All notable changes to the Futurae Auth API will be documented in this file.

[1.36.0] - 2024-09-12
Added:
- Endpoint POST /srv/auth/v1/user/auth now returns mobile_auth_universal_link in the response for the following factors: approve, qr_code and mobile_auth.
- Endpoint POST /srv/auth/v1/user/enroll now returns activation_code_universal_link in the response.
- Endpoint GET /srv/auth/v1/service/pending_enrollments now returns activation_code_universal_link in the response.

[1.35.0] - 2024-08-20
Added:
- Endpoint POST /srv/auth/v1/binding_token now returns a 400 when the device IDs belong to different app installations.

[1.34.0] - 2024-07-08
Added:
- Endpoint POST /srv/auth/v1/user/preauth includes the enrolled_at unix timestamp field in the response.
- Endpoint GET /srv/auth/v1/users/{id} includes the enrolled_at unix timestamp field in the response.

[1.33.0] - 2024-05-17
Added:
- Endpoint GET /srv/auth/v1/users/{id} includes device integrity information in the response.
- Endpoint POST /srv/auth/v1/user/preauth includes device integrity information in the response.

[1.32.0] - 2024-04-05
Added:
- The enroll endpoint now accepts a boolean flag to allow Trusted Session Binding for the Account Recovery flow.
- Endpoint GET /srv/auth/v1/users/{id} returns a boolean flag indicating the state of the Account Recovery flow for each User Device.
- Endpoint POST /srv/auth/v1/user/devices/{id} accepts a boolean flag to set Account Recovery for a User Device.

[1.31.0] - 2024-03-29
Added:
- The enroll endpoint now accepts a boolean flag to allow Trusted Session Binding for the Enrollment flow.
- New endpoint to create a Trusted Session Binding token at service scope.

[1.30.0] - 2024-02-07
Added:
- The QR Code factor now supports the QR easy scan feature.

[1.29.0] - 2024-01-31
Added:
- Optional end-to-end encryption for transaction details / extra_info.
- Accept the new extra_info_format field in the body of the Auth requests that accept extra_info.
Changed:
- The extra_info field can now also be accepted as an encrypted string.
[1.28.0] - 2023-11-16
Changed:
- Expose enrollment_id at user and device enrollments.
- Accept enrollment_id in the body of the enroll_status endpoint.

[1.27.1] - 2023-10-04
Changed:
- Username or User ID are not required to abort authentication sessions with the usernameless_qr_code factor.

[1.27.0] - 2023-09-13
Added:
- Add multi-challenge auth response.

[1.26.0] - 2023-07-06
Added:
- Add $OTP placeholder support in the sms_text field.

[1.25.0] - 2023-05-15
Added:
- Add the usernameless_qr_code authentication factor.
- Changed the /auth/status endpoint so that user_id is not required if the session is from a usernameless_qr_code factor.

[1.24.0] - 2023-05-03
Added:
- Add user_id to the /auth/status endpoint response.

[1.23.0] - 2023-04-18
Added:
- Apply restrictions to a device's display name. The display name can be a string with spaces and with category L letters, numbers ([0-9]), or the characters `- + / . ( )`.

[1.22.0] - 2023-03-09
Added:
- Support "mobile_auth" on the transaction authentication endpoint.

[1.21.1] - 2023-03-08
Patched:
- Fix the 404 response to follow the error response format.

[1.21.0] - 2023-02-15
Added:
- New "user_presence_verification" value added: "ios_passcode_or_biometrics".

[1.20.0] - 2023-02-10
Added:
- New "sync" authentication factor.

[1.19.0] - 2023-01-19
Added:
- Add "sync" to the list of allowed factors.

[1.18.0] - 2023-01-16
Added:
- Added the optional "session_timeout" param in the /user/auth endpoints.

[1.17.0] - 2022-12-22
Added:
- Limit the maximum size of values provided for the extra_info attribute in /user/auth and /user/auth/transaction.
- New endpoint POST /srv/auth/v1/user/adaptive/init to initialize an adaptive session.
- New adaptive_session_token parameter in the /user/auth endpoint.

[1.16.0] - 2022-12-16
Added:
- New "trusted_phone_number" parameter in /user/enroll to enable automatic SMS device activation.

[1.15.0] - 2022-12-14
Added:
- New "mobile_auth" authentication factor.
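An added validator for the 1.23.0 display-name rule above (example code written here, not part of Futurae's API or SDKs): it accepts only Unicode category L letters, ASCII digits, the space character and `- + / . ( )`, and reports the first offending character so a 400 response can say exactly what was rejected. Rejecting an empty name is my assumption; the rule states no length limits.

```python
import unicodedata

# Characters other than letters, digits and spaces permitted by the 1.23.0 rule.
ALLOWED_PUNCTUATION = frozenset("-+/.()")
# "[0-9]" in the rule means ASCII digits only, so str.isdigit() (which also
# accepts e.g. Arabic-Indic digits) is deliberately not used.
ASCII_DIGITS = frozenset("0123456789")


def _is_allowed(ch: str) -> bool:
    """Return True if a single character is permitted in a display name."""
    if ch == " " or ch in ALLOWED_PUNCTUATION or ch in ASCII_DIGITS:
        return True
    # Unicode general category L* covers Lu, Ll, Lt, Lm and Lo, i.e. letters
    # of any script. Marks (M*), symbols (S*), emoji, tabs and non-breaking
    # spaces all fall outside it and are rejected; a decomposed accent
    # (letter + combining mark) is therefore rejected too, so callers that
    # want to accept it must NFC-normalise first (not part of the stated rule).
    return unicodedata.category(ch).startswith("L")


def first_rejected_char(name: str):
    """Return (index, char) of the first disallowed character, or None."""
    for index, ch in enumerate(name):
        if not _is_allowed(ch):
            return (index, ch)
    return None


def is_valid_display_name(name: str) -> bool:
    """True if the name satisfies the 1.23.0 rule (empty rejected: assumption)."""
    return bool(name) and first_rejected_char(name) is None


def rejection_message(name: str) -> str:
    """Build the explanation a 400 error body could carry for an invalid name."""
    hit = first_rejected_char(name)
    if hit is None:
        return "" if name else "display name must not be empty"
    index, ch = hit
    return f"display name contains disallowed character {ch!r} (U+{ord(ch):04X}) at position {index}"


if __name__ == "__main__":
    for candidate in ["Zoë (Work) iPhone 13", "pixel_7", "Büro-Telefon / 2. Etage"]:
        print(repr(candidate), "->", is_valid_display_name(candidate), rejection_message(candidate))
```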
[1.14.0] - 2022-11-24
Changed:
- Return 403 Forbidden and error code 40303 in /user/auth, /user/enroll and /user/sms_activation when no SMS sender name is set.

[1.13.0]
Changed:
- The "trusted_days" param in /user/auth: with this change, a value of 0 means that the token will be valid for the default number of days. Before the change, a value of 0 meant that the token never expires.

[1.12.0]
Added:
- Report the used biometrics in the auth status endpoint and callbacks when the result is allow (and the feature flag is enabled).

[1.11.0] - 2022-09-05
Deleted:
- Remove synchronous auth.

[1.10.0] - 2022-07-20
Added:
- Automatic account recovery information fields (migrated_from_device_id, migrated_to_device_id, migrated_at) in the Device resource.

[1.9.0] - 2022-05-20
Deleted:
- Authenticate with Zero-Touch (/user/auth with factor "soundproof").
- Soundproof capability and factor, as well as the relevant authentication statuses.

[1.8.0] - 2022-05-18
Added:
- New endpoint POST /srv/auth/v1/user/auth/status (without long polling) as successor to the long polling endpoint POST /srv/auth/v1/user/auth_status.
- Two authentication statuses `notification_sent` and `qr_code_ready` that may be returned by POST /srv/auth/v1/user/auth/status.
- activation_code response field in GET /srv/auth/v1/service/pending_enrollments.
- activation_code response field in POST /srv/auth/v1/user/enroll.
Deprecated:
- The endpoint POST /srv/auth/v1/user/auth_status has been deprecated. The new endpoint POST /srv/auth/v1/user/auth/status should be used instead.

[1.7.0] - 2021-09-01
Added:
- New passcode_type and device_id response fields in /user/auth with factor "passcode".

[1.6.1] - 2021-07-23
Changed:
- Return 400 Bad Request in /user/auth and /user/auth/transaction for offline QR Code with a hardware token device if the extra_info payload cannot be converted to ISO 8859-15.

[1.6.0] - 2021-05-28
Added:
- Add callback authentication using JWS signatures.
[1.5.0] - 2021-01-18
Added:
- Add support for authentication using FIDO2/WebAuthn.

[1.4.0] - 2020-11-23
Added:
- All activation and authentication QR codes are now also returned inline in data URI format, avoiding the need to use the public URL to retrieve the QR code.

[1.3.2] - 2020-08-21
Added:
- Perform One-Touch with all available devices at once by supplying "all" in the device_id param (sends a push notification to all enrolled compatible devices of the user).
- Return the device_id, if known, in /user/auth_status and in the status callback.

[1.3.1] - 2020-07-17
Changed:
- Introduce a specific response code (40011) when calling /user/auth for a factor for which the user's available (or specified via device_id) devices don't have the capability required to support the specified factor.

[1.3.0] - 2020-07-03
Added:
- Add support for TOTP and QR code hardware tokens supplied by Futurae. Introduce new endpoints and make the necessary, non-breaking adjustments to existing ones.

[1.2.0] - 2019-12-18
Added:
- One-Touch and offline QR code can now be invoked in a combined mode, with One-Touch being the primary and offline QR code serving as the fallback. See the offline_fallback input param in "Authenticate with One-Touch" and "Authenticate Transaction with One-Touch".
- New endpoint "Abort Authentication" (/user/auth/abort) allows the explicit cancellation of an ongoing authentication session.

[1.1.6] - 2019-12-16
Added:
- The "Query Authentication Options" (/user/preauth) response now also includes an optional user_status field, which will be present if the user status is locked_out, disabled, or bypass.

[1.1.5] - 2019-11-08
Changed:
- Increase the maximum validity of one-time codes generated via /user/one_time_code to 7 days ("valid_secs" param).

[1.1.4] - 2019-08-21
Added:
- Introduce Offline QR code authentication and transaction authentication; adjust the relevant endpoints (mainly /user/auth and /user/auth/transaction).
[1.1.3] - 2019-08-19
Changed:
- Adjust various enrollment related endpoints with the addition of the short activation code feature.

[1.1.2] - 2019-07-26
Added:
- mobile_auth_redirect_uri parameter in /user/auth and /user/auth/transaction, used for mobile only authentication.

[1.1.1] - 2019-01-30
Added:
- Include the device_id of the newly enrolled device in the enroll success callback.
- Allow the user status to be set to locked_out programmatically.

[1.1.0] - 2018-07-01
Added:
- Authentication using the "soundproof_jingle" factor.

[1.0.12] - 2018-03-23
Added:
- "extra_info" parameter for the "qr_code" factor in /user/auth.
- Transaction signing (/user/auth/transaction) can now also be performed using the "qr_code" factor.

[1.0.11] - 2018-03-02
Changed:
- "extra_info" parameter format in /user/auth and /user/auth/transaction.
- "activation_code_uri" format as returned by the /user/enroll response.

[1.0.10] - 2018-02-22
Changed:
- The "device_unreachable" status code in /user/auth_status is now a final state. SoundProof times out and another authentication attempt has to be tried (e.g., TOTP fallback).

[1.0.9] - 2018-02-16
Added:
- Added the mobile_auth_uri attribute in the "approve" and "qr_code" factors of /user/auth, used for performing single device (mobile only) authentication.
Removed:
- Removed the "mobile_auth" factor in /user/auth. Mobile only logins can now be performed via the mobile_auth_uri attribute (see above).

[1.0.8] - 2018-01-04
Added:
- Relaxed restrictions for the user username and display_name (no strict email format validation is performed).

[1.0.7] - 2017-10-30
Added:
- New dedicated /user/auth/transaction endpoint for performing transaction authentication/signing. Currently, it supports the "approve" factor.

[1.0.6] - 2017-09-13
Added:
- New /service/logo endpoints for uploading and retrieving a service-defined logo that will be displayed in the Futurae mobile app.
- Ability to specify a custom display name for the user (during new user enrollment and user modification), which is displayed in the Futurae mobile app.
Changed:
- In combination with the addition of a custom user display name, the user's username is no longer used as a display name.

[1.0.5] - 2017-07-13
Added:
- Introduced the "mobile_auth" factor and the related endpoints and documentation.
Changed:
- Return the device ID of the newly enrolled device when /user/enroll_status reports that enrollment was successful for a given activation_code.

[1.0.4] - 2017-06-15
Added:
- /service/pending_enrollments endpoint that gives the ability to retrieve pending enrollments in batch mode.

[1.0.3] - 2017-06-08
Added:
- Ability to change a user's username via the /users/{id} endpoint.
Changed:
- Only one user attribute at a time can be modified when invoking the /users/{id} endpoint.

[1.0.2] - 2017-05-21
Added:
- Implemented the "trusted_device_token" functionality. Also, the new param "trusted_days" in /user/auth defines for how many days the trusted device token will be valid.
- Implemented the "new_device_must_approve" feature when using SoundProof. See the /user/auth endpoint doc for details. Also see the newly introduced "onNewDeviceMustApprove" callback in the SoundProof JavaScript library.
- Added the ability for the customer web application to get notified about successful enrollments and status updates of authentication attempts via callback URLs.
- Added the "already_enrolled" result in /user/sms_activation if the endpoint is called on an already enrolled device.
- Added the /user/devices/{id} endpoint that can be used to modify a user device (currently it can be used to set a display name).

[1.0.1] - 2017-05-15
Added:
- Introduced the /server/api_version endpoint, which retrieves the Auth API version that the Futurae server runs.
Changed:
- Changed the semantics of the "disabled" user 2FA status.
When the user has no enrolled devices, 2FA is disabled and the authentication result (e.g., in the preauth or auth endpoint) will be "deny" (previously it would have been "allow").
- Changed the "enabled_bypass" user 2FA status to "bypass". When the user status is "bypass", the user is eligible to completely bypass secondary authentication regardless of whether they have enrolled devices (2FA enabled) or not (2FA disabled). In other words, when the status is "bypass", the authentication result (e.g., in the preauth or auth endpoint) will always be "allow" for this user.

[1.0.0]
- Initial Futurae Auth API release.