Enroll User Privacy Key

🚧 Enroll Privacy Key from Proof

If you've already done user onboarding and implemented Enroll Privacy Key from Proof, you can skip this section and request a Privacy Key based Authentication Transaction via the API.

Start User Privacy Key Enrollment

In the backend, call the Create New Operation Endpoint with the following request body (example):

{
    "AccountNumber": "AccountV2",
    "Codeword": "",
    "Name": "EnrollFido2Credential",
    "Timeout": 3600,
    "TransportType": 0,
    "Tag": "",
    "Payload": {
        "Fido2Policy": {
            "CustomData": {
                "PrivacyKey": true
            }
        }
    }
}

The AccountNumber must match the value you specified during Account Creation.

EnrollFido2Credential can be used more than once per account, i.e. a user can have more than one Privacy Key. Only the last enrollment is active and in use.

A TransportType of 0 returns an OperationId and a OneTimeSecret directly in the response.

Example Response Body:

{
    "OperationId": "113e838b-be34-53e9-c52f-3cc45b2d10ce",
    "OneTimeSecret": "TbAeETwpOxbvKy7rWCeOcQ=="
}

Display the User Interface

Save these values from the response and use them to display the capture experience to the user.

The other options for TransportType parameter usage are described in the Out-of-band Transactions section.

Wait for the Enrollment Completion

When the user completes Enrollment, the status changes from 0 - Pending to 1 - Accepted. Refer to the Transaction Statuses section for more details.

📘 Common Transaction Status

The Transaction Statuses are common between Enrollment and Authentication workflows.

The application has several ways to detect when the status changes.

  • Periodically poll the backend for a change in the Enrollment operation status using the Operation Status Endpoint.
  • An Embedded Integration can listen to Web Component Events (web integration) or to JavaScript bridge events (WebView integration). The UI emits a signal when the user has reached the "final page" of the experience.

Please refer to the Web Component Events section for more details.

The best strategy from both a UX transition reaction time and system load perspective is to:

  • Listen to events from the Web Component / WebView.
  • When the user reaches the final page, pass the signal from your application frontend to your application's backend.
  • Confirm the status change via the backend Operation Status Endpoint.
  • As a backup, poll status changes periodically using Operation Status Endpoint, for example, once every 5 seconds.

Both Out-of-band and Embedded integrations can use Webhook to receive notifications when the status changes. Note that webhooks are not queued and do not have guaranteed delivery, so the periodic polling backup strategy still applies.
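The request body above and the recommended waiting strategy, as an added Python example that is not part of this documentation or the vendor's SDK. It assumes a hypothetical `get_status` wrapper around the Operation Status Endpoint and a one-shot `final_page_reached` flag that your frontend sets when it relays the "final page" event; the operation id and clock in `simulate_enrollment` are constructed for an offline run. The frontend event only triggers an immediate backend check and is never accepted as proof of enrollment; the 5-second poll keeps running as the backup the page recommends.

```python
import time
from typing import Callable, Optional

STATUS_PENDING, STATUS_ACCEPTED = 0, 1   # Transaction Statuses named on this page

def build_enroll_privacy_key_request(account_number: str, timeout_s: int = 3600) -> dict:
    """Body for the Create New Operation Endpoint, as in the example on this page."""
    return {"AccountNumber": account_number,   # must equal the value used at Account Creation
            "Codeword": "", "Name": "EnrollFido2Credential", "Timeout": timeout_s,
            "TransportType": 0,                 # 0: OperationId and OneTimeSecret returned directly
            "Tag": "", "Payload": {"Fido2Policy": {"CustomData": {"PrivacyKey": True}}}}

def wait_for_enrollment(operation_id: str, get_status: Callable[[str], int],
                        final_page_reached: Callable[[], bool], poll_interval_s: float = 5.0,
                        timeout_s: float = 3600.0, now=time.monotonic, sleep=time.sleep) -> Optional[int]:
    """Return STATUS_ACCEPTED once the backend confirms it, or None on timeout.

    get_status is a hypothetical client call to the Operation Status Endpoint; final_page_reached
    is a one-shot flag set by your frontend relay. The flag only triggers an extra backend check;
    the periodic poll continues regardless, so a lost webhook or event is never fatal.
    """
    start = now()
    next_poll = start                            # first poll right away
    while now() - start < timeout_s:
        if final_page_reached() or now() >= next_poll:
            next_poll = now() + poll_interval_s
            if get_status(operation_id) == STATUS_ACCEPTED:
                return STATUS_ACCEPTED
        sleep(1.0)                               # wake often enough to notice the frontend flag
    return None

def simulate_enrollment(accept_at_s: float, signal_at_s: float, timeout_s: float = 3600.0) -> tuple:
    """Constructed offline run with a fake clock: backend accepts at accept_at_s, frontend signals
    at signal_at_s. Returns (result, times at which the status endpoint was called)."""
    clock, calls, fired = {"t": 0.0}, [], {"done": False}

    def get_status(_op_id: str) -> int:
        calls.append(clock["t"])
        return STATUS_ACCEPTED if clock["t"] >= accept_at_s else STATUS_PENDING

    def final_page_reached() -> bool:            # one-shot: fires once, the first time it is due
        if not fired["done"] and clock["t"] >= signal_at_s:
            fired["done"] = True
            return True
        return False

    def sleep(s: float) -> None:
        clock["t"] += s

    result = wait_for_enrollment("op-constructed", get_status, final_page_reached,
                                 timeout_s=timeout_s, now=lambda: clock["t"], sleep=sleep)
    return result, calls
```

In `simulate_enrollment(accept_at_s=7, signal_at_s=3)` the early frontend signal at 3 s causes a backend check that still reports Pending, and the enrollment is only reported Accepted by the regular poll at 8 s.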

Managing Multiple Privacy Keys

Each account supports enrolling up to two active Privacy Keys. This allows for greater flexibility in authentication while maintaining system integrity.

Enrollment

Accounts can have a maximum of two active Privacy Keys at a time. If an enrollment attempt would cause this limit to be exceeded, the attempt will be blocked, and an appropriate error message will be returned.

To enroll a second Privacy Key, follow the standard process using Proof, Selfie, or Device Enrollment. If one Privacy Key is already enrolled, the system will proceed to enroll the second.

📘 Note:

You can only have two Privacy Keys per account, even if the enrollment method is different.

🚧 Warning:

When a Selfie/Proof transaction is executed for the third time on the same account, the transaction completes successfully, but no PrivacyKey is generated. Instead, a pop-up message is displayed stating that the maximum number of credentials has been reached.

Authentication

During authentication, the system will first attempt to use the most recently enrolled Privacy Key. If that key is unavailable or does not result in a match, authentication will automatically fall back to the second enrolled Privacy Key, if available.

Privacy Key Management

You may delete Privacy Keys as needed. When a Privacy Key is deleted, the system will adjust automatically and use the remaining key for future authentication attempts.

This approach ensures consistent and predictable authentication behavior, even when managing multiple Privacy Keys.
