Signicat MobileIDAdm API reference (1.0)
Signicat's MobileID Admin API offers a simple way to carry out administrative tasks and configuration management needed by Signicat's MobileID strong authentication service.
The MobileID Admin API is a RESTful API that uses the OAuth 2.0 protocol for authorisation. All request and response bodies are formatted in JSON.
If you do not have an account already, then you need to sign up to Signicat.
In the Signicat Dashboard, you must create an organisation and create an account.
Note: It is also possible to add a domain, but this is not required for MobileID.
To authenticate against our APIs, you need to set up an API client. From this step, you will obtain a Client ID and a Client Secret.
To use MobileID, you need to set the required permissions. Ensure that you select both MobileID API and MobileID Admin API as permissions.
You need to complete the onboarding of your account for MobileID. To do this, you can either:
Use the Signicat Dashboard
Log in to the Signicat Dashboard.
In the top navigation bar, use the dropdown menu next to your organisation name to select the account that you want to use MobileID on.
In the left-side menu, select Products, then select MobileID.
Click the Add MobileID button.
Use our MobileID Admin REST API
Make a request to the Add MobileID account endpoint.
Result of the onboarding
As a result of the onboarding, an account is added to the MobileID service. For each MobileID account, we will create an application configuration and an E2E key.
The application configuration is identified by an applicationId, and contains specific settings for your app. You can see all of the configurable properties in our application configuration feature documentation.
The E2E key is used for end-to-end encryption of all communication between our MobileID SDK and our service.
To configure the Authenticator App and the mobile SDK, you need the following:
- Application ID (applicationId)
- Public E2E key (publicKey)
- Server URL (https://api.signicat.com/encore/encap)
Note: Our server URL is the same for both sandbox and production accounts.
To get your Application ID (applicationId) and Public E2E key (publicKey), you can either:
Use the Signicat Dashboard
Log in to the Signicat Dashboard.
In the top navigation bar, use the dropdown menu next to your organisation name to select the account that you have onboarded to MobileID.
In the left-side menu, select MobileID.
Use the tabs for Account and E2E keys to see your Application ID and Public key.
Use our MobileID Admin REST API
Make a request to the Get MobileID account endpoint to fetch your applicationId.
Make a request to the Get E2E keys endpoint to fetch your publicKey.
For the MobileID account, you will be able to create users.
Each user can register one or more devices.
The devices can then be used to perform authentication and authorisation operations.
This API uses OAuth 2.0 for authorisation. OAuth 2.0 is an open protocol to allow secure authorisation in a simple and standardised manner.
For more information on how to access the MobileID API, see the Accessing Signicat API products guide in our developer documentation.
The MobileID Admin accounts API provides you with operations related to administering your MobileID account, such as adding an account, and fetching information about an account.
Note: The request and response samples are for illustrative purposes only, and discrepancies can occur between the sample values in request and response objects.
Get MobileID account
The Get MobileID account operation returns the properties of a MobileID account.
Authorizations:
query Parameters
signicat-accountid | string Example: signicat-accountid=a-sdge-abcdefghijk123456789 The ID of the Signicat account. This is an optional parameter, as the account ID will be fetched from the access token that you use when initiating the request. |
statistics | string Example: statistics=true Control whether the statistics ( Note: Returned statistical data is not live data. |
Responses
Response samples
- 200
- 403
- 404
Response sample when fetching a sandbox account.
{
  "created": "2023-09-06T06:47:20.000Z",
  "modified": "2023-09-06T06:49:23.000Z",
  "organisationId": "o-d-Abcdefgh1234JC4Cczm4",
  "id": "a-sdge-abcdefghijk123456789",
  "name": "Sample Account",
  "type": "SANDBOX",
  "state": "ENABLED",
  "sandboxProperties": {
    "sandboxDeviceLimit": "100",
    "numberOfDevices": "0"
  },
  "statistics": {
    "numberOfActiveDevices": "0",
    "numberOfActiveUsers": "0"
  },
  "configurations": [
    {
      "description": "Created by admin.",
      "default": true,
      "accountId": "a-sdge-abcdefghijk123456789",
      "id": "5ecbf73d-90bd-46a7-a58e-9ac56d229e3e",
      "properties": {
        "applicationId": "a-sdge-abcdefghijk123456789",
        "inactiveDeviceDeleteRetentionTime": "365"
      },
      "additionalFeatures": {
        "passportScanEnabled": false
      }
    }
  ]
}
Add MobileID account
The Add MobileID account operation fulfils the onboarding of your account to MobileID by adding an account to the MobileID service.
This is a prerequisite for all other operations.
Note: This operation is a part of the onboarding process.
Authorizations:
query Parameters
signicat-accountid | string Example: signicat-accountid=a-sdge-abcdefghijk123456789 The ID of the Signicat account. This is an optional parameter, as the account ID will be fetched from the access token that you use when initiating the request. |
Responses
Response samples
- 201
- 403
- 409
Response sample when adding a sandbox account.
{
  "created": "2023-09-06T06:54:18.000Z",
  "organisationId": "o-d-Abcdefgh1234JC4Cczm4",
  "id": "a-sdge-abcdefghijk123456789",
  "name": "Sample Account",
  "type": "SANDBOX",
  "state": "ENABLED",
  "sandboxProperties": {
    "sandboxDeviceLimit": "100",
    "numberOfDevices": "0"
  },
  "statistics": {
    "numberOfActiveDevices": "0",
    "numberOfActiveUsers": "0"
  },
  "configurations": [
    {
      "description": "Created by admin.",
      "default": true,
      "accountId": "a-sdge-abcdefghijk123456789",
      "id": "02510f61-6faf-44e0-9d58-e62cfc35d5aa",
      "properties": {
        "applicationId": "a-sdge-abcdefghijk123456789",
        "inactiveDeviceDeleteRetentionTime": "365"
      },
      "additionalFeatures": {
        "passportScanEnabled": false
      }
    }
  ]
}
Update account
Updates a specified customer account.
Authorizations:
query Parameters
signicat-accountid | string Example: signicat-accountid=a-sdge-abcdefghijk123456789 The ID of the Signicat account. This is an optional parameter, as the account ID will be fetched from the access token that you use when initiating the request. |
Request Body schema: application/json (required)
state | string Enum: "ENABLED" "DISABLED" Account state |
Responses
Request samples
- Payload
{
  "state": "ENABLED"
}
Response samples
- 200
- 400
- 403
- 404
{
  "id": "a-sdge-abcdefghijk123456789",
  "state": "ENABLED",
  "organisationId": "1fb22154-8633-417b-a918-cd59a3ccd12f",
  "encapApiKey": "M2NhZjFmYTItNmUyMi00NGFkLWE0YmUtZTZlMTZ...",
  "sandboxDeviceLimit": "200"
}
The MobileID Admin APNs tokens API provides you with operations related to creating and managing Apple Push Notifications service (APNs) tokens.
APNs tokens can be used so that your end-users can receive push notifications in your mobile app.
Note: The request and response samples are for illustrative purposes only, and discrepancies can occur between the sample values in request and response objects.
Get APNS tokens
The Get APNs tokens operation returns a list of the APNs tokens for the organisation that the account belongs to. This includes both production and sandbox APNs tokens.
The maximum number of APNs token objects per list is 20.
Authorizations:
query Parameters
signicat-accountid | string Example: signicat-accountid=a-sdge-abcdefghijk123456789 The ID of the Signicat account. This is an optional parameter, as the account ID will be fetched from the access token that you use when initiating the request. |
Responses
Response samples
- 200
- 400
- 403
{
  "apnsTokens": [
    {
      "id": "82a634bf-a485-457c-90c4-88ddd5631922",
      "description": "test-token-description",
      "name": "Test app APNs token",
      "created": "2022-12-11T12:35:52.000Z",
      "sha1Fingerprint": "ab:6b:bb:f3:e3:5e:6f:11",
      "sha256Fingerprint": "21:31:57:72:33:ec:23:84:ad:30:68:1c:e3:ab",
      "keyId": "ABCD1234",
      "teamId": "EDFG5678"
    },
    {
      "id": "c21d007a-d8ad-4856-a9ab-cee11a65de31",
      "description": "test-token-description",
      "name": "Test app APNs token",
      "created": "2022-12-11T12:35:53.000Z",
      "sha1Fingerprint": "ab:6b:bb:f3:e3:5e:6f:11",
      "sha256Fingerprint": "21:31:57:72:33:ec:23:84:ad:30:68:1c:e3:ab",
      "keyId": "ABCD1234",
      "teamId": "EDFG5678"
    }
  ]
}
Add APNS token
The Add APNs token operation enables you to add a new APNs token to your MobileID account.
An APNs token can be used by all accounts in the same organisation.
Authorizations:
query Parameters
signicat-accountid | string Example: signicat-accountid=a-sdge-abcdefghijk123456789 The ID of the Signicat account. This is an optional parameter, as the account ID will be fetched from the access token that you use when initiating the request. |
Request Body schema: application/json (required)
name required | string The name of the APNs token |
description | string The description of the APNs token |
privateKey required | string The Base64 encoded string of APNs token private key |
keyId required | string Key ID of the APNs token |
teamId required | string Team ID of Apple Developer Account |
Responses
Request samples
- Payload
{
  "name": "Test app APNs token",
  "description": "test-token-description",
  "privateKey": "replace with base64 encoded private key",
  "keyId": "ABCD1234",
  "teamId": "EDFG5678"
}
Response samples
- 201
- 400
- 403
{
  "id": "82a634bf-a485-457c-90c4-88ddd56319c1",
  "description": "test-token-description",
  "name": "Test app APNs token",
  "created": "2022-12-11T12:35:52.000Z",
  "sha1Fingerprint": "ab:6b:bb:f3:e3:5e:6f:11",
  "sha256Fingerprint": "21:31:57:72:33:ec:23:84:ad:30:68:1c:e3:ab",
  "keyId": "ABCD1234",
  "teamId": "EDFG5678"
}
Get APNS token
The Get APNs token operation returns a specified APNs token for your MobileID account.
An APNs token can be used by all accounts in the same organisation.
Authorizations:
path Parameters
apnsTokenId required | string Example: 82a634bf-a485-457c-90c4-88ddd56319ac The ID of the APNs token. |
query Parameters
signicat-accountid | string Example: signicat-accountid=a-sdge-abcdefghijk123456789 The ID of the Signicat account. This is an optional parameter, as the account ID will be fetched from the access token that you use when initiating the request. |
Responses
Response samples
- 200
- 400
- 403
- 404
{
  "id": "82a634bf-a485-457c-90c4-88ddd56319c1",
  "description": "test-token-description",
  "name": "Test app APNs token",
  "created": "2022-12-11T12:35:52.000Z",
  "sha1Fingerprint": "ab:6b:bb:f3:e3:5e:6f:11",
  "sha256Fingerprint": "21:31:57:72:33:ec:23:84:ad:30:68:1c:e3:ab",
  "keyId": "ABCD1234",
  "teamId": "EDFG5678"
}
Delete APNS token
The Delete APNs token operation deletes a specified APNs token from your MobileID account.
An APNs token can be used by all accounts in the same organisation.
Authorizations:
path Parameters
apnsTokenId required | string Example: 82a634bf-a485-457c-90c4-88ddd56319ac The ID of the APNs token. |
query Parameters
signicat-accountid | string Example: signicat-accountid=a-sdge-abcdefghijk123456789 The ID of the Signicat account. This is an optional parameter, as the account ID will be fetched from the access token that you use when initiating the request. |
Responses
Response samples
- 400
- 403
- 404
Account ID missing
{
  "title": "An Account ID must be specified for this request",
  "code": "account_id_missing",
  "status": 400,
  "traceId": "4bf239c088089f2bca77d3a413909f1c",
  "detail": "An Account ID must be specified for this request. An AccountID can be specified in three ways. 1) For machine clients configured on an Account, the provided access token will specify the account ID. 2) Account ID can be provided as a query parameter `signicat-accountId=<accountId>`. 3) Account ID can be provided as a HTTP Header `Signicat-AccountId: <accountId>`. A request will be rejected if more than one account ID is specified."
}
The MobileID Admin Application configuration API provides you with operations related to administering your application configuration.
Note: The request and response samples are for illustrative purposes only, and discrepancies can occur between the sample values in request and response objects.
An application configuration is a specific set of application attributes for a mobile application. These attributes determine how the application should work.
What does it look like?
An application configuration consists of the following:
- The UUID of the application configuration.
- The ID of the application configuration.
- The name of the application configuration.
- The APNs UUID of the application configuration.
- The state of the application configuration.
- An object containing the properties of the application configuration.
You can also use this API to configure MobileID features, by making changes to the default values in the application configuration properties. For further information, see our MobileID feature guides.
Always collected risk data
Some risk data is always collected, for debugging purposes. This means that for enabledRiskData:
- If you pass null, the always collected risk data will still be returned.
- If you specify risk attributes, the always collected risk data will be returned in addition to those you have specified.
You can find a list of what risk data is always enabled in the MobileID API reference documentation. See risk attributes in the Common concepts section.
Get state of application configuration
The Get state of application configuration operation returns the state of a specified application configuration.
Authorizations:
query Parameters
signicat-accountid | string Example: signicat-accountid=a-sdge-abcdefghijk123456789 The ID of the Signicat account. This is an optional parameter, as the account ID will be fetched from the access token that you use when initiating the request. |
Responses
Response samples
- 200
- 400
- 403
- 404
{
  "state": "ENABLED"
}
Update state of application configuration
The Update state of application configuration operation enables you to update the state of a specified application configuration.
Authorizations:
query Parameters
signicat-accountid | string Example: signicat-accountid=a-sdge-abcdefghijk123456789 The ID of the Signicat account. This is an optional parameter, as the account ID will be fetched from the access token that you use when initiating the request. |
Request Body schema: application/json (required)
state required | string The state of the application configuration. This can be either |
Responses
Request samples
- Payload
{
  "state": "ENABLED"
}
Response samples
- 200
- 400
- 403
- 404
{
  "state": "ENABLED"
}
Get APNs UUID of application configuration
The Get APNs UUID of application configuration operation returns the APNs UUID of a specified application configuration.
Authorizations:
query Parameters
signicat-accountid | string Example: signicat-accountid=a-sdge-abcdefghijk123456789 The ID of the Signicat account. This is an optional parameter, as the account ID will be fetched from the access token that you use when initiating the request. |
Responses
Response samples
- 200
- 400
- 403
- 404
{
  "apnsUuid": "12ef6f3a-a12a-4c5e-bb1b-1d75a9f37d59"
}
Update APNs UUID of application configuration
The Update APNs UUID of application configuration operation enables you to update a specified APNs UUID of an application configuration.
Authorizations:
query Parameters
signicat-accountid | string Example: signicat-accountid=a-sdge-abcdefghijk123456789 The ID of the Signicat account. This is an optional parameter, as the account ID will be fetched from the access token that you use when initiating the request. |
Request Body schema: application/json (required)
apnsUuid required | string The application config's apns UUID |
Responses
Request samples
- Payload
{
  "apnsUuid": "12ef6f3a-a12a-4c5e-bb1b-1d75a9f37d59"
}
Response samples
- 200
- 400
- 403
- 404
{
  "apnsUuid": "12ef6f3a-a12a-4c5e-bb1b-1d75a9f37d59"
}
Get properties of application configuration
The Get properties of application configuration operation returns the properties of a specified application configuration.
Authorizations:
query Parameters
signicat-accountid | string Example: signicat-accountid=a-sdge-abcdefghijk123456789 The ID of the Signicat account. This is an optional parameter, as the account ID will be fetched from the access token that you use when initiating the request. |
Responses
Response samples
- 200
- 400
- 403
- 404
{
  "amountFailuresAllowed": "3",
  "activationCodeType": "NUMERIC",
  "activationCodeLength": "6",
  "allowedAuthMethods": [
    "DEVICE",
    "DEVICE:PIN",
    "DEVICE:STRONG_TOUCH_ID",
    "DEVICE:IOS_FACE_ID",
    "DEVICE:ANDROID_BIOMETRIC_PROMPT",
    "DEVICE:SERVER_SIDE_FACE"
  ],
  "maxPinCodeLength": "6",
  "pinCodeLength": "6",
  "pinCodeType": "NUMERIC",
  "maximumSessionExpiry": "187200000",
  "sessionExpiry": "300000",
  "apnExpiry": "1",
  "enabledRiskData": [
    "deviceHash",
    "deviceModel",
    "deviceManufacturer",
    "operatingSystemFingerprint",
    "operatingSystemVersion",
    "operatingSystemType"
  ],
  "hwKeyValidationStrategy": "SUPPORTED",
  "nativePushEnabled": "false",
  "firebaseTimeToLive": "0",
  "firebaseServiceAccount": "<Base64 encoded string>",
  "allowedAuthMethodsForAuthAndActivate": [
    "DEVICE:PIN"
  ],
  "recoveryEnabled": "false",
  "recoveryCodeMinLength": "6",
  "recoveryCodeMaxLength": "50",
  "recoveryCodeFormat": "NUMERIC",
  "recoveryCodeAmountFailuresAllowed": "3",
  "apnsNotificationSoundEnabled": "true",
  "geofencingActivationMode": "OFF",
  "geofencingAuthenticationMode": "OFF",
  "geofencingTimeout": "10000",
  "attestationIosAppAttestMode": "OFF",
  "attestationIosAppAttestEnvironment": "PRODUCTION",
  "attestationIosAppAttestTimeout": "20000",
  "attestationAndroidPlayIntegrityMode": "OFF",
  "attestationAndroidPlayIntegrityTimeout": "200000",
  "apnsTimeSensitiveInterruptionLevelEnabled": "true",
  "clientDebugDataEnabledOsTypes": "IOS,ANDROID",
  "serverSideFaceEnabled": "false",
  "lockScope": "DEVICE"
}
Update properties of application configuration
The Update properties of application configuration operation enables you to update the properties of a specified application configuration.
It is not currently possible to update the following properties with this endpoint:
- maximumSessionExpiry
- clientDebugDataEnabledOsTypes
If you would like to update them, please contact us at support@signicat.com.
Note: You will still see these properties returned in the operation response.
Authorizations:
query Parameters
signicat-accountid | string Example: signicat-accountid=a-sdge-abcdefghijk123456789 The ID of the Signicat account. This is an optional parameter, as the account ID will be fetched from the access token that you use when initiating the request. |
Request Body schema: application/json (required)
amountFailuresAllowed | string The grace amount of failed authentications for any client before they are locked out. Allowed values: 0..MAXINT |
activationCodeType | string The type of characters that can be used during the generation of the activation code. Allowed values: ALPHA, ALPHANUMERIC, ANY or NUMERIC |
activationCodeLength | string The length in characters of the activation code that should be generated. Allowed values: 4 .. MAXINT |
allowedAuthMethods | Array of strings Comma separated list of allowed authentication methods. Determines which auth methods can be activated and used for authentication |
apnConfig | string The APN server configuration that defines where to reach the APNs. Allowed values: PRODUCTION or SANDBOX |
enabledRiskData | Array of strings The risk attributes to collect for the device. You can find out how to configure which attributes are collected in the application configuration feature documentation. |
maxPinCodeLength | string The maximum length in characters of the PIN. Allowed values: 1..MAXINT |
pinCodeLength | string The length in characters of the PIN. Set 0 to disable PIN code. Note: This is a hint to the client and not enforced by the server (but enforced in the client SDK). Allowed values: 1..MAXINT |
pinCodeType | string The type of characters that can be used in the PIN. Note: This is a hint to the client and not enforced by the server. Allowed values: ANY, NUMERIC, ALPHA, ALPHANUMERIC |
sessionExpiry | string The amount of time (in milliseconds) that a new client session remains valid for. After this time has elapsed, the session can no longer be used for any operations. Allowed values: 1..MAXINT |
minimumRequiredEncapApiVersionAndroid | string Which Android client SDK versions should be allowed. This can be used to narrow (not extend) the SDK version. For example, if the server minimum is "3.5.0" and someone wants to allow only "3.6.0" clients, this can be achieved here. But putting "3.3.0" will not have any effect. Allowed values: Semantic version, ex: "3.7.0" |
minimumRequiredEncapApiVersionIos | string The same as minimumRequiredEncapApiVersionAndroid, but applies to iOS clients. Allowed values: Semantic version, ex: "3.7.0" |
apnExpiry | string The amount of time (in milliseconds) that APNs will try to deliver the message for. If not delivered within this time, then the message is discarded. The allowed value is from Note: APNS will attempt to deliver the message at least once, regardless of the set expiration time. |
encapApiBlacklistAndroid | string Android SDK API versions to blacklist (and reject). See the android configuration chapter in the server manual for smart device for details. Allowed values: Comma separated semantic version, ex: "3.5.3, 3.6.8" |
encapApiBlacklistIos | string iOS SDK API versions to blacklist (and reject). See the ios configuration chapter in the server manual for smart device for details. Allowed values: Comma separated semantic version, ex: "3.5.3, 3.6.8" |
nativePushEnabled | string Enable the server to send push messages with Firebase Cloud Messaging or Apple APNs. Allowed values: true or false |
firebaseTimeToLive | string Firebase Cloud Messaging. Maximum lifespan of the message in milliseconds. The default value is 0. This means deliver “now or never”. FCM guarantees best effort for messages with this lifespan. Allowed values: 0..MAXINT |
firebaseServiceAccount | string Firebase Cloud Messaging. The contents of the serviceAccount.json (credentials file) for your Firebase Cloud Messaging project. The field has to be Base64 encoded. |
attestationAndroidPackageName | string Play Integrity Attestation, the APK package name. Required if attestationAndroidPlayIntegrityMode is REQUIRED or OPTIONAL. |
apnsBundleId | string Apple's bundle ID for the application. Used as topic on the push message sent to APNs, required when using APNS_TOKEN. |
allowedAuthMethodsForAuthAndActivate | Array of strings Comma separated list of allowed authentication methods for activation of a new auth method. Determines which auth methods can be used to authenticate during activation of a new auth method. The value(s) here must be present in the ALLOWED_AUTH_METHODS parameter. Offline authentication methods cannot be used here. |
recoveryEnabled | string Enable users to set up recovery with an alternative set of user credentials. Allowed values: true or false |
recoveryCodeMinLength | string The minimum number of characters for the recovery PIN. Note: This is a hint to the client and not enforced by the server. Allowed values: 0..MAXINT |
recoveryCodeMaxLength | string The maximum number of characters for the recovery PIN. Note: This is a hint to the client and not enforced by the server. Allowed values: 0..MAXINT |
recoveryCodeFormat | string The type of characters that can be used in the recovery PIN. Note: This is a hint to the client and not enforced by the server. Allowed values: ALPHA, ALPHANUMERIC, ANY, NUMERIC |
recoveryCodeAmountFailuresAllowed | string The grace amount of failed recovery code attempts for any client before the recovery for the client is locked. Allowed values: 0..MAXINT |
apnsNotificationSoundEnabled | string Enable notification sound for push messages to iOS devices. Allowed values: true, false |
geofencingActivationMode | string Determines if or how geofencing is used for registration. The geofencing mode can be either You can read about what the different geofencing modes mean in our application configuration feature documentation. |
geofencingActivationAllowedContinents | string Comma-separated list of continents where registration is allowed, in a two-letter continent code format. This can be either |
geofencingActivationAllowedCountries | string Comma-separated list of countries where registration is allowed, in an ISO 3166-1 alpha-2 two-letter country code format. These countries are in addition to those covered by the allowed continents parameter. You can find a list of countries and corresponding codes at GeoNames. |
geofencingActivationDeniedCountries | string Comma-separated list of countries where registration is not allowed, in an ISO 3166-1 alpha-2 two-letter country code format. These countries will be excluded from those covered by the allowed continents parameter. You can find a list of countries and corresponding codes at GeoNames. |
geofencingAuthenticationMode | string Determines if or how geofencing is used for authentication. The geofencing mode can be either You can read about what the different geofencing modes mean in our application configuration feature documentation. |
geofencingAuthenticationAllowedContinents | string Comma-separated list of continents where authentication is allowed, in a two-letter continent code format. This can be either |
geofencingAuthenticationAllowedCountries | string Comma-separated list of countries where authentication is allowed, in an ISO 3166-1 alpha-2 two-letter country code format. These countries are in addition to those covered by the allowed continents parameter. You can find a list of countries and corresponding codes at GeoNames. |
geofencingAuthenticationDeniedCountries | string Comma-separated list of countries where authentication is not allowed, in an ISO 3166-1 alpha-2 two-letter country code format. These countries will be excluded from those covered by the allowed continents parameter. You can find a list of countries and corresponding codes at GeoNames. |
geofencingTimeout | string The maximum time (given in milliseconds) to wait for the location lookup and reverse geocoding to complete on the SDK. The timing starts when the SDK calls the finish operation. If the timeout is exceeded, then the SDK will continue without a country. The allowed value is from |
attestationIosAppAttestMode | string iOS Attestation mode when using Apple App Attest. REQUIRED: App attestation enabled. If attestation fails the activation/authentication request will fail. Note that devices running versions of iOS older than 14 will always fail if the mode is set to REQUIRED, due to requirements by the Apple App Attest API. OPTIONAL: App attestation enabled. Even if the attestation fails, the activation/authentication request will succeed, and a new attestation will be performed on the next request. The status can be seen in the response object. OFF: App attestation disabled. Allowed values: REQUIRED, OPTIONAL, OFF |
attestationIosAppAttestEnvironment | string The environment for an app that uses the App Attest service to validate itself. Allowed values: DEVELOPMENT, PRODUCTION |
attestationIosAppAttestTimeout | string iOS app attestation timeout. After this time, in milliseconds, the attestation request will time out. Allowed values: 1..MAXINT |
attestationIosAppAttestAppId | string Application ID which is a concatenation of a 10-digit team identifier, a period, and the app's CFBundleIdentifier value. Required when using Apple App Attest service. |
apnsTimeSensitiveInterruptionLevelEnabled | string Sets the interruption level for push messages to iOS devices to "time-sensitive". When enabled, this will allow push notifications to notify users even when the device is in "Focus" mode. |
attestationAndroidPlayIntegrityMode | string Play Integrity attestation mode. REQUIRED: Play Integrity attestation is performed. If attestation fails, the activation/authentication request will fail. OPTIONAL: Play Integrity attestation is performed. If attestation fails, the activation/authentication request will not fail and a new attestation is performed on the next request. OFF: Play Integrity attestation is not performed. Play Integrity attestation was introduced in version 3.17 and will only be applicable for clients 3.17 or newer. |
attestationAndroidPlayIntegrityTimeout | string Play Integrity attestation timeout, in milliseconds, the timeout for a request made to Play Integrity. Required if attestationAndroidPlayIntegrityMode is REQUIRED or OPTIONAL. |
attestationAndroidPlayIntegrityDecryptionKey | string Play Integrity attestation decryption key, used to decrypt the integrity token. Required if attestationAndroidPlayIntegrityMode is REQUIRED or OPTIONAL. |
attestationAndroidPlayIntegrityVerificationKey | string Play Integrity attestation verification key, used to validate the integrity token. Required if attestationAndroidPlayIntegrityMode is REQUIRED or OPTIONAL. |
serverSideFaceEnabled | string Enable the server to use Server Side Face feature. Allowed values: true or false |
lockScope | string Configure lock scope. Allowed values: AUTH_METHOD or DEVICE |
Responses
Request samples
- Payload
{
  "amountFailuresAllowed": "3"
}
Response samples
- 200
- 400
- 403
- 404
{
  "amountFailuresAllowed": "3",
  "activationCodeType": "NUMERIC",
  "activationCodeLength": "6",
  "allowedAuthMethods": [
    "DEVICE",
    "DEVICE:PIN",
    "DEVICE:STRONG_TOUCH_ID",
    "DEVICE:IOS_FACE_ID",
    "DEVICE:ANDROID_BIOMETRIC_PROMPT",
    "DEVICE:SERVER_SIDE_FACE"
  ],
  "maxPinCodeLength": "6",
  "pinCodeLength": "6",
  "pinCodeType": "NUMERIC",
  "maximumSessionExpiry": "187200000",
  "sessionExpiry": "300000",
  "apnExpiry": "1",
  "enabledRiskData": [
    "deviceHash",
    "deviceModel",
    "deviceManufacturer",
    "operatingSystemFingerprint",
    "operatingSystemVersion",
    "operatingSystemType"
  ],
  "hwKeyValidationStrategy": "SUPPORTED",
  "nativePushEnabled": "false",
  "firebaseTimeToLive": "0",
  "firebaseServiceAccount": "<Base64 encoded string>",
  "allowedAuthMethodsForAuthAndActivate": [
    "DEVICE:PIN"
  ],
  "recoveryEnabled": "false",
  "recoveryCodeMinLength": "6",
  "recoveryCodeMaxLength": "50",
  "recoveryCodeFormat": "NUMERIC",
  "recoveryCodeAmountFailuresAllowed": "3",
  "apnsNotificationSoundEnabled": "true",
  "geofencingActivationMode": "OFF",
  "geofencingAuthenticationMode": "OFF",
  "geofencingTimeout": "10000",
  "attestationIosAppAttestMode": "OFF",
  "attestationIosAppAttestEnvironment": "PRODUCTION",
  "attestationIosAppAttestTimeout": "20000",
  "attestationAndroidPlayIntegrityMode": "OFF",
  "attestationAndroidPlayIntegrityTimeout": "200000",
  "apnsTimeSensitiveInterruptionLevelEnabled": "true",
  "clientDebugDataEnabledOsTypes": "IOS,ANDROID",
  "serverSideFaceEnabled": "false",
  "lockScope": "DEVICE"
}
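As an added example (not Signicat code), the following pre-flight check applies the constraints from the Update properties table above to a payload before it is sent: the two properties this endpoint cannot update, the documented allowed values and minimums, and the cross-field requirements for auth methods and attestation. It assumes the update is merged into the existing properties; preflight, CURRENT and UPDATE are hypothetical names and the sample values are constructed.

```python
"""Pre-flight check for an "Update properties of application configuration" payload.

Added example, not Signicat code. Rules are transcribed from the property
table on this page; all names defined here are hypothetical.
"""

# Properties the page says cannot be updated with this endpoint.
READ_ONLY = {"maximumSessionExpiry", "clientDebugDataEnabledOsTypes"}

CHAR_TYPES = {"ALPHA", "ALPHANUMERIC", "ANY", "NUMERIC"}
MODES = {"REQUIRED", "OPTIONAL", "OFF"}
ENUMS = {
    "activationCodeType": CHAR_TYPES,
    "pinCodeType": CHAR_TYPES,
    "recoveryCodeFormat": CHAR_TYPES,
    "apnConfig": {"PRODUCTION", "SANDBOX"},
    "attestationIosAppAttestMode": MODES,
    "attestationIosAppAttestEnvironment": {"DEVELOPMENT", "PRODUCTION"},
    "attestationAndroidPlayIntegrityMode": MODES,
    "lockScope": {"AUTH_METHOD", "DEVICE"},
}
for flag in ("nativePushEnabled", "recoveryEnabled", "serverSideFaceEnabled",
             "apnsNotificationSoundEnabled"):
    ENUMS[flag] = {"true", "false"}

# Lower bounds from the "Allowed values" ranges (values are sent as strings).
MIN_INT = {
    "amountFailuresAllowed": 0, "activationCodeLength": 4, "maxPinCodeLength": 1,
    "sessionExpiry": 1, "firebaseTimeToLive": 0, "recoveryCodeMinLength": 0,
    "recoveryCodeMaxLength": 0, "recoveryCodeAmountFailuresAllowed": 0,
    "attestationIosAppAttestTimeout": 1,
}

# Properties required once an attestation mode is REQUIRED or OPTIONAL.
REQUIRES = {
    "attestationAndroidPlayIntegrityMode": [
        "attestationAndroidPackageName",
        "attestationAndroidPlayIntegrityTimeout",
        "attestationAndroidPlayIntegrityDecryptionKey",
        "attestationAndroidPlayIntegrityVerificationKey",
    ],
    "attestationIosAppAttestMode": ["attestationIosAppAttestAppId"],
}

# Documented as "a hint to the client and not enforced by the server".
CLIENT_HINTS = {"pinCodeLength", "pinCodeType", "recoveryCodeMinLength",
                "recoveryCodeMaxLength", "recoveryCodeFormat"}


def preflight(current, update):
    """Return (payload, findings); findings are (severity, property, message)."""
    findings, payload = [], {}
    for key, value in update.items():
        if key in READ_ONLY:
            findings.append(("error", key, "cannot be updated with this endpoint"))
            continue
        payload[key] = value

    for key, value in payload.items():
        if key in ENUMS and (not isinstance(value, str) or value not in ENUMS[key]):
            findings.append(("error", key, f"{value!r} not in {sorted(ENUMS[key])}"))
        if key in MIN_INT:
            ok = isinstance(value, str) and value.isascii() and value.isdigit()
            if not ok or int(value) < MIN_INT[key]:
                findings.append(("error", key,
                                 f"must be an integer string >= {MIN_INT[key]}"))
        if key in CLIENT_HINTS:
            findings.append(("info", key, "client hint, not enforced by the server"))

    # Assumption: the server merges the update into the existing properties,
    # and Get properties returns the values checked below.
    merged = {**current, **payload}
    allowed = set(merged.get("allowedAuthMethods", []))
    extra = [m for m in merged.get("allowedAuthMethodsForAuthAndActivate", [])
             if m not in allowed]
    if extra:
        findings.append(("error", "allowedAuthMethodsForAuthAndActivate",
                         f"{extra} not present in allowedAuthMethods"))

    for mode_key, needed in REQUIRES.items():
        mode = merged.get(mode_key, "OFF")
        if mode in ("REQUIRED", "OPTIONAL"):
            for key in needed:
                if not merged.get(key):
                    findings.append(("error", key, f"required when {mode_key} is {mode}"))
        if mode == "OPTIONAL" and mode_key in payload:
            findings.append(("warn", mode_key,
                             "requests still succeed when attestation fails"))
    return payload, findings


CURRENT = {  # constructed: subset of the response sample above
    "allowedAuthMethods": ["DEVICE", "DEVICE:PIN", "DEVICE:IOS_FACE_ID"],
    "allowedAuthMethodsForAuthAndActivate": ["DEVICE:PIN"],
    "attestationAndroidPlayIntegrityMode": "OFF",
    "attestationAndroidPlayIntegrityTimeout": "200000",
    "attestationIosAppAttestMode": "OFF",
}
UPDATE = {  # constructed update with several deliberate problems
    "maximumSessionExpiry": "999999999",
    "activationCodeLength": "3",
    "allowedAuthMethodsForAuthAndActivate": ["DEVICE:PIN", "DEVICE:STRONG_TOUCH_ID"],
    "attestationAndroidPlayIntegrityMode": "REQUIRED",
    "attestationAndroidPackageName": "com.example.app",
    "pinCodeType": "NUMERIC",
}

if __name__ == "__main__":
    to_send, problems = preflight(CURRENT, UPDATE)
    for severity, prop, message in problems:
        print(f"{severity:5} {prop}: {message}")
```

Only the payload returned by preflight should be sent, and only when the findings contain no error entries.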
Get application configuration
The Get application configuration operation returns a specified application configuration.
Authorizations:
query Parameters
signicat-accountid | string Example: signicat-accountid=a-sdge-abcdefghijk123456789 The ID of the Signicat account. This is an optional parameter, as the account ID will be fetched from the access token that you use when initiating the request. |
Responses
Response samples
- 200
- 400
- 403
- 404
{
  "uuid": "762e9a1a-01f4-4731-a540-4f75dbeae43c",
  "appId": "a-sdge-abcdefghijk123456789",
  "state": "ENABLED",
  "properties": {
    "amountFailuresAllowed": "3",
    "activationCodeType": "NUMERIC",
    "activationCodeLength": "6",
    "allowedAuthMethods": [
      "DEVICE",
      "DEVICE:PIN",
      "DEVICE:STRONG_TOUCH_ID",
      "DEVICE:IOS_FACE_ID",
      "DEVICE:ANDROID_BIOMETRIC_PROMPT",
      "DEVICE:SERVER_SIDE_FACE"
    ],
    "maxPinCodeLength": "6",
    "pinCodeLength": "6",
    "pinCodeType": "NUMERIC",
    "maximumSessionExpiry": "187200000",
    "sessionExpiry": "300000",
    "apnExpiry": "1",
    "enabledRiskData": [
      "deviceHash",
      "deviceModel",
      "deviceManufacturer",
      "operatingSystemFingerprint",
      "operatingSystemVersion",
      "operatingSystemType"
    ],
    "hwKeyValidationStrategy": "SUPPORTED",
    "nativePushEnabled": "false",
    "firebaseTimeToLive": "0",
    "firebaseServiceAccount": "<Base64 encoded string>",
    "allowedAuthMethodsForAuthAndActivate": [
      "DEVICE:PIN"
    ],
    "recoveryEnabled": "false",
    "recoveryCodeMinLength": "6",
    "recoveryCodeMaxLength": "50",
    "recoveryCodeFormat": "NUMERIC",
    "recoveryCodeAmountFailuresAllowed": "3",
    "apnsNotificationSoundEnabled": "true",
    "geofencingActivationMode": "OFF",
    "geofencingAuthenticationMode": "OFF",
    "geofencingTimeout": "10000",
    "attestationIosAppAttestMode": "OFF",
    "attestationIosAppAttestEnvironment": "PRODUCTION",
    "attestationIosAppAttestTimeout": "20000",
    "attestationAndroidPlayIntegrityMode": "OFF",
    "attestationAndroidPlayIntegrityTimeout": "200000",
    "clientDebugDataEnabledOsTypes": "IOS, ANDROID",
    "apnsTimeSensitiveInterruptionLevelEnabled": "true",
    "serverSideFaceEnabled": "false",
    "lockScope": "DEVICE"
  }
}
The MobileID Admin signing certificates API allows you to get signing certificates, which can be used for certificate verification.
JSON Web Tokens (JWTs) are returned as a result of the MobileID signature operation, and are signed with a private key.
A signing certificate contains the corresponding public key, which can be used to verify the signature.
Note: The request and response samples are for illustrative purposes only, and discrepancies can occur between the sample values in request and response objects.
Get signing certificates
The Get list of signing certificates operation returns a list of signing certificates for MobileID.
You can specify the state of the signing certificates that you would like to list.
If a state (state) is not specified in the query parameters, then the operation will return a list containing the current signing certificates and the signing certificates that were used previously.
Note: A previously used signing certificate is a certificate whose corresponding private key has, at some point in time, been used for signing JWTs.
Authorizations:
query Parameters
state | string Example: state=ACTIVE The state of the signing certificates that you want to list. This is an enum, and can be either If not provided, then all certificate types are listed. |
signicat-accountid | string Example: signicat-accountid=a-sdge-abcdefghijk123456789 The ID of the Signicat account. This is an optional parameter, as the account ID will be fetched from the access token that you use when initiating the request. |
Responses
Response samples
- 200
- 403
{
  "signingCertificates": [
    {
      "certificate": "<PEM encoded Certificate>",
      "sha256Fingerprint": "29:ce:22:91:dc:82:3e:ce:c1:33:67:03:c5:af:b3:03:63:29:ce:22:91:dc:82:9a:8a:e9:49:1e:8a:e9:49:1e",
      "state": "ACTIVE",
      "activatedAt": "2024-11-09T21:59:00.000Z"
    },
    {
      "certificate": "<PEM encoded Certificate>",
      "sha256Fingerprint": "11:22:a2:ce:7f:9d:3e:ce:c1:33:67:03:c5:af:b3:03:63:29:ce:22:91:dc:82:9a:8a:e9:49:1e:9b:d0:12:aa",
      "state": "DEACTIVATED",
      "activatedAt": "2024-11-09T21:59:00.123Z",
      "deactivatedAt": "2024-11-09T21:59:00.321Z"
    }
  ]
}
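An added example, not Signicat's code: given a Get signing certificates response, it checks that each PEM matches its sha256Fingerprint (and, optionally, a set of fingerprints pinned out of band), then picks the certificate to verify a stored JWT with from the time the JWT was signed. It assumes that the fingerprint is SHA-256 over the certificate's DER bytes and that a key signs only between activatedAt and deactivatedAt; the function names are hypothetical and the sample entries hold placeholder bytes, not real certificates.

```python
import base64
import hashlib
from datetime import datetime

def parse_ts(value):
    """Parse timestamps in the response format, e.g. 2024-11-09T21:59:00.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def pem_fingerprint(pem):
    """SHA-256 of the DER bytes in a PEM block, as colon-separated lowercase hex."""
    lines = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    digest = hashlib.sha256(base64.b64decode("".join(lines))).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def certificates_for(response, signed_at, pinned=None):
    """Entries usable for a JWT signed at signed_at (timezone-aware datetime)."""
    usable = []
    for entry in response["signingCertificates"]:
        computed = pem_fingerprint(entry["certificate"])
        if computed != entry["sha256Fingerprint"].lower():
            continue  # reported fingerprint does not match the PEM
        if pinned is not None and computed not in pinned:
            continue  # not a fingerprint the operator has pinned out of band
        start = parse_ts(entry["activatedAt"])
        end = parse_ts(entry["deactivatedAt"]) if "deactivatedAt" in entry else None
        # Assumption: a key signs only between activatedAt and deactivatedAt.
        if start <= signed_at and (end is None or signed_at < end):
            usable.append(entry)
    return usable

def constructed_entry(der, state, activated, deactivated=None):
    """Build a sample entry; der is placeholder bytes, not a real certificate."""
    b64 = base64.b64encode(der).decode()
    pem = f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----"
    entry = {"certificate": pem, "sha256Fingerprint": pem_fingerprint(pem),
             "state": state, "activatedAt": activated}
    if deactivated:
        entry["deactivatedAt"] = deactivated
    return entry

# Constructed response in the shape of the 200 sample above.
SAMPLE = {"signingCertificates": [
    constructed_entry(b"constructed-current", "ACTIVE", "2024-11-09T21:59:00.000Z"),
    constructed_entry(b"constructed-previous", "DEACTIVATED",
                      "2024-01-01T00:00:00.000Z", "2024-11-09T21:59:00.000Z"),
]}
```

The selected entry's PEM is then handed to a JWT library for the actual signature check; an empty result means no listed certificate should be trusted for that token.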
The MobileID Admin end-to-end (E2E) keys API allows you to get your E2E keys, which are used to add an encryption layer on top of TLS between the MobileID server and the SDK.
They are required for configuring the Authenticator App and the mobile SDK.
For each MobileID account, we create a new E2E key during the onboarding process. We strongly recommend that you use this specific key for the corresponding MobileID account and application configuration.
Ensure that you do not share E2E keys between sandbox and production accounts.
Note: The request and response samples are for illustrative purposes only, and discrepancies can occur between the sample values in request and response objects.
Get E2E keys
The Get E2E keys operation returns a list of the E2E key objects for the organisation that the account belongs to. This includes both production and sandbox E2E keys.
The maximum number of E2E key objects per list is 20.
You can specify the state of the E2E keys that you would like to list.
If a state (state) is not specified in the query parameters, then the operation will return a list containing E2E keys of all states.
Note: E2E keys have the account name in the E2E key name (name).
Authorizations:
query Parameters
state | string Example: state=ENABLED The state of the E2E keys that you want to list. This is an enum, and can be either If not provided, then all E2E key types are listed. |
signicat-accountid | string Example: signicat-accountid=a-sdge-abcdefghijk123456789 The ID of the Signicat account. This is an optional parameter, as the account ID will be fetched from the access token that you use when initiating the request. |
Responses
Response samples
- 200
- 400
- 403
{
  "e2eKeys": [
    {
      "id": "op36b8k9-xr2f-996f-9039-a1baba22bc1b",
      "name": "E2E key - migrated",
      "description": "E2E key for QA testing",
      "createdBy": "52e107e6-1ce9-4a4b-a051-612ad888de11",
      "created": "2023-01-05T12:04:24.812Z",
      "sha256Fingerprint": "21:31:57:72:33:ec:23:84:ad:30:68:1c:e3:ab",
      "publicKey": "cHVibGljS2V5VmFsdWU=",
      "state": "ENABLED"
    },
    {
      "id": "aaa124e1-fs4d-2rg4-8a3h-aa123a2c7x33",
      "name": "Default E2E key - migrated",
      "description": "Default key/cert generated at first db init",
      "createdBy": "52e107e6-1ce9-4a4b-a051-612ad888de11",
      "created": "2023-01-05T12:04:24.815Z",
      "sha256Fingerprint": "98:23:57:55:25:ec:23:84:hw:22:69:2c:s2:ba",
      "publicKey": "cHVibGljS2V5VmFsdWU=",
      "state": "ENABLED"
    }
  ]
}