# Create User Action Signature Challenge
`POST /auth/action/init`
Starts a user action signing session, returning a challenge that will be used to verify the user's intent to perform an action.
{% hint style="info" %}
* Request headers required. See [Request Headers](/d/advanced-topics/authentication/request-headers.md) for more information.
* Authentication required. See [Authentication Headers](/d/advanced-topics/authentication/request-headers.md#authentication-headers) for more information.
{% endhint %}
### Required Permissions
None
## Request body
| | | |
| --------------------------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `userActionPayload` \* | `String` | The JSON encoded body of the request that is being signed |
| `userActionHttpMethod` \* | `String` | The HTTP method that will be used to make the request that is being signed. Can be one of the following:
POST
PUT
DELETE
GET
|
| `userActionHttpPath` \* | `String` | The path of the request that is being signed |
| `userActionServerKind` | `String` | `Optional` indicator of which Dfns service being called. Currently, this can only be `Api` |
### Example:
```json
{
"userActionPayload": "{\"name\": \"My PAT\",\"publicKey\": \"-----BEGIN PUBLIC KEY-----\\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZQt0YI2hdsFNmKJesSkAHldyPLIV\\nFLI/AhQ5eGasA7jU8tEXOb6nGvxRaTIXrgZ2NPdk78O8zMqz5u9AekH8jA==\\n-----END PUBLIC KEY-----\",\"daysValid\": 365,\"permissionId\": \"pm-delaw-avoca-v16r37fpp8koqebc\"}",
"userActionHttpMethod": "POST",
"userActionHttpPath": "/auth/pats"
}
```
## Responses
{% hint style="info" %}
* See [Common Errors](https://github.com/dfns/dfns-api-docs/blob/m/getting-started/errors.md#common-errors) for common errors.
* See [User Action Signing Errors](https://github.com/dfns/dfns-api-docs/blob/m/getting-started/errors.md#user-action-signing-errors) for user action signing specific errors.
{% endhint %}
{% tabs %}
{% tab title="200" %}
**Success** - an object containing the user's authentication options
Format:
```json
{
// identifies the kind of credentials that can be used to sign the user action
"supportedCredentialKinds": [
{
// the kind of credental; can be `Fido2` or `Key`
"kind": "string",
// indicates if the credential can be used as a first factor, second factor, or either; can be `first`, `second`, or `either`
"factor": "string",
// when true indicates a second factor credential is required if the credential is used as a first factor
"requiresSecondFactor": "boolean"
}
],
// random value used to uniquely identify the request. This value will be included in the data that is signed and sent to the matching /signing call
"challenge": "string",
// temporary authentication token that is used to identify this signing session with the matching call to CreateUserActionSignature
"challengeIdentifier": "string",
// optional url containing a secret value that can be used to enable cross device/origin signing
"externalAuthenticationUrl": "string",
// list of credentials that the user can use to sign the user action
"allowCredentials": {
// list of keys that the user can use to sign the user action
"key":[
{
// is always `public-key`
"type": "string",
// ID that identifies the credential
"id": "string",
}
],
// list of password protected keys that the user can use to sign the login challenge.
"passwordProtectedKey": [
{
// is always `public-key`
"type": "string",
// ID that identifies the credential
"id": "string",
// Encrypted Private Key. Only the user knows the password to decrypt it and have access to the private key
"encryptedPrivateKey": "string"
}
],
// list of WebAuthn credentials that the user can use to sign the user action
"webauthn": [
{
// is always `public-key`
"type": "string",
// ID that identifies the credential
"id": "string",
// optional list of transports that are supported by the credential (used only for WebAuthn)
"transports": "string"
}
]
}
}
```
{% endtab %}
{% endtabs %}
### Examples
```json
{
"supportedCredentialKinds": [
{
"kind": "Fido2",
"factor": "first",
"requiresSecondFactor": true
}
],
"challenge": "MWM0MmY5YTQ0MDRiNzdhNTFhNzY5ODQwNWI5ZTQ4Y2RhODZiNDk3ZTYzOTE5OGYyMDcxZjBjYzk4MmQ5YzY1MA",
"challengeIdentifier": "eyJ0e...fQNA",
"allowCredentials": {
"key":[],
"passwordProtectedKey": [
{
"type": "public-key",
"id": "hIjkx5PqVxz8wbtuvOh2UYHEY1QXS8mMfKeEDGt-0Fo=",
"encryptedPrivateKey": "LsXVskHYqqrKKxBC9KvqStLEmxak5Y7NaboDDlRSIW7evUJpQTT1AYvx0EsFskmriaVb3AjTCGEv7gqUKokml1USL7+dVmrUVhV+cNWtS5AorvRuZr1FMGVKFkW1pKJhFNH2e2O661UhpyXsRXzcmksA7ZN/V37ZK7ITue0gs6I="
}
],
"webauthn": [
{
"type": "public-key",
"id": "c1QEdgnPLJargwzy3cbYKny4Q18u0hr97unXsF3DiE8"
}
]
}
}
```
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs-legacy.dfns.co/d/api-docs/authentication/user-action-signing/inituseractionsigning.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.