Authentication

Authenticate the Mobile API with your access key to use the available resources.

To access CAF resources using this REST API, you will first need a Mobile Key. This is a token that CAF provides for authorization and is used by the client when making each API call.

API keys are a secret that only the client and CAF know. Like Basic authentication, API key-based authentication is only considered secure if used together with other security mechanisms such as HTTPS/SSL.

Getting your keys

Account users with appropriate permissions will be able to retrieve or create their mobile key from the Trust Platform by following the below steps:

Once logged into the Trust Platform, click on the setting button (gear icon) within the client navigation area and then select "API Integration" from the options.
Ensure the active tab is "Mobile Keys", on this page you can see your keys and the linked products. Click "copy" to save to your clipboard.
To create a new one, click on the "New key" button and select which products the token will be allowed to run and a name for the key, then click on "Generate key". The page will show you clientId and clientSecret, keep it safe.

If the environment used is the homologation (beta) environment, the access keys must be generated in the same environment: Trust Platform BETA.

Generating your token

Recommended method

The following steps describe how can you generate tokens that are only valid for a specific user. This is the recommended way to generate and distribute the tokens because it limits a possible attack on a single user account.

At some point in your application flow, create a JWT with the structure of the example below;
- Remember to replace the fields {clientId}, {peopleId} and {expiresAt}
- All fields are highly recommended, you can see which one is required at the bottom of this page
Sign the token with your clientSecret;
Use this token to authenticate API or SDK calls.

Example:

{
    "iss": "{clientId}", // string
    "exp": {expiresAt}, // number
    "peopleId": "{peopleId}" // string
}

Not recommended method (only for tests)

Go to the website jwt.io;
Keep the Header field, do not change;
Edit the payload, only the iss field is required;
Replace your-256-bit-secret with your clientSecret;
Go to Share JWT to copy the generated token to the clipboard;
Use this token to authenticate API or SDK calls.

JWT payload parameters

Parameter

Required

Description

iss

Yes

Your clientId

exp

Expiration time (seconds Unix time)

peopleId

The CPF (Individual Taxpayer Registration Number) in which the token will be valid

Best practices for token-based authentication

To ensure a secure and reliable integration when using token-based authentication with our service, follow these recommended practices and avoid common pitfalls.

✅ Recommended practices

Practice

Description

Generate and sign tokens on the server

Always issue JWTs from your trusted backend system to avoid exposing signing keys.

Use HTTPS for all communications

Prevent man-in-the-middle attacks and ensure encryption in transit.

Use short expiration times for JWTs

Minimize the window for token misuse in case of interception. Tokens should typically expire within a few minutes.

Monitor token usage and behavior

Implement logging and monitoring to detect abnormal or suspicious activity.

❌ Unsafe practices

Practice

Risk

Generating tokens on the frontend

Exposes your signing keys and compromises the entire authentication system.

Storing signing keys or secrets in frontend/mobile apps

Secrets in client-side code can be extracted and misused.

Using long-lived tokens

Increases the window of vulnerability in case of leakage.

Hardcoding secrets in version-controlled code

Secrets in code repositories can be leaked or accessed by unauthorized users.

Security tip

Never expose your secrets, private keys, or JWT signing credentials on the client-side. Always treat tokens and secrets as sensitive data and follow the principle of least privilege.

Last updated 10 days ago