> ## Documentation Index
> Fetch the complete documentation index at: https://developer.z-api.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Complete the Challenge

> Sends the result of the passkey resolution (WebAuthn assertion) to complete the instance connection

## Overview

<Warning>
  On some devices, WhatsApp has started requiring an additional verification step when attempting to connect to WhatsApp Web, called **[Passkey](/en/tips/extension-guide)**. Because of this, devices that try to read the QR Code via the API may receive a **Challenge** in return.
</Warning>

This method is part of the instance connection flow via **[Passkey (WebAuthn)](/en/tips/extension-guide)**, being the final step of this process:

1. The QR Code endpoint is called and returns a `challenge`.
2. This challenge is resolved on the device / [authenticator](/en/tips/extension-guide) (a procedure performed outside of Z-API, and that does not depend on our API).
3. The result of this resolution (the **WebAuthn assertion**) is sent to this endpoint, so the instance can complete the connection.

<Note>
  The challenge resolution happens directly between the user's device and the authenticator (Passkey), outside the Z-API ecosystem. This endpoint only receives the already processed result.

  With this new WhatsApp authentication in mind, Z-API created an extension called **[Z-API Connector](/en/tips/extension-guide)**, specifically to make this Passkey validation easier.
</Note>

***

## Attributes

### Required

<ParamField path="instanceId" type="string" required>
  Your instance ID. Available in the Z-API panel under **Instances**.
</ParamField>

<ParamField path="token" type="string" required>
  Your Z-API instance token.
</ParamField>

### Required

<ParamField body="id" type="string" required>
  Identifier of the credential generated by the authenticator
</ParamField>

<ParamField body="rawId" type="string" required>
  Raw identifier of the credential
</ParamField>

<ParamField body="type" type="string" required>
  Credential type. Always "public-key"
</ParamField>

<ParamField body="response" type="object" required>
  WebAuthn signature data returned by the authenticator

  <Expandable title="Response properties">
    <ParamField body="authenticatorData" type="string" required>
      Authenticator data, base64-encoded
    </ParamField>

    <ParamField body="clientDataJSON" type="string" required>
      Client data related to the assertion, base64-encoded
    </ParamField>

    <ParamField body="signature" type="string" required>
      Signature generated by the authenticator, base64-encoded
    </ParamField>

    <ParamField body="userHandle" type="string">
      Identifier of the user associated with the credential, when applicable
    </ParamField>
  </Expandable>
</ParamField>

### Optional

<ParamField body="clientExtensionResults" type="object">
  Client extensions returned by the authenticator

  <Expandable title="clientExtensionResults properties">
    <ParamField body="uvm" type="array">
      User verification methods used during the assertion
    </ParamField>
  </Expandable>
</ParamField>

***

## Request Body

```json theme={"theme":{"light":"github-light","dark":"poimandres"}}
{
  "id": "...",
  "rawId": "...",
  "type": "public-key",
  "response": {
    "authenticatorData": "...",
    "clientDataJSON": "...",
    "signature": "...",
    "userHandle": null
  },
  "clientExtensionResults": { "uvm": [] }
}
```

***

## Response

### 200

Returns the result of the assertion processing by the instance. There are three possible variations:

**Success:**

```json theme={"theme":{"light":"github-light","dark":"poimandres"}}
{ "success": true }
```

**Failure — missing required fields:**

```json theme={"theme":{"light":"github-light","dark":"poimandres"}}
{ "success": false, "reason": "assertion (rawId + response) is required" }
```

**Failure — invalid field type:**

```json theme={"theme":{"light":"github-light","dark":"poimandres"}}
{ "success": false, "reason": "assertion fields must be strings" }
```

<Note>
  Responses with `success: false` indicate that the assertion payload is malformed — the request body must be corrected and resent. These are not Z-API infrastructure errors.
</Note>

### 400

Returned in the following cases:

* **Instance not found** for the `instanceId` + `token` pair:

```json theme={"theme":{"light":"github-light","dark":"poimandres"}}
{ "error": "Instance not found", "value": null }
```

### 405

In this case, make sure you are sending the correct method specification, i.e., check whether you sent a POST or GET request as specified at the beginning of this topic.

### 415

If you receive a 415 error, make sure to add the "Content-Type" of the object you are sending to the request headers, most commonly "application/json".
