Skip to content

Read login challenge metadata.

GET
/auth/login-challenge
Code sample: Shell / cURL
curl --request GET \
--url 'https://auth.example.com/auth/login-challenge?challenge_id=example'

Returns client display metadata, OIDC prompt metadata, session mode, handoff methods, and web-origin policy for a login or re-auth challenge.

challenge_id
required
string

Challenge id returned by the authorization flow.

Login challenge metadata for Login UI rendering.

Media type application/json
object
challenge_id
required
string
client
required
object
client_id
required
string
client_name
required
string
logo_uri
string format: uri
client_uri
string format: uri
policy_uri
string format: uri
tos_uri
string format: uri
scope
string
login_hint
string
oidc
object
prompt
string
max_age
integer
acr_values
Array<string>
nonce_present
boolean
claims_present
boolean
session_mode
required
string
Allowed values: managed_browser_session cookie_session token_session
handoff_methods
required
Array<string>
Allowed values: cookie_session_finalize dpop_token_verify
web_origin_registry
required
object
origins
required
Array<object>
object
origin
required
string format: uri
client_ids
required
Array<string>
cors
required
object
allowed
boolean
csp
required
object
frame_ancestors
Array<string>
handoff_allowed
required
boolean
iframe_allowed
required
boolean
environment
string
Example
{
"challenge_id": "chal_123",
"client": {
"client_id": "client_123",
"client_name": "Example App",
"logo_uri": "https://app.example.com/logo.png",
"client_uri": "https://app.example.com/",
"policy_uri": "https://app.example.com/privacy",
"tos_uri": "https://app.example.com/terms"
},
"scope": "openid profile email",
"login_hint": "[email protected]",
"oidc": {
"prompt": "login",
"max_age": 3600,
"acr_values": [
"urn:mace:incommon:iap:bronze"
],
"nonce_present": true,
"claims_present": false
},
"session_mode": "managed_browser_session",
"handoff_methods": [
"cookie_session_finalize"
],
"web_origin_registry": {
"origins": [
{
"origin": "https://app.example.com",
"client_ids": [
"client_123"
],
"cors": {
"allowed": true
},
"csp": {
"frame_ancestors": [
"https://app.example.com"
]
},
"handoff_allowed": true,
"iframe_allowed": false,
"environment": "production"
}
]
}
}

Error response.

Media type application/json
object
error
string
error_description
string
message
string
webauthn_signal

Optional browser-side WebAuthn Signal API hint. When unknown_credential is true, clients that just received a WebAuthn credential assertion may call PublicKeyCredential.signalUnknownCredential() for that credential ID.

object
unknown_credential
boolean
key
additional properties
Example generated
{
"error": "example",
"error_description": "example",
"message": "example",
"webauthn_signal": {
"unknown_credential": true
}
}

Error response.

Media type application/json
object
error
string
error_description
string
message
string
webauthn_signal

Optional browser-side WebAuthn Signal API hint. When unknown_credential is true, clients that just received a WebAuthn credential assertion may call PublicKeyCredential.signalUnknownCredential() for that credential ID.

object
unknown_credential
boolean
key
additional properties
Example generated
{
"error": "example",
"error_description": "example",
"message": "example",
"webauthn_signal": {
"unknown_credential": true
}
}

Error response.

Media type application/json
object
error
string
error_description
string
message
string
webauthn_signal

Optional browser-side WebAuthn Signal API hint. When unknown_credential is true, clients that just received a WebAuthn credential assertion may call PublicKeyCredential.signalUnknownCredential() for that credential ID.

object
unknown_credential
boolean
key
additional properties
Example generated
{
"error": "example",
"error_description": "example",
"message": "example",
"webauthn_signal": {
"unknown_credential": true
}
}