SurePassID Server API

The SurePassID Application Programming Interface (API) consists of a series of methods that allow you to request services from the SurePassID Authentication Server. The API provides the following services:
  • User Management & Provisioning
  • Token Management & Provisioning
  • User Authentication
  • User Session Management
  • FIDO (U2F, UAF, and FIDO2) authentication

The API is delivered in two interfaces that between them can enable any application (desktop applications, web sites, mobile apps (via proxy), etc.), written in any software development language, on any platform, to instantly support two-factor authentication.
The API is meant for server-to-server communications and is NOT meant to be directly integrated into JavaScript-based technologies such as Angular and Single Page Apps (SPA). JavaScript apps should make authenticated calls to endpoints located in their origin and then use server-side endpoints to communicate with the SurePassID MFA server.
The API is offered in two versions: 
  • Windows WCF Service - Primarily for native Windows client apps. Although this interface is still supported, it is no longer being enhanced. We recommend using the REST/JSON interface.
  • REST/JSON interface - All other systems

Transaction State

To maintain the utmost level of efficiency and throughput, the API is stateless. Each API request has no relationship to a previous request, and you must maintain application state in your application.

Return Codes

Each API method returns, at a minimum, a return code and message. Some methods return additional information, and the format of that information is described in subsequent sections.

Whitelisting Client Apps

The SurePassID cloud server allows you to whitelist the IP addresses that can use the API to make requests to your account (tenant). You can also whitelist the IP addresses that can access the SurePassID portal. We strongly recommend you implement this capability and whitelist any IP addresses that will make requests to your account.

This feature is also available for on-premises installations, but it is usually not required because the SurePassID MFA server should not be accessible in the DMZ and should be behind firewalls, WAFs, etc., and any access to the server should be behind a load balancer and/or reverse proxy.

Developer Support

For developers we offer a Postman collection that contains all the SurePassID API calls. You can download the Postman collection from your SurePassID account. 

What you need to get started

Before you can start using the APIs you need (1) the account activation letter that was emailed to your company when you requested your account and (2) to download the sample code that is referenced in this document. The source code libraries are located in the SurePassID Git repositories, Confluence, and Maven repositories. More on this later.

Account Activation

The activation letter contains your SAS id and password. These two pieces of information are required for almost all of the methods in the API. If you do not have a SurePassID account, you can request an account at the SurePassID web site ( or email