SDK Integration Documentation

1. Overview

This documentation guides you through generating mobile tokens and properly integrating with CAF's SDK solutions.

2. Generating Access Tokens

2.1. Getting Your Keys

To use CAF's SDK solutions, you'll need a Mobile Key. Account users can retrieve their keys from the TRUST platform by:

Logging into TRUST platform
Navigating to "API Integration" under the settings.
Copy existing keys or create new ones, specifying products and key names.

2.2. Recommended Token Generation Method

The recommended way to generate and distribute tokens is by limiting them to specific users, reducing potential attack surface.

Steps to Create and Use a JWT Token

Create a JWT with the following fields:
- clientId: Your client ID.
- peopleId: The unique identifier for the user (or person) in your system.
- expiresAt: The expiration time of the token, typically in Unix timestamp format (seconds since the epoch).
Sign the JWT using your clientSecret. This is a secret key that should be kept private and used for signing the token.
Use this token in your API or SDK calls to authenticate the requests.

Example

Here is an example JWT payload structure:

{
    "iss": "your-client-id",
    "exp": 1728000000,
    "peopleId": "user-unique-id"
}

Important: Remember to replace the fields your-client-id, user-unique-id, and 1728000000 with your actual values for clientId, peopleId, and expiresAt respectively.

2.3. Non-Recommended Method (Testing Purposes)

For testing, you can use jwt.io to manually generate tokens, but this is not recommended for production. Keep in mind that these methods are vulnerable to attacks.

2.4. JWT Payload Parameters

Parameter Required Description

Parameter	Required	Description
`iss`	Yes	The `clientId` provided by CAF
`exp`	No	Token expiration time (Unix timestamp)
`peopleId`	No	CPF (Taxpayer ID) to restrict the token

iss

Yes

The clientId provided by CAF

exp

Token expiration time (Unix timestamp)

peopleId

CPF (Taxpayer ID) to restrict the token

3. Integration Checklist

Ensure you have checked all the following before going live:

Tokens are generated on the server-side.
Tokens are specific to the user's CPF.
Tokens have reasonable expiration times.
Server validates SDK response signatures using clientSecret.

3.1. Token Generation Best Practices

Always generate tokens on your server to avoid security risks. Avoid storing sensitive information in your app that attackers could reverse engineer.

3.2. Response Validation

When verifying critical operations like device verification or facial authentication, send the signed JWT response to your server to validate the payload and signature before giving the user access.

4. Security Tips

Never store tokens on the client-side: Always generate them server-side.
Use restrictive token scopes: Limit tokens to specific products and user actions.
Validate SDK responses server-side: Ensure all responses are validated server-side before allowing further access.

Last updated 1 month ago