Skip to main content
Whether you are implementing app verification for push, QR code, or in-app flows, you’ll need to consider when to enroll and un-enroll users in your mobile app. This guide will cover the appropriate points in your app’s authentication lifecycle to enroll and un-enroll users by adding and removing device credentials.

When to enroll

The recommended place to enroll users by adding a device credential is within a post-authentication handler. This handler should be triggered in the following two scenarios.
  1. Immediately after the user signs in to the app.
  2. When the app is launched and the user is already authenticated (e.g. due to a persistent session).
If your app uses long-lived sessions and doesn’t require frequent sign-ins, the second scenario is especially important. It will ensure that users who launch the app after installing your updated version are enrolled for app verification without explicitly having to sign in again. 
func postAuthenticationHandler() async {
    let response = await authsignal.device.getCredential()

    if response.data != nil {
        // A credential already exists
        return
    }

    // Fetch an enrollment token from your backend
    let token = try await getEnrollmentToken()

    // Silently enroll a new device credential
    await authsignal.device.addCredential(token: token)
}
Your backend code to generate the enrollment token should be implemented within an authenticated endpoint. 
// A mock example of an endpoint for generating enrollment tokens
app.post("/generate-enrollment-token", async (req, res) => {
  // Determine user from authenticated request context
  const userId = req.user.sub;

  const { token } = await authsignal.track({
    userId,
    action: "addCredential",
    attributes: {
      scope: "add:authenticators",
    },
  });

  res.json({ token });
});
The add:authenticators scope is required here since we are enrolling a new authentication method in an authenticated context. The action can be any value which describes the enrollment activity and will be used for observability in the Authsignal Portal.

When to un-enroll

The recommended point in your app to un-enroll users for app verification is after sign-out. This means that once signed out users will no longer be enrolled for app verification on that device. 
func postSignOutHandler() async {
    await authsignal.device.removeCredential()
}
I