push namespace. If you’re implementing QR code or in-app verification, replace push with qr or inapp.
When to enroll
App verification enrollment for users is typically an invisible process which happens automatically when they’re signed in to your mobile app. Your app uses one of our Mobile SDKs to generate a cryptographic device credential and bind it to an authenticated user. The recommended place to enroll users by adding a device credential is within a post-authentication handler. This handler should be triggered in the following two scenarios.- Immediately after the user signs in to the app.
- When the app is launched and the user is already authenticated (e.g. due to a persistent session).
Handling app updates
A common question is how to enroll users who are already signed in and just received an app update that introduces app verification. The post-launch handler shown above covers this scenario automatically. No separate flow is required. When an existing authenticated user opens the updated app for the first time:- The post-launch handler runs because the user’s session is still valid.
getCredentialreturns no credential (since the device hasn’t been enrolled yet on this version).- A new device credential is silently enrolled via
addCredential.
getCredential short-circuits and no re-enrollment occurs, so the flow is safe to run on every launch.
Keeping credentials alive
By default a device credential never expires. You can optionally configure a credential lifetime on the push authenticator so that credentials expire if the device goes quiet for too long. This is useful for pruning credentials belonging to devices a user no longer has. Set the lifetime in the Authsignal Portal under the push authenticator configuration. When it’s unset, credentials never expire and no keep-alive is needed. When a lifetime is configured, a credential expires if it isn’t kept alive within that window. An expired credential is removed: it’s excluded from push challenges andgetCredential returns no credential. To stay enrolled, the device extends its own lease by calling updateCredential with resetExpiry set to true.
getCredential returns no credential once one expires, the enrollCredential function shown above already handles the expired case: it enrolls a fresh credential when none is found.

