Demo: API Routes
Biometric Session Route
POST /api/biometric-session
- requires an authenticated session
- issues
BST - can bind an enrolled user to the session
Biometric Results Route
POST /api/biometric-results
- accepts
BRT - validates signature and replay/session state
- performs per-operation work
Protected Business Route
Example: POST /api/update-password
- requires a verified biometric result
- uses biometric authentication as a gate before the business mutation runs