Authentication
This guide explains how to securely and efficiently authenticate Caf SDKs.
Integration overview
1. Obtain access credentials (Mobile Key)
2. Generate the Authentication Token (JWT signed with your client-secret)
3. Exchange this token for a Mobile Token (Session Token)
4. Use the Mobile Token when initializing the SDK
If you use Caf SDKs and subsequently create transactions to perform additional validations, there is one additional step: link the Mobile Token to the transaction by sending it as the referenceToken in the creation request, so that the complete user journey can be tracked. Check out Transaction linking for more details.
1. Obtain access credentials (Mobile Key)
Mobile Keys are used to sign and authenticate requests.
How to obtain:
Go to the Trust Platform
Navigate to Settings → API configurations (Mobile Keys tab)
Copy an existing key or create a new one, specifying the products and key name.
2. Generate Authentication Token (JWT)
This JWT is generated on your server and signed with the Mobile Key's client-secret.
Payload fields:
iss (required): your client-id (provided by CAF)
exp (optional): token expiration (Unix timestamp)
Example payload:
{
"iss": "your-client-id",
"exp": 1728000000
}
This JWT must be signed with the Mobile Key's client-secret.
3. Exchange Authentication Token for Mobile Token
After generating the JWT, you must exchange it for the Mobile Token, which will be used to initialize the SDK. For each SDK session in your application, generate a Mobile Token using the previously created Authentication Token.
Returns a JWT enriched with a unique session identifier. Possible responses:
Success: JWT generated with session details
Error: invalid or missing token
Error: internal server error
GET /bff/session-tokens HTTP/1.1
Host: web.us.prd.caf.io
Authorization: YOUR_AUTHENTICATION_TOKEN
{
"requestId": "123e4567-e89b-12d3-a456-426614174000",
"sessionToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
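The server-side part of steps 2 and 3 as an added worked example (not Caf's own code or library). It mints the Authentication Token, exchanges it for the Mobile Token, and also verifies an HS256 token the way the best-practices section below asks you to validate tokens on your backend. Assumptions: the signing algorithm is HS256 (the page does not state it; the example session token's header decodes to {"alg":"HS256","typ":"JWT"}), the client-id and client-secret values are placeholders, and the function names, the default 5-minute lifetime and the URL built from the page's Host and path are all choices made here.

```python
import base64
import hashlib
import hmac
import json
import time
import urllib.request
from typing import Optional, Tuple

# Placeholder credentials: replace with the client-id and client-secret of your Mobile Key.
CLIENT_ID = "your-client-id"
CLIENT_SECRET = "replace-with-the-mobile-key-client-secret"
# Assembled from the Host and path shown in the request example above (assumption).
SESSION_TOKENS_URL = "https://web.us.prd.caf.io/bff/session-tokens"


def _b64url(data: bytes) -> str:
    # JWT segments use unpadded base64url.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_authentication_token(client_id: str, client_secret: str,
                                ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Step 2: mint the Authentication Token, an HS256 JWT with iss and a short exp."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": client_id, "exp": now + ttl_seconds}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_hs256_token(token: str, client_secret: str, expected_iss: Optional[str] = None,
                       now: Optional[int] = None) -> dict:
    """Backend-side validation: structure, pinned algorithm, signature, expiry and issuer."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, json.JSONDecodeError):
        raise ValueError("malformed token")
    # Pin the algorithm: never trust the token's own header to select it (e.g. "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(client_secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if "exp" in payload and now >= int(payload["exp"]):
        raise ValueError("token expired")
    if expected_iss is not None and payload.get("iss") != expected_iss:
        raise ValueError("unexpected issuer")
    return payload


def parse_session_token_response(body: bytes) -> Tuple[str, str]:
    """Extract (requestId, sessionToken) from the JSON body shown in the response example."""
    data = json.loads(body)
    return data["requestId"], data["sessionToken"]


def exchange_for_mobile_token(authentication_token: str) -> Tuple[str, str]:
    """Step 3: GET /bff/session-tokens with the Authentication Token in the Authorization header."""
    req = urllib.request.Request(SESSION_TOKENS_URL,
                                 headers={"Authorization": authentication_token})
    with urllib.request.urlopen(req, timeout=10) as resp:  # network call
        return parse_session_token_response(resp.read())


if __name__ == "__main__":
    auth_token = create_authentication_token(CLIENT_ID, CLIENT_SECRET)
    print(verify_hs256_token(auth_token, CLIENT_SECRET, expected_iss=CLIENT_ID))
    # request_id, mobile_token = exchange_for_mobile_token(auth_token)
```

Only exchange_for_mobile_token touches the network; everything else runs offline. Keep ttl_seconds small: the token only has to survive the round trip to /bff/session-tokens, so a few minutes is plenty, and a leaked token expires before it is useful to anyone else.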
4. Use the Mobile Token in the SDK
The mobile-token (Session Token) is used during SDK initialization and ensures that each session is securely authenticated and traceable.
Below is how to integrate it on different platforms:
let builder = CafSdkProvider.Builder(
mobileToken: "mobile-token",
...
)
Check out iOS SDK Integration for more details.
Transaction linking
To ensure the security and complete traceability of the user journey, each transaction created via the API must be linked to the original session generated by the SDK. This link is made by including the Mobile Token (session token) in your calls, creating a unified audit trail.
See Transaction linking for more details.
Best practices for token-based authentication
To ensure a secure and reliable integration when using token-based authentication with our SDK, follow these recommended practices and avoid common pitfalls.
✅ Recommended practices
Generate and sign tokens on the server
Always issue JWTs from your trusted backend system to avoid exposing signing keys.
Exchange JWTs using /session-tokens before SDK initialization
Use our secure /session-tokens endpoint to obtain short-lived session tokens.
Use short expiration times for JWTs
Minimize the window for token misuse in case of interception. Tokens should typically expire within a few minutes.
Validate SDK responses on your backend using the client-secret
Always verify responses server-side to ensure integrity and authenticity.
Use HTTPS for all communications
Prevent man-in-the-middle attacks and ensure encryption in transit.
Rotate secrets periodically
Regularly rotate your signing keys and client-secret to reduce exposure risks.
Monitor token usage and behavior
Implement logging and monitoring to detect abnormal or suspicious activity.
❌ Unsafe practices
Generating tokens on the frontend
Exposes your signing keys and compromises the entire authentication system.
Storing signing keys or secrets in frontend/mobile apps
Secrets in client-side code can be extracted and misused.
Using long-lived tokens
Increases the window of vulnerability in case of leakage.
Skipping token validation on the backend
Opens up the system to forged or tampered tokens.
Hardcoding secrets in version-controlled code
Secrets in code repositories can be leaked or accessed by unauthorized users.
Security tip
Never expose your secrets, private keys, or JWT signing credentials on the client-side. Always treat tokens and secrets as sensitive data and follow the principle of least privilege.