Identity Resolution & Authentication
Qefro is not an Identity Provider for customers.
| Concern | Question | Owner |
|---|---|---|
| Identity Resolution | Who is this customer? | Qefro (IdentityResolver) |
| Access decision | May they perform this Business Action? | Organization Customer Access Service |
| Business Tool execution | Call the API with credentials | Qefro runtime (injection only) |
Architecture
Channel
↓
Identity Resolver
↓
Resolved Identity
↓
Organization Customer Access Service
↓
Authentication Decision
↓
Authentication Context (optional, encrypted)
↓
Business Tool
The Customer Access Service answers:
Given this resolved identity and requested Business Action, what should happen?
Possible decisions: authenticated, challenge_required, denied, customer_not_found.
That lets the organization vary policy per action without Qefro hardcoding rules — for example order status → authenticated, download invoice → challenge, delete account → denied.
What Qefro never does
- Send OTP
- Verify OTP
- Store OTP
- Authenticate customers
- Manage customer passwords
- Issue customer sessions or JWTs
- Decide whether a Business Action is allowed
What the organization owns
- Customer lookup
- Whether authentication is required for a given Business Action
- OTP / login / OAuth / passkeys
- Token issuance, refresh, and revocation
- Allow / deny / challenge decisions
Configure under Organization → Customer Access Service in the Admin Console.
Access API
Qefro calls your evaluate endpoint (full URL is configurable; recommended path):
POST /auth/evaluate
{
"conversation_id": "conv_123",
"business_action": "download_invoice",
"channel": "whatsapp",
"identity": {
"type": "phone",
"identifier": "+919876543210",
"verified_by_channel": true
}
}
business_action is included so your service can make action-specific decisions. Qefro does not send OTP, passwords, or sessions in this request.
Responses
{
"status": "challenge_required",
"challenge": {
"type": "email_otp",
"message": "We've sent a verification code."
}
}
{
"status": "authenticated",
"authentication_context": {
"type": "bearer_token",
"access_token": "...",
"expires_in": 900
}
}
| Status | Runtime behavior |
|---|---|
authenticated | Store Authentication Context; execute Business Tool |
challenge_required | Relay the organization's message (OTP / login URL); pause |
denied | Return error |
customer_not_found | Return error |
When the customer replies to a challenge, Qefro forwards the reply to the Access API. The organization verifies it.
Business Actions
Configure only:
publicverified_channelorganization_challenge
No provider configuration on Business Actions or Business Tools.