LogoLogo
Useful links
  • Home
  • Product guides
  • API
  • SDKs
  • Overview
  • OUR SOLUTIONS
    • User Onboarding
    • ID Document Verification
    • Know Your Customer - KYC
    • Know Your Business - KYB
    • Account Takeover Prevention
  • USER GUIDE
    • Trust Platform
      • New Query
      • Executions
      • Company
      • Onboarding List
      • Onboarding Builder
      • Query Templates
      • Workflow Builder
    • Smart Auth (identity)
      • Getting Started
      • Access Token
      • Checking the Response
  • Quick Start Guides
    • Onboarding Journey
    • Company Search through API
    • Onboarding links into WebView and iFrame
      • WebView
        • Android
        • iOS
        • React Native
        • Flutter
      • iFrame
      • Events
LogoLogo

2025 © Caf. - All rights reserved

On this page
  • Getting your Face Liveness keys
  • Getting your Smart Auth keys
  • Generating your token
  • Recommended method
  • Not recommended method (only for tests)
  • JWT payload parameters
  1. USER GUIDE
  2. Smart Auth (identity)

Access Token

Last updated 1 month ago

To use Smart Auth SDK, you will need to generate two access tokens: one for Smart Auth and another one for Face Liveness. This page shows the steps on how to create the keys, generate the access tokens and the recommended ways to do it.

Getting your Face Liveness keys

Go to to see how to generate it.

Getting your Smart Auth keys

  1. Go to the ;

  2. If you do not have a token, generate one.

  3. Retrieve the clientId and clientSecret from one of the generated tokens.

Do not store these fields directly in your mobile/web application. These values should not leave your backend.

You can repeat this procedure to generate accesses combining different functions and SDKs.

Generating your token

Recommended method

The following steps describe how you can generate a token that is valid only for a specific user. This is the recommended way to generate and distribute tokens because it limits a possible attack to a single user account.

  1. At some point in your application flow, create a JWT with the structure of the example below;

    • Remember to replace the {clientId}, {personId} and {expiresAt} fields.

    • All of these fields are strongly recommended, but you can see which ones are required at the bottom of this page.

  2. Sign the token with your clientSecret;

  3. Send this token to your application.

Example:

{
  "alg": "HS256",
  "typ": "JWT"
}
{
    "iss": "{clientId}", // string
    "exp": {expiresAt}, // number
    "personId": "{personId}" // string
}

Not recommended method (only for tests)

  2. Keep the Header field, do not change;

  3. Edit the payload, only the iss field is required;

  4. Replace **** your-256-bit-secret with your clientSecret;

  5. Click Share JWT to copy the generated token to the clipboard;

  6. Use this token to authenticate the SDK.

JWT payload parameters

Parameter
Required
Description

iss

Yes

Your clientId

exp

No

personId

No

The CPF (Individual Taxpayer Registration Number) for which the token will be valid

Go to ;

Expiration time (seconds since the )

SDK's access token tutorial page
Smart Auth tokens page
jwt.io
Unix Era