Authentication

This guide explains how to securely and efficiently authenticate Caf SDKs.

Integration overview

Obtain access credentials (Mobile Key)
Generate the Authentication Token (JWT signed with your client-secret)
Exchange this token for a Mobile Token (Session Token)
Use the Mobile Token when initializing the SDK

For clients using Caf SDKs who subsequently create transactions to perform additional validations, you will have an additional step: link the Mobile Token to a transaction, sending it as a referenceToken in the creation request to allow complete tracking of the user journey. Check out Transaction linking for more details.

1. Obtain access credentials (Mobile Key)

Mobile Keys are used to sign and authenticate requests.

How to obtain:

Go to the Trust Platform
Navigate to Settings → API configurations (Mobile Keys "tab")
Copy an existing key or create a new one, specifying the products and key name.

2. Generate Authentication Token (JWT)

This JWT is generated on your server and signed with the Mobile Key's client-secret.

Payload fields:

Field

Required

Description

iss

Yes

Your client-id (provided by CAF)

exp

Token expiration (Unix timestamp)

Example payload:

{
  "iss": "your-client-id",
  "exp": 1728000000
}

This JWT must be signed with the Mobile Key's client-secret.

3. Exchange Authentication Token for Mobile Token

After generating the JWT, you must exchange it for the Mobile Token, which will be used to initialize the SDK. For each SDK session in your application, generate a Mobile Token using the previously created Authentication Token.

Generate Mobile Token (Session Token)

get

Returns a JWT token enriched with a unique session identifier.

Authorizations

Responses

200

JWT generated with session details

application/json

401

Invalid or missing token

application/json

500

Internal server error

application/json

get

GET /bff/session-tokens HTTP/1.1
Host: web.us.prd.caf.io
Authorization: Bearer JWT
Accept: */*

{
  "requestId": "123e4567-e89b-12d3-a456-426614174000",
  "sessionToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

4. Use the Mobile Token in the SDK

The mobile-token (Session Token) is used during SDK initialization and ensures that each session is securely authenticated and traceable.

Below is how to integrate it on different platforms:

let builder = CafSdkProvider.Builder(
    mobileToken: "mobile-token",
    ...
)

Check out iOS SDK Integration for more details.

val builder = CafSdkProvider.Builder(
    mobileToken = "mobile-token",
    ...
).build()

Check out Android SDK Integration for more details.

const builder = await CafSdkProvider.initializeSdk(
  "mobile-token",
  ...
);

Check out Web SDK Integration for more details.

Transaction linking

To ensure the security and complete traceability of the user journey, each transaction created via the API must be linked to the original session generated by the SDK. This link is made by including the Mobile Token (session token) in your calls, creating a unified audit trail.

See Transaction linking for more details.

Best practices

✅ Do

❌ Avoid

Generate and sign tokens on the server

Generating tokens on the frontend

Exchange the JWT at the /session-tokens endpoint before initializing the SDK

Storing keys or secrets in the app

Use short expiration times for the JWT

Validate SDK responses on the backend using the client-secret

Last updated 20 days ago