Required Endpoints
The reference app exposes a small set of server endpoints.
POST /api/biometric-session
- Requires an authenticated session
- Mints a BST for the requested biometric operation
- Can include bound user context when the user is already enrolled
POST /api/biometric-results
- Accepts the completed BRT
- Verifies the token signature and session integrity
- Runs operation-specific processing after verification
Business Endpoints
Operation-specific endpoints, such as password update flows, should require a verified biometric result before completing the protected action.
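The sketch below is an added example, not code from the reference app: it models the three endpoint roles above as plain functions so the gating logic can be read and run on its own. The HMAC-SHA256 token layout, the two demo keys, the nonce and expiry claims, the single-use rule, the reading of "session integrity" as session binding, and every function name are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumed for this sketch: HMAC-SHA256 tokens and two constructed demo keys.
APP_KEY = secrets.token_bytes(32)       # signs the BST
PROVIDER_KEY = secrets.token_bytes(32)  # signs the BRT (stand-in for the biometric step)
_used_nonces = set()
_verified = set()  # (session_id, operation) pairs holding an unspent verified result

def _sign(key, claims):
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return body.decode() + "." + hmac.new(key, body, hashlib.sha256).hexdigest()

def _open(key, token):
    body, _, tag = token.partition(".")
    good = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), good.encode()):
        return None  # forged or tampered token
    return json.loads(base64.urlsafe_b64decode(body))

def mint_bst(session_id, operation, user_id=None, ttl=120):
    """POST /api/biometric-session: bind the token to session and operation."""
    return _sign(APP_KEY, {"sid": session_id, "op": operation, "user": user_id,
                           "nonce": secrets.token_hex(16), "exp": time.time() + ttl})

def provider_complete(bst, matched=True):
    """Constructed stand-in for the biometric step that turns a BST into a BRT."""
    claims = _open(APP_KEY, bst)
    return _sign(PROVIDER_KEY, dict(claims, matched=matched))

def accept_brt(session_id, brt):
    """POST /api/biometric-results: signature, then session binding, then result."""
    claims = _open(PROVIDER_KEY, brt)
    if claims is None or claims["sid"] != session_id or claims["exp"] < time.time():
        return False
    if claims["nonce"] in _used_nonces or not claims["matched"]:
        return False  # replayed token or failed biometric match
    _used_nonces.add(claims["nonce"])
    _verified.add((session_id, claims["op"]))
    return True

def update_password(session_id, new_password):
    """Business endpoint: proceeds only on an unspent verified result."""
    if (session_id, "password-update") not in _verified:
        return False
    _verified.discard((session_id, "password-update"))  # single use
    return True  # the password change itself would happen here
```
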