSI6Im9wZW5pZCBlbWFpbCBrZXlzIGF1dGgiLCJzaWQiOiI5OTVjNzhhZC1lYmFjLTRhYWYtOTdiZC0xOTQ4ZWMxOWQzNzEiLCJ3YWxsZXRfYWRkcmVzcyI6IjB44oCmIiwid2FsbGV0X2NoYWluX2lkIjoiMSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJlbWFpbCI6InVzZXJAZ21haWwuY29tIn0.h9GusuxDPX8VOjPoZHD73XzktOkVtd1qEz6C8AuBybw
Content-Length: 45

{
    "auth_type": 1,
    "locale": "en"
}

The authorization header should include a valid and non-expired bearer (access) token.

The request content should include auth_type (integer, required), which specifies the type of 2FA method to verify. This method should be configured by the users in their account. See Request Available 2FA Methods for details on how to retrieve the list of available 2FA types and a table with possible values.

Optionally, the application can include a preferred locale parameter with a string value containing a two-symbol locale (ISO 639-1 standard). HyperID will utilize the specified locale if supported; otherwise, the default 'en' locale will be used.

HyperID responds with a JSON object containing the information about 2FA confirmation request:

Response

HTTP/1.1 200 OK
Content-Type: application/json
{
    "result":          0,
    "auth_type":       3,
    "auth_code_point": "+1204****89",
    "action_id":       15,
    "expiration_dt":   1679315049,
    "next_check_dt":   1679314049,
}

The result field is an integer representation of request result, with various possible values as listed in the table below:

Result Value	Meaning
0	Success
-1	Failure because the service is temporarily unavailable
-2	Failure due to invalid request parameters
-3	Failure due to access denial
-4	Failure due to an expired token
-5	Failure due to an invalid token
-6	Failure due to unavailability of the specified 2FA type
-7	2FA check requested before the 'next_check_dt' timeframe

The auth_type should match the requested 2FA method.

The auth_code_point depends on auth_type and is designed to provide information to the user about where the code is sent:

• In the case of the HyperID Authenticator App, the 'auth_code_point' serves as a reference value, ensuring alignment between the client app's display and the value presented to the user within the HyperID Authenticator;

• It is empty for TOTP;

• it contains the masked phone number or email in the case of SMS or alternative email, respectively.

The action_id is a unique identifier that should be used to complete this specific 2FA verification check.

The expiration_dt indicates the datetime when the request will expire, and next_check_dt shows when it becomes available to make another 2FA verification request for this user.

Below, you can find examples of 'Start 2FA Verification' request implemented:

cURL

curl --location 'http://api.hypersecureid.com/2fa/verification/start' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImFjZDc0NGMzLWFlZDMtNGQxMC04ODZhLTcyYjU0MGY4NmU5YSJ9.eyJleHAiOjE2Nzk4MjM1NTEsImlhdCI6MTY3OTgxOTk1MSwiYXV0aF90aW1lIjoxNjc5ODE5OTUxLCJqdGkiOiIzM2ZlNzI2Ni1kOTY2LTRlNDgtYjU2My05ZWNhZTdjMWU3NTEiLCJpc3MiOiJodHRwczovL2xvZ2luLmh5cGVyc2VjdXJlaWQuY29tL2F1dGgvcmVhbG1zL0h5cGVySUQiLCJzdWIiOiI5MTZlMGUyZS00NmQ5LTRiODAtODg1Ni1kZDlmZWRiMWI3MjMiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJjbGllbnQtc2VydmljZS1hcHAiLCJzY29wZSI6Im9wZW5pZCBlbWFpbCBrZXlzIGF1dGgiLCJzaWQiOiI5OTVjNzhhZC1lYmFjLTRhYWYtOTdiZC0xOTQ4ZWMxOWQzNzEiLCJ3YWxsZXRfYWRkcmVzcyI6IjB44oCmIiwid2FsbGV0X2NoYWluX2lkIjoiMSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJlbWFpbCI6InVzZXJAZ21haWwuY29tIn0.h9GusuxDPX8VOjPoZHD73XzktOkVtd1qEz6C8AuBybw' \
--data '{
    "auth_type": 2,
    "locale": "en"
}'

JavaScript

var myHeaders = new Headers();
myHeaders.append("Content-Type", "application/json");
myHeaders.append("Authorization", "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImFjZDc0NGMzLWFlZDMtNGQxMC04ODZhLTcyYjU0MGY4NmU5YSJ9.eyJleHAiOjE2Nzk4MjM1NTEsImlhdCI6MTY3OTgxOTk1MSwiYXV0aF90aW1lIjoxNjc5ODE5OTUxLCJqdGkiOiIzM2ZlNzI2Ni1kOTY2LTRlNDgtYjU2My05ZWNhZTdjMWU3NTEiLCJpc3MiOiJodHRwczovL2xvZ2luLmh5cGVyc2VjdXJlaWQuY29tL2F1dGgvcmVhbG1zL0h5cGVySUQiLCJzdWIiOiI5MTZlMGUyZS00NmQ5LTRiODAtODg1Ni1kZDlmZWRiMWI3MjMiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJjbGllbnQtc2VydmljZS1hcHAiLCJzY29wZSI6Im9wZW5pZCBlbWFpbCBrZXlzIGF1dGgiLCJzaWQiOiI5OTVjNzhhZC1lYmFjLTRhYWYtOTdiZC0xOTQ4ZWMxOWQzNzEiLCJ3YWxsZXRfYWRkcmVzcyI6IjB44oCmIiwid2FsbGV0X2NoYWluX2lkIjoiMSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJlbWFpbCI6InVzZXJAZ21haWwuY29tIn0.h9GusuxDPX8VOjPoZHD73XzktOkVtd1qEz6C8AuBybw");

var raw = JSON.stringify({
  "auth_type": 2,
  "locale": "en"
});

var requestOptions = {
  method: 'POST',
  headers: myHeaders,
  body: raw,
  redirect: 'follow'
};

fetch("http://api.hypersecureid.com/2fa/verification/start", requestOptions)
  .then(response => response.text())
  .then(result => console.log(result))
  .catch(error => console.log('error', error));

NodeJS

const axios = require('axios');
let data = JSON.stringify({
  "auth_type": 2,
  "locale": "en"
});

let config = {
  method: 'post',
  maxBodyLength: Infinity,
  url: 'http://api.hypersecureid.com/2fa/verification/start',
  headers: { 
    'Content-Type': 'application/json', 
    'Authorization': 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImFjZDc0NGMzLWFlZDMtNGQxMC04ODZhLTcyYjU0MGY4NmU5YSJ9.eyJleHAiOjE2Nzk4MjM1NTEsImlhdCI6MTY3OTgxOTk1MSwiYXV0aF90aW1lIjoxNjc5ODE5OTUxLCJqdGkiOiIzM2ZlNzI2Ni1kOTY2LTRlNDgtYjU2My05ZWNhZTdjMWU3NTEiLCJpc3MiOiJodHRwczovL2xvZ2luLmh5cGVyc2VjdXJlaWQuY29tL2F1dGgvcmVhbG1zL0h5cGVySUQiLCJzdWIiOiI5MTZlMGUyZS00NmQ5LTRiODAtODg1Ni1kZDlmZWRiMWI3MjMiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJjbGllbnQtc2VydmljZS1hcHAiLCJzY29wZSI6Im9wZW5pZCBlbWFpbCBrZXlzIGF1dGgiLCJzaWQiOiI5OTVjNzhhZC1lYmFjLTRhYWYtOTdiZC0xOTQ4ZWMxOWQzNzEiLCJ3YWxsZXRfYWRkcmVzcyI6IjB44oCmIiwid2FsbGV0X2NoYWluX2lkIjoiMSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJlbWFpbCI6InVzZXJAZ21haWwuY29tIn0.h9GusuxDPX8VOjPoZHD73XzktOkVtd1qEz6C8AuBybw'
  },
  data : data
};

axios.request(config)
.then((response) => {
  console.log(JSON.stringify(response.data));
})
.catch((error) => {
  console.log(error);
});

Python

import http.client
import json

conn = http.client.HTTPSConnection("api.hypersecureid.com")
payload = json.dumps({
  "auth_type": 2,
  "locale": "en"
})
headers = {
  'Content-Type': 'application/json',
  'Authorization': 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImFjZDc0NGMzLWFlZDMtNGQxMC04ODZhLTcyYjU0MGY4NmU5YSJ9.eyJleHAiOjE2Nzk4MjM1NTEsImlhdCI6MTY3OTgxOTk1MSwiYXV0aF90aW1lIjoxNjc5ODE5OTUxLCJqdGkiOiIzM2ZlNzI2Ni1kOTY2LTRlNDgtYjU2My05ZWNhZTdjMWU3NTEiLCJpc3MiOiJodHRwczovL2xvZ2luLmh5cGVyc2VjdXJlaWQuY29tL2F1dGgvcmVhbG1zL0h5cGVySUQiLCJzdWIiOiI5MTZlMGUyZS00NmQ5LTRiODAtODg1Ni1kZDlmZWRiMWI3MjMiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJjbGllbnQtc2VydmljZS1hcHAiLCJzY29wZSI6Im9wZW5pZCBlbWFpbCBrZXlzIGF1dGgiLCJzaWQiOiI5OTVjNzhhZC1lYmFjLTRhYWYtOTdiZC0xOTQ4ZWMxOWQzNzEiLCJ3YWxsZXRfYWRkcmVzcyI6IjB44oCmIiwid2FsbGV0X2NoYWluX2lkIjoiMSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJlbWFpbCI6InVzZXJAZ21haWwuY29tIn0.h9GusuxDPX8VOjPoZHD73XzktOkVtd1qEz6C8AuBybw'
}
conn.request("POST", "/2fa/verification/start", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))

C#

var client = new HttpClient();
var request = new HttpRequestMessage(HttpMethod.Post, "http://api.hypersecureid.com/2fa/verification/start");
request.Headers.Add("Authorization", "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImFjZDc0NGMzLWFlZDMtNGQxMC04ODZhLTcyYjU0MGY4NmU5YSJ9.eyJleHAiOjE2Nzk4MjM1NTEsImlhdCI6MTY3OTgxOTk1MSwiYXV0aF90aW1lIjoxNjc5ODE5OTUxLCJqdGkiOiIzM2ZlNzI2Ni1kOTY2LTRlNDgtYjU2My05ZWNhZTdjMWU3NTEiLCJpc3MiOiJodHRwczovL2xvZ2luLmh5cGVyc2VjdXJlaWQuY29tL2F1dGgvcmVhbG1zL0h5cGVySUQiLCJzdWIiOiI5MTZlMGUyZS00NmQ5LTRiODAtODg1Ni1kZDlmZWRiMWI3MjMiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJjbGllbnQtc2VydmljZS1hcHAiLCJzY29wZSI6Im9wZW5pZCBlbWFpbCBrZXlzIGF1dGgiLCJzaWQiOiI5OTVjNzhhZC1lYmFjLTRhYWYtOTdiZC0xOTQ4ZWMxOWQzNzEiLCJ3YWxsZXRfYWRkcmVzcyI6IjB44oCmIiwid2FsbGV0X2NoYWluX2lkIjoiMSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJlbWFpbCI6InVzZXJAZ21haWwuY29tIn0.h9GusuxDPX8VOjPoZHD73XzktOkVtd1qEz6C8AuBybw");
var content = new StringContent("{\r\n    \"auth_type\": 2,\r\n    \"locale\": \"en\"\r\n}", null, "application/json");
request.Content = content;
var response = await client.SendAsync(request);
response.EnsureSuccessStatusCode();
Console.WriteLine(await response.Content.ReadAsStringAsync());