Authenticator management

FIDO authenticator credentials accumulate as users register devices. The authenticator admin API enables you to manage these credentials throughout their lifecycle.

The authenticator admin API provides operations for managing FIDO credentials throughout their lifecycle.

The authenticator admin API allows you to:

• List authenticators: Retrieve all credentials for a specific user or device.
• Get authenticator: Retrieve detailed information about a specific credential.
• Update authenticator: Modify credential properties such as friendly names.
• Delete authenticator: Remove a specific credential.
• Delete authenticators: Remove multiple credentials based on search criteria.

Authenticator lockout information

When an authenticator lockout policy is configured, the authenticator info response includes the following lockout-related fields:

• failCounter: Specifies the number of consecutive failed authentication attempts for this authenticator.
• failWindowExpiresAtTs Specifies the date and time when the current failure tracking window expires.
• blockedUntilTs: Indicates the date and time until which the authenticator is locked out (present only when the authenticator is currently blocked).

Example response when an authenticator is locked out:

{
    "failCounter": 5,
    "failWindowExpiresAtTs": "2026-04-28T14:00:00Z",
    "blockedUntilTs": "2026-04-28T15:00:00Z"
}

Authentication and authorization

All authenticator admin API operations require proper authentication:

• Operations require specific roles encoded in the JWT token passed as an HTTP Authorization request header with the Bearer authorization scheme.
• Each operation specifies the required role in its API documentation.

Next steps

• Review the authenticator admin API reference for detailed endpoint documentation.
• Learn about user management.
• Explore policy management.