Web-to-app authentication process

December 1, 2018 (last updated September 10, 2019)

In this process, a user who has already completed the MobileID app registration process authenticates with the app. To support browser-based authentication, your web application must drive the whole process: initiating the authentication, waiting while the user confirms it in the app, and receiving the response that carries the result.

1) Initiate the authentication

Web integration with the MobileID app is done via the same API as Signicat’s other ID methods. See “Get started with authentication” for more information.

To initiate the authentication, send a GET request to the in-app URL you have received from Signicat. The deviceId returned in the registration process must be sent as a parameter in the following format: login_hint=deviceId-{deviceId}.

In response, the browser receives an HTML ‘Waiting’ page, which is shown while the user completes the authentication in the app. Once the app has confirmed the authentication, the server answers with a 302 redirect to the redirect URI the flow was started with (see step 3).

Request example


2) Start the MobileID app

The user starts the MobileID app and is asked to authenticate with a PIN code or fingerprint.

3) Get the result of the authentication process

The user’s browser is redirected to the redirect URI from step 1, with the one-time authorization code in the “code” query parameter.

4) Send token request

Use the redirect URI from step 1 and the code received in step 3 to send a POST request to the token endpoint. The request must contain the following URI-encoded parameters:

  • client_id: Your client ID
  • redirect_uri: Must equal the URI the flow started with
  • grant_type=authorization_code: We are using an authorization code for this flow, hence the value of this parameter
  • code: Must equal the code received in step 3

Request example

curl -XPOST "" -H "Authorization: Basic ZGVtby1wcmVwcm9kOm1xWi1fNzUtZjJ3TnNpUVRPTmI3T240YUFaN3pjMjE4bXJSVmsxb3VmYTg=" -d "client_id=demo-preprod&redirect_uri=YOUR_REDIRECT_URI&grant_type=authorization_code&code=YOUR_CODE"

Response example

{"access_token":"eyJra...","token_type":"Bearer","refresh_token":"S4rkjLZ-13aXtuLhyHngFZGcC2mbmKcK","scope":"mobileid profile openid","expires_in":1800,"id_token":"eyJra..."}

Extract the access token from the response to use it in the next step.

5) Send userinfo request

Use the access token as a Bearer token in a GET request to the userinfo endpoint to fetch the deviceId.

Request example

curl -XGET "" -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Response example


Note that the response will vary depending on the ID method. For further information, refer to OIDC Response Examples.

Save the deviceId, as it will be used to start any future authentication processes from that user.
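The relying-party side of steps 1 to 5, as an added example that is not Signicat’s code: `start_login` builds the step 1 URL (appending `login_hint=deviceId-{deviceId}`, the redirect URI, and a `state` value for CSRF protection, which this page does not mention but which any authorization-code client should send), `finish_login` handles the step 3 callback, the step 4 token request with `client_secret_basic` authentication, and the step 5 userinfo request. The endpoint URLs, the redirect URI and the name of the userinfo claim carrying the deviceId are assumptions, since the page elides them; `demo-preprod` and its secret are taken from the Basic header shown in the request example above. HTTP is done through an injected `transport` callable so the sequence can be run offline against the constructed `_fake_idp` stand-in.

```python
"""Relying-party side of the MobileID web-to-app authentication flow (added example)."""
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

IN_APP_URL = "https://idp.example/authorize?client_id=demo-preprod"  # assumption: in-app URL from Signicat
TOKEN_URL = "https://idp.example/token"          # assumption: token endpoint
USERINFO_URL = "https://idp.example/userinfo"    # assumption: userinfo endpoint
REDIRECT_URI = "https://rp.example/callback"     # assumption: your registered redirect URI
CLIENT_ID = "demo-preprod"                                      # from the page
CLIENT_SECRET = "mqZ-_75-f2wNsiQTONb7On4aAZ7zc218mrRVk1oufa8"  # decoded from the page's Basic header
DEVICE_ID_CLAIM = "deviceId"  # assumption: userinfo claim that carries the deviceId


def basic_auth_header(client_id, client_secret):
    """client_secret_basic: 'Basic ' + base64(client_id ':' client_secret)."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def start_login(device_id):
    """Step 1: URL to send the browser to. Keep the returned state in the user's session."""
    state = secrets.token_urlsafe(16)  # CSRF binding between this request and the callback
    sep = "&" if "?" in IN_APP_URL else "?"
    params = {"login_hint": f"deviceId-{device_id}", "redirect_uri": REDIRECT_URI, "state": state}
    return IN_APP_URL + sep + urlencode(params), state


def parse_callback(callback_url, expected_state):
    """Step 3: extract the one-time code; refuse errors and a missing/mismatched state."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "code" not in q:
        raise ValueError("callback carries no code")
    return q["code"][0]


def token_request(code):
    """Step 4: headers and URI-encoded body for the POST to the token endpoint."""
    body = urlencode({
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,  # must equal the URI the flow started with
        "grant_type": "authorization_code",
        "code": code,
    })
    headers = {"Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET),
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, body


def parse_token_response(text):
    """Pull the access token out of the token response, checking it is a Bearer token."""
    tok = json.loads(text)
    if tok.get("token_type", "").lower() != "bearer" or "access_token" not in tok:
        raise ValueError("unexpected token response")
    return tok["access_token"]


def finish_login(transport, callback_url, expected_state):
    """Steps 3-5. transport(method, url, headers, body) -> (status, text). Returns the deviceId."""
    code = parse_callback(callback_url, expected_state)
    headers, body = token_request(code)
    status, text = transport("POST", TOKEN_URL, headers, body)
    if status != 200:
        raise ValueError(f"token endpoint returned {status}: {text}")
    access_token = parse_token_response(text)
    status, text = transport("GET", USERINFO_URL, {"Authorization": f"Bearer {access_token}"}, None)
    if status != 200:
        raise ValueError(f"userinfo endpoint returned {status}")
    return json.loads(text)[DEVICE_ID_CLAIM]  # persist this: it is the login_hint for the next authentication


def _fake_idp(method, url, headers, body):
    """Constructed stand-in for the IdP, only so the example runs offline."""
    if method == "POST" and url == TOKEN_URL:
        form = parse_qs(body)
        ok = (headers.get("Authorization") == basic_auth_header(CLIENT_ID, CLIENT_SECRET)
              and form.get("grant_type") == ["authorization_code"]
              and form.get("redirect_uri") == [REDIRECT_URI]
              and form.get("code") == ["c0de-from-step-3"])
        if not ok:
            return 400, json.dumps({"error": "invalid_grant"})
        return 200, json.dumps({"access_token": "eyJra...", "token_type": "Bearer",
                                "scope": "mobileid profile openid", "expires_in": 1800})
    if method == "GET" and url == USERINFO_URL and headers.get("Authorization") == "Bearer eyJra...":
        return 200, json.dumps({"sub": "user-1", DEVICE_ID_CLAIM: "0f2a-constructed-device"})
    return 401, "{}"


if __name__ == "__main__":
    url, state = start_login("0f2a-constructed-device")
    print("step 1 ->", url)
    callback = f"{REDIRECT_URI}?code=c0de-from-step-3&state={state}"  # what the 302 in step 3 lands on
    print("deviceId ->", finish_login(_fake_idp, callback, state))
```

Against the real endpoints, replace `_fake_idp` with a transport that performs the HTTP calls over TLS; everything else stays the same. The state check matters because the callback is an unauthenticated GET on your server: without it, an attacker can complete the flow with their own code and log a victim into the attacker's session.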

Any further actions after receiving this response are your responsibility. Signicat does not have any responsibility for how the result of the authentication is used.
