Transaction Confirmation - Client Verification

This section covers the client verification phase of the three-phase transaction confirmation for Android and iOS, as described on the pages below:


Step 1: A JWT has three components: header, payload, and signature. Here is a sample header, which you will need for client verification:

{
  "alg": "ES256",
  "typ": "JWT",
  "kid": "f82151ed-cdc4-447c-bb80-981bfbcc2497"
}

Step 2: Using the key ID (kid) from the JWT header, fetch the public key from:

https://jwt.sandbox-usw1.api.loginid.io/certs?kid=<key id here>

This will return the public key certificate.

Step 3: Use the JWT package recommended on https://jwt.io/ for your programming language to validate the signature against the public key obtained from the URL.

Step 4: Ensure that the hash of the transaction details as specified in the JWT is correct.

Step 5: Ensure that the nonce as specified in the JWT matches the nonce that was passed into the initial transaction confirmation API call.

Step 6: Ensure the other data in the JWT (e.g. user, audience) is as expected.

The JWT payload contains identification information about a given user, and any other transaction-level data:

interface IJWTPayload {
  /** The user id */
  sub: string;
  /** The namespace id */
  nid: string;
  /** Identifies the principal that issued the JWT ('loginid.io' or rpId) */
  iss: string;
  /** The client id */
  aud: string;
  /** Username */
  username: string;
  /** Type of action taken */
  action: string;
  /** Issued at */
  iat: number;
  /** Transaction hash */
  tx_hash: string;
  /** Nonce */
  nonce: string;
}
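
The six verification steps above as one Node.js function, added here as an illustration (not LoginID's code): it pins ES256, resolves the key by kid, verifies the signature, then checks tx_hash, nonce, aud and sub. The key map standing in for the certs endpoint, the locally generated key, the sample claims and the tx_hash encoding (base64url SHA-256 of the transaction payload) are assumptions.

```javascript
// Added example: constructed key, claims and token; not LoginID's code.
const crypto = require('node:crypto');

const b64u = (s) => Buffer.from(s).toString('base64url');
const decode = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
// ASSUMPTION: tx_hash = base64url(SHA-256(transaction payload)); confirm the real encoding.
const txHash = (payload) => crypto.createHash('sha256').update(payload).digest('base64url');

// Steps 1-6. `keys` maps kid -> public key and stands in for the /certs?kid= lookup.
function verifyTxJwt(token, keys, expected) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const [h, p, s] = parts;
  const header = decode(h);
  // Pin the algorithm; never let the token pick it (rejects "none" and HMAC confusion).
  if (header.alg !== 'ES256') throw new Error('unexpected alg');
  const key = keys.get(header.kid);
  if (!key) throw new Error('unknown kid');
  // JWS ES256 signatures are raw r||s (64 bytes), not DER.
  const sig = Buffer.from(s, 'base64url');
  const ok = sig.length === 64 && crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key, dsaEncoding: 'ieee-p1363' }, sig);
  if (!ok) throw new Error('bad signature');
  const claims = decode(p); // trust claims only after the signature checks out
  if (claims.tx_hash !== txHash(expected.txPayload)) throw new Error('tx_hash mismatch');
  if (claims.nonce !== expected.nonce) throw new Error('nonce mismatch');
  if (claims.aud !== expected.aud || claims.sub !== expected.sub) throw new Error('claim mismatch');
  return claims;
}

// Constructed sample: a locally generated P-256 key plays the issuer's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const KID = 'f82151ed-cdc4-447c-bb80-981bfbcc2497'; // kid from the sample header above
const keys = new Map([[KID, publicKey]]);

function signSample(claims, header = { alg: 'ES256', typ: 'JWT', kid: KID }) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}

// Returns 'ok' or the reason the token was rejected.
function check(token, expected) {
  try { verifyTxJwt(token, keys, expected); return 'ok'; } catch (e) { return e.message; }
}

// Constructed expectations: what the app sent in the initial confirmation call.
const expected = { txPayload: 'Pay 100.00 USD to ACME', nonce: 'n-12345', aud: 'client-abc', sub: 'user-1' };
const { txPayload, ...ids } = expected;
const good = signSample({ ...ids, tx_hash: txHash(txPayload), iat: 1700000000 });
console.log(check(good, expected), '|', check(good, { ...expected, nonce: 'replayed' }));
```

In production the key would come from the certs URL in step 2, and `expected` would hold the values your backend stored when it started the transaction.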