Introduction
This guide is aimed at developers and will provide the necessary steps for integrating with the Trust SDK. The guide offers a step by step walkthrough on how to authenticate with TrustX and start a TrustX authentication or Identity Verification process through the Trust SDK.
To complete this guide, the reader must have access to the TrustX back office application in order to create API Keys and Process definitions. If the reader does not have access to the TrustX back office application, they can request access via support@daon.com
Add the Trust SDK to your Gradle Project
Alternatively, to get started with the the Trust SDK using Gradle, begin by adding the SDK to your Gradle project.
Copy the following AAR files to your module 'libs' folder. If you don't have a 'libs' folder then create one. New projects module 'libs' folder location should be 'My Application/app/libs'.
- daon-trust-sdk-1.0.x.aar
Open your module level Gradle settings file. New projects module Gradle settings location should be
My Application/app/build.gradle.Make the ‘libs’ folder easily accessible. To do that, add the following lines to your ‘module’ level Gradle file:
repositories { flatDir { dirs 'libs' }}By default, you might not have any settings for repositories in your ‘module’ level ‘build.gradle’ file. If this is the case, you can simply add it to the end of the file outside any other objects. Also, it is possible that you already have flatDir { dirs 'libs' } in your repositories. In this case, no change is necessary. If you are using a newer gradle version, there may be a requirement to add flatDir support to the ‘settings.gradle‘ file. It should be located in the same folder as the project-level ‘build.gradle‘ file. In ‘settings.gradle‘ add following lines:
dependencyResolutionManagement {
repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
repositories {
//Posible some other repositories
flatDir {
dirs 'libs'
}
}
}
- Add libraries for the Daon Trust SDK along with other necessary dependencies to your ‘module’ Gradle dependencies:
// You might already have other librarires/dependencies here you should leave them // as they are and just add yours in the new line//Daon Trust SDK and NFC SDK that are located in 'libs' folderimplementation fileTree(dir: 'libs', include: ['*.aar'])//QR Code Scannerimplementation('com.journeyapps:zxing-android-embedded:4.3.0') { transitive = false }implementation 'com.google.zxing:core:3.3.0' //Gsonimplementation 'com.google.code.gson:gson:2.11.0'//AppCompat, Material, Kotlin coreimplementation 'androidx.core:core-ktx:1.7.0'implementation 'androidx.appcompat:appcompat:1.6.0'implementation 'com.google.android.material:material:1.12.0'implementation 'androidx.constraintlayout:constraintlayout:2.1.4'//Reflectionimplementation 'org.jetbrains.kotlin:kotlin-reflect:1.7.10'Optional - Configure Local AAR Files
This is an alternative approach for environments that cannot access the Daon Maven registry. The Maven-based approach described above is recommended for all new integrations.
Copy the following AAR files to your module's
libsfolder. If you don't have alibsfolder, create one. The default location for new projects isMy Application/app/libs.daon-trust-sdk-1.0.x.aar
Open your module-level Gradle settings file (
My Application/app/build.gradle).Make the
libsfolder accessible. Add the following to yoursettings.gradlefile:
dependencyResolutionManagement { repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS) repositories { // ... your other repositories ... flatDir { dirs 'libs' } } }By default, you might not have any repository settings in your module-level build.gradle . If so, add the block to the end of the file outside any other objects. If flatDir { dirs 'libs' } is already present in your repositories, no change is necessary.
- Add the Trust SDK and other required dependencies to your module Gradle dependencies:
// app/build.gradle dependencies { // You might already have other libraries/dependencies here — leave them // as they are and just add yours on a new line // Daon Trust SDK located in the 'libs' folder implementation fileTree(dir: 'libs', include: ['*.aar']) // QR Code Scanner implementation('com.journeyapps:zxing-android-embedded:4.3.0') { transitive = false } implementation 'com.google.zxing:core:3.3.0' // Gson implementation 'com.google.code.gson:gson:2.11.0' // AppCompat, Material, Kotlin core implementation 'androidx.core:core-ktx:1.7.0' implementation 'androidx.appcompat:appcompat:1.6.0' implementation 'com.google.android.material:material:1.12.0' implementation 'androidx.constraintlayout:constraintlayout:2.1.4' // Reflection implementation 'org.jetbrains.kotlin:kotlin-reflect:1.7.10' }TrustX Integration Overview
Sequence Diagram with calls for a typical integration scenario.
This guide assumes that the user is integrating from a mobile application. In summary:
The End User starts the journey on a Relying Party's application, possibly by clicking on a button or a link to start the TrustX Identity Verification and Authentication journey.
The Relying Party makes a series of calls to TrustX. These calls serve a number of purposes:
- Authenticate the relying party so that they can makes calls to TrustX.
- Create a Process Instance from a Process Definition based on a Process Token.
The mobile application has imported the Trust SDK. See Android Trust SDK Native Interface for more information.
Start the Process Definition and redirect the End User to TrustX so that the end user can complete the journey.
A Relying Party is a term commonly used to refer to the entity wishing to establish a claim of Identity.
Step 1. Create Token
A Token is created by invoking the API call below:
POST https://{{tenant}}.{{region}}.trustx.com/api/arthr/apiKeys/issueContent-Type: application/jsonX-API-Key: {{apiKey}}{}A token grants access to the caller to invoke API calls on TrustX. Once the token is generated it can be reused, however it must be noted that the token has a 'time to live'. Once the 'time to live' has expired a new token must be generated.
When calling the API to issue a token, you will need to provide an API Key. This API Key is obtained from an API Key's secret. See the API Key Guide for information on how to manage API keys.
When the api/arthr/apiKeys/issue API is invoked, the response to this call provides a bearer token. This bearer token is used to authenticate subsequent calls to TrustX.
The permissions required for the APIs calls within this integration guide are as follows (note: replace {tenantid} with literal value):
TNT#{tenantid}#ProcessManager:addProcessTokenTNT#{tenantid}#ProcessManager:getProcessInstanceTNT#{tenantid}#UserDataServer:getProcessInstanceUserDataTokens should be protected - they should reside only in the back end service and should not be publicly shared by embedding in web pages. If a token is compromised it can provide bad actors access to your services and data in TrustX.
Step 2. Create Process Token
A process token is used to create process instances from a Process Definition. For more information on creating a Process Definition, see the Process Definition Guide. When creating the process token the process definition name and version must be supplied.
Daon recommends that the _redirectUrl uses the HTTPS protocol.
POST https://{{tenant}}.{{region}}.trustx.com/api/process-manager/processTokensContent-Type: application/jsonAuthorization: Bearer {{token}}{ "name": "My Process Token", "description": "A token that allows me to start create an instance of my process definition", "status": "ACTIVE", "type": "MULTI_USE_COUNT_LIMITED", "maxCount": 1, "processDefnName": "{{processDefnName}}", "processDefnVersion": "{{processDefnVersion}}", "uiUrl": "https://{{tenant}}.{{region}}.trustx.com/web/trustweb", "parameters": { "email": "myemail@daon.com", "_redirectUrl": "https://www.daon.com" }}When creating a process instance, extra parameters can be passed to provide additional information about the process. For example, the End User's details such as email, phone, first-name, surname, etc. can be passed as parameters. See the API Guide for more information.
Process Token Resource
The process token resource above contains the following attributes. See the API Guide for more information.
| Type | Description | |
|---|---|---|
| name | string | A unique name to describe the process token. |
| description | string | A short description of the token |
| status | string | The process token status. In the example above we create the token to be active. Valid values: ACTIVE,INACTIVE |
| type | string | The process token status. In the example above we create the token to be active. Valid values: UNLIMITED, MULTI_USE COUNT_LIMITED,_ MULTI_USE_TIME_LIMITED |
| maxCount | number | The number of times the token can be used. In the example above the token can be used once only. |
| processDefnName | string | The process definition name. Using the combination of process definition name and process definition version a specific process definition is bound to the process token to be used when a process instance created with a token (See Step 3.) |
| processDefnVersion | string | The process definition version. Using the combination of process definition name and process definition version a specific process definition is bound to the process token to be used when a process instance created with a token (See Step 3.) |
| uiUrl | string | The URI of the application to execute the process definition when the process instance is started. Currently on TruxtX user interfaces are supported. |
| parameters | Map<String,String> | A map of additional parameters can be supplied to provide extra information when the process instance is started. This additional parameter map could typically contain information such as:
These are typically attributes that are useful for searching for an ID&V applicant. Any set of additional parameters may be passed in. |
In order to set the redirect URL for the end of a process instance - a special parameter should be added to parameters map - _redirectUrl. This parameter is used to redirect the end user back to the relying party.
Step 3. Create Process Instance
Once a Process Token is created, it can be used to create the Process Instance.
POST https://{{tenant}}.{{region}}.trustx.com/api/process-manager/processInstances/create?pt={{ptoken}}Content-Type: application/jsonAuthorization: Bearer {{token}}The response provides the redirect URL that is then used to start the process definition.
Optional - Set Default Language
It is possible to set the default language by appending the redirect URL with the lang query parameter. This query parameter accepts an ISO language code as input in the format: redirectUrl + "&lang=<ISO language code>"
Example:
https://skyprod.oak.trustx-dev.com/web/trustweb/?pt=7BU2B6IHVVCZWE2PM5JMZW7GUE&lang=it
Step 4. End User completes Journey
The end user will be redirected to TrustX where they can complete the Identity Verification and Authentication journey as defined in the Process Definition.
Step 5. Getting Process Instance Status
Once the user has completed the journey the status of the process instance can be checked.
GET https://{{tenant}}.{{region}}.trustx.com/api/process-manager/processInstances/{{processInstanceId}}Authorization: Bearer {{token}}Alternatively webhooks can be used to get notification about the process instance at any stage in the process definition. For information on webhooks see the Webhooks Guide.
Step 6. Getting End User's provided Data
GET https://{{tenant}}.{{region}}.trustx.com//api/userdata-server/processDefinitions/{processDefnId}/processInstances/{processInstanceId}/userdataAuthorization: Bearer {{token}}| Type | Description | |
|---|---|---|
| processDefnId | String | The id of the process definition. This is generated when creating the process definition |
| processInstanceId | String | The id of the process instance. This is generated when creating the process instance. |
Optional: Appkeys Integration
Appkeys utilize the FIDO Universal Authentication Framework (UAF) specification to provide a passwordless solution to registration and authentication where an identity is bound to only one device or biometric profile without the need for passwords or QR codes.
To take full advantage of Appkeys in TrustX, it is necessary to integrate the FIDO SDK with the Trust SDK to
- Store Appkeys on a device for stronger security than the web-based alternative.
- Capture biometrics (face, fingerprint) to complete biometric-bound registration and authentication flows with Appkeys.
This section will describe the configuration steps to include the SDK with your Android application.
Dependencies
The xAuth FIDO SDK is provided as a Maven package on the same Daon registry configured in Add the Trust SDK to your Gradle Project. Make sure that setup is complete before continuing.
Step 1. Update the Version Catalog
Add the following entries to gradle/apps.versions.toml :
[versions]# Daon Trust SDK – shared with the core trust-* modulesdaon-trust = "1.8.10"# Daon vendor SDK – authenticator + fido-client-ktx share the same versiondaon-vendor = "5.0.79"daon-fido-crypto = "4.9.13"daon-fido-device = "4.9.10"daon-face = "5.3.87"biometric = "1.1.0"[libraries]daon-trust-appkeys = { group = "com.daon.sdk", name = "trust-appkeys", version.ref = "daon-trust" }daon-authenticator = { group = "com.daon.sdk", name = "authenticator", version.ref = "daon-vendor" }daon-fido-client-ktx = { group = "com.daon.sdk", name = "fido-client-ktx", version.ref = "daon-vendor" }daon-fido-crypto = { group = "com.daon.sdk", name = "fido-crypto", version.ref = "daon-fido-crypto" }daon-fido-device = { group = "com.daon.sdk", name = "fido-device", version.ref = "daon-fido-device" }daon-face = { group = "com.daon.sdk", name = "face", version.ref = "daon-face" }androidx-biometric = { group = "androidx.biometric", name = "biometric", version.ref = "biometric" }The AppKeysManager package can be imported by adding com.daon.trustsdk.appkeysManager to your project.
Step 2. Add Dependencies
Add the following to your module-level app/build.gradle :
// app/build.gradledependencies { // ... existing dependencies ... // Appkeys implementation apps.daon.trust.appkeys implementation apps.daon.authenticator implementation apps.daon.fido.client.ktx implementation apps.daon.fido.crypto implementation apps.daon.fido.device implementation apps.daon.face implementation apps.androidx.biometricAlternative - Local AAR Files
This is an alternative approach for environments that cannot access the Daon Maven registry. The Maven-based approach described above is recommended for all new integrations.
Copy the following AAR files into your module's libs folder and declare them as dependencies in app/build.gradle :
// app/build.gradledependencies { // ... existing dependencies ... implementation(name: 'com.daon.sdk.authenticator-5.0.xx', ext: 'aar') implementation(name: 'com.daon.sdk.fido-client-ktx-5.0.xx', ext: 'aar') implementation(name: 'com.daon.sdk.crypto-4.9.xx', ext: 'aar') implementation(name: 'com.daon.sdk.device-4.9.xx', ext: 'aar') implementation 'androidx.biometric:biometric:1.1.0'}Optional: NFC Integration
The Trust SDK supports optional integration of the NFC capture and processing using the TrustNFCManager class.
Step 1. Update Dependencies
To utilize NFC functionality in your project, first complete the setup described in Add the Trust SDK to your Gradle Project.
Update The Version Catalog
Add the following libraries to gradle/apps.versions.toml :
[versions]# Daon Trust SDK – shared with the core trust-* modulesdaon-trust = "1.8.10"daon-nfc = "1.3.57"jmrtd = "0.8.3"scuba = "0.0.26"spongycastle = "1.58.0.0"mlkit-text = "19.0.1"[libraries]daon-trust-nfcmanager = { group = "com.daon.sdk", name = "trust-nfcmanager", version.ref = "daon-trust" }daon-nfc = { group = "com.daon.sdk", name = "nfc", version.ref = "daon-nfc" }jmrtd = { module = "org.jmrtd:jmrtd", version.ref = "jmrtd" }scuba-sc-android = { module = "net.sf.scuba:scuba-sc-android", version.ref = "scuba" }spongycastle-prov = { module = "com.madgag.spongycastle:prov", version.ref = "spongycastle" }play-services-mlkit-text-recognition = { group = "com.google.android.gms", name = "play-services-mlkit-text-recognition", version.ref = "mlkit-text" }Add Dependencies
Add the following libraries to your module-level app/build.gradle :
// app/build.gradledependencies { // ... existing dependencies ... // NFC implementation apps.daon.trust.nfcmanager implementation apps.daon.nfc implementation apps.jmrtd implementation apps.scuba.sc.android implementation apps.spongycastle.prov implementation apps.play.services.mlkit.text.recognition}Alternative: Local AAR Files
This is an alternative approach for environments that cannot access the Daon Maven registry. The Maven-based approach described above is recommended for all new integrations.
// app/build.gradledependencies { // ... existing dependencies ... // Gson implementation 'com.google.code.gson:gson:2.11.0' // NFC implementation(name: 'com.daon.sdk.nfc-1.2.33', ext: 'aar') implementation(name: 'com.daon.sdk.trust.nfcmanager-1.5.31', ext: 'aar') implementation 'org.jmrtd:jmrtd:0.7.19' implementation 'net.sf.scuba:scuba-sc-android:0.0.26' implementation 'com.madgag.spongycastle:prov:1.54.0.0' implementation 'com.google.android.gms:play-services-mlkit-text-recognition:18.0.0'}Step 2. Initialization
The code sample below implements NFC functionality into the standard document and face capture flow. This occurs during initialization detailed in Step 5.
DaonTrustSDK daonTrustSDK = new DaonTrustSDK(this, new DaonEventListener() { public void onFail(DaonEvent event) { ... } public void onInfo(DaonEvent event) { ... } public void onSuccess(String description) { // On successful completion, get the Process Instance status. See Step 7. } } ); getLifecycle().addObserver(daonTrustSDK);//Configure NFC SDK options - OPTIONALTrustNFCManager trustNFCManager = new TrustNFCManager.Builder().build();daonTrustSDK.addTrustNFCManager(trustNFCManager);In the above sample, a new TrustNFCManager is defined and added to the DaonTrustSDK using the addTrustNFCManager(TrustNFCManager) method.
When the flow is started, NFC capture and processing will be included as part of the flow. To start the flow, define Trust SDK options and call the start(Options) method as highlighted in Step 5.
DaonOptions options = new DaonOptions(); options.setServerURL("URL-Generated-From-Step3"); options.setInitializationTimeout(15000L); //initialization timeout is expressed in millisecondsdaonSDK.start(options);ProGuard / R8 Configuration
When code shrinking or obfuscation is enabled (minifyEnabled true), some components may be removed or altered by ProGuard / R8, which can lead to runtime failures during NFC passport reading or certificate verification.
To ensure correct behavior, the following ProGuard rules must be added to your application's proguard-rules.pro file.
# JMRTD (Passport reading logic)-keep class org.jmrtd.** { *; }-dontwarn org.jmrtd.**# SCUBA (Smart card utility bridge)-keep class net.sf.scuba.** { *; }-keep class net.sf.scuba.smartcards.IsoDepCardService { *; }-dontwarn net.sf.scuba.**# BouncyCastle (Cryptographic provider)# Native algorithms and reflection-based provider lookups must be preserved-keep class org.bouncycastle.** { *; }-dontwarn org.bouncycastle.**See Also
Optional: Device Integrity Integration
The device-integrity module is an optional add-on to the Daon Trust SDK that collects Device Integrity Signals. Device Integrity Signals are used to collect rich, high-fidelity telemetry from every web and native session. Device signals can be used to uniquely identify visitors and additional device signals (for example, if a device is rooted/ jailbroken) that can be applied for further fraud analysis.
Requirements
| Requirements | Details |
|---|---|
| Minimum Android SDK | 24 (Android 7.0) |
| Runtime permissions (Optional) | ACCESS_FINE_LOCATION and ACCESS_COARSE_LOCATION are merged into the host manifest automatically via manifest merger. The coarse location permission is required. Note that accuracy will be lower without the fine location permission. See Step Three for more information. |
Quick Start
Step One: Add the Maven Repository
The Device Integrity Signals provider requires a dedicated Maven registry. Add it to your project's
settings.gradle in the dependencyResolutionManagement block:
dependencyResolutionManagement { repositories { // ... other repositories maven { url 'https://maven.fpregistry.io/releases' } }}Step Two: Add the Dependency
In the application module's build.gradle, add:
dependencies { implementation project(path: ':device-integrity') // or, when consuming the distributed AAR: implementation files('libs/com.daon.sdk.trust.deviceIntegrity-<version>.aar')}Step Three: Request Location Permissions at Runtime
The Device Integrity Signals provider uses location signals when the user grants access. Request the appropriate permissions before starting the SDK flow by performing the following request:
ActivityCompat.requestPermissions( this, arrayOf( Manifest.permission.ACCESS_FINE_LOCATION, Manifest.permission.ACCESS_COARSE_LOCATION ), PERMISSION_REQUEST_CODE)The coarse location permission is required. Note that accuracy will be lower without the fine location permission.
The following permissions are declared in the module's AndroidManifest.xml and merged into the host application's manifest automatically:
| Permission | Required | Purpose |
|---|---|---|
android.permission.ACCESS_COARSE_LOCATION | No | Used by the Device Integrity Signal provider. When granted - improves signal accuracy |
android.permission.ACCESS_FINE_LOCATION | No | Used by the Device Integrity Signal provider. When granted - improves signal accuracy |
Both are dangerous permissions on Android 6.0+ and must be requested at runtime by the host application. The SDK never requests permissions on behalf of the host app.
Step Four: Construct and Register DeviceIntegrityManager
Create the manager in your Activity.onCreate() and register it with your DaonTrustSDK instance before calling start() .
import com.daon.trustsdk.deviceIntegrity.DeviceIntegrityManager// Inside Activity.onCreate():val deviceIntegrityManager = DeviceIntegrityManager(applicationContext)daonTrustSDK.addDeviceIntegrityManager(deviceIntegrityManager)- Always pass
applicationContext— never pass anActivityreference to avoid memory leaks. addDeviceIntegrityManager()must be called beforedaonTrustSDK.start(options).
Full Initialization Example
The example below shows DeviceIntegrityManager in context alongside the other optional modules,matching the pattern used in the sample applications:
// 1. Create the SDK instanceval daonTrustSDK = DaonTrustSDK(this, object : DaonEventListener { override fun onSuccess(description: String) { /* handle success */ } override fun onFail(daonEvent: DaonEvent) { /* handle failure */ } override fun onInfo(daonEvent: DaonEvent) { /* handle info events */ }})lifecycle.addObserver(daonTrustSDK)val deviceIntegrityManager = DeviceIntegrityManager(applicationContext)daonTrustSDK.addDeviceIntegrityManager(deviceIntegrityManager)// 3. Start the flowval options = DaonOptions().apply { serverUrl = "https://your-server.example.com" }daonTrustSDK.start(options)