Checking the response
To ensure the integrity of the results from the Identity SDK, the return information is included in a payload within a JSON Web Token (JWT) signed using your clientSecret. This token is called an attestation and must be sent to your backend and verified before granting the user access to your system.
When isAuthorized is true, the attestation carries the attemptId inside the token. There is also the case where isAuthorized is false; in that scenario, the attemptId is returned alongside the isAuthorized field.
Please ensure that both the attestation and attemptId (when applicable) are properly handled and verified in your backend system.
How to check the response without a JWT (attestation)
In cases where the attestation is not present in the response, you will receive an object with two fields: isAuthorized and attemptId.
The attemptId field can be used to capture data about the authentication attempt. For more information, refer to the related documentation.
How to get your clientSecret
See the documentation about Identity access tokens.
JWT validation
For user validation, we use the returned JWT. From it we take the data needed for validation (isAuthorized and isNewContext).
Data contained in the JWT (attestation)
| Field | Type | Description |
|---|---|---|
| attemptId | string | Authentication attempt ID |
| | string | Authenticated user CPF |
| | string | Validated policy ID |
| isAuthorized | boolean | Indicates whether the user has been authorized according to the policy rules |
| isNewContext | boolean | Indicates whether the user context was already known |
How to extract data from the JWT
Authorization check
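Example backend verification for the two sections above (extracting data from the JWT and the authorization check), added here and not the SDK's or project's own code: it verifies an HS256 attestation with the clientSecret, pins the algorithm, and only then reads isAuthorized and attemptId, falling back to the plain isAuthorized/attemptId object when no attestation is present. The response key name "attestation", the sample secret and the make_attestation helper (which only builds a constructed sample token) are assumptions for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example only; in production use the clientSecret from Identity access tokens.
CLIENT_SECRET = "example-client-secret-not-real"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_attestation(payload: dict, secret: str) -> str:
    # Builds an HS256-signed JWT so the example is self-contained (constructed, not the SDK's own code).
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_attestation(token: str, secret: str) -> dict:
    # Returns the verified claims or raises ValueError; never read claims before the signature checks out.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: a header claiming "none" or any other alg is rejected rather than honoured.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body_b64))


def authorize(response: dict, secret: str) -> tuple:
    # Backend decision as (grant_access, attemptId). Without an attestation the response only carries
    # isAuthorized/attemptId, so access is denied and attemptId is kept for looking up the attempt.
    if "attestation" not in response:
        return False, response.get("attemptId", "")
    claims = verify_attestation(response["attestation"], secret)
    return claims.get("isAuthorized") is True, claims.get("attemptId", "")
```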