Token API

Token API is a special API for requesting and getting one-time tokens for different operations regarding user's profile.

Unauthorized user

Operations:

• Login | switchable, depends on MFA
  • get email/phone number OTT (MFA) – "api/v1/token/login" + requestBody: {"destination": "email/phoneNumber", "processingId": UUID}
    
    
• Reset password
  • get OTT (email or phone number, depending on which option has been chosen by user) – "api/v1/token/password/recovery/processingId" + responseBody: {"destination": ..., "expiration": ...}
    
    
• MFA recovery | switchable, depends on MFA 
  
  • get email/phone number OTT for verification – "api/v1/token/mfa/recovery/verification" + requestBody: {"destination": "email/phoneNumber", "processingId": UUID} + responseBody: {"destination": ..., "expiration": UUID} + validate if recovered type not passed as OTT
  • get email/phone number OTT for changing user key – "api/v1/token/mfa/recovery/newKey" + responseBody: {"destination": ..., "expiration": UUID}
    
    
• Registration
  • registration OTT (email or phone number, depending on which option has been chosen by user) – "api/v1/token/registration/processingId" + responseBody: {"destination": ..., "expiration": UUID}

Authorized user

Operations:

• Change password
  • get OTT (email by default, if there is no email, then phone number) – "api/v1/token/password/changing" + responseBody: {"destination": ..., "expiration": UUID}
    
    

• User key management (TO BE DISCUSSED)
  • get OTT passing required operation: change/remove email/phoneNumber – "api/v1/token/userKeys" +  requestBody: {"operation": ..., "userKeyType": ...} + responseBody: {"destination": ..., "expiration": UUID}
  • get OTT for new user key – "api/v1/token/newKey" + requestBody: {"destination": ..., "ott": ...} + responseBody: {"destination": ..., "expiration": UUID}
  • add OTT for new user key – "api/v1/token/newKey/adding" + requestBody: {"destination": ...}
    
    
• Anti-phising code | switchable, depends on anti-phishing
  • "api/v1/token/antiPhishing/changing"
    
    
• Disable MFA | switchable, depends on MFA
  • get email/phone number OTT – "api/v1/token/mfa/disabling" + requestBody: {"destination": ...} + reject if destination MFA is disabled