Authentication payload

To secure the communication between the application and the PKSA, they need to share some offline information, NOT transmitted over the Internet, that we will refer to as auth_req_payload. That information will not be available to the HAS.

It can be provided to the PKSA through a QR code that is displayed by the app and manually scanned by the user, or by using a deep-link when on mobile.

The auth_req_payload has the following structure:

    account: string,
    uuid: string,
    key: string,
    host: string

  • account: the username of the account performing the authentication.

  • uuid: the request identifier received with the auth_wait reply.

  • key: an app-generated encryption key (we recommend using a UUID).

  • host: URL of the HAS server to connect to (ex: "wss://")

With this information, the PKSA knows which host to connect to and which account it should register. It also knows it should receive an authentication request with a specific request identifier (uuid). Finally, it now owns a session encryption key (auth_key) that will be used to secure the authentication process and communication.

The PKSA should connect to the provided host and ask for the host encryption key.
