Skip to main content

Identity Resolution & Authentication

Qefro is not an Identity Provider for customers.

ConcernQuestionOwner
Identity ResolutionWho is this customer?Qefro (IdentityResolver)
Access decisionMay they perform this Business Action?Organization Customer Access Service
Business Tool executionCall the API with credentialsQefro runtime (injection only)

Architecture

Channel

Identity Resolver

Resolved Identity

Organization Customer Access Service

Authentication Decision

Authentication Context (optional, encrypted)

Business Tool

The Customer Access Service answers:

Given this resolved identity and requested Business Action, what should happen?

Possible decisions: authenticated, challenge_required, denied, customer_not_found.

That lets the organization vary policy per action without Qefro hardcoding rules — for example order status → authenticated, download invoice → challenge, delete account → denied.

What Qefro never does

  • Send OTP
  • Verify OTP
  • Store OTP
  • Authenticate customers
  • Manage customer passwords
  • Issue customer sessions or JWTs
  • Decide whether a Business Action is allowed

What the organization owns

  • Customer lookup
  • Whether authentication is required for a given Business Action
  • OTP / login / OAuth / passkeys
  • Token issuance, refresh, and revocation
  • Allow / deny / challenge decisions

Configure under Organization → Customer Access Service in the Admin Console.

Access API

Qefro calls your evaluate endpoint (full URL is configurable; recommended path):

POST /auth/evaluate
{
"conversation_id": "conv_123",
"business_action": "download_invoice",
"channel": "whatsapp",
"identity": {
"type": "phone",
"identifier": "+919876543210",
"verified_by_channel": true
}
}

business_action is included so your service can make action-specific decisions. Qefro does not send OTP, passwords, or sessions in this request.

Responses

{
"status": "challenge_required",
"challenge": {
"type": "email_otp",
"message": "We've sent a verification code."
}
}
{
"status": "authenticated",
"authentication_context": {
"type": "bearer_token",
"access_token": "...",
"expires_in": 900
}
}
StatusRuntime behavior
authenticatedStore Authentication Context; execute Business Tool
challenge_requiredRelay the organization's message (OTP / login URL); pause
deniedReturn error
customer_not_foundReturn error

When the customer replies to a challenge, Qefro forwards the reply to the Access API. The organization verifies it.

Business Actions

Configure only:

  • public
  • verified_channel
  • organization_challenge

No provider configuration on Business Actions or Business Tools.

Security