
identity-gateway API

Internet Identity integration canister for passwordless authentication and device management.

Candid file: identity-gateway/src/identity_gateway.did

Types

SessionTokens

```candid
type SessionTokens = record {
  access_token: text;
  refresh_token: text;
};
```

DeviceRecord

```candid
type DeviceRecord = record {
  device_id: text;
  device_name: text;
  registered_at: nat64;
  last_used_at: nat64;
  is_active: bool;
};
```

Result Types

```candid
type IILoginBeginResult = variant {
  Ok: text;   // Challenge/nonce
  Err: text;
};

type IILoginCompleteResult = variant {
  Ok: SessionTokens;
  Err: text;
};

type LinkResult = variant {
  Ok;
  Err: text;
};
```

Internet Identity Authentication

ii_login_begin

Start the Internet Identity login flow.

```candid
"ii_login_begin": () -> (IILoginBeginResult);
```

Returns a challenge/nonce for the II delegation.

ii_login_complete

Complete the II login by submitting the delegation chain obtained from Internet Identity. On success the caller receives a SessionTokens pair.

```candid
"ii_login_complete": (delegation_chain: text) -> (IILoginCompleteResult);
```

TypeScript Example:

```typescript
import { AuthClient } from '@dfinity/auth-client';
import type { DelegationIdentity } from '@dfinity/identity';

// `identityGatewayActor` is assumed to be an actor created elsewhere from the
// identity_gateway.did declarations (for example via Actor.createActor).
declare const identityGatewayActor: {
  ii_login_begin(): Promise<{ Ok: string } | { Err: string }>;
  ii_login_complete(
    delegationChain: string
  ): Promise<{ Ok: { access_token: string; refresh_token: string } } | { Err: string }>;
};

// Initialize the auth client (it generates and stores the session key)
const authClient = await AuthClient.create();

// Start the II flow: the canister returns a challenge/nonce for this login attempt
const beginResult = await identityGatewayActor.ii_login_begin();
if ('Err' in beginResult) throw new Error(beginResult.Err);
const challenge = beginResult.Ok; // nonce for this attempt; how the II flow binds it is not shown here

// User authenticates with II in the provider window
await authClient.login({
  identityProvider: 'https://identity.ic0.app',
  onSuccess: async () => {
    // After a successful login the identity is a DelegationIdentity carrying the chain
    const identity = authClient.getIdentity() as DelegationIdentity;
    const delegation = identity.getDelegation().toJSON();

    // Complete login by sending the serialized delegation chain
    const completeResult = await identityGatewayActor.ii_login_complete(
      JSON.stringify(delegation)
    );
    if ('Err' in completeResult) throw new Error(completeResult.Err);

    const { access_token, refresh_token } = completeResult.Ok;
    // Store tokens (keep the refresh token out of storage that other scripts can read)
  },
  onError: (err) => {
    throw new Error(`II login failed: ${err}`);
  },
});
```

Account Linking

link_internet_identity

Link an II to an existing email/password account.

```candid
"link_internet_identity": (session_token: text, ii_delegation: text) -> (LinkResult);
```

Requirements:

  • Valid session token from email/password login
  • II must not be linked to another account

unlink_internet_identity

Remove the II link from the account.

```candid
"unlink_internet_identity": (session_token: text) -> (LinkResult);
```

Self-Custody Verification

For governance participation, members must verify they control their own wallet.

begin_self_custody_verification

Start verification flow.

```candid
"begin_self_custody_verification": (session_token: text) -> (IILoginBeginResult);
```

Returns the message the member must sign (reusing the IILoginBeginResult variant; Ok carries the message).

complete_self_custody_verification

Complete verification with signature.

```candid
"complete_self_custody_verification": (session_token: text, signature: text) -> (LinkResult);
```

Flow:

  1. Call begin_self_custody_verification to get the message
  2. User signs the message with their II
  3. Submit the signature to complete_self_custody_verification
  4. Verification is valid for 1 year; after that the member must re-verify (see "Verification expired" below)
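The flow above, as an added example that is not the identity-gateway canister's own code: an in-memory TypeScript model of the challenge/response, showing the checks the gateway side has to make (session-bound nonce, single use, challenge lifetime, signature against the member's key, one-year validity). Assumptions, labelled in the code: Ed25519 from node:crypto stands in for the signature scheme Internet Identity actually uses; the signature travels as hex in the `signature: text` argument; the challenge text, the 5-minute challenge lifetime and the status method `is_self_custody_verified` are invented for illustration; timestamps are nanoseconds like the nat64 fields above. Only the one-year validity and the error strings come from this page.

```typescript
// Added example, not the identity-gateway canister's code: an in-memory model of
// the self-custody challenge/response. Ed25519 (node:crypto) stands in for the
// signature scheme Internet Identity uses; the challenge text, the 5-minute
// challenge lifetime, hex encoding of `signature: text`, and the status method
// is_self_custody_verified are assumptions for illustration.
import { generateKeyPairSync, sign, verify, randomBytes, KeyObject } from 'node:crypto';

type Result<T> = { Ok: T } | { Err: string };

const NS_PER_SEC = 1_000_000_000n;
const ONE_YEAR_NS = 365n * 24n * 3600n * NS_PER_SEC; // "Verification valid for 1 year"
const CHALLENGE_TTL_NS = 5n * 60n * NS_PER_SEC;      // assumption: unsigned challenges die quickly

interface Session { userId: string; principalKey: KeyObject } // key the member proved at login
interface Challenge { message: string; issuedAt: bigint }

export class SelfCustodyGateway {
  private sessions = new Map<string, Session>();     // session_token -> session
  private challenges = new Map<string, Challenge>(); // session_token -> pending challenge
  private verifiedAt = new Map<string, bigint>();    // userId -> time of last successful proof
  private now: () => bigint;                          // injectable clock (ns, like the nat64 fields)

  constructor(now: () => bigint) { this.now = now; }

  addSession(token: string, s: Session): void { this.sessions.set(token, s); }

  // Step 1: issue a fresh, session-bound, purpose-tagged message to sign.
  begin_self_custody_verification(token: string): Result<string> {
    const s = this.sessions.get(token);
    if (!s) return { Err: 'Account not found' };
    const nonce = randomBytes(32).toString('hex');
    const message = `identity-gateway self-custody-verification user=${s.userId} nonce=${nonce}`;
    this.challenges.set(token, { message, issuedAt: this.now() }); // replaces any older challenge
    return { Ok: message };
  }

  // Step 3: accept the signature only for the pending challenge, once, in time, from the right key.
  complete_self_custody_verification(token: string, signatureHex: string): Result<null> {
    const s = this.sessions.get(token);
    if (!s) return { Err: 'Account not found' };
    const ch = this.challenges.get(token);
    if (!ch) return { Err: 'No pending challenge' };
    this.challenges.delete(token); // single use: a replayed signature finds nothing to match
    if (this.now() - ch.issuedAt > CHALLENGE_TTL_NS) return { Err: 'Challenge expired' };
    let ok = false;
    try {
      ok = verify(null, Buffer.from(ch.message, 'utf8'), s.principalKey, Buffer.from(signatureHex, 'hex'));
    } catch {
      ok = false; // malformed signature bytes are a failure, not a crash
    }
    if (!ok) return { Err: 'Invalid signature' };
    this.verifiedAt.set(s.userId, this.now());
    return { Ok: null };
  }

  // Step 4: the proof ages out after one year, matching the "Verification expired" error below.
  is_self_custody_verified(userId: string): Result<null> {
    const t = this.verifiedAt.get(userId);
    if (t === undefined) return { Err: 'Not verified' };
    if (this.now() - t > ONE_YEAR_NS) return { Err: 'Verification expired' };
    return { Ok: null };
  }
}

// Drives the whole flow against the model, including the cases the gateway must reject.
export function runSelfCustodyDemo() {
  let clock = 1_700_000_000n * NS_PER_SEC;
  const gw = new SelfCustodyGateway(() => clock);
  const member = generateKeyPairSync('ed25519');   // constructed: the member's wallet key
  const stranger = generateKeyPairSync('ed25519'); // constructed: someone else's key
  gw.addSession('sess-1', { userId: 'user-42', principalKey: member.publicKey });

  const begun = gw.begin_self_custody_verification('sess-1');
  if (!('Ok' in begun)) throw new Error(begun.Err);
  const sig = sign(null, Buffer.from(begun.Ok, 'utf8'), member.privateKey).toString('hex');
  const completed = gw.complete_self_custody_verification('sess-1', sig);
  const replayed = gw.complete_self_custody_verification('sess-1', sig); // same signature again

  const begun2 = gw.begin_self_custody_verification('sess-1');
  if (!('Ok' in begun2)) throw new Error(begun2.Err);
  const forged = sign(null, Buffer.from(begun2.Ok, 'utf8'), stranger.privateKey).toString('hex');
  const wrongKey = gw.complete_self_custody_verification('sess-1', forged);

  const fresh = gw.is_self_custody_verified('user-42');
  clock += ONE_YEAR_NS + 1n; // jump the clock just past the validity window
  const stale = gw.is_self_custody_verified('user-42');
  return { completed, replayed, wrongKey, fresh, stale };
}
```

The two properties worth carrying into a real implementation are that the message is bound to the session and to the purpose (so a signature the member produced for anything else cannot be presented here) and that a challenge is deleted before it is checked, so a replay or a second guess needs a fresh round trip.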

Device Management

get_user_devices (query)

Get all registered devices for a user. Note that this query is keyed by user_id rather than a session token; how callers are authorized to read a user's device list is not documented here.

```candid
"get_user_devices": (user_id: text) -> (GetDevicesResult) query;

type GetDevicesResult = variant {
  Ok: vec DeviceRecord;
  Err: text;
};
```

revoke_device

Revoke a specific device.

```candid
"revoke_device": (session_token: text, device_id: text) -> (LinkResult);
```

revoke_all_devices_except

Revoke all devices except the current one (security lockout, e.g. after a suspected account compromise). The device identified by current_device_id keeps its access.

```candid
"revoke_all_devices_except": (session_token: text, current_device_id: text) -> (LinkResult);
```

Configuration (Controller Only)

set_auth_service

Configure auth-service canister.

```candid
"set_auth_service": (principal) -> (SetAuthServiceResult);
```

set_user_service

Configure user-service canister.

```candid
"set_user_service": (principal) -> (SetUserServiceResult);
```

Health Check

health (query)

```candid
"health": () -> (text) query;
```

sessions_count (query)

```candid
"sessions_count": () -> (nat64) query;
```

Error Messages

| Error | Cause | Resolution |
|---|---|---|
| Invalid delegation | Delegation chain invalid | Re-authenticate with II |
| II already linked | This II is linked to another account | Use a different II anchor |
| Account not found | Session doesn't map to an account | Check that the session is valid |
| Device not found | Device ID doesn't exist | Check that the device is registered |
| Verification expired | Self-custody verification too old | Re-verify |
