SDK Integration Documentation
1. Overview
This documentation guides you through generating mobile tokens and properly integrating with CAF's SDK solutions.
2. Generating Access Tokens
2.1. Getting Your Keys
To use CAF's SDK solutions you need a Mobile Key. Account users can retrieve their keys from the TRUST platform as follows:
Log in to the TRUST platform.
Navigate to "API Integration" under Settings.
Copy an existing key or create a new one, specifying the products it covers and a key name.
Treat the key and the associated clientSecret as credentials: they belong on your server, never in the mobile app.
2.2. Recommended Token Generation Method
The recommended way to generate and distribute tokens is to bind each token to a specific user and give it a short lifetime. A leaked or replayed token is then usable only for that one person and only until it expires, which keeps the attack surface small.
Steps to Create and Use a JWT Token
Create a JWT with the following fields:
clientId: your client ID.
peopleId: the unique identifier for the user (or person) in your system.
expiresAt: the expiration time of the token, typically a Unix timestamp (seconds since the epoch).
Sign the JWT using your clientSecret. This is a secret key that must be kept private, used only on your server, and used only for signing tokens.
Use the resulting token in your API or SDK calls to authenticate the requests.
Example
Here is an example JWT payload structure:
Important: replace the placeholder values your-client-id, user-unique-id and 1728000000 with your actual values for clientId, peopleId and expiresAt respectively. The value 1728000000 is only an example Unix timestamp; choose an expiry a few minutes ahead of the time the token is issued, because a token that never expires, or expires far in the future, can be replayed for as long as it is valid.
2.3. Non-Recommended Method (Testing Purposes)
For testing, you can use jwt.io to generate tokens by hand, but this is not recommended for production. Pasting your clientSecret into a browser-based tool puts the secret outside your server's control, and hand-made tokens tend to be long-lived and not bound to a particular user, which makes them easy to reuse if they are captured.
2.4. JWT Payload Parameters
Parameter   Required   Description
iss         Yes        The clientId provided by CAF
exp         No         Token expiration time (Unix timestamp)
peopleId    No         CPF (Taxpayer ID) used to restrict the token to one person
Although exp and peopleId are optional, a token without exp never expires and a token without peopleId can be used for any person; for production tokens set both, as recommended in 2.2.
3. Integration Checklist
Ensure you have checked all the following before going live:
3.1. Token Generation Best Practices
Always generate tokens on your server. Never embed the clientSecret, or any other secret, in the mobile app: anything shipped inside the app binary can be recovered by reverse engineering, and a recovered clientSecret lets an attacker mint their own tokens.
3.2. Response Validation
When completing critical operations such as device verification or facial authentication, send the signed JWT response to your server and verify its signature and payload there (including that it has not expired and that it refers to the user who started the flow) before granting the user access. A result that only the client has checked can be forged by a modified app.
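The following is an added example, not code from CAF or its SDK, covering both the server-side token generation of section 2.2 and the server-side validation of section 3.2, using only the Python standard library. It assumes HS256 signing with the clientSecret and uses the claim names from the 2.4 table (iss for the clientId, exp, peopleId). Which key and algorithm CAF uses to sign SDK responses is not stated on this page, so verification is demonstrated against the same shared secret; the secret and identifiers are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholders for this example only (not real CAF values).
CLIENT_ID = "your-client-id"
CLIENT_SECRET = "replace-with-your-clientSecret"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(secret: str, signing_input: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()


def encode_segment(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def create_token(client_id: str, people_id: str, secret: str,
                 ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Mint a short-lived HS256 JWT bound to one person. Runs on your server only."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    # Claim names follow the payload-parameter table (assumed): iss = clientId, exp, peopleId.
    payload = {"iss": client_id, "peopleId": people_id, "exp": now + ttl_seconds}
    signing_input = f"{encode_segment(header)}.{encode_segment(payload)}"
    return f"{signing_input}.{b64url(hs256(secret, signing_input))}"


class TokenError(Exception):
    pass


def verify_token(token: str, secret: str, expected_issuer: str,
                 expected_people_id: Optional[str] = None, now: Optional[int] = None) -> dict:
    """Return the payload only if algorithm, signature, issuer, expiry and peopleId all check out."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        payload = json.loads(b64url_decode(p))
        signature = b64url_decode(s)
    except ValueError as exc:  # covers binascii.Error, JSON and UTF-8 errors
        raise TokenError("undecodable token") from exc
    # Pin the algorithm: never let the token choose it ("none" / algorithm confusion).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    # Check the signature before trusting any claim, with a constant-time compare.
    if not hmac.compare_digest(hs256(secret, f"{h}.{p}"), signature):
        raise TokenError("bad signature")
    if payload.get("iss") != expected_issuer:
        raise TokenError("wrong issuer")
    # A missing exp would be a token that never expires; treat it as invalid.
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise TokenError("expired or no exp")
    # Bind the result to the user who started the flow.
    if expected_people_id is not None and payload.get("peopleId") != expected_people_id:
        raise TokenError("peopleId mismatch")
    return payload


def validate(token, secret, expected_issuer, expected_people_id=None, now=None):
    """Request-handler friendly wrapper: returns (payload, None) or (None, reason)."""
    try:
        return verify_token(token, secret, expected_issuer, expected_people_id, now), None
    except TokenError as exc:
        return None, str(exc)


if __name__ == "__main__":
    tok = create_token(CLIENT_ID, "user-unique-id", CLIENT_SECRET, ttl_seconds=300, now=1727999700)
    print(tok)
    print(validate(tok, CLIENT_SECRET, CLIENT_ID, "user-unique-id", now=1727999999))
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is read, so an attacker cannot steer the verifier with a crafted header or payload, and the peopleId comparison ties a verified response to the session that requested it rather than to whoever presents it.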
4. Security Tips
Never generate or persist tokens on the client side: mint them server-side, per user and per session, and hand the app a short-lived token only when it needs one.
Use restrictive token scopes: limit tokens to the specific products and user actions they are needed for, and bind them to a single person with peopleId.
Validate SDK responses server-side: verify the signature and payload of every response on your server before allowing further access; never rely on a check performed in the app.