Mobile SDKs - App verification

The mobile SDK’s app verification methods can be used to respond to authentication requests using public key cryptography.

Push verification

Adding a push credential

Adding a push credential generates a private/public key pair, where the private key is secured on the user’s mobile device and the public key is held by Authsignal. This operation must be authorized with a short-lived token, which can be obtained by tracking an action from your backend in an authenticated context.

await authsignal.push.addCredential(token: "eyJhbGciOiJ...")

Parameters

token

string

A short-lived token obtained by tracking an action.

Response

response

AuthsignalResponse<AppCredential>

Show properties

error

string

An unstructured error description present if the SDK call encountered an error.

errorCode

string

A formatted error code which may additionally be present if the SDK call encountered an error. Possible values are: token_not_set, expired_token or network_error.

data

AppCredential | null

Show properties

credentialId

string

required

The ID of the app credential.

createdAt

string

required

The date and time the app credential was created.

userId

string

required

The user ID of the user that the app credential belongs to.

Getting a push credential

Get information about the push credential stored on the device, if one exists.

let response = await authsignal.push.getCredential()

Response

response

AuthsignalResponse<AppCredential>

Show properties

error

string

An unstructured error description present if the SDK call encountered an error.

errorCode

string

A formatted error code which may additionally be present if the SDK call encountered an error. Possible values are: invalid_credential when the credential exists on the device but has been removed from the server.

data

AppCredential

Show properties

credentialId

string

required

The ID of the app credential.

createdAt

string

required

The date and time the app credential was created.

lastAuthenticatedAt

string

The date and time the app credential was last used for authentication. Will be null if the credential has never been used.

userId

string

required

The user ID of the user that the app credential belongs to.

Removing a push credential

await authsignal.push.removeCredential()

Response

response

AuthsignalResponse<boolean>

Show properties

error

string

An unstructured error description present if the SDK call encountered an error. This could occur if the credential on the device is no longer valid because the corresponding user authenticator has been deleted in the Authsignal Portal.

data

boolean

True if the app credential was successfully removed.

Getting a push challenge

let response = await authsignal.push.getChallenge()

if let error = result.error {
    // The credential stored on the device is invalid
} else if let challenge = result.data {
    // A pending challenge request is available
    // Present the user with a prompt to approve or deny the request
    let challengeId = challenge.challengeId
} else {
    // No pending challenge request
}

Response

response

AuthsignalResponse<DeviceChallenge>

Show properties

error

string

data

DeviceChallenge

Show properties

challengeId

string

required

The ID of the challenge corresponding to a particular device credential authentication request.

actionCode

string

The action code identifying the action associated with the challenge.

idempotencyKey

string

The idempotency key identifying the action associated with the challenge.

userAgent

string

The user agent of the device which initiated the challenge. Present if passed as input to the original track request.

deviceId

string

The device ID of the device which initiated the challenge. Present if passed as input to the original track request.

ipAddress

string

The IP address of the device which initiated the challenge. Present if passed as input to the original track request.

Updating a push challenge

After presenting the user with a prompt to approve or reject the request, you should update the challenge with their response.

await authsignal.push.updateChallenge(
    challengeId: challengeId,
    approved: true
)

Response

response

AuthsignalResponse<boolean>

Show properties

error

string

data

boolean

True if the device challenge was successfully updated.

QR code verification

Adding a QR code credential

Adding a QR code credential generates a private/public key pair, where the private key is secured on the user’s mobile device and the public key is held by Authsignal. This operation must be authorized with a short-lived token, which can be obtained by tracking an action from your backend in an authenticated context.

await authsignal.qr.addCredential(token: "eyJhbGciOiJ...")

Parameters

token

string

A short-lived token obtained by tracking an action.

Response

response

AuthsignalResponse<AppCredential>

Show properties

error

string

An unstructured error description present if the SDK call encountered an error.

errorCode

string

A formatted error code which may additionally be present if the SDK call encountered an error. Possible values are: token_not_set, expired_token or network_error.

data

AppCredential | null

Show properties

credentialId

string

required

The ID of the app credential.

createdAt

string

required

The date and time the app credential was created.

userId

string

required

The user ID of the user that the app credential belongs to.

Getting a QR code credential

Get information about the QR code credential stored on the device, if one exists.

let response = await authsignal.qr.getCredential()

Response

response

AuthsignalResponse<AppCredential>

Show properties

error

string

An unstructured error description present if the SDK call encountered an error.

errorCode

string

data

AppCredential

Show properties

credentialId

string

required

The ID of the app credential.

createdAt

string

required

The date and time the app credential was created.

lastAuthenticatedAt

string

The date and time the app credential was last used for authentication. Will be null if the credential has never been used.

userId

string

required

The user ID of the user that the app credential belongs to.

Removing a QR code credential

await authsignal.qr.removeCredential()

Response

response

AuthsignalResponse<boolean>

Show properties

error

string

data

boolean

True if the app credential was successfully removed.

Claiming a QR code challenge

When the user scans the QR code, you should call claimChallenge to set the user attempting to complete the challenge. This will return some context about the desktop or kiosk device initiating the challenge such as ip address, location, user agent and custom data. This data can be shown to the user to help them decide if they want to approve or decline the challenge.

await authsignal.qr.claimChallenge(
    challengeId: challengeId
)

Response

response

AuthsignalResponse<ClaimChallengeResponse>

Show properties

error

string

data

ClaimChallengeResponse

Show properties

ipAddress

string

required

The IP address of the device which initiated the challenge.

userAgent

string

required

The user agent of the device which initiated the challenge.

custom

object

Custom data passed to the challenge.

In-app verification

Adding an in-app credential

Adding an in-app credential generates a private/public key pair, where the private key is secured on the user’s mobile device and the public key is held by Authsignal. This operation must be authorized with a short-lived token, which can be obtained by tracking an action from your backend in an authenticated context.

await authsignal.inapp.addCredential(token: "eyJhbGciOiJ...")

Parameters

token

string

A short-lived token obtained by tracking an action.

Response

response

AuthsignalResponse<AppCredential>

Show properties

error

string

An unstructured error description present if the SDK call encountered an error.

errorCode

string

A formatted error code which may additionally be present if the SDK call encountered an error. Possible values are: token_not_set, expired_token or network_error.

data

AppCredential | null

Show properties

credentialId

string

required

The ID of the app credential.

createdAt

string

required

The date and time the app credential was created.

userId

string

required

The user ID of the user that the app credential belongs to.

Getting an in-app credential

Get information about the in-app credential stored on the device, if one exists.

let response = await authsignal.inapp.getCredential()

Response

response

AuthsignalResponse<AppCredential>

Show properties

error

string

An unstructured error description present if the SDK call encountered an error.

errorCode

string

data

AppCredential

Show properties

credentialId

string

required

The ID of the app credential.

createdAt

string

required

The date and time the app credential was created.

lastAuthenticatedAt

string

The date and time the app credential was last used for authentication. Will be null if the credential has never been used.

userId

string

required

The user ID of the user that the app credential belongs to.

Removing an in-app credential

await authsignal.inapp.removeCredential()

Response

response

AuthsignalResponse<boolean>

Show properties

error

string

data

boolean

True if the app credential was successfully removed.

Verifying an action

Verify an action in your app using the credential stored securely on the device.

let response = await authsignal.inapp.verify()

let token = response.data?.token

Response

response

AuthsignalResponse<VerifyDeviceResponse>

Show properties

error

string

data

VerifyDeviceResponse

Show properties

token

string

required

A token which can be used for server-side validation.

userId

string

required

The user ID of the user that the device credential belongs to.

userAuthenticatorId

string

required

The user authenticator ID that the device credential belongs to.

username

string

The username of the user that the device credential belongs to.

Requiring user authentication

When adding a credential for push, QR code, or in-app verification, it is possible to require that the user authenticate via their OS biometrics or PIN whenever they access the credential (e.g. when approving or rejecting a challenge).

iOS

To require user authentication on iOS, set the userPresenceRequired flag to true when adding the credential.

await authsignal.push.addCredential(
    token: token,
    userPresenceRequired: true
)

This is all that’s needed - iOS will automatically handle displaying the biometrics or PIN prompt when updating a challenge or verifying a device.

Android

To require user authentication on Android, set the userAuthenticationRequired flag to true when adding the credential.

authsignal.push.addCredential(
    token = token,
    userAuthenticationRequired = true
)

It’s also possible to specify additional user authentication parameters.

authsignal.push.addCredential(
    token = token,
    userAuthenticationRequired = true,
    timeout = 60,
    authorizationType = 0
)

The timeout param determines the time (in seconds) that the credential can be accessed after authenticating - or 0 if authentication must occur for every credential use. The authorizationType param determines if authentication is required via biometrics and/or device credential (e.g. pin). If user authentication is required for a credential, you must call updateChallenge in a biometric prompt authentication callback.

Initialize a signature before displaying the biometric prompt

val signature = authsignal.push.startSigning()

val cryptoObject = CryptoObject(signature)

// Initialize biometric prompt and prompt info
val biometricPrompt = ...
val promptInfo = ...

biometricPrompt.authenticate(promptInfo, cryptoObject);

Retrieve the signature from the crypto object in your prompt’s authentication callback

override fun onAuthenticationSucceeded(result: AuthenticationResult) {
    super.onAuthenticationSucceeded(result)

    val cryptoObject = result.cryptoObject
    val signer = cryptoObject.signature

    authsignal.push.updateChallenge(
        challengeId = challengeId,
        approved = true,
        signer = signer
    )
}

Server

Client

Mobile SDKs - App verification

Push verification

Adding a push credential

Parameters

Response

Getting a push credential

Response

Removing a push credential

Response

Getting a push challenge

Response

Updating a push challenge

Response

QR code verification

Adding a QR code credential

Parameters

Response

Getting a QR code credential

Response

Removing a QR code credential

Response

Claiming a QR code challenge

Response

In-app verification

Adding an in-app credential

Parameters

Response

Getting an in-app credential

Response

Removing an in-app credential

Response

Verifying an action

Response

Requiring user authentication

iOS

Android

Server

Client

​Push verification

​Adding a push credential

​Parameters

​Response

​Getting a push credential

​Response

​Removing a push credential

​Response

​Getting a push challenge

​Response

​Updating a push challenge

​Response

​QR code verification

​Adding a QR code credential

​Parameters

​Response

​Getting a QR code credential

​Response

​Removing a QR code credential

​Response

​Claiming a QR code challenge

​Response

​In-app verification

​Adding an in-app credential

​Parameters

​Response

​Getting an in-app credential

​Response

​Removing an in-app credential

​Response

​Verifying an action

​Response

​Requiring user authentication

​iOS

​Android

Push verification

Adding a push credential

Parameters

Response

Getting a push credential

Response

Removing a push credential

Response

Getting a push challenge

Response

Updating a push challenge

Response

QR code verification

Adding a QR code credential

Parameters

Response

Getting a QR code credential

Response

Removing a QR code credential

Response

Claiming a QR code challenge

Response

In-app verification

Adding an in-app credential

Parameters

Response

Getting an in-app credential

Response

Removing an in-app credential

Response

Verifying an action

Response

Requiring user authentication

iOS

Android