2025 © Caf. - All rights reserved


First steps

Last updated 1 month ago

1. Generating Access Tokens

1.1. Getting Your Keys

To use CAF's SDK solutions, you'll need a Mobile Key. Account users can retrieve their keys from the TRUST platform by:

  1. Logging into the TRUST platform.

  2. Navigating to "API Integration" under the settings.

  3. Copying existing keys or creating new ones, specifying products and key names.

1.2. Recommended Token Generation Method

The recommended way to generate and distribute tokens is to limit each token to a specific user, which reduces the potential attack surface.

Steps to Create and Use a JWT Token

  1. Create a JWT with the following fields:

    • clientId: Your client ID.

    • peopleId: The unique identifier for the user (or person) in your system.

    • expiresAt: The expiration time of the token, typically in Unix timestamp format (seconds since the epoch).

  2. Sign the JWT using your clientSecret. This is a secret key that should be kept private and used for signing the token.

  3. Use this token in your API or SDK calls to authenticate the requests.

Example

Here is an example JWT payload structure:

{
    "iss": "your-client-id",
    "exp": 1728000000,
    "peopleId": "user-unique-id"
}

Important: Remember to replace the placeholder values your-client-id, user-unique-id, and 1728000000 with your actual values for clientId, peopleId, and expiresAt respectively.

1.3. Non-Recommended Method (Testing Purposes)

1.4. JWT Payload Parameters

| Parameter | Required | Description |
|---|---|---|
| iss | Yes | The clientId provided by CAF |
| exp | No | Token expiration time (Unix timestamp) |
| peopleId | No | CPF (Taxpayer ID) to restrict the token |

2. Integration Checklist

Ensure you have checked all the following before going live:

2.1. Token Generation Best Practices

Always generate tokens on your server to avoid security risks. Avoid storing sensitive information in your app that attackers could reverse engineer.

2.2. Response Validation

When verifying critical operations like device verification or facial authentication, send the signed JWT response to your server to validate the payload and signature before giving the user access.

3. Security Tips

  • Never store tokens on the client-side: Always generate them server-side.

  • Use restrictive token scopes: Limit tokens to specific products and user actions.

  • Validate SDK responses server-side: Ensure all responses are validated server-side before allowing further access.

For testing, you can use jwt.io to manually generate tokens, but this is not recommended for production. Keep in mind that these methods are vulnerable to attacks.

TRUST platform
jwt.io