Initiate Re-identification
Initiates or completes a re-identification flow for a returning customer, reconnecting them to their existing Identity Record without re-collecting all their details.
Three methods are supported:
magic-link — requires email to be stored on the Identity Record.
The register dispatches a short-lived signed URL to the stored email address.
The link expires after 15 minutes and is single-use.
Supply an optional redirect-url (pre-registered for the Data User’s DUID)
to send the customer back to the Data User’s application after clicking —
the register appends ?dar-reid-token={token-ref} so the application can
confirm re-identification with a single call rather than polling.
Without redirect-url, the customer lands on a confirmation page at
central.consent and the Data User polls
GET /identity-records/{ir}/re-identify/{token-ref} for confirmation.
passkey-assert — requires at least one credential registered on the
Identity Record. The register returns a WebAuthn assertion challenge. The
Data User passes this to navigator.credentials.get(), then submits the
signed assertion response back to this endpoint with method: passkey-assert-complete
to verify and confirm re-identification.
passkey-register — used when the customer has no existing passkey
on the record (e.g. new device). Returns a WebAuthn registration challenge.
The Data User completes the ceremony via POST /identity-records/{ir}/credentials
to store the new public key, then the re-identification is confirmed.
Re-identification does not modify the core Identity Record fields. It is a verification step confirming the returning individual is the same principal as originally recorded.
Authorizations
JWT from GET /auth/token. Pass as Authorization: Bearer <token>. Expires after 7200s.
Path Parameters
The identity record key for the returning principal.
Unique opaque identifier for an Identity Record, issued by the register on creation. Referenced from record-metadata.identity-record-ref on an AccessRecord to link the two resources.
^ir_[0-9a-f]{24}$"ir_a3c5e7f9b1d3a3c5e7f9b1d3"
Body
Request body for POST /identity-records/{ir}/re-identify.
The re-identification method to use.
magic-link — single-step. The register dispatches a signed link to
the stored email address. Optionally supply redirect-url to send the
customer back to the Data User's app after clicking; otherwise the customer
lands on central.consent. Poll or check
GET /identity-records/{ir}/re-identify/{token-ref} to confirm.
passkey-assert — two-step redirect. The response contains a
passkey-redirect with a short-lived URL to id.central.consent. Redirect
the customer there; the register runs the WebAuthn assertion against the
stored public key on its own origin, then redirects back with
?dar-passkey-token={token-ref}. Call
GET /identity-records/{ir}/re-identify/{token-ref} once to confirm.
passkey-register — two-step redirect for new device enrolment. Same
flow as passkey-assert but runs a registration ceremony instead of
assertion. Stores a new public key credential on the Identity Record and
confirms re-identification on success.
magic-link, passkey-assert, passkey-register Optional. Only valid when method is magic-link. A URL to redirect the customer to after they click the magic link and the register has confirmed their identity. Must exactly match a URL pre-registered for the Data User's DUID.
When supplied, the register appends ?dar-reid-token={token-ref} to the URL before redirecting. The Data User reads dar-reid-token from the query string and calls GET /identity-records/{ir}/re-identify/{token-ref} once to confirm status: confirmed — no polling required.
When omitted, the customer lands on a confirmation page at central.consent after clicking the link. The Data User must poll GET /identity-records/{ir}/re-identify/{token-ref} to detect confirmation.
"https://app.bright-energy.com/renew/confirmed"
Optional. Only valid when method is passkey-assert or passkey-register. The URL the register redirects the customer back to after the WebAuthn ceremony completes on id.central.consent. Must exactly match a URL pre-registered for the Data User's DUID. The register appends ?dar-passkey-token={token-ref} on success.
When omitted, the customer lands on a completion page at id.central.consent.
"https://app.bright-energy.com/renew/confirmed"
Response
Re-identification flow initiated.
- For
magic-link: link dispatched,magic-linkobject populated. - For
passkey-assertorpasskey-register:passkeyredirect object populated — redirect the customer topasskey.redirect-urlimmediately.
The re-identification method to use.
magic-link — single-step. The register dispatches a signed link to
the stored email address. Optionally supply redirect-url to send the
customer back to the Data User's app after clicking; otherwise the customer
lands on central.consent. Poll or check
GET /identity-records/{ir}/re-identify/{token-ref} to confirm.
passkey-assert — two-step redirect. The response contains a
passkey-redirect with a short-lived URL to id.central.consent. Redirect
the customer there; the register runs the WebAuthn assertion against the
stored public key on its own origin, then redirects back with
?dar-passkey-token={token-ref}. Call
GET /identity-records/{ir}/re-identify/{token-ref} once to confirm.
passkey-register — two-step redirect for new device enrolment. Same
flow as passkey-assert but runs a registration ceremony instead of
assertion. Stores a new public key credential on the Identity Record and
confirms re-identification on success.
magic-link, passkey-assert, passkey-register Populated for magic-link method; null otherwise.
Populated for passkey-assert and passkey-register methods; null for magic-link. Contains the redirect URL to id.central.consent where the WebAuthn ceremony takes place.