In-app verification
In-app verification uses device credentials to verify that high-risk actions are performed on authorized devices. This method leverages public key cryptography where private keys are securely stored on the user’s device. The Mobile SDK is used for two key steps:
  1. Registering a mobile device for in-app verification by adding a credential. This step creates a new public/private key pair.
  2. Verifying an action. This step uses the device’s private key to sign a message which is verified on the server using the public key.

Sequence diagram

SDK setup

Server SDK

Initialize the SDK using your secret key from the API keys page and the API URL for your region.
import { Authsignal } from "@authsignal/node";

const authsignal = new Authsignal({
  apiSecretKey: "YOUR_SECRET_KEY",
  apiUrl: "YOUR_API_URL",
});

Mobile SDK

Initialize the Mobile SDK using your tenant ID from the API keys page and your API URL.
import Authsignal

let authsignal = Authsignal(
    tenantID: "YOUR_TENANT_ID",
    baseURL: "YOUR_API_URL"
)

Enrollment

Scenario - Enroll users for in-app verification so it can be used later to authorize a high-risk action.

1. Generate enrollment token

In your backend, track an action for a user (e.g. “addAuthenticator”) to generate a short-lived token. This token will be used to authorize enrolling a new authentication method on their mobile device. The add:authenticators scope is required to enroll a new authentication factor for an existing user. This scope should only be used when the user is in an already authenticated state. For more information on using scopes safely refer to our documentation on authenticator binding.

2. Add credential

Use the token obtained in step 1 to enroll a new device credential for the user in the mobile app.

Authentication

Scenario - Strongly authenticate actions performed by users with in-app verification.

1. Track action

Track an action from your backend which reflects the activity that the user is performing (e.g. authorizing a payment). This step can apply rules to determine if additional strong authentication is required.

const request = {
  userId: "dc58c6dc-a1fd-4a4f-8e2f-846636dd4833",
  action: "authorizePayment",
};

const response = await authsignal.track(request);

if (response.state === "CHALLENGE_REQUIRED") {
  // Obtain token to present challenge
  const token = response.token;
}

Return the token to your mobile app and set it via the Mobile SDK.

authsignal.setToken(token: "eyJhbGciOiJ...")

2. Verify action in app

Use the Mobile SDK to verify the action.

await authsignal.device.verify()

If the device credentials were created without using the userAuthenticationRequired flag, you may optionally present your own challenge dialog such as a PIN screen prior to calling the verify method. If the device credentials were created using the userAuthenticationRequired flag, the OS will present the challenge dialog upon calling the verify method. To learn more, see our Mobile SDK documentation.

3. Complete authentication

Once the user has verified the action in the app, you will obtain a new token in the app which can be passed to your backend in order to validate the action and complete authentication.

Next steps

  • Passkeys - Offer the most secure and user-friendly passwordless authentication
  • Adaptive MFA - Set up smart rules to trigger authentication based on risk