--- title: Create FIDO Policy - all FIDO-certified authenticators description: Use POST {{apiPath}}/v1/environments/{{envID}}/fido2Policies to create a new FIDO policy for an environment. component: pingone-api page_id: pingone-api:mfa:fido-policies/create_fido_policy_certified canonical_url: https://developer.pingidentity.com/pingone-api/mfa/fido-policies/create_fido_policy_certified.html section_ids: prerequisites: Prerequisites headers: Headers body: Body example-request: Example Request example-response: Example Response --- # Create FIDO Policy - all FIDO-certified authenticators ## ```none POST {{apiPath}}/v1/environments/{{envID}}/fido2Policies ``` Use `POST {{apiPath}}/v1/environments/{{envID}}/fido2Policies` to create a new FIDO policy for an environment. This example sets `attestationRequirements` to CERTIFIED to allow only FIDO-certified authenticators. ### Prerequisites * Refer to [FIDO Policies](#fido-policies) for important overview information. > **Collapse: Request Model** > > | Property | Type | Required? | > | ------------------------------ | ------- | --------- | > | `attestationRequirements` | String | Required | > | `default` | Boolean | Optional | > | `description` | String | Optional | > | `enforceDuringAuthentication` | Boolean | Optional | > | `name` | String | Required | > | `publicKeyCredentialHints` | Array | Optional | > | `residentKeyRequirement` | String | Required | > | `userPresenceTimeout` | Object | Optional | > | `userPresenceTimeout.duration` | Integer | Optional | > | `userPresenceTimeout.timeUnit` | String | Optional | > > Refer to the [FIDO Policies](#fido-policies) data model for full property descriptions. ### Headers Authorization      Bearer {{accessToken}} Content-Type      application/json ### Body raw ( application/json ) ```json { "name": "FIDO Policy - allow only FIDO-certified authenticators", "description": "FIDO Policy that specifies that only FIDO-certified authenticators can be used", "deviceDisplayName": "Fido2 device", "discoverableCredentials": "REQUIRED", "authenticatorAttachment": "BOTH", "userVerification": { "enforceDuringAuthentication": true, "option": "REQUIRED" }, "userPresenceTimeout" : { "duration" : 4, "timeUnit" : "MINUTES" }, "backupEligibility": { "enforceDuringAuthentication": true, "allow": true }, "userDisplayNameAttributes": { "attributes": [ { "name": "username" }, { "name": "email" } ] }, "attestationRequirements": "DIRECT", "mdsAuthenticatorsRequirements": { "allowedAuthenticators": null, "option": "CERTIFIED", "enforceDuringAuthentication": true }, "publicKeyCredentialHints" : [ "SECURITY_KEY", "CLIENT_DEVICE","HYBRID" ], "relyingPartyId": "relyingpartydomain.example.com", "default": false } ``` ## ### Example Request * cURL * C# * Go * HTTP * Java * jQuery * NodeJS * Python * PHP * Ruby * Swift ```shell curl --location --globoff '{{apiPath}}/v1/environments/{{envID}}/fido2Policies' \ --header 'Content-Type: application/json' \ --header 'Authorization: Bearer {{accessToken}}' \ --data '{ "name": "FIDO Policy - allow only FIDO-certified authenticators", "description": "FIDO Policy that specifies that only FIDO-certified authenticators can be used", "deviceDisplayName": "Fido2 device", "discoverableCredentials": "REQUIRED", "authenticatorAttachment": "BOTH", "userVerification": { "enforceDuringAuthentication": true, "option": "REQUIRED" }, "userPresenceTimeout" : { "duration" : 4, "timeUnit" : "MINUTES" }, "backupEligibility": { "enforceDuringAuthentication": true, "allow": true }, "userDisplayNameAttributes": { "attributes": [ { "name": "username" }, { "name": "email" } ] }, "attestationRequirements": "DIRECT", "mdsAuthenticatorsRequirements": { "allowedAuthenticators": null, "option": "CERTIFIED", "enforceDuringAuthentication": true }, "publicKeyCredentialHints" : [ "SECURITY_KEY", "CLIENT_DEVICE","HYBRID" ], "relyingPartyId": "relyingpartydomain.example.com", "default": false }' ``` ```csharp var options = new RestClientOptions("{{apiPath}}/v1/environments/{{envID}}/fido2Policies") { MaxTimeout = -1, }; var client = new RestClient(options); var request = new RestRequest("", Method.Post); request.AddHeader("Content-Type", "application/json"); request.AddHeader("Authorization", "Bearer {{accessToken}}"); var body = @"{" + "\n" + @" ""name"": ""FIDO Policy - allow only FIDO-certified authenticators""," + "\n" + @" ""description"": ""FIDO Policy that specifies that only FIDO-certified authenticators can be used""," + "\n" + @" ""deviceDisplayName"": ""Fido2 device""," + "\n" + @" ""discoverableCredentials"": ""REQUIRED""," + "\n" + @" ""authenticatorAttachment"": ""BOTH""," + "\n" + @" ""userVerification"": {" + "\n" + @" ""enforceDuringAuthentication"": true," + "\n" + @" ""option"": ""REQUIRED""" + "\n" + @" }," + "\n" + @" ""userPresenceTimeout"" : {" + "\n" + @" ""duration"" : 4," + "\n" + @" ""timeUnit"" : ""MINUTES""" + "\n" + @" }," + "\n" + @" ""backupEligibility"": {" + "\n" + @" ""enforceDuringAuthentication"": true," + "\n" + @" ""allow"": true" + "\n" + @" }," + "\n" + @" ""userDisplayNameAttributes"": {" + "\n" + @" ""attributes"": [" + "\n" + @" {" + "\n" + @" ""name"": ""username""" + "\n" + @" }," + "\n" + @" {" + "\n" + @" ""name"": ""email""" + "\n" + @" }" + "\n" + @" ]" + "\n" + @" }," + "\n" + @" ""attestationRequirements"": ""DIRECT""," + "\n" + @" ""mdsAuthenticatorsRequirements"": {" + "\n" + @" ""allowedAuthenticators"": null," + "\n" + @" ""option"": ""CERTIFIED""," + "\n" + @" ""enforceDuringAuthentication"": true" + "\n" + @" }," + "\n" + @" ""publicKeyCredentialHints"" : [" + "\n" + @" ""SECURITY_KEY"", ""CLIENT_DEVICE"",""HYBRID""" + "\n" + @" ]," + "\n" + @" ""relyingPartyId"": ""relyingpartydomain.example.com""," + "\n" + @" ""default"": false" + "\n" + @"}"; request.AddStringBody(body, DataFormat.Json); RestResponse response = await client.ExecuteAsync(request); Console.WriteLine(response.Content); ``` ```golang package main import ( "fmt" "strings" "net/http" "io" ) func main() { url := "{{apiPath}}/v1/environments/{{envID}}/fido2Policies" method := "POST" payload := strings.NewReader(`{ "name": "FIDO Policy - allow only FIDO-certified authenticators", "description": "FIDO Policy that specifies that only FIDO-certified authenticators can be used", "deviceDisplayName": "Fido2 device", "discoverableCredentials": "REQUIRED", "authenticatorAttachment": "BOTH", "userVerification": { "enforceDuringAuthentication": true, "option": "REQUIRED" }, "userPresenceTimeout" : { "duration" : 4, "timeUnit" : "MINUTES" }, "backupEligibility": { "enforceDuringAuthentication": true, "allow": true }, "userDisplayNameAttributes": { "attributes": [ { "name": "username" }, { "name": "email" } ] }, "attestationRequirements": "DIRECT", "mdsAuthenticatorsRequirements": { "allowedAuthenticators": null, "option": "CERTIFIED", "enforceDuringAuthentication": true }, "publicKeyCredentialHints" : [ "SECURITY_KEY", "CLIENT_DEVICE","HYBRID" ], "relyingPartyId": "relyingpartydomain.example.com", "default": false }`) client := &http.Client { } req, err := http.NewRequest(method, url, payload) if err != nil { fmt.Println(err) return } req.Header.Add("Content-Type", "application/json") req.Header.Add("Authorization", "Bearer {{accessToken}}") res, err := client.Do(req) if err != nil { fmt.Println(err) return } defer res.Body.Close() body, err := io.ReadAll(res.Body) if err != nil { fmt.Println(err) return } fmt.Println(string(body)) } ``` ```http POST /v1/environments/{{envID}}/fido2Policies HTTP/1.1 Host: {{apiPath}} Content-Type: application/json Authorization: Bearer {{accessToken}} { "name": "FIDO Policy - allow only FIDO-certified authenticators", "description": "FIDO Policy that specifies that only FIDO-certified authenticators can be used", "deviceDisplayName": "Fido2 device", "discoverableCredentials": "REQUIRED", "authenticatorAttachment": "BOTH", "userVerification": { "enforceDuringAuthentication": true, "option": "REQUIRED" }, "userPresenceTimeout" : { "duration" : 4, "timeUnit" : "MINUTES" }, "backupEligibility": { "enforceDuringAuthentication": true, "allow": true }, "userDisplayNameAttributes": { "attributes": [ { "name": "username" }, { "name": "email" } ] }, "attestationRequirements": "DIRECT", "mdsAuthenticatorsRequirements": { "allowedAuthenticators": null, "option": "CERTIFIED", "enforceDuringAuthentication": true }, "publicKeyCredentialHints" : [ "SECURITY_KEY", "CLIENT_DEVICE","HYBRID" ], "relyingPartyId": "relyingpartydomain.example.com", "default": false } ``` ```java OkHttpClient client = new OkHttpClient().newBuilder() .build(); MediaType mediaType = MediaType.parse("application/json"); RequestBody body = RequestBody.create(mediaType, "{\n \"name\": \"FIDO Policy - allow only FIDO-certified authenticators\",\n \"description\": \"FIDO Policy that specifies that only FIDO-certified authenticators can be used\",\n \"deviceDisplayName\": \"Fido2 device\",\n \"discoverableCredentials\": \"REQUIRED\",\n \"authenticatorAttachment\": \"BOTH\",\n \"userVerification\": {\n \"enforceDuringAuthentication\": true,\n \"option\": \"REQUIRED\"\n },\n \"userPresenceTimeout\" : {\n \"duration\" : 4,\n \"timeUnit\" : \"MINUTES\"\n },\n \"backupEligibility\": {\n \"enforceDuringAuthentication\": true,\n \"allow\": true\n },\n \"userDisplayNameAttributes\": {\n \"attributes\": [\n {\n \"name\": \"username\"\n },\n {\n \"name\": \"email\"\n }\n ]\n },\n \"attestationRequirements\": \"DIRECT\",\n \"mdsAuthenticatorsRequirements\": {\n \"allowedAuthenticators\": null,\n \"option\": \"CERTIFIED\",\n \"enforceDuringAuthentication\": true\n },\n \"publicKeyCredentialHints\" : [\n \"SECURITY_KEY\", \"CLIENT_DEVICE\",\"HYBRID\"\n ],\n \"relyingPartyId\": \"relyingpartydomain.example.com\",\n \"default\": false\n}"); Request request = new Request.Builder() .url("{{apiPath}}/v1/environments/{{envID}}/fido2Policies") .method("POST", body) .addHeader("Content-Type", "application/json") .addHeader("Authorization", "Bearer {{accessToken}}") .build(); Response response = client.newCall(request).execute(); ``` ```javascript var settings = { "url": "{{apiPath}}/v1/environments/{{envID}}/fido2Policies", "method": "POST", "timeout": 0, "headers": { "Content-Type": "application/json", "Authorization": "Bearer {{accessToken}}" }, "data": JSON.stringify({ "name": "FIDO Policy - allow only FIDO-certified authenticators", "description": "FIDO Policy that specifies that only FIDO-certified authenticators can be used", "deviceDisplayName": "Fido2 device", "discoverableCredentials": "REQUIRED", "authenticatorAttachment": "BOTH", "userVerification": { "enforceDuringAuthentication": true, "option": "REQUIRED" }, "userPresenceTimeout": { "duration": 4, "timeUnit": "MINUTES" }, "backupEligibility": { "enforceDuringAuthentication": true, "allow": true }, "userDisplayNameAttributes": { "attributes": [ { "name": "username" }, { "name": "email" } ] }, "attestationRequirements": "DIRECT", "mdsAuthenticatorsRequirements": { "allowedAuthenticators": null, "option": "CERTIFIED", "enforceDuringAuthentication": true }, "publicKeyCredentialHints": [ "SECURITY_KEY", "CLIENT_DEVICE", "HYBRID" ], "relyingPartyId": "relyingpartydomain.example.com", "default": false }), }; $.ajax(settings).done(function (response) { console.log(response); }); ``` ```javascript var request = require('request'); var options = { 'method': 'POST', 'url': '{{apiPath}}/v1/environments/{{envID}}/fido2Policies', 'headers': { 'Content-Type': 'application/json', 'Authorization': 'Bearer {{accessToken}}' }, body: JSON.stringify({ "name": "FIDO Policy - allow only FIDO-certified authenticators", "description": "FIDO Policy that specifies that only FIDO-certified authenticators can be used", "deviceDisplayName": "Fido2 device", "discoverableCredentials": "REQUIRED", "authenticatorAttachment": "BOTH", "userVerification": { "enforceDuringAuthentication": true, "option": "REQUIRED" }, "userPresenceTimeout": { "duration": 4, "timeUnit": "MINUTES" }, "backupEligibility": { "enforceDuringAuthentication": true, "allow": true }, "userDisplayNameAttributes": { "attributes": [ { "name": "username" }, { "name": "email" } ] }, "attestationRequirements": "DIRECT", "mdsAuthenticatorsRequirements": { "allowedAuthenticators": null, "option": "CERTIFIED", "enforceDuringAuthentication": true }, "publicKeyCredentialHints": [ "SECURITY_KEY", "CLIENT_DEVICE", "HYBRID" ], "relyingPartyId": "relyingpartydomain.example.com", "default": false }) }; request(options, function (error, response) { if (error) throw new Error(error); console.log(response.body); }); ``` ```python import requests import json url = "{{apiPath}}/v1/environments/{{envID}}/fido2Policies" payload = json.dumps({ "name": "FIDO Policy - allow only FIDO-certified authenticators", "description": "FIDO Policy that specifies that only FIDO-certified authenticators can be used", "deviceDisplayName": "Fido2 device", "discoverableCredentials": "REQUIRED", "authenticatorAttachment": "BOTH", "userVerification": { "enforceDuringAuthentication": True, "option": "REQUIRED" }, "userPresenceTimeout": { "duration": 4, "timeUnit": "MINUTES" }, "backupEligibility": { "enforceDuringAuthentication": True, "allow": True }, "userDisplayNameAttributes": { "attributes": [ { "name": "username" }, { "name": "email" } ] }, "attestationRequirements": "DIRECT", "mdsAuthenticatorsRequirements": { "allowedAuthenticators": None, "option": "CERTIFIED", "enforceDuringAuthentication": True }, "publicKeyCredentialHints": [ "SECURITY_KEY", "CLIENT_DEVICE", "HYBRID" ], "relyingPartyId": "relyingpartydomain.example.com", "default": False }) headers = { 'Content-Type': 'application/json', 'Authorization': 'Bearer {{accessToken}}' } response = requests.request("POST", url, headers=headers, data=payload) print(response.text) ``` ```php setUrl('{{apiPath}}/v1/environments/{{envID}}/fido2Policies'); $request->setMethod(HTTP_Request2::METHOD_POST); $request->setConfig(array( 'follow_redirects' => TRUE )); $request->setHeader(array( 'Content-Type' => 'application/json', 'Authorization' => 'Bearer {{accessToken}}' )); $request->setBody('{\n "name": "FIDO Policy - allow only FIDO-certified authenticators",\n "description": "FIDO Policy that specifies that only FIDO-certified authenticators can be used",\n "deviceDisplayName": "Fido2 device",\n "discoverableCredentials": "REQUIRED",\n "authenticatorAttachment": "BOTH",\n "userVerification": {\n "enforceDuringAuthentication": true,\n "option": "REQUIRED"\n },\n "userPresenceTimeout" : {\n "duration" : 4,\n "timeUnit" : "MINUTES"\n },\n "backupEligibility": {\n "enforceDuringAuthentication": true,\n "allow": true\n },\n "userDisplayNameAttributes": {\n "attributes": [\n {\n "name": "username"\n },\n {\n "name": "email"\n }\n ]\n },\n "attestationRequirements": "DIRECT",\n "mdsAuthenticatorsRequirements": {\n "allowedAuthenticators": null,\n "option": "CERTIFIED",\n "enforceDuringAuthentication": true\n },\n "publicKeyCredentialHints" : [\n "SECURITY_KEY", "CLIENT_DEVICE","HYBRID"\n ],\n "relyingPartyId": "relyingpartydomain.example.com",\n "default": false\n}'); try { $response = $request->send(); if ($response->getStatus() == 200) { echo $response->getBody(); } else { echo 'Unexpected HTTP status: ' . $response->getStatus() . ' ' . $response->getReasonPhrase(); } } catch(HTTP_Request2_Exception $e) { echo 'Error: ' . $e->getMessage(); } ``` ```ruby require "uri" require "json" require "net/http" url = URI("{{apiPath}}/v1/environments/{{envID}}/fido2Policies") http = Net::HTTP.new(url.host, url.port); request = Net::HTTP::Post.new(url) request["Content-Type"] = "application/json" request["Authorization"] = "Bearer {{accessToken}}" request.body = JSON.dump({ "name": "FIDO Policy - allow only FIDO-certified authenticators", "description": "FIDO Policy that specifies that only FIDO-certified authenticators can be used", "deviceDisplayName": "Fido2 device", "discoverableCredentials": "REQUIRED", "authenticatorAttachment": "BOTH", "userVerification": { "enforceDuringAuthentication": true, "option": "REQUIRED" }, "userPresenceTimeout": { "duration": 4, "timeUnit": "MINUTES" }, "backupEligibility": { "enforceDuringAuthentication": true, "allow": true }, "userDisplayNameAttributes": { "attributes": [ { "name": "username" }, { "name": "email" } ] }, "attestationRequirements": "DIRECT", "mdsAuthenticatorsRequirements": { "allowedAuthenticators": "__RUBY\#%0NULL__", "option": "CERTIFIED", "enforceDuringAuthentication": true }, "publicKeyCredentialHints": [ "SECURITY_KEY", "CLIENT_DEVICE", "HYBRID" ], "relyingPartyId": "relyingpartydomain.example.com", "default": false }) response = http.request(request) puts response.read_body ``` ```swift let parameters = "{\n \"name\": \"FIDO Policy - allow only FIDO-certified authenticators\",\n \"description\": \"FIDO Policy that specifies that only FIDO-certified authenticators can be used\",\n \"deviceDisplayName\": \"Fido2 device\",\n \"discoverableCredentials\": \"REQUIRED\",\n \"authenticatorAttachment\": \"BOTH\",\n \"userVerification\": {\n \"enforceDuringAuthentication\": true,\n \"option\": \"REQUIRED\"\n },\n \"userPresenceTimeout\" : {\n \"duration\" : 4,\n \"timeUnit\" : \"MINUTES\"\n },\n \"backupEligibility\": {\n \"enforceDuringAuthentication\": true,\n \"allow\": true\n },\n \"userDisplayNameAttributes\": {\n \"attributes\": [\n {\n \"name\": \"username\"\n },\n {\n \"name\": \"email\"\n }\n ]\n },\n \"attestationRequirements\": \"DIRECT\",\n \"mdsAuthenticatorsRequirements\": {\n \"allowedAuthenticators\": null,\n \"option\": \"CERTIFIED\",\n \"enforceDuringAuthentication\": true\n },\n \"publicKeyCredentialHints\" : [\n \"SECURITY_KEY\", \"CLIENT_DEVICE\",\"HYBRID\"\n ],\n \"relyingPartyId\": \"relyingpartydomain.example.com\",\n \"default\": false\n}" let postData = parameters.data(using: .utf8) var request = URLRequest(url: URL(string: "{{apiPath}}/v1/environments/{{envID}}/fido2Policies")!,timeoutInterval: Double.infinity) request.addValue("application/json", forHTTPHeaderField: "Content-Type") request.addValue("Bearer {{accessToken}}", forHTTPHeaderField: "Authorization") request.httpMethod = "POST" request.httpBody = postData let task = URLSession.shared.dataTask(with: request) { data, response, error in guard let data = data else { print(String(describing: error)) return } print(String(data: data, encoding: .utf8)!) } task.resume() ``` ### Example Response 201 Created ```json { "_links": { "self": { "href": "https://api.pingone.eu/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/fido2Policies/916195d3-1039-42b2-a4fa-8cabab16b86f" }, "environment": { "href": "https://api.pingone.eu/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6" } }, "id": "916195d3-1039-42b2-a4fa-8cabab16b86f", "environment": { "id": "abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6" }, "updatedAt": "2024-12-09T12:19:56.814Z", "createdAt": "2024-12-09T12:19:56.814Z", "name": "FIDO Policy - allow only FIDO-certified authenticators", "description": "FIDO Policy that specifies that only FIDO-certified authenticators can be used", "deviceDisplayName": "Fido2 device", "discoverableCredentials": "REQUIRED", "authenticatorAttachment": "BOTH", "userVerification": { "enforceDuringAuthentication": true, "option": "REQUIRED" }, "userPresenceTimeout": { "duration": 2, "timeUnit": "MINUTES" }, "backupEligibility": { "enforceDuringAuthentication": true, "allow": true }, "userDisplayNameAttributes": { "attributes": [ { "name": "username" }, { "name": "email" } ] }, "attestationRequirements": "DIRECT", "mdsAuthenticatorsRequirements": { "enforceDuringAuthentication": true, "option": "CERTIFIED" }, "relyingPartyId": "relyingpartydomain.example.com", "publicKeyCredentialHints": [ "SECURITY_KEY", "CLIENT_DEVICE", "HYBRID" ], "aggregateDevices": false, "default": false } ```