# Application configuration

An application configuration is a specific set of application attributes for a mobile application. These attributes determine how the application should work.

# How it works

MobileID comes with a standard application configuration. It is possible to change the default values in this configuration to suit your needs. To get help with this, contact us with your preferences at support@signicat.com.

You can find an overview of all application configuration parameters and their default values in the tables below.

# Configurations

# Application behaviour

The parameters below represent base configurations, which determine your application's behaviour.

| Property name | Description | Allowed values | Default value |
| --- | --- | --- | --- |
| activationCodeLength | The length (in characters) that the generated activation code will be. | From 4 to MAXINT | 6 |
| activationCodeType | The types of characters that can be used for the generated activation code. | ANY, NUMERIC, ALPHA, ALPHANUMERIC | NUMERIC |
| allowedAuthMethods | Allowed authentication methods, given as a comma separated list. | For allowed values, see the Authentication methods section in our MobileID API reference documentation. | DEVICE, DEVICE:PIN, DEVICE:STRONG_TOUCH_ID, DEVICE:IOS_FACE_ID, DEVICE:ANDROID_BIOMETRIC_PROMPT |
| allowedAuthMethodsForAuthAndActivate | Allowed authentication methods when adding a new authentication method, given as a comma separated list.<br><br>All authentication methods specified here must be present in the allowedAuthMethods parameter. | For allowed values, see the Authentication methods section in our MobileID API reference documentation. | DEVICE:PIN |
| amountFailuresAllowed | The amount of failed authentications allowed for any client, before they are locked out. | From 0 to MAXINT | 3 |
| encapApiBlacklistAndroid | Which Android client SDK versions to blocklist (sometimes referred to as blacklist).<br><br>Devices running blocklisted versions will be rejected/denied. | Comma separated semantic version.<br><br>Example: "3.5.3, 3.6.8" | |
| encapApiBlacklistIos | Which iOS client SDK versions to blocklist (sometimes referred to as blacklist).<br><br>Devices running blocklisted versions will be rejected/denied. | Comma separated semantic version.<br><br>Example: "3.5.3, 3.6.8" | |
| maxPinCodeLength | The maximum length (in characters) of the PIN code. | From 1 to MAXINT | 4 |
| minimumRequiredEncapApiVersionAndroid | The minimum Android client SDK version allowed. This can only be used to narrow down the allowed Android SDK versions (not extend).<br><br>Example: If the minimum supported client version on the server is "3.5.0", and someone wants to only allow "3.6.0", this can be achieved. However, specifying "3.3.0" would have no effect, as it is below the minimum supported client version on the server. | Semantic version.<br><br>Example: "3.7.0" | null |
| minimumRequiredEncapApiVersionIos | The minimum iOS client SDK version allowed. This can only be used to narrow down the allowed iOS SDK versions (not extend).<br><br>Example: If the minimum supported client version on the server is "3.5.0", and someone wants to only allow "3.6.0", this can be achieved. However, specifying "3.3.0" would have no effect, as it is below the minimum supported client version on the server. | Semantic version.<br><br>Example: "3.7.0" | null |
| pinCodeLength | The minimum length (in characters) of the PIN code.<br><br>Note: This parameter is a hint to the client, and is not enforced by the server. However, it is enforced in the client SDK. | From 1 to MAXINT | 4 |
| pinCodeType | The types of characters that can be used for the PIN code.<br><br>Note: This parameter is a hint to the client, and is not enforced by the server. However, it is enforced in the client SDK. | ANY, NUMERIC, ALPHA, ALPHANUMERIC | NUMERIC |
| sessionExpiry | The amount of time (in milliseconds) that a new device operation session remains valid for.<br><br>After this time has elapsed, the session can no longer be used for any operations.<br><br>Note: This value cannot exceed the maximum configured value of 187200000. | From 1 to 187200000 | 187200000 |
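The interaction between the minimum-version and blocklist parameters can be modelled as below. This is an added example, not MobileID code: the function names are hypothetical, the server-side minimum of "3.5.0" is borrowed from the table's own example, and versions are assumed to be plain MAJOR.MINOR.PATCH without pre-release tags.

```python
# Added example: models the SDK version rules described in the table above.
# SERVER_MIN_SUPPORTED is an assumed value taken from the page's own example.
SERVER_MIN_SUPPORTED = "3.5.0"


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' into a tuple of ints so versions compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    return tuple(int(p) for p in parts)


def parse_blocklist(value):
    """Parse a comma separated list such as '3.5.3, 3.6.8'; None or '' means no blocklist."""
    if not value:
        return set()
    return {parse_version(item) for item in value.split(",")}


def effective_minimum(configured_min, server_min=SERVER_MIN_SUPPORTED):
    """The configured minimum can only narrow: a value below the server minimum has no effect."""
    floor = parse_version(server_min)
    if configured_min is None:
        return floor
    return max(floor, parse_version(configured_min))


def sdk_version_decision(client_version, configured_min=None, blocklist=None):
    """Return (accepted, reason) for one client SDK version."""
    version = parse_version(client_version)
    if version in parse_blocklist(blocklist):
        return False, "blocklisted"
    if version < effective_minimum(configured_min):
        return False, "below minimum"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample: minimum 3.6.0, blocklist taken from the table's example.
    for v in ("3.5.9", "3.6.0", "3.6.8", "3.10.1"):
        print(v, sdk_version_decision(v, "3.6.0", "3.5.3, 3.6.8"))
```

Comparing parsed tuples rather than strings matters here: as a string, "3.10.1" sorts below "3.6.0" and would be wrongly rejected.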

# Push configurations

For MobileID to send a push notification to your application, it needs to be specified in the application configuration. The process for this depends on whether you are setting up for Android or for iOS:

  • For iOS, push notifications are set up with the Apple Push Notification Service (APNs). MobileID supports APNs tokens. These can be created within the Apple Developer Program Portal. You will need to share the following:

    • APNs token
    • Team ID
    • Key ID
  • For Android, push notifications are set up with Firebase Cloud Messaging (FCM). This can be configured with your mobile application in the Firebase project console.

The parameters below represent push configurations, which determine push notification functionality for your application. This table describes parameters for both Android and iOS, so they may not all apply.

| Property name | Description | Allowed values | Default value |
| --- | --- | --- | --- |
| apnConfig | The APN server configuration that defines where to reach the APNs. | PRODUCTION, SANDBOX | PRODUCTION |
| apnExpiry | The amount of time that a message dispatched to the APN service should remain valid for. If the APNs cannot deliver the message before this time expires, the message will be discarded and therefore never arrive. | From 1 to MAXINT | 1 |
| apnsBundleId | Apple's bundle ID for the application. This is used as a topic on the push message sent to APNs, and is required when using APNs tokens. | String | |
| apnsNotificationSoundEnabled | Determines whether a notification sound is played on iOS devices when the device receives a push message.<br>• If the option is set to true, the 'default' sound on the device is played when a push is received.<br>• If the option is omitted or set to false, no sound is played.<br>Note: This parameter only applies to iOS devices. On Android, the app itself determines whether a notification sound is played. | true, false | true |
| apnsTimeSensitiveInterruptionLevelEnabled | Sets the interruption level for push messages to iOS devices to 'time-sensitive'.<br>• If set to true, push notifications are given a higher priority and can notify users even when the device is in 'Focus' mode.<br>• If set to false, the default interruption level 'Active' is assumed by the device. | true, false | false |
| nativePushEnabled | Enables the server to send push messages with Firebase Cloud Messaging (FCM) or Apple Push Notification service (APNs). | true, false | false |
| firebaseDatabaseUrl | The URL of your Firebase database (as shown in the Firebase project settings). This parameter relates to Firebase Cloud Messaging (FCM). | String | |
| firebaseServiceAccountB64 | The contents of the serviceAccount.json file (credentials file), for your Firebase Cloud Messaging (FCM) project.<br><br>Note: This has to be supplied to us Base64-encoded. | String | |
| firebaseTimeToLive | The maximum lifespan of the message (in milliseconds), for Firebase Cloud Messaging (FCM).<br><br>The default value is 0, which means to deliver the message "now or never". FCM guarantees best effort for messages with this lifespan. | From 0 to MAXINT | 0 |

# Risk data configuration

A set of risk attributes can be collected for each operation.

The enabledRiskData property is used to configure MobileID's risk data feature for your application. This determines which attributes are collected and returned in the operation response. See table below for possible values.

# How to configure risk data

You can update this parameter using the Update properties of application configuration endpoint in our MobileID Admin API.

# Always collected risk data

Some risk data is always collected, for debugging purposes. This means that for enabledRiskData:

  • If you pass null, the always collected risk data will still be returned.
  • If you specify risk attributes, the always collected risk data will be returned in addition to those you have specified.

You can find a list of what risk data is always enabled in the MobileID API reference documentation. See risk attributes in the Common concepts section.

# Location risk data

Location (location) is a risk data attribute that describes the location of the device used in the operation.

It is returned as its own object in the operation response instead of in the risk attributes (riskAttributes) object.

You can enable location risk data by adding the value location to the enabled risk data (enabledRiskData) in the application configuration, or by using the value ALL.

# Configurations

| Property name | Description | Allowed values | Default value |
| --- | --- | --- | --- |
| enabledRiskData | Determines which risk data to collect. You can either:<br>• Collect all risk data available.<br>• Collect only selected risk data (including always collected risk data).<br>• Collect only always collected risk data. | ALL<br><br>or<br><br>Select specific attributes, given as a JSON array. In addition to location, see the risk attributes in the Common concepts of the MobileID API reference documentation for allowed values.<br><br>or<br><br>Leave this field empty (null). | null |

# Hardware-protected keys configurations

The parameter below is used to configure MobileID's hardware-protected keys feature for your application.

| Property name | Description | Allowed values | Default value |
| --- | --- | --- | --- |
| hwKeyValidationStrategy | Determines what to do with devices if validation of the hardware-protected keys signature fails.<br>• SUPPORTED means that if validation of the hardware-protected keys signature fails, then the device operation will fail.<br>• RISK_PARAMS means that if validation of the hardware-protected keys signature fails, then the device operation will not fail. It is up to you what action is taken on the result.<br>The result of the hardware signature validation is always returned as a part of the following risk attributes: | SUPPORTED, RISK_PARAMS | SUPPORTED |

# App attestation configurations

The parameters below are used to configure MobileID's app attestation feature (App Attest for iOS, and Play Integrity for Android) for your application.

| Property name | Description | Allowed values | Default value |
| --- | --- | --- | --- |
| attestationAndroidPlayIntegrityMode | Determines whether Play Integrity attestation is performed, and how the request is handled. This is reflected in three different modes:<br>• REQUIRED means that Play Integrity attestation is performed. If attestation fails, then the device operation will fail.<br>• OPTIONAL means that Play Integrity attestation is performed. If attestation fails, then the device operation will not fail, and a new attestation is performed on the next request. It is up to you what action is taken on the result.<br>• OFF means that Play Integrity attestation is not performed. | REQUIRED, OPTIONAL, OFF | OFF |
| attestationAndroidPlayIntegrityTimeout | The timeout (given in milliseconds) for a request made to Play Integrity. | From 1 to MAXINT | |
| attestationAndroidPlayIntegrityDecryptionKey | Play Integrity attestation decryption key, used to decrypt the integrity token. | Base64 encoded value | |
| attestationAndroidPlayIntegrityVerificationKey | Play Integrity attestation verification key, used to validate the integrity token. | Base64 encoded value | |
| attestationAndroidPackageName | The APK package name. This is required if attestationAndroidPlayIntegrityMode is set to REQUIRED or OPTIONAL. | String | |
| attestationIosAppAttestMode | Determines whether Apple App Attest Service (used to validate whether an application runs on a real iOS device) is performed, and how the request is handled.<br><br>This is reflected in three different modes:<br>• REQUIRED means that App attestation is performed. If attestation fails, then the device operation will fail. Note: Devices running versions of iOS older than iOS 14 will always fail if the mode is REQUIRED, due to requirements by Apple.<br>• OPTIONAL means that App attestation is performed. If attestation fails, then the device operation will not fail, and a new attestation is performed on the next request. It is up to you what action is taken on the result.<br>• OFF means that App attestation is not performed. | REQUIRED, OPTIONAL, OFF | OFF |
| attestationIosAppAttestEnvironment | Determines the environment where an iOS app that uses App attestation validates itself. | PRODUCTION, DEVELOPMENT | PRODUCTION |
| attestationIosAppAttestTimeout | The timeout (given in milliseconds) for an iOS app attestation request. | From 1 to MAXINT | 20000 |
| attestationIosAppAttestAppId | An iOS app ID, which is a concatenation of:<br>• A 10-digit team identifier<br>• A period<br>• The app's CFBundleIdentifier value | String | null |
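Several rules in the tables so far span more than one property: the add-method list must be a subset of allowedAuthMethods, sessionExpiry has a hard ceiling, and the Android package name becomes mandatory once Play Integrity is on. The sketch below checks them before a change request is sent. It is an added example, not part of MobileID; the flat dictionary representation and the function names are assumptions, and the defaults are the ones listed on this page.

```python
# Added example: offline checks for constraints the tables on this page state.
# The flat dict of property names to values is an assumed representation.
MAX_SESSION_EXPIRY_MS = 187200000
DEFAULT_ALLOWED_AUTH = ("DEVICE,DEVICE:PIN,DEVICE:STRONG_TOUCH_ID,"
                        "DEVICE:IOS_FACE_ID,DEVICE:ANDROID_BIOMETRIC_PROMPT")


def split_list(value):
    """Split a comma separated property value into a set of trimmed items."""
    return {item.strip() for item in (value or "").split(",") if item.strip()}


def lint_config(cfg):
    """Return a list of findings; an empty list means no stated rule is broken."""
    findings = []
    allowed = split_list(cfg.get("allowedAuthMethods", DEFAULT_ALLOWED_AUTH))
    for_add = split_list(cfg.get("allowedAuthMethodsForAuthAndActivate", "DEVICE:PIN"))
    missing = sorted(for_add - allowed)
    if missing:
        findings.append("allowedAuthMethodsForAuthAndActivate not in allowedAuthMethods: "
                        + ", ".join(missing))

    expiry = cfg.get("sessionExpiry", MAX_SESSION_EXPIRY_MS)
    if not 1 <= expiry <= MAX_SESSION_EXPIRY_MS:
        findings.append(f"sessionExpiry {expiry} outside 1..{MAX_SESSION_EXPIRY_MS}")

    if cfg.get("activationCodeLength", 6) < 4:
        findings.append("activationCodeLength below the allowed minimum of 4")

    # A minimum PIN length above the maximum cannot be satisfied by any PIN.
    if cfg.get("pinCodeLength", 4) > cfg.get("maxPinCodeLength", 4):
        findings.append("pinCodeLength exceeds maxPinCodeLength")

    mode = cfg.get("attestationAndroidPlayIntegrityMode", "OFF")
    if mode in ("REQUIRED", "OPTIONAL") and not cfg.get("attestationAndroidPackageName"):
        findings.append("attestationAndroidPackageName is required when "
                        f"attestationAndroidPlayIntegrityMode is {mode}")
    return findings
```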

# Account recovery configurations

The parameters below are used to configure MobileID's account recovery feature for your application.

| Property name | Description | Allowed values | Default value |
| --- | --- | --- | --- |
| recoveryEnabled | Enable users to set up cloud based recovery credentials. | true, false | false |
| recoveryCodeMinLength | The minimum length (in characters) of the recovery code.<br><br>Note: This parameter is a hint to the client, and is not enforced by the server. However, it is enforced in the client SDK. | From 0 to MAXINT | 6 |
| recoveryCodeMaxLength | The maximum length (in characters) of the recovery code.<br><br>Note: This parameter is a hint to the client, and is not enforced by the server. However, it is enforced in the client SDK. | From 0 to MAXINT | 50 |
| recoveryCodeFormat | The types of characters that can be used for the recovery code.<br><br>Note: This parameter is a hint to the client, and is not enforced by the server. However, it is enforced in the client SDK. | ALPHA, ALPHANUMERIC, ANY, NUMERIC | NUMERIC |
| recoveryCodeAmountFailuresAllowed | The amount of failed recovery code attempts allowed for any client, before the recovery for the client is locked. | From 0 to MAXINT | 3 |

# Geofencing configurations

The parameters below are used to configure MobileID's geofencing feature for your application.

| Property name | Description | Allowed values | Default value |
| --- | --- | --- | --- |
| geofencingActivationMode | Determines if/how geofencing is used for activation. This is reflected in three different modes:<br>• REQUIRED means that a device location check is performed. If the location is not a part of the allowed regions, or if the location check fails, then the activation request will fail.<br>• OPTIONAL means that a device location check is performed. If the location is not a part of the allowed regions, or if the location check fails, then the activation request will be performed. It is up to you what action is taken on the result.<br>• OFF means that a device location check is not performed. | REQUIRED, OPTIONAL, OFF | OFF |
| geofencingActivationAllowedContinents | List of continents where activation is allowed, given as a two letter continent code. | Continents to be given as two-letter codes, as defined by:<br>AF (Africa), AN (Antarctica), AS (Asia), EU (Europe), NA (North America), OC (Oceania), SA (South America) | |
| geofencingActivationAllowedCountries | List of countries where activation is allowed, given as a two letter country code. These countries are in addition to those covered by the allowed continents parameter. | To be given as two-letter country codes, as defined by the ISO 3166-1 alpha-2 standard.<br><br>You can find a list of countries and corresponding codes at: GeoNames. | |
| geofencingActivationDeniedCountries | List of countries where activation is not allowed, given as a two letter country code. These countries will be excluded from those covered by the allowed continents parameter. | To be given as two-letter country codes, as defined by the ISO 3166-1 alpha-2 standard.<br><br>You can find a list of countries and corresponding codes at: GeoNames. | |
| geofencingAuthenticationMode | Determines if/how geofencing is used for authentication. This is reflected in three different modes:<br>• REQUIRED means that a device location check is performed. If the location is not a part of the allowed regions, or if the location check fails, then the authentication request will fail.<br>• OPTIONAL means that a device location check is performed. If the location is not a part of the allowed regions, or if the location check fails, then the authentication request will be performed. It is up to you what action is taken on the result.<br>• OFF means that a device location check is not performed. | REQUIRED, OPTIONAL, OFF | OFF |
| geofencingAuthenticationAllowedContinents | List of continents where authentication is allowed, given as a two letter continent code. | Continents to be given as two-letter codes, as defined by:<br>AF (Africa), AN (Antarctica), AS (Asia), EU (Europe), NA (North America), OC (Oceania), SA (South America) | |
| geofencingAuthenticationAllowedCountries | List of countries where authentication is allowed, given as a two letter country code. These countries are in addition to those covered by the allowed continents parameter. | To be given as two-letter country codes, as defined by the ISO 3166-1 alpha-2 standard.<br><br>You can find a list of countries and corresponding codes at: GeoNames. | |
| geofencingAuthenticationDeniedCountries | List of countries where authentication is not allowed, given as a two letter country code. These countries will be excluded from those covered by the allowed continents parameter. | To be given as two-letter country codes, as defined by the ISO 3166-1 alpha-2 standard.<br><br>You can find a list of countries and corresponding codes at: GeoNames. | |
| geofencingTimeout | The timeout (given in milliseconds) allowed for the client to wait for location, and to perform a reverse geolocation lookup. If the timeout is exceeded, then the client will continue without a country. | From 0 to MAXINT | 10000 |
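How the allow and deny lists combine with the three modes, including the timeout case where the client continues without a country, is shown in the sketch below. This is an added example, not MobileID code: the function names and result labels are hypothetical, the country-to-continent map is a constructed sample, and it assumes a denied country is rejected even when it also appears in the allowed countries list.

```python
# Added example: the geofencing rules from the table above as a pure function.
# CONTINENT_OF is a constructed sample, not a complete country-to-continent table.
CONTINENT_OF = {"NO": "EU", "SE": "EU", "DE": "EU", "US": "NA", "JP": "AS", "BR": "SA"}


def in_allowed_region(country, allowed_continents, allowed_countries, denied_countries):
    """True if the ISO 3166-1 alpha-2 country falls inside the configured region."""
    if country in denied_countries:
        # Assumption: a denied country is rejected even if it is also listed as allowed.
        return False
    if country in allowed_countries:
        return True
    return CONTINENT_OF.get(country) in allowed_continents


def geofence_decision(mode, country, allowed_continents=(), allowed_countries=(),
                      denied_countries=()):
    """Return (proceed, result) for an activation or authentication request.

    country is None when the client gave up after geofencingTimeout and
    continued without a country, which counts as a failed location check.
    """
    if mode == "OFF":
        return True, "NOT_CHECKED"
    if mode not in ("REQUIRED", "OPTIONAL"):
        raise ValueError(f"unknown geofencing mode: {mode!r}")
    if country is None:
        result = "LOCATION_CHECK_FAILED"
    elif in_allowed_region(country.upper(), set(allowed_continents),
                           set(allowed_countries), set(denied_countries)):
        result = "INSIDE_ALLOWED_REGION"
    else:
        result = "OUTSIDE_ALLOWED_REGION"
    if result == "INSIDE_ALLOWED_REGION":
        return True, result
    # REQUIRED fails the request; OPTIONAL lets it through and leaves the
    # decision to whoever consumes the result.
    return mode == "OPTIONAL", result
```

With OPTIONAL, a request from outside the region or with no location still proceeds, so the geofence only has an effect if your own backend acts on the returned result.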

Last updated: 17/11/2023 13:11 UTC