/api/v1/attestations/challengeBackground-Check · mint a relay nonce (C1)
The default server→server flow. Your server calls this with its rh_sk_ secret key to mint a single-use nonce, relays the nonce to its dumb client (which quotes over it), and submits the result to /attestations/verify. No pre-enrolled RP, no client-side key.
Parameters
| Name | In | Type | Required | Description |
|---|---|---|---|---|
| Authorization | header | string | yes | Bearer rh_sk_… secret key. |
| deviceHint | body | string | no | Advisory hint identifying the device; no pre-enrolled device required. |
Response
200 with a single-use challenge (5-minute TTL). 401 on a missing/invalid secret key.
{
"challengeId": "2f9c4a1c-8b…",
"nonce": "base64…",
"expiresAt": "2026-06-18T18:09:11Z"
}