SDK Integration Documentation

1. Overview

This documentation guides you through generating mobile tokens and properly integrating with CAF's SDK solutions.

2. Generating Access Tokens

2.1. Getting Your Keys

To use CAF's SDK solutions, you'll need a Mobile Key. Account users can retrieve their keys from the TRUST platform as follows:

  1. Log in to the TRUST platform.

  2. Navigate to "API Integration" under the settings.

  3. Copy existing keys or create new ones, specifying products and key names.

The recommended way to generate and distribute tokens is to restrict each token to a specific user, which reduces the potential attack surface.

2.2. Steps to Create and Use a JWT Token

  1. Create a JWT with the following fields:

    • clientId: Your client ID.

    • peopleId: The unique identifier for the user (or person) in your system.

    • expiresAt: The expiration time of the token, typically in Unix timestamp format (seconds since the epoch).

  2. Sign the JWT using your clientSecret. This is a secret key that should be kept private and used for signing the token.

  3. Use this token in your API or SDK calls to authenticate the requests.

2.3. Example

Here is an example JWT payload structure:

{
    "iss": "your-client-id",
    "exp": 1728000000,
    "peopleId": "user-unique-id"
}

Important: Remember to replace the fields your-client-id, user-unique-id, and 1728000000 with your actual values for clientId, peopleId, and expiresAt respectively.

For testing, you can use jwt.io to generate tokens manually, but this is not recommended for production. Keep in mind that entering your clientSecret into a third-party web tool exposes it, and tokens produced this way are vulnerable to attacks.

2.4. JWT Payload Parameters

Parameter   Required   Description
iss         Yes        The clientId provided by CAF
exp         No         Token expiration time (Unix timestamp)
peopleId    No         CPF (Taxpayer ID) to restrict the token

3. Integration Checklist

Ensure you have checked all the following before going live:

3.1. Token Generation Best Practices

Always generate tokens on your server to avoid security risks. Avoid storing sensitive information (such as your clientSecret) in your app, since attackers can recover it by reverse engineering the app binary.

3.2. Response Validation

When verifying critical operations such as device verification or facial authentication, send the signed JWT response to your server and validate its payload and signature there before granting the user access.
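The two server-side halves described in this document, minting a user-restricted token (section 2) and validating a signed JWT response before granting access (this section), written out as one added example. This is illustrative code, not CAF's SDK or API code: it assumes HS256 as the signing algorithm, assumes the response is a JWT signed with a secret your server holds, and uses the claim names from the payload in section 2 (iss, exp, peopleId). The function names (mint_token, verify_token, outcome, with_replaced_payload) and the sample credentials are hypothetical, and everything here uses only the Python standard library.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample values (not real CAF credentials).
CLIENT_ID = "your-client-id"
CLIENT_SECRET = "constructed-client-secret"


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the padding JWT strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    """Compact JSON, base64url-encoded."""
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def mint_token(people_id: str, ttl_seconds: int = 300, now: Optional[int] = None,
               client_id: str = CLIENT_ID, secret: str = CLIENT_SECRET) -> str:
    """Server-side only: build an HS256 JWT restricted to one person with a short expiry.
    The secret never ships in the app; the claim names match section 2 (iss, exp, peopleId)."""
    now = int(time.time()) if now is None else now
    signing_input = (_segment({"alg": "HS256", "typ": "JWT"}) + "." +
                     _segment({"iss": client_id, "exp": now + ttl_seconds, "peopleId": people_id}))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: Optional[int] = None,
                 client_id: str = CLIENT_ID, secret: str = CLIENT_SECRET) -> dict:
    """Validate structure, algorithm, signature, issuer and expiry before trusting the payload.
    Raises ValueError carrying the reason on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm instead of trusting the token's own 'alg' field.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison: a plain == leaks timing information about the MAC.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("iss") != client_id:
        raise ValueError("wrong issuer")
    # exp is optional in CAF's parameter table; this verifier insists on it (design choice).
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise ValueError("token expired or missing exp")
    return payload


def outcome(token: str, now: int) -> str:
    """'ok' when the token is accepted, otherwise the rejection reason."""
    try:
        verify_token(token, now=now)
        return "ok"
    except ValueError as err:  # binascii and JSON decode errors are ValueError subclasses
        return str(err)


def with_replaced_payload(token: str, **changes) -> str:
    """Rebuild a token with edited claims but the ORIGINAL signature. Used here only to
    show that a response modified on the client is rejected by the server-side check."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload.update(changes)
    return f"{header_b64}.{_segment(payload)}.{sig_b64}"


if __name__ == "__main__":
    issued_at = 1728000000  # constructed timestamp matching the page's example
    tok = mint_token("user-unique-id", now=issued_at)
    print(outcome(tok, issued_at + 100))
    print(outcome(tok, issued_at + 300))
    print(outcome(with_replaced_payload(tok, peopleId="someone-else"), issued_at + 100))
```

The verifier rejects a token whose payload was edited after signing, whose signature was made with a different secret, whose header names any algorithm other than the pinned one, or whose exp has passed; short TTLs and the peopleId restriction keep a leaked token useful only briefly and only for one person.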

4. Security Tips

  • Never store tokens on the client side: Always generate them server-side.

  • Use restrictive token scopes: Limit tokens to specific products and user actions.

  • Validate SDK responses server-side: Ensure all responses are validated server-side before allowing further access.
