First steps
Last updated
To use CAF's SDK solutions, you need a Mobile Key. Account users can retrieve their keys from the TRUST platform by:
1. Logging in to the TRUST platform.
2. Navigating to "API Integration" under Settings.
3. Copying existing keys or creating new ones, specifying the products the key covers and a key name.
The recommended way to generate and distribute tokens is to bind each token to a specific user. A leaked token is then only usable for that one person, which reduces the attack surface.
Create a JWT with the following fields:
- clientId: your client ID (carried in the iss claim, see the table below).
- peopleId: the unique identifier for the user (or person) in your system.
- expiresAt: the expiration time of the token as a Unix timestamp (seconds since the epoch); this is the exp claim. Keep it short-lived.
Sign the JWT with your clientSecret. This secret must stay on your server: it is used only to sign tokens and must never be shipped inside the app.
Use the resulting token in your API or SDK calls to authenticate the requests.
Here is an example JWT payload structure:
Important: replace the placeholder values your-client-id, user-unique-id and 1728000000 with your actual values for clientId, peopleId and expiresAt respectively.
| Claim    | Required | Description                                        |
|----------|----------|----------------------------------------------------|
| iss      | Yes      | The clientId provided by CAF                       |
| exp      | No       | Token expiration time (Unix timestamp)             |
| peopleId | No       | CPF (Taxpayer ID) that restricts the token to one person |

Although exp and peopleId are optional, a token that omits them never expires and is not restricted to any person; set both in production.
Check all of the following before going live:
- Always generate tokens on your server. Never embed the clientSecret or other sensitive material in the app: anything shipped to the device can be recovered by reverse engineering.
- For critical operations such as device verification or facial authentication, send the signed JWT the SDK returns to your server and validate its signature and payload there before granting the user access.
- Never persist tokens on the client side; generate them server-side and hand them to the app for the current session only.
- Use restrictive token scopes: limit each token to the products and the user (peopleId) it actually needs.
- Validate SDK responses server-side before allowing any further access; a check performed only in the app can be bypassed.
For testing, you can generate tokens manually, but this is not recommended for production: a clientSecret pasted into a manual or third-party tool should be treated as exposed and rotated.
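The token steps above (mint a JWT bound to a peopleId, sign it with the clientSecret) and the checklist items about validating a signed JWT server-side, as an added example that is not CAF's code or SDK: a minimal HS256 issuer and verifier written against the Python standard library, using the claim names from the table (iss, exp, peopleId). CLIENT_ID, CLIENT_SECRET, the CPF value and the 300-second lifetime are constructed placeholders. Which key CAF uses to sign the SDK's own responses is not stated on this page, so verify_token takes the key as a parameter; the checks it performs (fixed algorithm, constant-time signature comparison, issuer, expiry) are the ones you need regardless of key.

```python
"""Server-side HS256 JWT issuance and verification (added example, not CAF code).

Claim names follow the table on this page: iss = clientId, exp = expiry,
peopleId = CPF of the person the token is restricted to.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders; a real deployment loads these from a secret store,
# never from the mobile app bundle.
CLIENT_ID = "your-client-id"
CLIENT_SECRET = b"replace-with-your-clientSecret"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; re-adds the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(people_id: str, ttl_seconds: int = 300, *, secret: bytes = CLIENT_SECRET, now=None) -> str:
    """Create a short-lived HS256 token restricted to one peopleId (CPF)."""
    issued_at = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": CLIENT_ID, "exp": issued_at + ttl_seconds, "peopleId": people_id}
    compact = dict(separators=(",", ":"))
    signing_input = (
        _b64url(json.dumps(header, **compact).encode())
        + "."
        + _b64url(json.dumps(payload, **compact).encode())
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(token: str, *, secret: bytes = CLIENT_SECRET, now=None) -> dict:
    """Return the payload if algorithm, signature, issuer and expiry all check out.

    Raises ValueError otherwise. The algorithm is pinned to HS256 so that a
    token claiming alg=none or a different algorithm is rejected outright.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("iss") != CLIENT_ID:
        raise ValueError("wrong issuer")
    current = int(time.time()) if now is None else now
    # exp is optional in the table above, but this server refuses tokens without it.
    if "exp" not in payload or current >= payload["exp"]:
        raise ValueError("expired or missing exp")
    return payload


def is_valid(token: str, *, secret: bytes = CLIENT_SECRET, now=None) -> bool:
    """Boolean wrapper around verify_token for callers that only need yes/no."""
    try:
        verify_token(token, secret=secret, now=now)
        return True
    except ValueError:
        return False


def demo(now: int = 1_728_000_000) -> dict:
    """Exercise the happy path and three failure modes at a fixed clock."""
    token = mint_token("12345678909", ttl_seconds=300, now=now)  # constructed CPF
    header_b64, payload_b64, sig_b64 = token.split(".")
    # An attacker swaps the peopleId but cannot re-sign without CLIENT_SECRET.
    forged_payload = _b64url(
        json.dumps({"iss": CLIENT_ID, "exp": now + 300, "peopleId": "00000000000"}).encode()
    )
    tampered = f"{header_b64}.{forged_payload}.{sig_b64}"
    # An attacker strips the signature and declares alg=none.
    none_header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    alg_none = f"{none_header}.{payload_b64}."
    return {
        "valid": is_valid(token, now=now + 100),
        "expired": is_valid(token, now=now + 300),
        "tampered": is_valid(tampered, now=now + 100),
        "alg_none": is_valid(alg_none, now=now + 100),
    }


if __name__ == "__main__":
    print(demo())
```

Only the server ever holds CLIENT_SECRET: the app receives the finished token for one session and sends any signed SDK response straight back for verify_token to check, which is the flow the checklist above asks for.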