16.1.1.25. Tokentype endpoints

The /ttype/ endpoint is a generic dispatcher for token-type-specific API calls. A token class may declare a classmethod api_endpoint and will then be reachable at /ttype/<tokentype> without having to register its own routes.

Authentication is not enforced by this dispatcher — it is the responsibility of each token class to validate the request, typically through cryptographic means (signed challenges, registered public keys, shared secrets). The dispatcher only sets up the audit, policy and event context.

Token classes that currently use this endpoint include TiQR (TiQR Token), push, U2F and Yubikey.

POST /ttype/(ttype)

Dispatch a token-type-specific API call to the matching token class. The path component selects the token type; the request body / query string is forwarded verbatim to the token class’ api_endpoint classmethod, which is responsible for both validation and the response.

Authentication is not enforced by the dispatcher — token classes authenticate the request themselves (signed payloads, registered keys, shared secrets). The response shape depends on what the token class returns: JSON, HTML, plain text, or arbitrary binary data with custom headers.

If the policy action hide_specific_error_message_for_ttype is active, exceptions raised by the token class are converted into a generic error response instead of propagating the underlying message.

For the push token type, the dispatcher additionally evaluates the push_code_to_phone_message policy and forwards its value to the token class.

Parameters:

  • ttype – path component naming the token type (e.g. tiqr, push, u2f, yubikey).

Status Codes:

  • 200 OK – token-type-dependent response.

  • 400 Bad Request – the ttype does not match any registered token class.

GET /ttype/(ttype)

Dispatch a token-type-specific API call to the matching token class. The path component selects the token type; the request body / query string is forwarded verbatim to the token class’ api_endpoint classmethod, which is responsible for both validation and the response.

Authentication is not enforced by the dispatcher — token classes authenticate the request themselves (signed payloads, registered keys, shared secrets). The response shape depends on what the token class returns: JSON, HTML, plain text, or arbitrary binary data with custom headers.

If the policy action hide_specific_error_message_for_ttype is active, exceptions raised by the token class are converted into a generic error response instead of propagating the underlying message.

For the push token type, the dispatcher additionally evaluates the push_code_to_phone_message policy and forwards its value to the token class.

Parameters:

  • ttype – path component naming the token type (e.g. tiqr, push, u2f, yubikey).

Status Codes:

  • 200 OK – token-type-dependent response.

  • 400 Bad Request – the ttype does not match any registered token class.