On this page, you will find information about the Identity SDK.


The main goal of the Identity SDK is to prove that a user really is who they say they are. The SDK works as a form of multi-factor authentication for registered identities.

How it works

How the Identity SDK works can be seen in the flow chart below:


  1. During some routine of your application or website (such as login, password changes, or bank transfers), a call is made to the SDK with the ID of the policy to be verified and the CPF of the user.

  2. We receive the request and, according to the policy, determine whether the user context is known.

    1. If it is, the SDK jumps to item 3.

    2. If not, the user will go through all the means of authentication required by the policy (e.g. facial authentication, via SMS, etc.).

      1. If all are correct, the SDK jumps to item 3.

      2. If any of them fails, the SDK jumps to item 4.

  3. The SDK returns a JWT signed with your clientSecret, attesting that the user is who they say they are.

    1. You send this JWT to your API and check the details and the signature.

      1. If something is incorrect, the user is not authenticated.

      2. If everything is correct, the user is authenticated and cleared to perform the desired operation.

    2. End of execution

  4. The SDK returns that the user is not authorized.

    1. End of execution
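The check in step 3.1, sketched as an added example (not code from Caf or from the SDK). It assumes the JWT is signed with HMAC-SHA256 (HS256), since the page only says it is signed with your clientSecret; the claim names `cpf` and `policyId` are hypothetical, and `exp` is the standard JWT expiry claim.

```python
import base64, hashlib, hmac, json, time

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def verify_identity_jwt(token, client_secret, expected_cpf, expected_policy, now=None):
    """Return the claims if the token is valid for this user and policy, else raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except Exception:
        raise ValueError("malformed token")
    # Pin the algorithm on the server; never let the token pick it (assumed HS256).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    signed_part = f"{header_b64}.{payload_b64}".encode()
    expected_sig = hmac.new(client_secret.encode(), signed_part, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(signature, expected_sig):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))  # trusted only after the check above
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (now or time.time()):
        raise ValueError("expired or missing exp")
    # Bind the token to the user and policy of the operation being authorized,
    # so a token obtained for another CPF or a weaker policy is refused.
    if claims.get("cpf") != expected_cpf or claims.get("policyId") != expected_policy:
        raise ValueError("token issued for another user or policy")
    return claims

def make_sample_token(claims, secret, alg="HS256"):
    """Constructed helper that stands in for the SDK in tests; hypothetical token layout."""
    head = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"

if __name__ == "__main__":
    secret = "constructed-client-secret"  # constructed value, not a real credential
    sample = {"cpf": "00000000000", "policyId": "policy-123", "exp": 2000}
    token = make_sample_token(sample, secret)
    print(verify_identity_jwt(token, secret, "00000000000", "policy-123", now=1000))
```

A maintained JWT library with the accepted algorithm pinned performs the same signature and expiry checks; the binding to the expected user and policy remains your API's responsibility.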

Useful resources

And these are the versions of the Identity SDK that are publicly available today:


2023 © Caf. - All rights reserved