Passkey administration

This API provides endpoints for managing passkeys registered by users in your organization. You can list and delete passkeys for users in your own organization, allowing you to support user offboarding, security audits, and helpdesk support for lost or compromised devices.

The endpoints are available at https://api.feide.no/2/passkey/<org_id>

The <org_id> parameter in all endpoints is the numeric organization ID from the Feide Customer Portal.

List Passkeys for a User

List all passkeys registered by a specific user within an organization.

Endpoint: GET /2/passkey/<org_id>?eppn=<eppn>

Required scope: passkey.read

Parameters:

  • org_id (path, required): The organization’s numeric ID from the Customer Portal

  • eppn (query, required): The user’s eduPersonPrincipalName (e.g., user@example.no). The eppn’s realm must match the organization. Note: special characters in the URL must be URL-encoded (e.g., @ as %40).

Response:

[
  {
    "id": 1,
    "eppn": "user@example.no",
    "label": "Password Manager",
    "created_at": "2024-01-15T10:30:00+00:00",
    "last_used_at": "2024-03-10T14:22:33+00:00",
    "mfa_verified": true
  },
  {
    "id": 2,
    "eppn": "user@example.no",
    "label": "Hardware Key",
    "created_at": "2024-02-20T09:15:00+00:00",
    "last_used_at": null,
    "mfa_verified": false
  }
]

Example:

curl -H "Authorization: Bearer JWT_TOKEN" \
  "https://api.feide.no/2/passkey/1234567?eppn=user%40example.no"

List All Passkeys for your Organization

List all passkeys for all users in your organization.

Endpoint: GET /2/passkey/<org_id>

Required scope: passkey.read

Parameters:

  • org_id (path, required): The organization’s numeric ID from the Customer Portal

Response: Array of passkey objects (same format as user listing)

Example:

curl -H "Authorization: Bearer JWT_TOKEN" \
  "https://api.feide.no/2/passkey/1234567"

Delete All Passkeys for a User

Delete all passkeys registered by a specific user.

Endpoint: DELETE /2/passkey/<org_id>?eppn=<eppn>

Required scope: passkey.delete

Parameters:

  • org_id (path, required): The organization’s numeric ID from the Customer Portal

  • eppn (query, required): The user’s eduPersonPrincipalName. The eppn’s realm must match the organization.

Response:

{
  "deleted_count": 3,
  "eppn": "user@example.no"
}

Example:

curl -X DELETE -H "Authorization: Bearer JWT_TOKEN" \
  "https://api.feide.no/2/passkey/1234567?eppn=user%40example.no"

Delete a Single Passkey

Delete a specific passkey by its unique ID.

Endpoint: DELETE /2/passkey/<org_id>/<id>

Required scope: passkey.delete

Parameters:

  • org_id (path, required): The organization’s numeric ID from the Customer Portal

  • id (path, required): The unique identifier of the passkey to delete

Response:

{
  "deleted": true,
  "id": 6
}

Example:

curl -X DELETE -H "Authorization: Bearer JWT_TOKEN" \
  "https://api.feide.no/2/passkey/1234567/6"

Error Responses

The API returns standard HTTP status codes with a JSON body containing code and message:

  • 200 OK: Successful operation

  • 400 Bad Request: Invalid eppn format or missing required eppn parameter on DELETE

  • 401 Unauthorized: Missing or invalid JWT token

  • 403 Forbidden: Insufficient scopes or service not authorized for organization

  • 404 Not Found: Organization or passkey does not exist

  • 405 Method Not Allowed: Wrong HTTP method used

Example error responses:

{
  "code": 403,
  "message": "Token must have all required scopes"
}

{
  "code": 403,
  "message": "Client not authorized for organization"
}

{
  "code": 404,
  "message": "Passkey does not exist"
}

Use Cases

Common scenarios for using the Passkey Administration API:

User offboarding

When an employee leaves the organization, automatically remove all their passkeys so they can no longer use passkey-based login. Note that this does not revoke access through other login methods.

# Delete all passkeys for departing user
curl -X DELETE -H "Authorization: Bearer JWT_TOKEN" \
  "https://api.feide.no/2/passkey/1234567?eppn=former.employee%40example.no"

Security audit

Generate reports of passkey usage across your organization.

# List all passkeys in organization
curl -H "Authorization: Bearer JWT_TOKEN" \
  "https://api.feide.no/2/passkey/1234567"
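
The following Python example is added here and is not Feide's own code. It turns the array returned by the organization listing into a per-user report of never-used and stale passkeys. The function name audit, the 180-day staleness threshold and the third sample record are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the response format shown on this page.
SAMPLE = """[
  {"id": 1, "eppn": "user@example.no", "label": "Password Manager",
   "created_at": "2024-01-15T10:30:00+00:00",
   "last_used_at": "2024-03-10T14:22:33+00:00", "mfa_verified": true},
  {"id": 2, "eppn": "user@example.no", "label": "Hardware Key",
   "created_at": "2024-02-20T09:15:00+00:00",
   "last_used_at": null, "mfa_verified": false},
  {"id": 3, "eppn": "other@example.no", "label": "Laptop",
   "created_at": "2023-05-01T08:00:00+00:00",
   "last_used_at": "2023-06-01T08:00:00+00:00", "mfa_verified": true}
]"""


def audit(passkeys, now, stale_after_days=180):
    """Group passkeys per eppn and flag never-used and stale ones.

    stale_after_days is a local policy choice (assumption), not an API value.
    now must be timezone-aware, because the API timestamps carry an offset.
    """
    cutoff = now - timedelta(days=stale_after_days)
    report = {}
    for pk in passkeys:
        user = report.setdefault(
            pk["eppn"],
            {"total": 0, "never_used": [], "stale": [], "not_mfa_verified": []},
        )
        user["total"] += 1
        if pk["last_used_at"] is None:
            # Registered but never used to log in.
            user["never_used"].append(pk["id"])
        elif datetime.fromisoformat(pk["last_used_at"]) < cutoff:
            user["stale"].append(pk["id"])
        if not pk["mfa_verified"]:
            user["not_mfa_verified"].append(pk["id"])
    return report


if __name__ == "__main__":
    now = datetime(2024, 4, 1, tzinfo=timezone.utc)  # fixed for a reproducible run
    for eppn, row in sorted(audit(json.loads(SAMPLE), now).items()):
        print(eppn, row)
```

The ids in the report can be passed to the single-passkey DELETE endpoint after review.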

Helpdesk support

Assist users who need to remove a lost or compromised device.

# List user's passkeys to find the one to remove
curl -H "Authorization: Bearer JWT_TOKEN" \
  "https://api.feide.no/2/passkey/1234567?eppn=user%40example.no"

# Delete the specific passkey
curl -X DELETE -H "Authorization: Bearer JWT_TOKEN" \
  "https://api.feide.no/2/passkey/1234567/6"

For details on how to gain access to these endpoints, see Feide login with Passkeys.