Method: challenge.verify
Stay organized with collections
Save and categorize content based on your preferences.
HTTP request
POST https://verifiedaccess.googleapis.com/v1/challenge:verify
The URL uses gRPC Transcoding syntax.
Request body
The request body contains data with the following structure:
| JSON representation |
{
"challengeResponse": {
object (SignedData)
},
"expectedIdentity": string
} |
| Fields |
challengeResponse |
object (SignedData)
The generated response to the challenge
|
expectedIdentity |
string
Service can optionally provide identity information about the device or user associated with the key. For an EMK, this value is the enrolled domain. For an EUK, this value is the user's email address. If present, this value will be checked against contents of the response, and verification will fail if there is no match.
|
Response body
Result message for VerifiedAccess.VerifyChallengeResponse.
If successful, the response body contains data with the following structure:
| JSON representation |
{
"verificationOutput": string,
"devicePermanentId": string,
"signedPublicKeyAndChallenge": string,
"deviceEnrollmentId": string,
"attestedDeviceId": string
} |
| Fields |
verificationOutput
(deprecated) |
string
For EMCert check, device permanent id is returned here. For EUCert check, signedPublicKeyAndChallenge [base64 encoded] is returned if present, otherwise empty string is returned. This field is deprecated, please use devicePermanentId or signedPublicKeyAndChallenge fields.
|
devicePermanentId |
string
Device permanent id is returned in this field (for the machine response only).
|
signedPublicKeyAndChallenge |
string
Certificate Signing Request (in the SPKAC format, base64 encoded) is returned in this field. This field will be set only if device has included CSR in its challenge response. (the option to include CSR is now available for both user and machine responses)
|
deviceEnrollmentId |
string
Device enrollment id is returned in this field (for the machine response only).
|
attestedDeviceId |
string
Attested device id (ADID) of the device, read from the verified data.
|
Authorization scopes
Requires the following OAuth scope:
https://www.googleapis.com/auth/verifiedaccess
For more information, see the OAuth 2.0 Overview.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-03-20 UTC.
[null,null,["Last updated 2025-03-20 UTC."],[[["\u003cp\u003eThe challenge.verify API is used to verify a challenge response from a device or user, typically involving cryptographic signatures.\u003c/p\u003e\n"],["\u003cp\u003eThe request body requires the challenge response and optionally the expected identity of the device or user.\u003c/p\u003e\n"],["\u003cp\u003eUpon successful verification, the response body provides device identifiers, a certificate signing request (if applicable), and other relevant data.\u003c/p\u003e\n"],["\u003cp\u003eThis API requires the \u003ccode\u003ehttps://www.googleapis.com/auth/verifiedaccess\u003c/code\u003e OAuth scope for authorization.\u003c/p\u003e\n"]]],[],null,["# Method: challenge.verify\n\n- [HTTP request](#body.HTTP_TEMPLATE)\n- [Request body](#body.request_body)\n - [JSON representation](#body.request_body.SCHEMA_REPRESENTATION)\n- [Response body](#body.response_body)\n - [JSON representation](#body.VerifyChallengeResponseResult.SCHEMA_REPRESENTATION)\n- [Authorization scopes](#body.aspect)\n\nchallenge.verify API\n\n### HTTP request\n\n`POST https://verifiedaccess.googleapis.com/v1/challenge:verify`\n\nThe URL uses [gRPC Transcoding](https://google.aip.dev/127) syntax.\n\n### Request body\n\nThe request body contains data with the following structure:\n\n| JSON representation |\n|--------------------------------------------------------------------------------------------------------------------------------|\n| ``` { \"challengeResponse\": { object (/chrome/verified-access/reference/rest/v1/SignedData) }, \"expectedIdentity\": string } ``` |\n\n| Fields ||\n|---------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `challengeResponse` | `object (`[SignedData](/chrome/verified-access/reference/rest/v1/SignedData)`)` The generated response to the challenge |\n| `expectedIdentity` | `string` Service can optionally provide identity information about the device or user associated with the key. For an EMK, this value is the enrolled domain. For an EUK, this value is the user's email address. If present, this value will be checked against contents of the response, and verification will fail if there is no match. |\n\n### Response body\n\nResult message for VerifiedAccess.VerifyChallengeResponse.\n\nIf successful, the response body contains data with the following structure:\n\n| JSON representation |\n|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| ``` { \"verificationOutput\": string, \"devicePermanentId\": string, \"signedPublicKeyAndChallenge\": string, \"deviceEnrollmentId\": string, \"attestedDeviceId\": string } ``` |\n\n| Fields ||\n|---------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `verificationOutput` **(deprecated)** | `string` | This item is deprecated! For EMCert check, device permanent id is returned here. For EUCert check, signedPublicKeyAndChallenge \\[base64 encoded\\] is returned if present, otherwise empty string is returned. This field is deprecated, please use devicePermanentId or signedPublicKeyAndChallenge fields. |\n| `devicePermanentId` | `string` Device permanent id is returned in this field (for the machine response only). |\n| `signedPublicKeyAndChallenge` | `string` Certificate Signing Request (in the SPKAC format, base64 encoded) is returned in this field. This field will be set only if device has included CSR in its challenge response. (the option to include CSR is now available for both user and machine responses) |\n| `deviceEnrollmentId` | `string` Device enrollment id is returned in this field (for the machine response only). |\n| `attestedDeviceId` | `string` Attested device id (ADID) of the device, read from the verified data. |\n\n### Authorization scopes\n\nRequires the following OAuth scope:\n\n- `https://www.googleapis.com/auth/verifiedaccess`\n\nFor more information, see the [OAuth 2.0 Overview](/identity/protocols/OAuth2)."]]