Confirm
471
edits
Changes
m
Most The following keyserver APIs require a HAWK-protected request that uses the sessionToken. In addition, most (but not all) some require that the account be in the "verified" state:
* POST /certificate/sign* GET /account/recovery_methods (does not require verification)* POST /account/recovery_methods/send_code* GET /accountrecovery_email/devicesstatus* POST /password/change/authrecovery_email/startresend_code* POST /passwordcertificate/change/auth/finishsign (requires "verified" account)
→Signing Certificates
For /certificate/sign, it is critical to enable payload verification by setting options.payload=true (on both client and server). Otherwise a man-in-the-middle could submit their own public key, get it signed, and then delete the user's data on the storage servers.
* GET /sessionaccount/statusdevices
* POST /session/destroy
= Resetting The Account =
