Response signature
What is it?
Response signing is a feature introduced to ensure the veracity of the information received from our API when it needs to be transmitted through a device you do not control (such as your customer's cell phone, for example).
When use it?
The functionality to sign requests is optional, and if you are integrating directly on your backend, there is no need to use it.
However, if you intend to make requests for our API from an application that does not run on a device you control, we strongly recommend that you sign your requests and always check your server for signing.
How does it work?
When you enable this functionality in your requests, we will no longer send the response in JSON format. The body response will become a JWT signing using the clientSecret
of your token. In the payload of this JWT will be the body of the response, with all the fields that it would return if the response was not signed.
How does this ensure the authenticity of the information?
It’s simple! If an attacker modifies the response body (for example, say that his photo passed on the face liveness), this change would break the JWT signature, and you would be able to detect this in your backend, blocking its access to your system.
How to request that a response be signed?
Simply send the value true
to the query string parameter shouldSingResponse
in your request on routes that support the feature.
You can check whether the route supports the signature response by checking the general information on the route page.
Examples
Request example:
Note the ?shouldSignResponse=true
at the end of the URL.
Response example:
The JWT above was signed using the clientSecret
of the {token}
sent in the request.
If we extract the payload from the JWT above, we get the following JSON:
If any field in the payload is changed, the signature breaks and you are able to detect the change in your backend.
Last updated