Send an AAGUID or a WebAuthn attestation and get back an enriched posture profile: is the credential hardware-bound or a synced cloud passkey, its FIDO Alliance MDS certification, and which advanced extensions (largeBlob, PRF, credProtect) it supports — without building your own MDS cache, signature-chain verification, and parsing.
X-Auth fetches the FIDO Alliance Metadata Service (MDS3) blob, verifies its signature against the FIDO root via the x5c chain, and keeps a fresh in-memory index. You query it by AAGUID or by posting an attestation; we fold the metadata statement and status reports into one opinionated risk shape. Every /v1/* call needs an X-Tenant-Id header, which is used for per-tenant rate limiting.
GET /v1/authenticators/{aaguid} — returns the risk profile, or 404 if the AAGUID is not in the MDS.
curl -H "X-Tenant-Id: acme" \
  https://fido.x-auth.com/v1/authenticators/ee882879-721c-4913-9775-3dfcce97072a

{
  "aaguid": "ee882879-721c-4913-9775-3dfcce97072a",
  "description": "YubiKey 5 Series with NFC",
  "protocolFamily": "fido2",
  "binding": "hardware",
  "hardwareBound": true,
  "keyProtection": ["hardware", "secure_element"],
  "certification": {
    "fidoCertified": true,
    "status": "FIDO_CERTIFIED_L2",
    "level": "L2",
    "latestEffectiveDate": "2021-05-12"
  },
  "extensions": {
    "largeBlob": true,
    "prf": true,
    "credProtect": true,
    "credBlob": false,
    "minPinLength": true,
    "supported": ["credProtect", "hmac-secret", "largeBlobKey", "minPinLength"]
  },
  "riskTier": "low",
  "riskScore": 0,
  "signals": ["hardware-bound key protection", "FIDO certified (FIDO_CERTIFIED_L2)"],
  "source": "mds"
}

POST /v1/attestation — send a bare attestationObject (base64url or base64) or a full WebAuthn registration response under credential. We read the AAGUID and the authenticator-data flags. The backup-eligible (BE) flag is authoritative for synced credentials.
curl -X POST -H "X-Tenant-Id: acme" \
  -H "Content-Type: application/json" \
  -d '{"attestationObject":"o2NmbXRkbm9uZ..."}' \
  https://fido.x-auth.com/v1/attestation

{
  "aaguid": "fbfc3007-154e-4ecc-8c0b-6e020557d7bd",
  "description": "iCloud Keychain",
  "binding": "synced",
  "hardwareBound": false,
  "certification": { "fidoCertified": false, "status": "NOT_FIDO_CERTIFIED" },
  "extensions": { "largeBlob": false, "prf": true },
  "attestation": {
    "userPresent": true,
    "userVerified": true,
    "backupEligible": true,
    "backupState": true,
    "attestedCredentialData": true
  },
  "riskTier": "medium",
  "riskScore": 50,
  "signals": ["synced / multi-device credential", "credential is backup-eligible (synced / multi-device)"],
  "source": "mds+attestation"
}

GET /v1/authenticators?offset=0&limit=50 pages through every known authenticator. GET /v1/mds/status reports snapshot freshness and the last refresh outcome — handy as a deep health check.
{
  "loaded": true,
  "blobNumber": 71,
  "entryCount": 312,
  "nextUpdate": "2026-07-01",
  "fetchedAt": "2026-06-19T09:00:00Z",
  "source": "network"
}

Every profile carries a riskScore (0–100, higher = riskier) and a tier. Security advisories (revoked, key compromise, UV bypass) always force high.
| Tier | Typical signals |
|---|---|
| low | Hardware-bound key protection, FIDO certified (L2+). |
| medium | Synced/software credential, not certified, or AAGUID absent from MDS. |
| high | Revoked / attestation-key compromise / user-verification bypass advisories. |
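
The fields that POST /v1/attestation reports (the AAGUID plus the UP, UV, BE, BS and AT flags) sit at fixed offsets in WebAuthn authenticator data. The sketch below is an added example, not X-Auth's code: it decodes raw authenticator data, assumed to be already extracted from the CBOR attestationObject, into the field names used in the `attestation` object above. `parse_auth_data`, `build_sample` and the sample bytes are constructed for illustration.

```python
import struct
import uuid

# Bit masks for the authenticator data "flags" byte, as defined by WebAuthn.
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS, FLAG_AT = 0x01, 0x04, 0x08, 0x10, 0x40


def parse_auth_data(auth_data: bytes) -> dict:
    """Decode the 37-byte header and, if the AT flag is set, the AAGUID (COSE key not parsed)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte header")
    flags = auth_data[32]  # bytes 0..31 are the rpIdHash
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    be, bs = bool(flags & FLAG_BE), bool(flags & FLAG_BS)
    if bs and not be:
        # WebAuthn does not allow "backed up" on a credential that is not backup-eligible.
        raise ValueError("invalid flags: BS set without BE")
    result = {
        "aaguid": None,
        "signCount": sign_count,
        "userPresent": bool(flags & FLAG_UP),
        "userVerified": bool(flags & FLAG_UV),
        "backupEligible": be,
        "backupState": bs,
        "attestedCredentialData": bool(flags & FLAG_AT),
    }
    if flags & FLAG_AT:
        # attestedCredentialData = aaguid(16) || credIdLen(2, big-endian) || credId || COSE key
        if len(auth_data) < 55:
            raise ValueError("AT flag set but attested credential data is truncated")
        result["aaguid"] = str(uuid.UUID(bytes=auth_data[37:53]))
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        if cred_len > 1023 or len(auth_data) < 55 + cred_len:
            raise ValueError("credential ID length is inconsistent with the data")
    return result


def build_sample(flags: int, aaguid: str) -> bytes:
    """Constructed test input: zeroed rpIdHash, counter 0, 16-byte credential ID, no COSE key."""
    cred_id = bytes(range(16))
    return bytes(32) + bytes([flags]) + struct.pack(">I", 0) + \
        uuid.UUID(aaguid).bytes + struct.pack(">H", len(cred_id)) + cred_id


if __name__ == "__main__":
    # Flags 0x5D = UP | UV | BE | BS | AT, the combination in the synced-passkey response above.
    sample = build_sample(0x5D, "fbfc3007-154e-4ecc-8c0b-6e020557d7bd")
    print(parse_auth_data(sample))
```
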
Paste an AAGUID and query the live API.
Calls https://fido.x-auth.com with a demo tenant header. Cross-origin browser access requires CORS on the service; from a server you can call it directly today.
Score device posture dynamically alongside the rest of the platform.