Init attestation
Creates a new attestation session and returns the server nonce that the Relying Party forwards to the device. Used in the session approach; not used in the sessionless approach.
POST /api/v1/attestation/init
Authentication
Requires a valid API key in the X-Api-Key header. See Authentication.
Request
The endpoint takes no request body and no query parameters. A request body, if sent, is ignored.
Sample request
```bash
curl https://attestation.example.com/api/v1/attestation/init \
  --request POST \
  --header 'Accept: application/json' \
  --header 'X-Api-Key: xma_SampleKey'
```
Response
Success — 200 OK
Sample success response
```json
{
  "sessionReference": "019dd9b7-6c0f-755d-be98-2e82a6d067a0",
  "serverNonce": "8wY7WRuvpD8CtNuMuQeJV6nt9ToZxn9JQ2NBD8GEo8A=",
  "expiresAtUtc": "2026-04-30T14:54:29.8712178Z",
  "statusCode": 0
}
```
| Field | Type | Description |
|---|---|---|
| sessionReference | string | Opaque session identifier. The RP must persist this value and pass it to POST /attestation/verify when validating the resulting attestation token. |
| serverNonce | string (base64) | The server-side nonce part. Forwarded to the device; the RP does not need to store it. |
| expiresAtUtc | string (ISO 8601, UTC) | Absolute time after which the session is considered expired. A verify call against an expired session is rejected. |
| statusCode | uint | 0 on success. |
Error responses
| HTTP status | Cause | Body |
|---|---|---|
| 401 Unauthorized | X-Api-Key header missing. | Empty / framework default. |
| 403 Forbidden | Header present but key is invalid, unknown, or revoked. | Empty / framework default. |
| 500 Internal Server Error | Unexpected failure (database, configuration). | { "statusCode": 0x10011000, "errorMessage": "..." } when surfaced via the structured error handler; framework default otherwise. |
Sample error body
```json
{
  "statusCode": 268505088,
  "errorMessage": "Internal error"
}
```
statusCode values are issued by the Attestation API independently of HTTP status. A non-zero statusCode always indicates failure; the same code may be reported alongside different HTTP statuses depending on whether the framework surfaces a structured response.
| statusCode (hex) | statusCode (decimal) | Meaning |
|---|---|---|
| 0x00000000 | 0 | Success. |
| 0x10011000 | 268505088 | Internal error. |
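
The following is an added example, not code from the Attestation API or its vendor: a Relying Party-side handler for the init response that fails closed on any non-200 status or non-zero `statusCode`, checks that the nonce is valid base64 and that the session has not expired, and separates what the RP persists from what it forwards to the device. The names `parse_init_response`, `parse_utc` and `AttestationInitError` are hypothetical, and the caller is assumed to have performed the HTTP request and to pass in the status and raw body.

```python
import base64
import json
import re
from datetime import datetime, timezone

class AttestationInitError(Exception):
    def __init__(self, http_status, status_code, message):
        super().__init__(f"HTTP {http_status}, statusCode={status_code}: {message}")
        self.http_status, self.status_code = http_status, status_code

def parse_utc(ts):
    # The sample expiresAtUtc has 7 fractional digits; datetime holds 6, so truncate.
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z", ts)
    if not m:
        raise ValueError(f"not a UTC ISO 8601 timestamp: {ts!r}")
    micros = (m.group(2) or "0")[:6].ljust(6, "0")
    parsed = datetime.strptime(f"{m.group(1)}.{micros}", "%Y-%m-%dT%H:%M:%S.%f")
    return parsed.replace(tzinfo=timezone.utc)

def parse_init_response(http_status, body_text, now):
    # Returns what the RP persists and what it forwards; raises on any failure.
    try:
        body = json.loads(body_text) if body_text.strip() else {}
    except json.JSONDecodeError:
        body = {}  # framework default body rather than the structured handler
    body = body if isinstance(body, dict) else {}
    status_code = body.get("statusCode")
    # Fail closed: a non-200 status or a non-zero/missing statusCode is an error.
    if http_status != 200 or status_code != 0:
        raise AttestationInitError(http_status, status_code, body.get("errorMessage", ""))
    try:
        nonce = base64.b64decode(body["serverNonce"], validate=True)
        expires = parse_utc(body["expiresAtUtc"])
        reference = body["sessionReference"]
    except (KeyError, TypeError, ValueError) as exc:
        raise AttestationInitError(http_status, status_code, f"malformed body: {exc}")
    if expires <= now:
        raise AttestationInitError(http_status, status_code, "session already expired")
    return {
        "persist": {"sessionReference": reference, "expiresAtUtc": expires},
        "forward_to_device": body["serverNonce"],
        "nonce_bytes": len(nonce),
    }

# Constructed inputs: the sample bodies from this page.
SAMPLE_OK = ('{"sessionReference": "019dd9b7-6c0f-755d-be98-2e82a6d067a0", '
             '"serverNonce": "8wY7WRuvpD8CtNuMuQeJV6nt9ToZxn9JQ2NBD8GEo8A=", '
             '"expiresAtUtc": "2026-04-30T14:54:29.8712178Z", "statusCode": 0}')
SAMPLE_ERROR = '{"statusCode": 268505088, "errorMessage": "Internal error"}'
```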