Access token

This page shows the steps of how to generate a mobile token and how the recommended manners to do this.

To use CAF's SDK solutions, you will first need to have a Mobile Key. This is a token that CAF provides for authorization and is used by the client when initialize the SDK.

Getting your keys

Account users with appropriate permissions will be able to retrieve or create their mobile key from the TRUST platform by following the below steps:

  1. Once logged into the TRUST platform, click on the setting button (gear icon) within the client navigation area and then select "API Integration" from the options.

  2. Ensure the active tab is "Mobile Keys", on this page you can see your keys and the linked products. Click "copy" to save to your clipboard.

  3. To create a new one, click on the "New key" button and select which products the token will be allowed to run and a name for the key, then click on "Generate key". The page will show you clientId and clientSecret, keep it safe.

Don’t store your keys directly on your mobile application. Does this turn trivial for one attacker to realize reverse engineering on your application and get these informations. In this case, the attacker can realize requests fraudulently in your name, compromising the security of your application and causing undue charges.

If the environment used is the homologation (beta) environment, the access keys must be generated in the same environment: TRUST platform beta.

Generating your token

The following steps describe how can you generate tokens that are only valid for a specific user. This is the recommended way to generate and distribute the tokens because it limits a possible attack on a single user account.

  1. At some point in your application flow, create a JWT with the structure of the example below;

    • Remember to replace the fields {clientId}, {peopleId} and {expiresAt}

    • All fields are highly recommended, you can see which one is required at the bottom of this page

  2. Sign the token with your clientSecret;

  3. Use this token to authenticate API or SDK calls.


    "alg": "HS256",
    "typ": "JWT"
  1. Go to the website;

  2. Keep the Header field, do not change;

  3. Edit the payload, only the iss field is required;

  4. Replace your-256-bit-secret with your clientSecret;

  5. Go to Share JWT to copy the generated token to the clipboard;

  6. Use this token to authenticate API or SDK calls.

JWT payload parameters






Your clientId



Expiration time (seconds Unix time)



The CPF (Individual Taxpayer Registration Number) in which the token will be valid

Last updated


2023 Β© Caf. - All rights reserved