Skip to main content
API docs by Redocly

Signicat MobileID Admin API (1.0)

Download OpenAPI specification:Download

  • Base URL: https://api.signicat.com/mobileid/admin/
  • Documentation: See the MobileID developer documentation.
  • Support: Create a support ticket in the Signicat Dashboard.

Introduction

The Signicat MobileID Admin API enables you to carry out administrative tasks and configuration management for the Signicat MobileID service.

This REST API uses the OAuth 2.0 protocol for authorisation. All request and response bodies are formatted in JSON.

Get started

1. Connect to this API

Before you can start making requests to this API, you need to learn how to connect to it. To do this, see the Connect to Signicat APIs Quick start guide.

2. Onboard to MobileID

You need to complete the onboarding of your account for MobileID. To do this, you can use the Signicat Dashboard:

  1. Go to Signicat Dashboard > Products > MobileID.
  2. Click the Add MobileID button.

Success! You can now start making requests to the MobileID Admin API.

Using this API

Audit logs

Use the Signicat Audit logs service to see documented evidence of the sequence of activities that have affected a system.

  • Access it: Signicat Dashboard > Settings > Audit logs
  • For information generic to all Signicat audit logs, see the general Audit logs documentation.

Errors

When you make an API call to Signicat and an error occurs, you will receive a response message with an error code.

  • For errors generic to all Signicat APIs, see the general Error codes documentation.

Events (callback)

Use the Signicat Events service to automatically receive information about when something happens in one of our services into your system.

Note: This is often referred to as callback.

  • Access it: Go to Signicat Dashboard > Settings > Events
  • For information generic to all Signicat events, see the general Events documentation.

Accounts

The MobileID Admin accounts API provides you with operations related to administering your MobileID account, such as adding an account, and fetching information about an account.

Note: The request and response samples are for illustrative purposes only, and discrepancies can occur between the sample values in request and response objects.

Get MobileID account

The Get MobileID account operation returns the properties of a MobileID account.

Authorizations:
None
query Parameters
signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

statistics
boolean
Default: true
Example: statistics=true

Control whether the statistics (AccountStatistics) is returned in the response object. Statistics are returned by default.

Note: Returned statistical data is not live data.

Responses

Response samples

Content type
application/json
Example

Response sample when fetching a sandbox account.

{
  • "created": "2023-09-06T06:47:20.000Z",
  • "modified": "2023-09-06T06:49:23.000Z",
  • "organisationId": "o-d-Abcdefgh1234JC4Cczm4",
  • "id": "a-sdge-abcdefghijk123456789",
  • "name": "Sample Account",
  • "type": "SANDBOX",
  • "state": "ENABLED",
  • "sandboxProperties": {
    },
  • "statistics": {
    },
  • "configurations": [
    ],
  • "onboardedForMobileId": true,
  • "onboardedForPasskeys": false
}

Add MobileID account

The Add MobileID account operation fulfils the onboarding of your account to MobileID by adding an account to the MobileID service.

This is a prerequisite for all other operations.

Note: This operation is a part of the onboarding process.

Authorizations:
None
query Parameters
onboardingType
string
signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

Responses

Response samples

Content type
application/json
Example

Response sample when adding a sandbox account.

{
  • "created": "2023-09-06T06:54:18.000Z",
  • "organisationId": "o-d-Abcdefgh1234JC4Cczm4",
  • "id": "a-sdge-abcdefghijk123456789",
  • "name": "Sample Account",
  • "type": "SANDBOX",
  • "state": "ENABLED",
  • "sandboxProperties": {
    },
  • "statistics": {
    },
  • "configurations": [
    ],
  • "onboardedForMobileId": true,
  • "onboardedForPasskeys": false
}

Update account

Updates a specified customer account.

Authorizations:
None
query Parameters
signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

Request Body schema: application/json
required
state
string
Enum: "ENABLED" "DISABLED"
Example: "ENABLED"

Account state

Responses

Request samples

Content type
application/json
{
  • "state": "ENABLED"
}

Response samples

Content type
application/json
{
  • "id": "a-sdge-abcdefghijk123456789",
  • "state": "ENABLED",
  • "organisationId": "1fb22154-8633-417b-a918-cd59a3ccd12f",
  • "encapApiKey": "M2NhZjFmYTItNmUyMi00NGFkLWE0YmUtZTZlMTZ...",
  • "sandboxDeviceLimit": "200"
}

APNs tokens

The MobileID Admin APNs tokens API provides you with operations related to creating and managing Apple Push Notifications service (APNs) tokens.

APNs tokens can be used so that your end-users can receive push notifications in your mobile app.

Note: The request and response samples are for illustrative purposes only, and discrepancies can occur between the sample values in request and response objects.

Useful information

An APNs token can be used by all accounts in the same organisation.

Get APNS tokens

The Get APNs tokens operation returns a list of the APNs tokens for the organisation that the account belongs to. This includes both production and sandbox APNs tokens.

The maximum number of APNs token objects per list is 20.

Authorizations:
None
query Parameters
signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

Responses

Response samples

Content type
application/json
{
  • "apnsTokens": [
    ]
}

Add APNS token

The Add APNs token operation enables you to add a new APNs token to your MobileID account.

An APNs token can be used by all accounts in the same organisation.

Authorizations:
None
query Parameters
signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

Request Body schema: application/json
required
name
required
string non-empty
Example: "APNs token name"

The name of the APNs token

description
string
Example: "This is the APNs token ..."

The description of the APNs token

privateKey
required
string non-empty
Example: "replace with base64 encoded private key"

The Base64 encoded string of APNs token private key

keyId
required
string non-empty
Example: "key-id"

Key ID of the APNs token

teamId
required
string non-empty
Example: "team-id"

Team ID of Apple Developer Account

Responses

Request samples

Content type
application/json
{
  • "name": "Test app APNs token",
  • "description": "test-token-description",
  • "privateKey": "replace with base64 encoded private key",
  • "keyId": "ABCD1234",
  • "teamId": "EDFG5678"
}

Response samples

Content type
application/json
{
  • "id": "82a634bf-a485-457c-90c4-88ddd56319c1",
  • "description": "test-token-description",
  • "name": "Test app APNs token",
  • "created": "2022-12-11T12:35:52.000Z",
  • "sha1Fingerprint": "ab:6b:bb:f3:e3:5e:6f:11",
  • "sha256Fingerprint": "21:31:57:72:33:ec:23:84:ad:30:68:1c:e3:ab",
  • "keyId": "ABCD1234",
  • "teamId": "EDFG5678"
}

Get APNS token

The Get APNs token operation returns a specified APNs token for your MobileID account.

An APNs token can be used by all accounts in the same organisation.

Authorizations:
None
path Parameters
apnsTokenId
required
string
Example: 82a634bf-a485-457c-90c4-88ddd56319ac

The ID of the APNs token.

query Parameters
signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

Responses

Response samples

Content type
application/json
{
  • "id": "82a634bf-a485-457c-90c4-88ddd56319c1",
  • "description": "test-token-description",
  • "name": "Test app APNs token",
  • "created": "2022-12-11T12:35:52.000Z",
  • "sha1Fingerprint": "ab:6b:bb:f3:e3:5e:6f:11",
  • "sha256Fingerprint": "21:31:57:72:33:ec:23:84:ad:30:68:1c:e3:ab",
  • "keyId": "ABCD1234",
  • "teamId": "EDFG5678"
}

Delete APNS token

The Delete APNs token operation deletes a specified APNs token from your MobileID account.

An APNs token can be used by all accounts in the same organisation.

Authorizations:
None
path Parameters
apnsTokenId
required
string
Example: 82a634bf-a485-457c-90c4-88ddd56319ac

The ID of the APNs token.

query Parameters
signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

Responses

Response samples

Content type
application/json
Example

Account ID missing

{
  • "type": "https://developer.signicat.com/errors?code=account_id_missing",
  • "title": "An Account ID must be specified for this request",
  • "code": "account_id_missing",
  • "status": 400,
  • "traceId": "4bf239c088089f2bca77d3a413909f1c",
  • "detail": "An Account ID must be specified for this request. An AccountID can be specified in three ways. 1) For machine clients configured on an Account, the provided access token will specify the account ID. 2) Account ID can be provided as a query parameter `signicat-accountId=<accountId>`. 3) Account ID can be provided as a HTTP Header `Signicat-AccountId: <accountId>`. A request will be rejected if more than one account ID is specified."
}

Application configuration

The MobileID Admin Application configuration API provides you with operations related to administering your application configuration.

Note: The request and response samples are for illustrative purposes only, and discrepancies can occur between the sample values in request and response objects.

Useful information

An application configuration is a specific set of application attributes for a mobile application. These attributes determine how the application should work.

What does it look like?

An application configuration consists of the following:

  • The UUID of the application configuration.
  • The ID of the application configuration.
  • The name of the application configuration.
  • The APNs UUID of the application configuration.
  • The state of the application configuration.
  • An object containing the properties of the application configuration.

You can also use this API to configure MobileID features, by making changes to the default values in the application configuration properties. For further information, see our MobileID feature guides.

Always collected risk data

Some risk data is always collected, for debugging purposes. This means that for enabledRiskData:

  • If you pass null, the always collected risk data will still be returned.
  • If you specify risk attributes, the always collected risk data will be returned in addition to those you have specified.

You can find a list of what risk data is always enabled in the MobileID API reference documentation. See risk attributes in the Common concepts section.

Get state of application configuration

The Get state of application configuration operation returns the state of a specified application configuration.

Authorizations:
None
query Parameters
signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

Responses

Response samples

Content type
application/json
{
  • "state": "ENABLED"
}

Update state of application configuration

The Update state of application configuration operation enables you to update the state of a specified application configuration.

Authorizations:
None
query Parameters
signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

Request Body schema: application/json
required
state
required
string
Example: "ENABLED"

The state of the application configuration. This can be either ENABLED or DISABLED

Responses

Request samples

Content type
application/json
{
  • "state": "ENABLED"
}

Response samples

Content type
application/json
{
  • "state": "ENABLED"
}

Get APNs UUID of application configuration

The Get APNs UUID of application configuration operation returns the APNs UUID of a specified application configuration.

Authorizations:
None
query Parameters
signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

Responses

Response samples

Content type
application/json
{
  • "apnsUuid": "12ef6f3a-a12a-4c5e-bb1b-1d75a9f37d59"
}

Update APNs UUID of application configuration

The Update APNs UUID of application configuration operation enables you to update a specified APNs UUID of an application configuration.

Authorizations:
None
query Parameters
signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

Request Body schema: application/json
required
apnsUuid
required
string
Example: "ENABLED"

The application config's apns UUID

Responses

Request samples

Content type
application/json
{
  • "apnsUuid": "12ef6f3a-a12a-4c5e-bb1b-1d75a9f37d59"
}

Response samples

Content type
application/json
{
  • "apnsUuid": "12ef6f3a-a12a-4c5e-bb1b-1d75a9f37d59"
}

Get properties of application configuration

The Get properties of application configuration operation returns the properties of a specified application configuration.

Authorizations:
None
query Parameters
signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

Responses

Response samples

Content type
application/json
{
  • "amountFailuresAllowed": "3",
  • "activationCodeType": "NUMERIC",
  • "activationCodeLength": "6",
  • "allowedAuthMethods": [
    ],
  • "maxPinCodeLength": "6",
  • "pinCodeLength": "6",
  • "pinCodeType": "NUMERIC",
  • "maximumSessionExpiry": "187200000",
  • "sessionExpiry": "300000",
  • "apnExpiry": "1",
  • "enabledRiskData": [
    ],
  • "hwKeyValidationStrategy": "SUPPORTED",
  • "nativePushEnabled": "false",
  • "firebaseTimeToLive": "0",
  • "firebaseServiceAccount": "<Base64 encoded string>",
  • "allowedAuthMethodsForAuthAndActivate": [
    ],
  • "recoveryEnabled": "false",
  • "recoveryCodeMinLength": "6",
  • "recoveryCodeMaxLength": "50",
  • "recoveryCodeFormat": "NUMERIC",
  • "recoveryCodeAmountFailuresAllowed": "3",
  • "apnsNotificationSoundEnabled": "true",
  • "geofencingActivationMode": "OFF",
  • "geofencingAuthenticationMode": "OFF",
  • "geofencingTimeout": "10000",
  • "attestationIosAppAttestMode": "OFF",
  • "attestationIosAppAttestEnvironment": "PRODUCTION",
  • "attestationIosAppAttestTimeout": "20000",
  • "attestationAndroidPlayIntegrityMode": "OFF",
  • "attestationAndroidPlayIntegrityTimeout": "200000",
  • "apnsTimeSensitiveInterruptionLevelEnabled": "true",
  • "clientDebugDataEnabledOsTypes": "IOS,ANDROID",
  • "lockScope": "DEVICE"
}

Update properties of application configuration

The Update properties of application configuration operation enables you to update the properties of a specified application configuration.

It is not currently possible to update the following properties with this endpoint:

  • maximumSessionExpiry
  • clientDebugDataEnabledOsTypes

If you would like to update them, please contact us at support@signicat.com.

Note: You will still see these properties returned in the operation response.

Authorizations:
None
query Parameters
signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

Request Body schema: application/json
required
amountFailuresAllowed
string
Example: "3"

The grace amount of failed authentications for any client before they are locked out.

Allowed values: From 0 to MAXINT

activationCodeType
string
Example: "NUMERIC"

The type of characters that can be used during the generation of the activation code.

Allowed values: ALPHA, ALPHANUMERIC, ANY or numeric

activationCodeLength
string
Example: "10"

The length in characters of the activation code that should be

Allowed values: From 4 to MAXINT.

allowedAuthMethods
Array of strings
Example: ["DEVICE","DEVICE:PIN"]

Comma-separated list of allowed authentication methods.

Determines which authentication methods can be activated and used for authentication.

apnConfig
string
Example: "PRODUCTION"

The APN server configuration that defines where to reach the APNs.

Allowed values: PRODUCTION or SANDBOX

enabledRiskData
Array of strings
Example: "ALL"

The risk attributes to collect for the device.

To learn how to configure which risk attributes are collected, see Risk data in our Application configuration feature documentation.

maxPinCodeLength
string
Example: "6"

The maximum length in characters of the PIN.

Allowed values: From 1 to MAXINT.

pinCodeLength
string
Example: "6"

The length in characters of the PIN. Set 0 to disable PIN code.

Note: This is a hint to the client and not enforced by the server (but enforced in the client SDK).

Allowed values: From 1 to MAXINT.

pinCodeType
string
Example: "NUMERIC"

The type of characters that can be used in the PIN.

Note: This is a hint to the client and not enforced by the server.

Allowed values: ANY, NUMERIC, ALPHA, ALPHANUMERIC

sessionExpiry
string
Example: "300000"

The amount of time (in milliseconds) that a new client session remains valid for. After this time has elapsed, the session can no longer be used for any operations.

Allowed values: From 1 to MAXINT.

minimumRequiredEncapApiVersionAndroid
string
Example: "3.7.0"

What Android client SDK version should be allowed. This can be used to narrow (not extend) the SDK version.

Allowed values: Semantic version, such as 3.7.0.

Example: If the server minimum is 3.5.0, and you only want to allow 3.6.0 clients, then this can be achieved. However, there is no effect if you set 3.3.0.

minimumRequiredEncapApiVersionIos
string
Example: "3.7.0"

What iOS client SDK version should be allowed. This can be used to narrow (not extend) the SDK version.

Allowed values: Semantic version, such as 3.7.0.

Example: If the server minimum is 3.5.0, and you only want to allow 3.6.0 clients, then this can be achieved. However, there is no effect if you set 3.3.0.

apnExpiry
string
Example: "86400000"

The amount of time (in milliseconds) that APNs will try to deliver the message for. If not delivered within this time, then the message is discarded.

Allowed values: From 1to MAXINT.

Note: APNS will attempt to deliver the message at least once, regardless of the set expiration time.

encapApiBlacklistAndroid
string
Example: "3.5.3, 3.6.8"

Android SDK API versions to blacklist (and reject). See the android configuration chapter in the server manual for smart device for details.

Allowed values: Comma-separated semantic version such as: 3.5.3, 3.6.8.

encapApiBlacklistIos
string
Example: "3.5.3, 3.6.8"

IOS SDK API versions to blacklist (and reject). See the ios configuration chapter in the server manual for smart device for details.

Allowed values: Comma-separated semantic version such as: 3.5.3, 3.6.8.

nativePushEnabled
string
Example: "false"

Enable the server to send push messages with Fire Cloud Messaging or Apple APNs.

Allowed values: true or false

firebaseTimeToLive
string
Example: "0"

Firebase Cloud Messaging. Maximum lifespan of the message in milliseconds. This means deliver now or never.

FCM guarantees best effort for messages with this lifespan.

Allowed values: From 0 to MAXINT.

Default value: 0

firebaseServiceAccount
string
Example: "<Base64 encoded string>"

Firebase Cloud Messaging. The contents of the serviceAccount.json (credentials file) for your Firebase Cloud Messaging project."; Note: The field has to be Base64 encoded.

attestationAndroidPackageName
string
Example: "the package name"

Play Integrity Attestation, the APK package name.

Note: This is required if attestationAndroidPlayIntegrityMode is REQUIRED or OPTIONAL.

apnsBundleId
string
Example: "the bundle id"

Apples bundle ID for the application. Used as topic on the push message sent to APNs, required when using APNS_TOKEN.

allowedAuthMethodsForAuthAndActivate
Array of strings
Example: ["DEVICE:PIN"]

Comma-separated list of allowed authentication methods for activation of a new authentication method.

Determines which authentication methods can be used to authenticate during activation of a new authentication method.

Note: The value(s) here must be present in the ALLOWED_AUTH_METHODS parameter. Offline authentication methods cannot be used here.

recoveryEnabled
string
Example: "true"

Enable users to set up recovery with an alternative set of user credentials.

Allowed values: true or false

recoveryCodeMinLength
string
Example: "6"

The minimum number of characters for the recovery PIN.

Note: This is a hint to the client and not enforced by the server.

Allowed values: From 0 to MAXINT.

recoveryCodeMaxLength
string
Example: "50"

The maximum number of characters for the recovery PIN.

Note: This is a hint to the client and not enforced by the server.

Allowed values: From 0 to MAXINT.

recoveryCodeFormat
string
Example: "ALPHA"

The type of characters that can be used in the recovery PIN.

Note: This is a hint to the client and not enforced by the server.

Allowed values: ALPHA, ALPHANUMERIC, ANY, NUMERIC

recoveryCodeAmountFailuresAllowed
string
Example: "3"

The grace amount of failed recovery code attempts for any client before the recovery for the client is locked.

Allowed values: From 0 to MAXINT.

apnsNotificationSoundEnabled
string
Example: "false"

Enable notification sound for push messages to iOS devices.

Allowed values: true, false

geofencingActivationMode
string
Example: "OPTIONAL"

The geofencing mode to use for the registration.

Allowed values: REQUIRED, OPTIONAL, or OFF.

For more information, see Geofencing in our Application configuration feature documentation.

geofencingActivationAllowedContinents
string
Example: "EU"

Comma-separated list of continents where registration is allowed, in a two-letter continent code format.

Allowed values: AF, NA, OC, AN, AS, EU, or SA.

geofencingActivationAllowedCountries
string
Example: "US"

Comma-separated list of countries where registration is allowed, in an ISO 3166-1 alpha-2 two-letter country code format.

These countries are in addition to those covered by the allowed continents parameter.

You can find a list of countries and corresponding codes at GeoNames.

geofencingActivationDeniedCountries
string
Example: "RU"

Comma-separated list of countries where registration is not allowed, in an ISO 3166-1 alpha-2 two-letter country code format.

These countries will be excluded from those covered by the allowed continents parameter.

You can find a list of countries and corresponding codes at GeoNames.

geofencingAuthenticationMode
string
Example: "OFF"

The geofencing mode to use for the authentication.

Allowed values: REQUIRED, OPTIONAL, or OFF.

For more information, see Geofencing in our Application configuration feature documentation.

geofencingAuthenticationAllowedContinents
string
Example: "EU"

Comma-separated list of continents where authentication is allowed, in a two-letter continent code format.

Allowed values: AF, NA, OC, AN, AS, EU, or SA.

geofencingAuthenticationAllowedCountries
string
Example: "US"

Comma-separated list of countries where authentication is allowed, in an ISO 3166-1 alpha-2 two-letter country code format.

These countries are in addition to those covered by the allowed continents parameter.

You can find a list of countries and corresponding codes at GeoNames.

geofencingAuthenticationDeniedCountries
string
Example: "RU"

Comma-separated list of countries where authentication is not allowed, in an ISO 3166-1 alpha-2 two-letter country code format.

These countries will be excluded from those covered by the allowed continents parameter.

You can find a list of countries and corresponding codes at GeoNames.

geofencingTimeout
string
Example: "10000"

The maximum time (given in milliseconds) to wait for the location lookup and reverse geocoding to complete on the SDK.

The timing starts when the SDK calls the finish operation.

If the timeout is exceeded, then the SDK will continue without a country.

Allowed values: From 0 to MAXINT.

attestationIosAppAttestMode
string
Example: "OFF"

The iOS App Attest attestation mode to use for the operation.

Allowed values: REQUIRED, OPTIONAL or OFF.

For more information, see App attestation in our Application configuration feature documentation.

attestationIosAppAttestEnvironment
string
Example: "PRODUCTION"

The environment for an app that uses the App Attest service to validate itself.

Allowed values: DEVELOPMENT, PRODUCTION

attestationIosAppAttestTimeout
string
Example: "20000"

iOS app attestation timeout, after this time, in milliseconds, the attestation request will time out. Allowed values: From 1 to MAXINT

attestationIosAppAttestAppId
string
Example: "some app id"

Application ID which is a concatenation of a 10-digit team identifier, a period, and the app's CFBundleIdentifier value.

Note: This is required when using Apple App Attest service.

apnsTimeSensitiveInterruptionLevelEnabled
string
Example: "false"

Sets the interruption level for push messages to iOS devices to time-sensitive.

When enabled, push notifications can notify the end-users, even when the device is in Focus mode.

attestationAndroidPlayIntegrityMode
string
Example: "REQUIRED"

The Android Play Integrity attestation mode to use for the operation.

Allowed values: REQUIRED, OPTIONAL or OFF.

Note: Play Integrity attestation was introduced in version 3.17 and is only applicable for clients 3.17 or newer.

For more information, see App attestation in our Application configuration feature documentation.

attestationAndroidPlayIntegrityTimeout
string
Example: "30000"

Play Integrity attestation timeout, in milliseconds, the timeout for a request made to Play Integrity.

Note: This is required if attestationAndroidPlayIntegrityMode is REQUIRED or OPTIONAL.

attestationAndroidPlayIntegrityDecryptionKey
string
Example: "<key>"

Play Integrity attestation decryption key, used to decrypt the integrity token.

Note: This is required if attestationAndroidPlayIntegrityMode is REQUIRED or OPTIONAL.

attestationAndroidPlayIntegrityVerificationKey
string
Example: "<key>"

Play Integrity attestation verification key, used to validate the integrity token.

Note: This is required if attestationAndroidPlayIntegrityMode is REQUIRED or OPTIONAL.

lockScope
string
Example: "DEVICE"

Configure lock scope.

Allowed values: AUTH_METHOD or DEVICE

Responses

Request samples

Content type
application/json
{
  • "amountFailuresAllowed": "3"
}

Response samples

Content type
application/json
{
  • "amountFailuresAllowed": "3",
  • "activationCodeType": "NUMERIC",
  • "activationCodeLength": "6",
  • "allowedAuthMethods": [
    ],
  • "maxPinCodeLength": "6",
  • "pinCodeLength": "6",
  • "pinCodeType": "NUMERIC",
  • "maximumSessionExpiry": "187200000",
  • "sessionExpiry": "300000",
  • "apnExpiry": "1",
  • "enabledRiskData": [
    ],
  • "hwKeyValidationStrategy": "SUPPORTED",
  • "nativePushEnabled": "false",
  • "firebaseTimeToLive": "0",
  • "firebaseServiceAccount": "<Base64 encoded string>",
  • "allowedAuthMethodsForAuthAndActivate": [
    ],
  • "recoveryEnabled": "false",
  • "recoveryCodeMinLength": "6",
  • "recoveryCodeMaxLength": "50",
  • "recoveryCodeFormat": "NUMERIC",
  • "recoveryCodeAmountFailuresAllowed": "3",
  • "apnsNotificationSoundEnabled": "true",
  • "geofencingActivationMode": "OFF",
  • "geofencingAuthenticationMode": "OFF",
  • "geofencingTimeout": "10000",
  • "attestationIosAppAttestMode": "OFF",
  • "attestationIosAppAttestEnvironment": "PRODUCTION",
  • "attestationIosAppAttestTimeout": "20000",
  • "attestationAndroidPlayIntegrityMode": "OFF",
  • "attestationAndroidPlayIntegrityTimeout": "200000",
  • "apnsTimeSensitiveInterruptionLevelEnabled": "true",
  • "clientDebugDataEnabledOsTypes": "IOS,ANDROID",
  • "lockScope": "DEVICE"
}

Get application configuration

The Get application configuration operation returns a specified application configuration.

Authorizations:
None
query Parameters
signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

Responses

Response samples

Content type
application/json
{
  • "uuid": "762e9a1a-01f4-4731-a540-4f75dbeae43c",
  • "appId": "a-sdge-abcdefghijk123456789",
  • "state": "ENABLED",
  • "properties": {
    }
}

Signing certificates

The MobileID Admin signing certificates API allows you to get signing certificates, which can be used for certificate verification.

Useful information

JSON Web Tokens (JWTs) are returned as a result of the MobileID signature operation, and are signed with a private key.

A signing certificate contains the corresponding public key, which can be used to verify the signature.

Note: The request and response samples are for illustrative purposes only, and discrepancies can occur between the sample values in request and response objects.

Get signing certificates

The Get list of signing certificates operation returns a list of signing certificates for MobileID.

You can specify the state of the signing certificates that you would like to list.

If a state (state) is not specified in the query parameters, then the operation will return a list containing the current signing certificates and the signing certificates that were used previously.

Note: A previously used signing certificate is a certificate whose corresponding private key has at some point of time, been used for signing JWTs.

Authorizations:
None
query Parameters
state
string
Example: state=ACTIVE

The state of the signing certificates that you want to list.

This is an an enum, and can be either ACTIVE or DEACTIVATED.

If not provided, then all certificate types are listed.

signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

Responses

Response samples

Content type
application/json
{
  • "signingCertificates": [
    ]
}

End-to-end (E2E) keys

The MobileID Admin end-to-end (E2E) keys API provides you with operations related to creating and managing your E2E keys.

We use E2E keys to create an extra encryption layer in addition to the TLS between the MobileID server and the SDK. They are required for configuring the Authenticator App and the mobile SDK.

Useful information

For each MobileID account, we create a new E2E key during the onboarding process. We strongly recommend that you use this specific key for the corresponding MobileID account and application configuration.

Ensure that you do not share E2E keys between sandbox and production accounts.

Note: The request and response samples are for illustrative purposes only, and discrepancies can occur between the sample values in request and response objects.

Update E2E key

Changing the state of the key. Changing state to DISABLED means that it will no longer be usable for client requests.

Authorizations:
None
path Parameters
e2eKeyId
required
string
Example: 82a634bf-a485-457c-90c4-88ddd56319ac

The ID of the end-to-end key.

query Parameters
signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

Request Body schema: application/json
required
state
string

Responses

Request samples

Content type
application/json
{
  • "state": "DISABLED"
}

Response samples

Content type
application/json
{
  • "state": "DISABLED"
}

Get E2E keys

The Get E2E keys operation returns a list of the E2E key objects for the organisation that the account belongs to. This includes both production and sandbox E2E keys.

The maximum number of E2E key objects per list is 20.

You can specify the state of the E2E keys that you would like to list.

If a state (state) is not specified in the query parameters, then the operation will return a list containing E2E keys of all states.

Note: E2E keys have the account name in the E2E key name (name).

Authorizations:
None
query Parameters
state
string
Example: state=ENABLED

The state of the E2E keys that you want to list.

This is an an enum, and can be either ENABLED or DISABLED.

If not provided, then all E2E key types are listed.

signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

Responses

Response samples

Content type
application/json
{
  • "e2eKeys": [
    ]
}

Add E2E key

Create a new end-to-end key. A new end-to-end key pair is generated by the server and the public key is sent back in the response.

Authorizations:
None
query Parameters
signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

Request Body schema: application/json
required
name
required
string non-empty
Example: "Default E2E key"

Name for the end-to-end key

description
string
Example: "This is the E2E key ..."

Description for the end-to-end key

Responses

Request samples

Content type
application/json
{
  • "name": "Default E2E key - migrated",
  • "description": "Default key/cert generated at first db init"
}

Response samples

Content type
application/json
{
  • "id": "op36b8k9-xr2f-996f-9039-a1baba22bc1b",
  • "name": "Default E2E key - migrated",
  • "description": "Default key/cert generated at first db init",
  • "createdBy": "52e107e6-1ce9-4a4b-a051-612ad888de11",
  • "created": "2023-01-05T12:04:24.812Z",
  • "sha256Fingerprint": "21:31:57:72:33:ec:23:84:ad:30:68:1c:e3:ab",
  • "publicKey": "cHVibGljS2V5VmFsdWU=",
  • "state": "ENABLED"
}

Get E2E key

Get details for an end-to-end Key.

Authorizations:
None
path Parameters
e2eKeyId
required
string
Example: 82a634bf-a485-457c-90c4-88ddd56319ac

The ID of the end-to-end key.

query Parameters
signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

Responses

Response samples

Content type
application/json
{
  • "id": "op36b8k9-xr2f-996f-9039-a1baba22bc1b",
  • "name": "Default E2E key - migrated",
  • "description": "Default key/cert generated at first db init",
  • "createdBy": "52e107e6-1ce9-4a4b-a051-612ad888de11",
  • "created": "2023-01-05T12:04:24.812Z",
  • "sha256Fingerprint": "21:31:57:72:33:ec:23:84:ad:30:68:1c:e3:ab",
  • "publicKey": "cHVibGljS2V5VmFsdWU=",
  • "state": "ENABLED"
}

Delete E2E key

Delete a specific end-to-end key.

Authorizations:
None
path Parameters
e2eKeyId
required
string
Example: 82a634bf-a485-457c-90c4-88ddd56319ac

The ID of the end-to-end key.

query Parameters
signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

Responses

Response samples

Content type
application/json
Example

Account ID missing

{
  • "type": "https://developer.signicat.com/errors?code=account_id_missing",
  • "title": "An Account ID must be specified for this request",
  • "code": "account_id_missing",
  • "status": 400,
  • "traceId": "4bf239c088089f2bca77d3a413909f1c",
  • "detail": "An Account ID must be specified for this request. An AccountID can be specified in three ways. 1) For machine clients configured on an Account, the provided access token will specify the account ID. 2) Account ID can be provided as a query parameter `signicat-accountId=<accountId>`. 3) Account ID can be provided as a HTTP Header `Signicat-AccountId: <accountId>`. A request will be rejected if more than one account ID is specified."
}

Risk indicators configuration

You can use the Risk indicators configuration resource for operations related to retrieving and updating risk indicator properties.

Note: The request and response samples are for illustrative purposes only, and discrepancies can occur between the sample values in request and response objects.

Get risk indicators configuration

This operation returns the risk indicators for a specified account.

Authorizations:
None
query Parameters
signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

Responses

Response samples

Content type
application/json
{
  • "riskIndicatorsConfiguration": {
    }
}

Update risk indicators configuration

This operation updates the risk indicators for a specified account.

Authorizations:
None
query Parameters
signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

Request Body schema: application/json
required
object (RiskIndicatorsProperties)
Example: {"riskIndicatorsConfiguration":{"allowedNrOfUsersWithSameDeviceHash":"3"}}

Account configuration properties. To delete an existing property, supply value null for the property to be deleted

allowedNrOfUsersWithSameDeviceHash
string
Example: "2"

The maximum number of users that can have devices with the same device hash without it being flagged as suspicious. Allowed values: The default value is 2

Responses

Request samples

Content type
application/json
{
  • "riskIndicatorsConfiguration": {
    }
}

Response samples

Content type
application/json
{
  • "riskIndicatorsConfiguration": {
    }
}

Statistics

Lock devices with device hash

This operation locks all devices associated with a given device hash.

Authorizations:
None
query Parameters
signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

Request Body schema: application/json
required
deviceHash
string
Example: "wBHQ4HC3yLEUvEwnX5EBTBAbKkCia35WwO1dxqiFvYo="

The device hash that the operation will be carried out for.

Note: This must be URL-safe Base64 encoded.

Responses

Request samples

Content type
application/json
{
  • "deviceHash": "wBHQ4HC3yLEUvEwnX5EBTBAbKkCia35WwO1dxqiFvYo="
}

Response samples

Content type
application/json
{
  • "lockedDevices": [
    ]
}

Get active users and devices (by day count)

This operation returns active user and device statistics for a Signicat account, aggregated over a period defined by a specified number of days counting back from the current date.

Authorizations:
None
query Parameters
signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

nrOfDays
integer <int32>
Example: nrOfDays=150

The number of days over which to aggregate statistics, counting back from the current date.

Responses

Response samples

Content type
application/json
{
  • "fromDate": "2022-08-01",
  • "toDate": "2024-08-31",
  • "users": {
    },
  • "devices": {
    }
}

Get active users and devices (by date interval)

This operation returns active user and device statistics for a Signicat account, aggregated over a period defined by a specified start and end date.

Authorizations:
None
query Parameters
signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

fromDate
string
Example: fromDate=2024-04-04

The start date from when the device statistics are aggregated.

Format: yyyy-MM-dd.

toDate
string
Example: toDate=2026-06-06

The end date to which the device statistics are aggregated.

Format: yyyy-MM-dd.

Responses

Response samples

Content type
application/json
{
  • "fromDate": "2022-08-01",
  • "toDate": "2024-08-31",
  • "users": {
    },
  • "devices": {
    }
}

Get detailed device statistics

This operation returns detailed device statistics for a Signicat account.

Authorizations:
None
query Parameters
signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

type
required
string
Example: type=allbasic

The type of detailed device statistics that are obtained.

Allowed values: It must be either:

Allowed values Description
sdk The Encap SDK version used.
platform The mobile device platform.
model The mobile device model name.
version The mobile device operating system version.
manufacturer The mobile device manufacturer.
allbasic Returns sdk and platform statistics.
alldetails Returns model, version, and manufacturer statistics.
platform
string
Example: platform=Android

The platform for which the detailed device statistics should be obtained.

Allowed values: It must be either ANDROID or IOS.

Note: This parameter is required if you pass either alldetails, model, version, or manufacturer as the type in the request.

Responses

Response samples

Content type
application/json

AllBasic

{
  • "accountId": "a-sdge-UWPzmkeEVjkxJPkQtm0a",
  • "aggregatedAt": "2026-04-10T10:32:42Z",
  • "total": 29,
  • "platforms": [
    ],
  • "sdkversions": [
    ]
}

Get device hash statistics

This operation returns statistics about devices that have identical device hashes. It detects and flags all device hashes that belong to two or more users.

Note:

  • Normally, each device should have a unique device hash.
  • There are use cases where multiple devices share the same device hash.
Authorizations:
None
query Parameters
signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

allowedNrOfUsersWithSameDeviceHash
integer <int64>
Example: allowedNrOfUsersWithSameDeviceHash=3

The maximum number of users that can have devices with the same device hash without it being flagged as suspicious.

Allowed values: The default value is 2.

detailed
boolean
Example: detailed=true

Determines whether an extended response containing the full set of device IDs and corresponding states is returned.

Responses

Response samples

Content type
application/json
{
  • "accountId": "a-sdge-UWPzmkeEVjkxJPkQtm0a",
  • "aggregatedAt": "2026-04-10T10:32:42Z",
  • "count": {
    },
  • "suspiciousDeviceHashes": [
    ]
}

Get devices with device hash

This operation returns a list of devices associated with a given device hash, grouped by the user that registered them.

Authorizations:
None
query Parameters
signicat-accountid
string
Example: signicat-accountid=a-sdge-abcdefghijk123456789

The ID of the Signicat account, in a valid UUID format.

Note: This is an optional parameter, as the account ID is fetched from the access token that you use when initiating the request.

deviceHash
required
string
Example: deviceHash=wBHQ4HC3yLEUvEwnX5EBTBAbKkCia35WwO1dxqiFvYo=

The device hash that the operation will be carried out for.

Note: This must be URL-safe Base64 encoded.

Responses

Response samples

Content type
application/json
[
  • {
    },
  • {
    }
]