Method: challenge.verify

Verifies the challenge response.

HTTP request

POST https://verifiedaccess.googleapis.com/v2/challenge:verify

The URL uses gRPC Transcoding syntax.

Request body

The request body contains data with the following structure:

JSON representation 
{
  "challengeResponse": string,
  "expectedIdentity": string
}
Fields
challengeResponse

string (bytes format)

Required. The generated response to the challenge, the bytes representation of SignedData.

A base64-encoded string.
expectedIdentity

string

Optional. Service can optionally provide identity information about the device or user associated with the key. For an EMK, this value is the enrolled domain. For an EUK, this value is the user's email address. If present, this value will be checked against contents of the response, and verification will fail if there is no match.

Response body

Result message for VerifiedAccess.VerifyChallengeResponse.

The response returned when successful for Managed profiles on Unmanaged browsers will NOT have devicePermanentId, keyTrustLevel, virtualDeviceId and customerId fields. Managed profiles will INSTEAD have the profileCustomerId, virtualProfileId, profilePermanentId and profileKeyTrustLevel fields.

If successful, the response body contains data with the following structure:

JSON representation 
{
  "devicePermanentId": string,
  "virtualDeviceId": string,
  "customerId": string,
  "signedPublicKeyAndChallenge": string,
  "deviceSignal": string,
  "deviceSignals": {
    object (DeviceSignals)
  },
  "keyTrustLevel": enum (KeyTrustLevel),
  "profileCustomerId": string,
  "virtualProfileId": string,
  "profilePermanentId": string,
  "profileKeyTrustLevel": enum (KeyTrustLevel),
  "attestedDeviceId": string,
  "deviceEnrollmentId": string
}
Fields
devicePermanentId

string

Output only. Device permanent id is returned in this field (for the machine response only).
virtualDeviceId

string

Output only. Virtual device id of the device. The definition of virtual device id is platform-specific.
customerId

string

Output only. Unique customer id that this device belongs to, as defined by the Google Admin SDK at https://developers.google.com/admin-sdk/directory/v1/guides/manage-customers
signedPublicKeyAndChallenge

string

Output only. Certificate Signing Request (in the SPKAC format, base64 encoded) is returned in this field. This field will be set only if device has included CSR in its challenge response. (the option to include CSR is now available for both user and machine responses)
deviceSignal

string

Output only. Deprecated. Device signal in json string representation. Prefer using deviceSignals instead.
deviceSignals

object (DeviceSignals)

Output only. Device signals.
keyTrustLevel

enum (KeyTrustLevel)

Output only. Device attested key trust level.
profileCustomerId

string

Output only. Unique customer id that this profile belongs to, as defined by the Google Admin SDK at https://developers.google.com/admin-sdk/directory/v1/guides/manage-customers
virtualProfileId

string

Output only. The client-provided ID of a profile on the device.
profilePermanentId

string

Output only. The unique server-side ID of a profile on the device.
profileKeyTrustLevel

enum (KeyTrustLevel)

Output only. Profile attested key trust level.
attestedDeviceId

string

Output only. Attested device ID (ADID).
deviceEnrollmentId

string

Output only. Device enrollment id for ChromeOS devices.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/verifiedaccess

For more information, see the OAuth 2.0 Overview.

DeviceSignals

The device signals as reported by Chrome. Unless otherwise specified, signals are available on all platforms.

JSON representation 
{
  "deviceManufacturer": string,
  "deviceModel": string,
  "operatingSystem": enum (OperatingSystem),
  "osVersion": string,
  "displayName": string,
  "diskEncryption": enum (DiskEncryption),
  "serialNumber": string,
  "osFirewall": enum (OsFirewall),
  "systemDnsServers": [
    string
  ],
  "hostname": string,
  "macAddresses": [
    string
  ],
  "screenLockSecured": enum (ScreenLockSecured),
  "allowScreenLock": boolean,
  "imei": [
    string
  ],
  "meid": [
    string
  ],
  "secureBootMode": enum (SecureBootMode),
  "windowsMachineDomain": string,
  "windowsUserDomain": string,
  "deviceEnrollmentDomain": string,
  "browserVersion": string,
  "deviceAffiliationIds": [
    string
  ],
  "profileAffiliationIds": [
    string
  ],
  "builtInDnsClientEnabled": boolean,
  "chromeRemoteDesktopAppBlocked": boolean,
  "safeBrowsingProtectionLevel": enum (SafeBrowsingProtectionLevel),
  "siteIsolationEnabled": boolean,
  "passwordProtectionWarningTrigger": enum (PasswordProtectionWarningTrigger),
  "realtimeUrlCheckMode": enum (RealtimeUrlCheckMode),
  "thirdPartyBlockingEnabled": boolean,
  "trigger": enum (Trigger),
  "profileEnrollmentDomain": string,
  "antivirus": {
    object (Antivirus)
  },
  "crowdStrikeAgent": {
    object (CrowdStrikeAgent)
  }
}
Fields
deviceManufacturer

string

Output only. The name of the device's manufacturer.
deviceModel

string

Output only. The name of the device's model.
operatingSystem

enum (OperatingSystem)

Output only. The type of the Operating System currently running on the device.
osVersion

string

Output only. The current version of the Operating System. On Windows and linux, the value will also include the security patch information.
displayName

string

Output only. The display name of the device, as defined by the user.
diskEncryption

enum (DiskEncryption)

Output only. The encryption state of the disk. On ChromeOS, the main disk is always ENCRYPTED.
serialNumber

string

Output only. The serial number of the device. On Windows, this represents the BIOS's serial number. Not available on most Linux distributions.
osFirewall

enum (OsFirewall)

Output only. The state of the OS level firewall. On ChromeOS, the value will always be ENABLED on regular devices and UNKNOWN on devices in developer mode. Support for MacOS 15 (Sequoia) and later has been introduced in Chrome M131.
systemDnsServers[]

string

List of the addesses of all OS level DNS servers configured in the device's network settings.
hostname

string

Hostname of the device.
macAddresses[]

string

Output only. MAC addresses of the device.
screenLockSecured

enum (ScreenLockSecured)

Output only. The state of the Screen Lock password protection. On ChromeOS, this value will always be ENABLED as there is not way to disable requiring a password or pin when unlocking the device.
allowScreenLock

boolean

Output only. Value of the AllowScreenLock policy on the device. See https://chromeenterprise.google/policies/?policy=AllowScreenLock for more details. Available on ChromeOS only.
imei[]

string

Output only. International Mobile Equipment Identity (IMEI) of the device. Available on ChromeOS only.
meid[]

string

Output only. Mobile Equipment Identifier (MEID) of the device. Available on ChromeOS only.
secureBootMode

enum (SecureBootMode)

Output only. Whether the device's startup software has its Secure Boot feature enabled. Available on Windows only.
windowsMachineDomain

string

Output only. Windows domain that the current machine has joined. Available on Windows only.
windowsUserDomain

string

Output only. Windows domain for the current OS user. Available on Windows only.
deviceEnrollmentDomain

string

Output only. Enrollment domain of the customer which is currently managing the device.
browserVersion

string

Output only. Current version of the Chrome browser which generated this set of signals. Example value: "107.0.5286.0".
deviceAffiliationIds[]

string

Output only. Affiliation IDs of the organizations that are affiliated with the organization that is currently managing the device. When the sets of device and profile affiliation IDs overlap, it means that the organizations managing the device and user are affiliated. To learn more about user affiliation, visit https://support.google.com/chrome/a/answer/12801245?ref_topic=9027936.
profileAffiliationIds[]

string

Output only. Affiliation IDs of the organizations that are affiliated with the organization that is currently managing the Chrome Profile’s user or ChromeOS user.
builtInDnsClientEnabled

boolean

Output only. Whether Chrome's built-in DNS client is used. The OS DNS client is otherwise used. This value may be controlled by an enterprise policy: https://chromeenterprise.google/policies/#BuiltInDnsClientEnabled.
chromeRemoteDesktopAppBlocked

boolean

Output only. Whether access to the Chrome Remote Desktop application is blocked via a policy.
safeBrowsingProtectionLevel

enum (SafeBrowsingProtectionLevel)

Output only. Safe Browsing Protection Level. That setting may be controlled by an enterprise policy: https://chromeenterprise.google/policies/#SafeBrowsingProtectionLevel.
siteIsolationEnabled

boolean

Output only. Whether the Site Isolation (a.k.a Site Per Process) setting is enabled. That setting may be controlled by an enterprise policy: https://chromeenterprise.google/policies/#SitePerProcess
passwordProtectionWarningTrigger

enum (PasswordProtectionWarningTrigger)

Output only. Whether the Password Protection Warning feature is enabled or not. Password protection alerts users when they reuse their protected password on potentially suspicious sites. This setting is controlled by an enterprise policy: https://chromeenterprise.google/policies/#PasswordProtectionWarningTrigger.

Note that the policy unset does not have the same effects as having the policy explicitly set to PASSWORD_PROTECTION_OFF.
realtimeUrlCheckMode

enum (RealtimeUrlCheckMode)

Output only. Whether Enterprise-grade (i.e. custom) unsafe URL scanning is enabled or not. This setting may be controlled by an enterprise policy: https://chromeenterprise.google/policies/#EnterpriseRealTimeUrlCheckMode
thirdPartyBlockingEnabled
(deprecated)

boolean

Output only. Deprecated. The corresponding policy is now deprecated.

Whether Chrome is blocking third-party software injection or not. This setting may be controlled by an enterprise policy: https://chromeenterprise.google/policies/?policy=ThirdPartyBlockingEnabled. Available on Windows only.
trigger

enum (Trigger)

Output only. The trigger which generated this set of signals.
profileEnrollmentDomain

string

Output only. Enrollment domain of the customer which is currently managing the profile.
antivirus

object (Antivirus)

Output only. Information about Antivirus software on the device. Available on Windows only.
crowdStrikeAgent

object (CrowdStrikeAgent)

Output only. Crowdstrike agent properties installed on the device, if any. Available on Windows and MacOS only.

OperatingSystem

Supported Operating Systems.

Enums
OPERATING_SYSTEM_UNSPECIFIED UNSPECIFIED.
CHROME_OS ChromeOS.
CHROMIUM_OS ChromiumOS.
WINDOWS Windows.
MAC_OS_X Mac Os X.
LINUX Linux

DiskEncryption

Possible states of encryption for the main disk.

Enums
DISK_ENCRYPTION_UNSPECIFIED Unspecified.
DISK_ENCRYPTION_UNKNOWN Chrome could not evaluate the encryption state.
DISK_ENCRYPTION_DISABLED The main disk is not encrypted.
DISK_ENCRYPTION_ENCRYPTED The main disk is encrypted.

OsFirewall

Possible states of the OS-level firewall.

Enums
OS_FIREWALL_UNSPECIFIED Unspecified.
OS_FIREWALL_UNKNOWN Chrome could not evaluate the OS firewall state.
OS_FIREWALL_DISABLED The OS firewall is disabled.
OS_FIREWALL_ENABLED The OS firewall is enabled.

ScreenLockSecured

Possible states of the Screen Lock password protection.

Enums
SCREEN_LOCK_SECURED_UNSPECIFIED Unspecified.
SCREEN_LOCK_SECURED_UNKNOWN Chrome could not evaluate the state of the Screen Lock mechanism.
SCREEN_LOCK_SECURED_DISABLED The Screen Lock is not password-protected.
SCREEN_LOCK_SECURED_ENABLED The Screen Lock is password-protected.

SecureBootMode

Possible states of the Secure Boot mode of the device.

Enums
SECURE_BOOT_MODE_UNSPECIFIED Unspecified.
SECURE_BOOT_MODE_UNKNOWN Chrome was unable to determine the Secure Boot mode.
SECURE_BOOT_MODE_DISABLED Secure Boot was disabled on the startup software.
SECURE_BOOT_MODE_ENABLED Secure Boot was enabled on the startup software.

SafeBrowsingProtectionLevel

Possible values for the Safe Browsing Protection Level.

Enums
SAFE_BROWSING_PROTECTION_LEVEL_UNSPECIFIED Unspecified.
INACTIVE Safe Browsing is disabled.
STANDARD Safe Browsing is active in the standard mode.
ENHANCED Safe Browsing is active in the enhanced mode.

PasswordProtectionWarningTrigger

Possible values for the Password Protection Warning Trigger.

Enums
PASSWORD_PROTECTION_WARNING_TRIGGER_UNSPECIFIED Unspecified.
POLICY_UNSET The policy is not set.
PASSWORD_PROTECTION_OFF No password protection warning will be shown.
PASSWORD_REUSE Password protection warning is shown if a protected password is re-used.
PHISHING_REUSE Password protection warning is shown if a protected password is re-used on a known phishing website.

RealtimeUrlCheckMode

Possible values for the Realtime Url Check Mode.

Enums
REALTIME_URL_CHECK_MODE_UNSPECIFIED Unspecified.
REALTIME_URL_CHECK_MODE_DISABLED Disabled. Consumer Safe Browsing checks are applied.
REALTIME_URL_CHECK_MODE_ENABLED_MAIN_FRAME Realtime check for main frame URLs is enabled.

CrowdStrikeAgent

Properties of the CrowdStrike agent installed on a device.

JSON representation 
{
  "agentId": string,
  "customerId": string
}
Fields
agentId

string

Output only. The Agent ID of the Crowdstrike agent.
customerId

string

Output only. The Customer ID to which the agent belongs to.

Trigger

Possible values for the Trigger.

Enums
TRIGGER_UNSPECIFIED Unspecified.
TRIGGER_BROWSER_NAVIGATION When navigating to an URL inside a browser.
TRIGGER_LOGIN_SCREEN When signing into an account on the ChromeOS login screen.

Antivirus

Antivirus information on a device.

JSON representation 
{
  "state": enum (State)
}
Fields
state

enum (State)

Output only. The state of the antivirus on the device. Introduced in Chrome M136.

State

Possible antivirus state on a device.

Enums
STATE_UNSPECIFIED Unspecified.
MISSING No antivirus was detected on the device.
DISABLED At least one antivirus was installed on the device but none was enabled.
ENABLED At least one antivirus was enabled on the device.

KeyTrustLevel

The trust level of the attested key.

Enums
KEY_TRUST_LEVEL_UNSPECIFIED UNSPECIFIED.
CHROME_OS_VERIFIED_MODE ChromeOS device in verified mode.
CHROME_OS_DEVELOPER_MODE ChromeOS device in developer mode.
CHROME_BROWSER_HW_KEY Chrome Browser with the key stored in the device hardware.
CHROME_BROWSER_OS_KEY Chrome Browser with the key stored at OS level.
CHROME_BROWSER_NO_KEY Chrome Browser without an attestation key.