Skip to main content
Skip table of contents

JWT Enrolment

This is a generic mechanism that can be used whenever the user was already validated in a previous step. If the user is already known (was validated on the mobile app through credentials, was just enrolled in the system through a self-service), biometric information can be attached to that identity. This identity can be sent to the VeridiumID server through a JWT message signed with a predefined public-private key pair properly setup on the integration server and the VeridiumID server. 

The Integration server needs to generate a JWT message using user identity from its data store. The minimum requirement is that the token contains the sub claim with a unique value that can be used to identify the user, iss (issuer), aud (audience) and exp (expiration time - ms epoch time System time ). The sub value will be saved as a user primary key in the VeridiumID database. The signature is done with a chosen private key.

Other attributes read by Veridium are name, email and phone_number.

JWT Token Generation

To generate a JWT token can be used. Default pub - priv from can be used for testing, for private environments custom crypto pair should be used. First use these commands to generate the necessary crypto information (pub-priv keys used for signing).

openssl genrsa -out key.pem 2048
openssl rsa -in key.pem -outform PEM -pubout -out pubkey.pem
base64 pubkey.pem > pubkey.pem.b64

Paste the content of pubkey.pem and key.pem in the appropriate fields, choose RS256 as signing algorithm and fill in the JWT payload:

  • Payload Data :​​​

    Example: {​​​ "sub": "userId", "iss": "", "aud": "VeridiumID", "exp": 1657631390, "iat": 1619184075 }

The resulting JWT can be used as input for the JWT Enrollment step in VeridiumID.c

Alternatives for generating Pub-Priv pairs:

  • certificate generation / extraction

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 3650 -nodes

openssl x509 -pubkey -noout -in cert.pem > pubkey.pem

openssl x509 -outform der -in cert.pem -out cert.der

base64 cert.pem > cert.b64
  • Eliptic Curve keys

openssl ecparam -name prime256v1 -genkey -noout -out key.pem

openssl ec -in key.pem -pubout -out pubkey.pem

base64 pubkey.pem > pubkey.pem.b64

Admin Dashboard Configuration

In the Admin Dashboard two actions are required to enable the JWT enrolment:

  1. Choose JWT Enrolment step in the corresponding Integration’s details page. Edit the Jwt Enrollment step, navigate to 'Options' tab and set the issuer to the value configured in JWT above.

  2. Setup the integration to have Desktop Biometry as Server side only (for Kiosk)

  3. Policy should have “Has Desktop Touch Id Biometry” set to TRUE (for Kiosk)

  4. Create a journey with 4F Browser biometry ONLY. To make authentications with it, if it is not the only journey, the default selector can have a transition with the condition 'input.session.exploiterDeviceContext.serviceIdentifier == null'

  5. Setup the corresponding Public Key to be used for JWT validation under Configuration->adaptors->jwt.config.json. The Public key must be base64 encoded PEM (e.g. the cert.pem or pubkey.pem.b64 generated above). Also the config json needs to contain the audience and issuer expected claims values.

With these settings in place the VeridiumID server is capable of validating the JWT claims, extract necessary information for user creation and return a result back to the caller.


Starting 3.2 server version the supported PublicKey formats are Public keys (RSA or EC) in PEM format or Certificates with public key in PEM format. Until that version only Certificate format wes accepted.

Mobile calls

The JWT message can be requested explicitly by the Mobile app or passed as a registration response from the Integration server. The Mobile app will then call the MobileSDK enroll() API call with this value passed in the userEnrollmentToken parameter.


VIDMobileSDK.shared().enrollDelegate = self
let config = VIDEnrollmentConfig()
let jwt_msg = "<insert jwt_token>"
config.userEnrollmentToken = "{\"JWT\":\"\(jwt_msg)\"}"
VIDMobileSDK.shared().enroll(config: config)


String userToken = "{\"JWT\": \"<jwt_msg>\"}";
VeridiumIdPendingIntent pendingIntent = VeridiumMobileSDK.getInstance().enroll(BuildConfig.VERIDIUMID_SERVER_PAIRING_TOKEN, null);
if (pendingIntent.hasPendingIntent()) {
  try {
    pendingIntent.launchPendingIntent(getActivity(), MainActivity.RC_ENROLL);
  } catch (IntentSender.SendIntentException e) {

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.