Response signature

What is it?

Response signing is a feature introduced to ensure the veracity of the information received from our API when it needs to be transmitted through a device you do not control (such as your customer's cell phone, for example).

When use it?

The functionality to sign requests is optional, and if you are integrating directly on your backend, there is no need to use it.

However, if you intend to make requests for our API from an application that does not run on a device you control, we strongly recommend that you sign your requests and always check your server for signing.

How does it work?

When you enable this functionality in your requests, we will no longer send the response in JSON format. The body response will become a JWT signing using the clientSecret of your token. In the payload of this JWT will be the body of the response, with all the fields that it would return if the response was not signed.

How does this ensure the authenticity of the information?

It’s simple! If an attacker modifies the response body (for example, say that his photo passed on the face liveness), this change would break the JWT signature, and you would be able to detect this in your backend, blocking its access to your system.

How to request that a response be signed?

Simply send the value true to the query string parameter shouldSingResponse in your request on routes that support the feature.

You can check whether the route supports the signature response by checking the general information on the route page.


Request example:

Note the ?shouldSignResponse=true at the end of the URL.

curl --location \
    --request POST '' \
    --header 'Authorization: {token}' \
    --header 'Content-Type: application/json' \
    --data-raw '{
        "imageUrl": ""

Response example:


The JWT above was signed using the clientSecret of the {token} sent in the request.

If we extract the payload from the JWT above, we get the following JSON:

    "requestId": "bf9403ff-9940-4846-b4ef-841662f52139",
    "isAlive": false,
    "iat": 1594925080

If any field in the payload is changed, the signature breaks and you are able to detect the change in your backend.

Last updated


2023 © Caf. - All rights reserved