FAQs

Why does track return `ALLOW` when I have already configured authenticators for my tenant?

To be challenged a user needs to have enrolled at least one authenticator. Additionally, the action either needs to have its default outcome set to CHALLENGE or have at least one rule triggered whose outcome is CHALLENGE.

Learn more about enrollment
Learn more about configuring rules

The track API call is returning a 401 HTTP status code

Please check your API secret key and base URL are correct. You can find the values for your tenant in the Authsignal Portal under Settings -> API keys. Ensure that the base URL corresponds to your tenant's region.

The track API call is returning `AUTHENTICATOR_NOT_FOUND` with a 400 HTTP status code

This error is returned when no authenticators have been configured for your tenant.

Learn more about enabling authenticators

Why should I use custom domains?

Custom domains are a pre-requisite when using passkeys. Outside of this scenario, custom domains are optional but highly recommended as they help to create a more branded and trusted user experience.

Can I remove authenticators for a user?

Yes, you can do this in the Authsignal Portal by following these steps:

Navigate to the user details page
Click the "Remove authenticators" button
Select which authenticators you want to remove and submit

We also offer ways to remove authenticators programmatically. For more information, get in contact with your account manager or drop us a line at support@authsignal.com.

What are the verification and sending rate limits built into the challenge flows?

In order to deter and protect challenge flows from abuse and high volume attacks, Authsignal has built in rate limit guard rails for different authenticator types.

Do note that these limits are in place to deter and stop bad actors, and typically will not be noticed by legitimate users on your platform.

Rate limits for sending

Authenticator type	Rate limit
Email magic link	12 sends per 10 mins
SMS OTP	6 sends 10 mins

Rate limits for verification

Authenticator type	Rate limit
SMS OTP	10 failed attempts per 5 mins
Time-based OTP (TOTP)	10 failed attempts per 5 mins

How do I enable WhatsApp for business to send SMS OTP codes?

Sending WhatsApp for Business OTP codes is a paid feature. Please contact your account manager to enable this feature.

How can can an action get into a `CHALLENGE_FAILED` state?

There are currently only two scenarios where this can occur:

In push notification auth when the user presses "Deny" instead of "Accept" in the in-app notification
In SMS or email OTP auth when the number of code submission attempts exceeds rate limit thresholds

In other cases when an action is incomplete or abandoned it will remain in a CHALLENGE_REQUIRED state.

Why does track return ALLOW when I have already configured authenticators for my tenant?​

The track API call is returning a 401 HTTP status code​

The track API call is returning AUTHENTICATOR_NOT_FOUND with a 400 HTTP status code​

Why should I use custom domains?​

Can I remove authenticators for a user?​

What are the verification and sending rate limits built into the challenge flows?​

How do I enable WhatsApp for business to send SMS OTP codes?​

How can can an action get into a CHALLENGE_FAILED state?​