Adding a push credential generates a private/public key pair, where the private key is secured on the user’s mobile device and the public key is held by Authsignal.This operation must be authorized with a short-lived token, which can be obtained by tracking an action from your backend in an authenticated context.
A formatted error code which may additionally be present if the SDK call encountered an error.
Possible values are: token_not_set, expired_token or network_error.
A formatted error code which may additionally be present if the SDK call encountered an error.
Possible values are: invalid_credential when the credential exists on the device but has
been removed from the server.
Push tokens are not permanent. The OS rotates them - on app reinstall or restore to a new device, after clearing app data, when a token expires, or whenever the push service decides to issue a new one. The token you registered with addCredential eventually goes stale, and a notification sent to a stale token is silently dropped.Use updateCredential to point the existing credential at a fresh device token. Unlike addCredential, it requires no token from your backend and no user session - the device proves possession of its existing credential, so you can call it from a background handler without any user interaction. It also leaves the credential’s keys in place, so the user stays enrolled.
await authsignal.push.updateCredential(pushToken: "<APNs or FCM token>")
Both Apple and Google recommend the same pattern: subscribe to the OS token callback and send the new token to your server as soon as it changes. With Authsignal, “send to your server” means calling updateCredential. Register the latest token whenever it changes so Authsignal always has a deliverable one:
On token rotation - the most important trigger. Subscribe to the OS push token callback and update the credential whenever a new token is issued.
React Native - messaging().onTokenRefresh covers the FCM token (Android, and iOS in Firebase mode). For the raw APNs token in Default mode, use Expo Notifications’ addPushTokenListener, which surfaces the same didRegisterForRemoteNotificationsWithDeviceToken callback to JavaScript. Pass the token the listener receives straight to updateCredential rather than re-fetching it, as Expo warns that calling getDevicePushTokenAsync inside the listener can re-trigger it.
On app foreground or launch - retrieve the current token, compare it against the one you last registered, and update the credential if it changed. This is a backstop for tokens that rotated while the app was killed, when no rotation callback fires.
Skip the call if no push credential exists yet - the first token is registered by addCredential at enrolment. The token type must match your tenant’s configured provider, the same as for addCredential.
updateCredential has a second use. If you configure a credential lifetime on the push authenticator, credentials expire unless kept alive. Pass resetExpiry to reset the credential’s lease and keep the device enrolled. Both parameters are optional, so you can rotate the token, reset the expiry, or do both in one call.
// Reset the lease without changing the tokenawait authsignal.push.updateCredential(resetExpiry: true)// Rotate the token and reset the lease togetherawait authsignal.push.updateCredential(pushToken: "<APNs or FCM token>", resetExpiry: true)
// Reset the lease without changing the tokenauthsignal.push.updateCredential(resetExpiry = true)// Rotate the token and reset the lease togetherauthsignal.push.updateCredential(pushToken = "<FCM token>", resetExpiry = true)
// Reset the lease without changing the tokenawait authsignal.push.updateCredential({ resetExpiry: true });// Rotate the token and reset the lease togetherawait authsignal.push.updateCredential({ pushToken: "<APNs or FCM token>", resetExpiry: true });
When no lifetime is configured, credentials never expire and you don’t need resetExpiry. See Keeping credentials alive for where to call this in your app’s lifecycle.Each successful updateCredential call also fires the authenticator.updated webhook, so your backend can track token rotations and expiry extensions without polling.
updateCredential is supported on the iOS SDK from v2.11.0, the Android SDK from v4.1.0, and the React Native SDK from v3.1.0.
An unstructured error description present if the SDK call encountered an error. This could
occur if no credential exists on the device, or if the credential is no longer valid because
the corresponding user authenticator has been deleted in the Authsignal Portal.
An unstructured error description present if the SDK call encountered an error. This could
occur if the credential on the device is no longer valid because the corresponding user
authenticator has been deleted in the Authsignal Portal.
let response = await authsignal.push.getChallenge()if let error = result.error { // The credential stored on the device is invalid} else if let challenge = result.data { // A pending challenge request is available // Present the user with a prompt to approve or deny the request let challengeId = challenge.challengeId} else { // No pending challenge request}
val response = authsignal.push.getChallenge()if (response.error != null) { // The credential stored on the device is invalid} else if (response.data != null) { // A pending challenge request is available // Present the user with a prompt to approve or deny the request val challengeId = response.data.challengeId} else { // No pending challenge request}
const {data, error} = await authsignal.push.getChallenge();if (error) { // The credential stored on the device is invalid} else if (data) { // A pending challenge request is available // Present the user with a prompt to approve or deny the request val challengeId = data.challengeId} else { // No pending challenge request}
final response = await authsignal.push.getChallenge();if (response.error != null) { // The credential stored on the device is invalid} else if (response.data != null) { // A pending challenge request is available // Present the user with a prompt to approve or deny the request final challengeId = response.data.challengeId;} else { // No pending challenge request}
An unstructured error description present if the SDK call encountered an error. This could
occur if the credential on the device is no longer valid because the corresponding user
authenticator has been deleted in the Authsignal Portal.
An unstructured error description present if the SDK call encountered an error. This could
occur if the credential on the device is no longer valid because the corresponding user
authenticator has been deleted in the Authsignal Portal.
When adding a credential for push verification, it is possible to require that the user authenticate via their OS biometrics or PIN whenever they access the credential (e.g. when approving or rejecting a challenge).
The timeout param determines the time (in seconds) that the credential can be accessed after authenticating - or 0 if authentication must occur for every credential use.
The authorizationType param determines if authentication is required via biometrics and/or device credential (e.g. pin).If user authentication is required for a credential, you must call updateChallenge in a biometric prompt authentication callback.
Initialize a signature before displaying the biometric prompt
val signature = authsignal.push.startSigning()val cryptoObject = CryptoObject(signature)// Initialize biometric prompt and prompt infoval biometricPrompt = ...val promptInfo = ...biometricPrompt.authenticate(promptInfo, cryptoObject);
Retrieve the signature from the crypto object in your prompt’s authentication callback
override fun onAuthenticationSucceeded(result: AuthenticationResult) { super.onAuthenticationSucceeded(result) val cryptoObject = result.cryptoObject val signer = cryptoObject.signature authsignal.push.updateChallenge( challengeId = challengeId, approved = true, signer = signer )}