Request Origins

Describes the administration of Request Origins.

Request Origins are systems that interact with Privakey CX to send challenge requests to users. They are directly associated with one App Space, although an App Space can have multiple Request Origins. To create, edit or delete Request Origins, the App Space Admin role is required. Privakey CX requires authentication from Request Origins; either Basic or HMAC schemes can be used.



Provides a quick glance at the Request Origin. Here you can edit the name of the Request Origin.

Request Origin Name

The name of the Request Origin, displayed for ease of identification.


The identifier of this particular Request Origin.

Auth Type

The type of authentication scheme the Request Origin uses when it connects to Privakey CX.

Configured Callback URLs

The Callbacks whitelisted for this Request Origin. Callbacks can be created, edited, or deleted from here. A Callback must be whitelisted before it can be sent as part of a challenge request to the Auth Service. For more information on configuring Callbacks, see below. For general information on the uses of Callbacks, see Callbacks.

Generate New Credentials

New credentials of the current credential type can be generated here. This is the recommended action if the current credentials are lost or suspected to be compromised. Note: performing this action immediately updates the Auth Service's secret for this Request Origin, so the Request Origin must be updated with the new secret before it can authenticate again.

Switch Credential Type

Toggles the Request Origin's authentication scheme between Basic and HMAC. In either case, a new secret will be generated for this Request Origin. For information on how to authenticate, see Authenticating with Request Origins below.

Revoke Credentials

Removes the credentials of the Request Origin. Doing so will prevent the Request Origin from being able to authenticate to the Auth Service, but will not delete any information related to the Request Origin. The Request Origin will be considered inactive, and can be reactivated by generating new credentials.

Deleting Request Origins

If a Request Origin has no credentials, it can be deleted. Doing so will permanently remove the Request Origin and any Callback information related to the Request Origin.

Authenticating with Request Origins

In order to instruct the Auth Service to send a challenge request to a user, the call from the Request Origin must be authenticated. There are two schemes that Privakey CX accepts: Basic and HMAC. Basic is generally easier to implement but is inherently less secure than HMAC. Basic can be used to facilitate rapid testing of integration between the Request Origin and the Auth Service, but it is recommended to move to the more secure HMAC once this process has completed. For more information on how to use either authentication scheme, please reference the API documentation.

Configuring Callbacks

When requesting a challenge be sent to a user, a Request Origin can specify a callback URL which Privakey CX will call after the challenge has been processed. These callback URLs must be registered in advance by clicking the "Add Callback" link in the Configured Callback URLs section.

Note: Callback URLs can use {*} as a wildcard to allow for simpler configuration. For example, rather than specifying both and as callbacks, you can more efficiently use {*}/example as the callback URL.
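The following is an added example, not Privakey code, for reviewing wildcard callback patterns before registering them: it reports which URLs a pattern would admit and flags wildcards that cover the host. It assumes the broadest reading of {*} (any run of one or more characters), which this page does not specify; the patterns, hosts and function names are constructed for illustration.

```python
import re

WILDCARD = "{*}"

def pattern_to_regex(pattern):
    """Escape the literal parts; treat each {*} as 'one or more of any character' (assumed)."""
    return re.compile(".+".join(re.escape(part) for part in pattern.split(WILDCARD)))

def callback_allowed(url, patterns):
    """True if the whole URL matches at least one registered pattern."""
    return any(pattern_to_regex(p).fullmatch(url) for p in patterns)

def audit_pattern(pattern):
    """Return findings for a pattern before registering it (empty list: nothing flagged)."""
    findings = []
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme.lower() != "https":
        findings.append("scheme not pinned to https")
    host = (rest if sep else pattern).split("/", 1)[0]
    if host == WILDCARD:
        findings.append("wildcard is the entire host: any host matches")
    elif host.endswith(WILDCARD):
        findings.append("wildcard ends the host: domain suffix is unbounded")
    elif WILDCARD in host:
        findings.append("wildcard inside host: confirm every matching host is yours")
    return findings

# Constructed sample data; all hosts are placeholders.
PROPOSED = ["https://{*}/example", "https://{*}.example.com/example",
            "https://app.example.com/cb/{*}"]
INTENDED = ["https://a.example.com/example", "https://b.example.com/example"]
UNINTENDED = ["https://other.test/example"]

def report(patterns=PROPOSED):
    """Per pattern: findings, whether intended URLs pass, which unintended URLs also pass."""
    out = {}
    for p in patterns:
        out[p] = {
            "findings": audit_pattern(p),
            "covers_intended": all(callback_allowed(u, [p]) for u in INTENDED),
            "admits_unintended": [u for u in UNINTENDED if callback_allowed(u, [p])],
        }
    return out

if __name__ == "__main__":
    for pattern, result in report().items():
        print(pattern, result)
```

Of the three constructed patterns, only the one that keeps the domain literal and puts the wildcard in the subdomain position covers both intended URLs without admitting the unintended one.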
