Manage login identifiers (email, phone, username) attached to a user, including create, update, delete, and list operations across the project.
openapi: 3.0.1
info:
title: Corbado Backend API
description: >-
The Corbado Backend API is a server-to-server REST API for the Corbado
passkey-first authentication platform. It manages users, login identifiers,
sessions, passkeys (WebAuthn credentials), passkey events, Connect tokens,
and project data exports. Requests authenticate with HTTP Basic auth using
the project ID as username and the API secret as password (both obtained
from the Corbado Developer Panel).
termsOfService: https://www.corbado.com/legal/terms
contact:
name: Corbado Support
url: https://docs.corbado.com
email: support@corbado.com
version: 2.0.0
servers:
- url: https://backendapi.corbado.io/v2
description: Corbado Backend API v2
security:
- basicAuth: []
tags:
- name: Users
description: Create and manage end users and their social logins and credentials.
- name: Identifiers
description: Manage login identifiers (email, phone, username) attached to a user.
- name: Sessions
description: List and revoke authenticated sessions.
- name: Passkeys
description: WebAuthn passkey registration and login ceremonies and verification.
- name: PasskeyEvents
description: Record and query passkey lifecycle events for a user.
- name: ConnectTokens
description: Short-lived tokens authorizing Corbado Connect frontend flows.
- name: Exports
description: Project data exports and download links.
paths:
/users:
post:
operationId: userCreate
tags:
- Users
summary: Create a new user
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/UserCreateReq'
responses:
'200':
description: The created user.
content:
application/json:
schema:
$ref: '#/components/schemas/User'
'400':
$ref: '#/components/responses/ErrorRsp'
'401':
$ref: '#/components/responses/ErrorRsp'
get:
operationId: userList
tags:
- Users
summary: List users
parameters:
- $ref: '#/components/parameters/Sort'
- $ref: '#/components/parameters/Filter'
- $ref: '#/components/parameters/Page'
- $ref: '#/components/parameters/PageSize'
responses:
'200':
description: A paged list of users.
content:
application/json:
schema:
$ref: '#/components/schemas/UserList'
'401':
$ref: '#/components/responses/ErrorRsp'
/users/{userID}:
parameters:
- $ref: '#/components/parameters/UserID'
get:
operationId: userGet
tags:
- Users
summary: Retrieve a user
responses:
'200':
description: The requested user.
content:
application/json:
schema:
$ref: '#/components/schemas/User'
'404':
$ref: '#/components/responses/ErrorRsp'
patch:
operationId: userUpdate
tags:
- Users
summary: Update a user
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/UserUpdateReq'
responses:
'200':
description: The updated user.
content:
application/json:
schema:
$ref: '#/components/schemas/User'
'404':
$ref: '#/components/responses/ErrorRsp'
delete:
operationId: userDelete
tags:
- Users
summary: Delete a user
responses:
'200':
description: The user was deleted.
content:
application/json:
schema:
$ref: '#/components/schemas/GenericRsp'
'404':
$ref: '#/components/responses/ErrorRsp'
/users/{userID}/credentials:
parameters:
- $ref: '#/components/parameters/UserID'
get:
operationId: userCredentialList
tags:
- Users
summary: List passkeys for user
responses:
'200':
description: The user's passkey credentials.
content:
application/json:
schema:
$ref: '#/components/schemas/CredentialList'
'404':
$ref: '#/components/responses/ErrorRsp'
/users/{userID}/credentials/{credentialID}:
parameters:
- $ref: '#/components/parameters/UserID'
- name: credentialID
in: path
required: true
schema:
type: string
delete:
operationId: userCredentialDelete
tags:
- Users
summary: Delete passkey
responses:
'200':
description: The passkey credential was deleted.
content:
application/json:
schema:
$ref: '#/components/schemas/GenericRsp'
'404':
$ref: '#/components/responses/ErrorRsp'
/users/{userID}/identifiers:
parameters:
- $ref: '#/components/parameters/UserID'
post:
operationId: identifierCreate
tags:
- Identifiers
summary: Create login identifier
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/IdentifierCreateReq'
responses:
'200':
description: The created login identifier.
content:
application/json:
schema:
$ref: '#/components/schemas/Identifier'
'400':
$ref: '#/components/responses/ErrorRsp'
/users/{userID}/identifiers/{identifierID}:
parameters:
- $ref: '#/components/parameters/UserID'
- name: identifierID
in: path
required: true
schema:
type: string
patch:
operationId: identifierUpdate
tags:
- Identifiers
summary: Update identifier
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/IdentifierUpdateReq'
responses:
'200':
description: The updated identifier.
content:
application/json:
schema:
$ref: '#/components/schemas/Identifier'
'404':
$ref: '#/components/responses/ErrorRsp'
delete:
operationId: identifierDelete
tags:
- Identifiers
summary: Delete identifier
responses:
'200':
description: The identifier was deleted.
content:
application/json:
schema:
$ref: '#/components/schemas/GenericRsp'
'404':
$ref: '#/components/responses/ErrorRsp'
/identifiers:
get:
operationId: identifierList
tags:
- Identifiers
summary: List all login identifiers
parameters:
- $ref: '#/components/parameters/Sort'
- $ref: '#/components/parameters/Filter'
- $ref: '#/components/parameters/Page'
- $ref: '#/components/parameters/PageSize'
responses:
'200':
description: A paged list of login identifiers.
content:
application/json:
schema:
$ref: '#/components/schemas/IdentifierList'
'401':
$ref: '#/components/responses/ErrorRsp'
/sessions:
get:
operationId: sessionList
tags:
- Sessions
summary: List all sessions
parameters:
- $ref: '#/components/parameters/Sort'
- $ref: '#/components/parameters/Filter'
- $ref: '#/components/parameters/Page'
- $ref: '#/components/parameters/PageSize'
responses:
'200':
description: A paged list of sessions.
content:
application/json:
schema:
$ref: '#/components/schemas/SessionList'
'401':
$ref: '#/components/responses/ErrorRsp'
/sessions/{sessionID}/revoke:
parameters:
- name: sessionID
in: path
required: true
schema:
type: string
post:
operationId: sessionRevoke
tags:
- Sessions
summary: Revoke a session
responses:
'200':
description: The session was revoked.
content:
application/json:
schema:
$ref: '#/components/schemas/GenericRsp'
'404':
$ref: '#/components/responses/ErrorRsp'
/passkey/append/start:
post:
operationId: passkeyAppendStart
tags:
- Passkeys
summary: Start creating passkey
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/PasskeyAppendStartReq'
responses:
'200':
description: WebAuthn credential creation options.
content:
application/json:
schema:
$ref: '#/components/schemas/PasskeyStartRsp'
'400':
$ref: '#/components/responses/ErrorRsp'
/passkey/append/finish:
post:
operationId: passkeyAppendFinish
tags:
- Passkeys
summary: Finish creating passkey
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/PasskeyFinishReq'
responses:
'200':
description: The newly registered passkey.
content:
application/json:
schema:
$ref: '#/components/schemas/PasskeyData'
'400':
$ref: '#/components/responses/ErrorRsp'
/passkey/login/start:
post:
operationId: passkeyLoginStart
tags:
- Passkeys
summary: Start passkey login
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/PasskeyLoginStartReq'
responses:
'200':
description: WebAuthn credential request options.
content:
application/json:
schema:
$ref: '#/components/schemas/PasskeyStartRsp'
'400':
$ref: '#/components/responses/ErrorRsp'
/passkey/login/finish:
post:
operationId: passkeyLoginFinish
tags:
- Passkeys
summary: Finish passkey login
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/PasskeyFinishReq'
responses:
'200':
description: The authenticated passkey and user.
content:
application/json:
schema:
$ref: '#/components/schemas/PasskeyLoginFinishRsp'
'400':
$ref: '#/components/responses/ErrorRsp'
/passkey/mediation/start:
post:
operationId: passkeyMediationStart
tags:
- Passkeys
summary: Start passkey login (Conditional UI)
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/PasskeyLoginStartReq'
responses:
'200':
description: WebAuthn credential request options for conditional UI.
content:
application/json:
schema:
$ref: '#/components/schemas/PasskeyStartRsp'
'400':
$ref: '#/components/responses/ErrorRsp'
/passkey/mediation/finish:
post:
operationId: passkeyMediationFinish
tags:
- Passkeys
summary: Finish passkey login (Conditional UI)
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/PasskeyFinishReq'
responses:
'200':
description: The authenticated passkey and user.
content:
application/json:
schema:
$ref: '#/components/schemas/PasskeyLoginFinishRsp'
'400':
$ref: '#/components/responses/ErrorRsp'
/passkey/verifySignedData:
post:
operationId: passkeyVerifySignedData
tags:
- Passkeys
summary: Verify signed passkey data
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/PasskeyVerifySignedDataReq'
responses:
'200':
description: The verification result.
content:
application/json:
schema:
$ref: '#/components/schemas/PasskeyVerifySignedDataRsp'
'400':
$ref: '#/components/responses/ErrorRsp'
/users/{userID}/passkeyEvents:
parameters:
- $ref: '#/components/parameters/UserID'
post:
operationId: passkeyEventCreate
tags:
- PasskeyEvents
summary: Create passkey event
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/PasskeyEventCreateReq'
responses:
'200':
description: The created passkey event.
content:
application/json:
schema:
$ref: '#/components/schemas/PasskeyEvent'
'400':
$ref: '#/components/responses/ErrorRsp'
get:
operationId: passkeyEventList
tags:
- PasskeyEvents
summary: List passkey events
responses:
'200':
description: A list of passkey events for the user.
content:
application/json:
schema:
$ref: '#/components/schemas/PasskeyEventList'
'404':
$ref: '#/components/responses/ErrorRsp'
/users/{userID}/passkeyEvents/{passkeyEventID}:
parameters:
- $ref: '#/components/parameters/UserID'
- name: passkeyEventID
in: path
required: true
schema:
type: string
delete:
operationId: passkeyEventDelete
tags:
- PasskeyEvents
summary: Delete passkey event
responses:
'200':
description: The passkey event was deleted.
content:
application/json:
schema:
$ref: '#/components/schemas/GenericRsp'
'404':
$ref: '#/components/responses/ErrorRsp'
/connectTokens:
post:
operationId: connectTokenCreate
tags:
- ConnectTokens
summary: Create ConnectToken
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ConnectTokenCreateReq'
responses:
'200':
description: The created Connect token, including its secret.
content:
application/json:
schema:
$ref: '#/components/schemas/ConnectToken'
'400':
$ref: '#/components/responses/ErrorRsp'
get:
operationId: connectTokenList
tags:
- ConnectTokens
summary: List ConnectTokens
parameters:
- $ref: '#/components/parameters/Sort'
- $ref: '#/components/parameters/Filter'
- $ref: '#/components/parameters/Page'
- $ref: '#/components/parameters/PageSize'
responses:
'200':
description: A paged list of Connect tokens.
content:
application/json:
schema:
$ref: '#/components/schemas/ConnectTokenList'
'401':
$ref: '#/components/responses/ErrorRsp'
/connectTokens/{connectTokenID}:
parameters:
- name: connectTokenID
in: path
required: true
schema:
type: string
patch:
operationId: connectTokenUpdate
tags:
- ConnectTokens
summary: Update ConnectToken
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ConnectTokenUpdateReq'
responses:
'200':
description: The updated Connect token.
content:
application/json:
schema:
$ref: '#/components/schemas/ConnectToken'
'404':
$ref: '#/components/responses/ErrorRsp'
delete:
operationId: connectTokenDelete
tags:
- ConnectTokens
summary: Delete ConnectToken
responses:
'200':
description: The Connect token was deleted.
content:
application/json:
schema:
$ref: '#/components/schemas/GenericRsp'
'404':
$ref: '#/components/responses/ErrorRsp'
/exports/{exportType}:
parameters:
- name: exportType
in: path
required: true
schema:
type: string
enum:
- users
- passkeyEvents
get:
operationId: exportList
tags:
- Exports
summary: List project exports
responses:
'200':
description: A list of available export files.
content:
application/json:
schema:
$ref: '#/components/schemas/ExportList'
'404':
$ref: '#/components/responses/ErrorRsp'
/exports/{exportType}/{filename}/downloadLink:
parameters:
- name: exportType
in: path
required: true
schema:
type: string
- name: filename
in: path
required: true
schema:
type: string
get:
operationId: exportDownloadLink
tags:
- Exports
summary: Get export download link
responses:
'200':
description: A time-limited download link for the export file.
content:
application/json:
schema:
$ref: '#/components/schemas/ExportDownloadLink'
'404':
$ref: '#/components/responses/ErrorRsp'
components:
securitySchemes:
basicAuth:
type: http
scheme: basic
description: >-
HTTP Basic authentication. The username is the project ID
(e.g. pro-1234567890) and the password is the API secret, both
issued from the Corbado Developer Panel.
parameters:
UserID:
name: userID
in: path
required: true
description: The Corbado user ID (e.g. usr-4693224802260150919).
schema:
type: string
Sort:
name: sort
in: query
required: false
description: Field and direction to sort by, e.g. created:desc.
schema:
type: string
Filter:
name: filter
in: query
required: false
description: Repeatable filter expressions, e.g. status:eq:active.
schema:
type: array
items:
type: string
Page:
name: page
in: query
required: false
schema:
type: integer
format: int32
default: 1
PageSize:
name: pageSize
in: query
required: false
schema:
type: integer
format: int32
default: 10
responses:
ErrorRsp:
description: An error response.
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorRsp'
schemas:
User:
type: object
required:
- userID
- status
- updated
- updatedMs
properties:
userID:
type: string
example: usr-4693224802260150919
status:
type: string
enum:
- pending
- active
- disabled
fullName:
type: string
example: Jane Doe
explicitWebauthnID:
type: string
updated:
type: string
format: date-time
updatedMs:
type: integer
format: int64
UserCreateReq:
type: object
required:
- status
properties:
status:
type: string
enum:
- pending
- active
- disabled
fullName:
type: string
explicitWebauthnID:
type: string
UserUpdateReq:
type: object
properties:
status:
type: string
enum:
- pending
- active
- disabled
fullName:
type: string
UserList:
type: object
required:
- users
- paging
properties:
users:
type: array
items:
$ref: '#/components/schemas/User'
paging:
$ref: '#/components/schemas/Paging'
Identifier:
type: object
required:
- identifierID
- userID
- identifierType
- identifierValue
- status
properties:
identifierID:
type: string
example: emai-2398470283402934
userID:
type: string
identifierType:
type: string
enum:
- email
- phone
- username
identifierValue:
type: string
example: jane.doe@example.com
status:
type: string
enum:
- primary
- verified
- pending
created:
type: string
format: date-time
IdentifierCreateReq:
type: object
required:
- identifierType
- identifierValue
- status
properties:
identifierType:
type: string
enum:
- email
- phone
- username
identifierValue:
type: string
status:
type: string
enum:
- primary
- verified
- pending
IdentifierUpdateReq:
type: object
properties:
status:
type: string
enum:
- primary
- verified
- pending
IdentifierList:
type: object
required:
- identifiers
- paging
properties:
identifiers:
type: array
items:
$ref: '#/components/schemas/Identifier'
paging:
$ref: '#/components/schemas/Paging'
Session:
type: object
required:
- sessionID
- userID
properties:
sessionID:
type: string
userID:
type: string
expiresMs:
type: integer
format: int64
created:
type: string
format: date-time
SessionList:
type: object
required:
- sessions
- paging
properties:
sessions:
type: array
items:
$ref: '#/components/schemas/Session'
paging:
$ref: '#/components/schemas/Paging'
PasskeyData:
type: object
properties:
credentialID:
type: string
userID:
type: string
attestationType:
type: string
transports:
type: array
items:
type: string
backupEligible:
type: boolean
backupState:
type: boolean
aaguid:
type: string
created:
type: string
format: date-time
CredentialList:
type: object
required:
- credentials
properties:
credentials:
type: array
items:
$ref: '#/components/schemas/PasskeyData'
PasskeyAppendStartReq:
type: object
required:
- userID
properties:
userID:
type: string
clientInformation:
$ref: '#/components/schemas/ClientInformation'
PasskeyLoginStartReq:
type: object
properties:
identifierValue:
type: string
clientInformation:
$ref: '#/components/schemas/ClientInformation'
PasskeyFinishReq:
type: object
required:
- signedChallenge
properties:
signedChallenge:
type: string
description: The serialized WebAuthn attestation or assertion response from the browser.
clientInformation:
$ref: '#/components/schemas/ClientInformation'
PasskeyStartRsp:
type: object
properties:
challenge:
type: string
description: The serialized PublicKeyCredentialCreationOptions or PublicKeyCredentialRequestOptions JSON.
PasskeyLoginFinishRsp:
type: object
properties:
userID:
type: string
passkey:
$ref: '#/components/schemas/PasskeyData'
PasskeyVerifySignedDataReq:
type: object
required:
- signedData
properties:
userID:
type: string
signedData:
type: string
PasskeyVerifySignedDataRsp:
type: object
properties:
valid:
type: boolean
userID:
type: string
PasskeyEvent:
type: object
required:
- passkeyEventID
- userID
- passkeyEventType
properties:
passkeyEventID:
type: string
userID:
type: string
passkeyEventType:
type: string
enum:
- login-success
- login-error
- registration-success
- registration-error
- login-error-untrusted
created:
type: string
format: date-time
PasskeyEventCreateReq:
type: object
required:
- passkeyEventType
properties:
passkeyEventType:
type: string
enum:
- login-success
- login-error
- registration-success
- registration-error
- login-error-untrusted
clientInformation:
$ref: '#/components/schemas/ClientInformation'
PasskeyEventList:
type: object
required:
- passkeyEvents
properties:
passkeyEvents:
type: array
items:
$ref: '#/components/schemas/PasskeyEvent'
ConnectToken:
type: object
required:
- connectTokenID
- connectTokenType
properties:
connectTokenID:
type: string
connectTokenType:
type: string
enum:
- passkey-append
- passkey-delete
- passkey-list
secret:
type: string
description: The token secret returned only on creation, passed to the Corbado Connect frontend component.
identifierValue:
type: string
status:
type: string
created:
type: string
format: date-time
ConnectTokenCreateReq:
type: object
required:
- connectTokenType
properties:
connectTokenType:
type: string
enum:
- passkey-append
- passkey-delete
- passkey-list
identifierValue:
type: string
data:
type: string
description: Opaque application-specific data carried with the token.
ConnectTokenUpdateReq:
type: object
properties:
status:
type: string
ConnectTokenList:
type: object
required:
- connectTokens
- paging
properties:
connectTokens:
type: array
items:
$ref: '#/components/schemas/ConnectToken'
paging:
$ref: '#/components/schemas/Paging'
ExportList:
type: object
required:
- exports
properties:
exports:
type: array
items:
type: object
properties:
filename:
type: string
sizeBytes:
type: integer
format: int64
created:
type: string
format: date-time
ExportDownloadLink:
type: object
properties:
url:
type: string
format: uri
expiresMs:
type: integer
format: int64
ClientInformation:
type: object
description: Client/browser context captured for passkey intelligence and risk analysis.
properties:
bluetoothAvailable:
type: boolean
userAgent:
type: string
clientEnvHandle:
type: string
javaScriptHighEntropy:
type: string
Paging:
type: object
properties:
page:
type: integer
format: int32
totalPages:
type: integer
format: int32
totalItems:
type: integer
format: int32
GenericRsp:
type: object
properties:
httpStatusCode:
type: integer
format: int32
message:
type: string
requestData:
$ref: '#/components/schemas/RequestData'
runtime:
type: number
format: float
ErrorRsp:
type: object
required:
- httpStatusCode
- message
properties:
httpStatusCode:
type: integer
format: int32
message:
type: string
requestData:
$ref: '#/components/schemas/RequestData'
runtime:
type: number
format: float
error:
type: object
properties:
type:
type: string
details:
type: string
validation:
type: array
items:
type: object
properties:
field:
type: string
message:
type: string
RequestData:
type: object
properties:
requestID:
type: string
link:
type: string