Resource: Authentication Info
These endpoints return information about the server’s authentication configuration. They require no authentication token and are intended to be called before login to allow clients to adapt their login UI accordingly.
Method: Get Enabled Login Types
Description
Returns a list of which multi-factor authentication methods are enabled on this particular StoredSafe appliance. Call this endpoint before presenting a login form to determine which options to offer the user.
URL Syntax
/api/{version}/authinfo/logintypes
HTTP Method
GET
Successful HTTP Response
200
Parameters
No parameters required. No authentication token needed.
Response Attributes
Attribute |
Description |
Type |
|---|---|---|
CALLINFO.status |
SUCCESS or FAIL |
String |
CALLINFO.handler |
Handler used |
String |
CALLINFO.errors |
Number of errors |
Integer |
CALLINFO.errorcodes |
Number of error codes |
Integer |
CALLINFO.enabled_login_types |
Array containing one list of enabled login type strings |
Array |
Possible login type strings in CALLINFO.enabled_login_types[0]:
Value |
Description |
|---|---|
|
Time-based OTP (Google Authenticator etc.) |
|
|
|
X.509 client certificate (TLS smartcard) |
Example
Request
GET /api/1.0/authinfo/logintypes
Response
HTTP/2 200
Content-Type: application/json
{
"CALLINFO": {
"errorcodes": 0,
"errors": 0,
"general": [],
"handler": "AuthInfoHandler",
"status": "SUCCESS",
"enabled_login_types": [
["totp", "yubikey_otp"]
]
},
"DATA": [],
"HEADERS": { ... },
"PARAMS": []
}
Method: Get Smartcard User
Description
Looks up which StoredSafe user is associated with the TLS client certificate
presented by the caller. Intended for smartcard login flows where the client
certificate is passed by the TLS layer (via nginx $ssl_client_cert).
Returns the matching username and the certificate’s subject fields. Returns HTTP 401 if no valid client certificate is found or if it is not registered to any active user.
Note
This endpoint requires the TLS layer (nginx) to be configured to request and
forward client certificates. The certificate must have been registered on a
user account using the /usercert endpoint.
URL Syntax
/api/{version}/authinfo/smcuser
HTTP Method
GET
Successful HTTP Response
200
Parameters
No query parameters. The client certificate is passed transparently by the TLS
layer — no X-Http-Token header is needed or accepted.
Response Attributes
Attribute |
Description |
Type |
|---|---|---|
CALLINFO.status |
SUCCESS or FAIL |
String |
CALLINFO.handler |
Handler used |
String |
CALLINFO.errors |
Number of errors |
Integer |
CALLINFO.errorcodes |
Number of error codes |
Integer |
CALLINFO.username |
StoredSafe username matching the certificate, or absent if no match found |
String |
CALLINFO.subject |
Certificate subject fields (CN, O, OU, C, etc.) |
Object |
Example
Request
GET /api/1.0/authinfo/smcuser
(TLS client certificate presented)
Response (certificate matched to a user)
HTTP/2 200
Content-Type: application/json
{
"CALLINFO": {
"errorcodes": 0,
"errors": 0,
"general": [],
"handler": "AuthInfoHandler",
"status": "SUCCESS",
"username": "alice",
"subject": {
"CN": "Alice Example",
"O": "Example AB",
"C": "SE"
}
},
"DATA": [],
"HEADERS": { ... },
"PARAMS": []
}
Response (no matching certificate)
HTTP/2 401
Content-Type: application/json
{
"CALLINFO": {
"errorcodes": 1,
"errors": 1,
"general": ["No valid certificate found"],
"handler": "AuthInfoHandler",
"status": "FAIL"
}
}