POST /v1/auth/trusted-browsers
Mark the current browser as trusted. Sets an identsphere_trust cookie that lets
future logins skip MFA on this device.
::: tip Auth Required: cookie or Bearer. :::
Request
POST /v1/auth/trusted-browsers
| Header | Required | Notes |
|---|---|---|
| Cookie: identsphere_at=... OR Authorization: Bearer ... | yes | — |
| Content-Type: application/json | yes | — |
Body
{ "label": "MacBook at home" }
| Field | Type | Required | Notes |
|---|---|---|---|
| label | string \| null | no | User-friendly label, shown in the trusted-browsers list. |
Response
200 OK
{
"trusted_browser": {
"id": "c3f1d4e2-...",
"label": "MacBook at home",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5)...",
"ip_address": "203.0.113.42",
"created_at": "2026-05-28T12:00:00+00:00",
"last_seen_at": "2026-05-28T12:00:00+00:00",
"expires_at": "2026-06-27T12:00:00+00:00"
}
}
Cookie set:
identsphere_trust — opaque token, HttpOnly, scoped to route_prefix, 30-day TTL.
Error responses
| Status | Code | When |
|---|---|---|
| 401 | authentication_required | No valid auth credential. |
Notes
- The cookie value is the raw random token; the database stores a SHA-256
  hash of token + ":" + user_agent so a replayed cookie from a different
  browser fails to match.
- Trusted browsers ONLY skip the MFA login challenge — they have no effect
  on step-up endpoints (/v1/auth/mfa/verify).
- 30-day TTL is hardcoded in v0.1.
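The storage and verification scheme from the notes above, as an added sketch that is not the project's own code. The function names, the hex encoding of the stored hash, the `secrets.token_urlsafe` token format and the in-memory rows are assumptions; only the hash input (token + ":" + user_agent) and the 30-day TTL come from this page.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

TRUST_TTL = timedelta(days=30)  # 30-day TTL, per the endpoint notes


def trust_hash(token: str, user_agent: str) -> str:
    """SHA-256 of token + ":" + user_agent (hex storage encoding is assumed)."""
    return hashlib.sha256(f"{token}:{user_agent}".encode("utf-8")).hexdigest()


def issue_trust(user_agent: str, now: datetime) -> tuple[str, dict]:
    """Return (raw cookie value, database row); the raw token is never stored."""
    token = secrets.token_urlsafe(32)  # assumed format; the page only says "opaque"
    row = {"token_hash": trust_hash(token, user_agent),
           "created_at": now,
           "expires_at": now + TRUST_TTL}
    return token, row


def is_trusted(cookie: str, user_agent: str, rows: list[dict], now: datetime) -> bool:
    """True if any unexpired row for this user matches cookie + User-Agent."""
    candidate = trust_hash(cookie, user_agent)
    matched = False
    for row in rows:
        live = now < row["expires_at"]
        # compare_digest avoids leaking how many leading characters matched
        if hmac.compare_digest(candidate, row["token_hash"]) and live:
            matched = True
    return matched


if __name__ == "__main__":
    ua_mac = "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5)"   # constructed sample
    ua_other = "Mozilla/5.0 (X11; Linux x86_64)"               # constructed sample
    t0 = datetime(2026, 5, 28, 12, 0, tzinfo=timezone.utc)
    cookie, row = issue_trust(ua_mac, t0)
    print("same browser:     ", is_trusted(cookie, ua_mac, [row], t0))
    print("different browser:", is_trusted(cookie, ua_other, [row], t0))
    print("after expiry:     ", is_trusted(cookie, ua_mac, [row], t0 + TRUST_TTL))
```

Because the User-Agent header is supplied by the client, this binding catches a cookie replayed from a different browser but does not by itself authenticate the device. Any change to the User-Agent string, such as a browser update, also stops the stored hash from matching.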