SDK Authentication

JSON Web Tokens

The mCard SDKs use JSON Web Tokens (JWT) for user identification and authorization. JWT is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.

JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA. For more information, see https://jwt.io/introduction. Mobile application integration with the mCards platform requires the use of two types of tokens:

Each mCard SDK (other than the Auth SDK) requires an Authorization JWT during initialization. There are two ways to obtain an Authorization JWT:

  • Auth0
  • mCards

Obtaining Auth0 Authorization JWTs

The Auth SDK provides the ability to obtain Auth0 JWTs for authorization. If you choose to use Auth0 to provide the Authorization JWTs, the mCards team will provide you with the Auth0 settings (client ID and domain) required to initialize the Auth SDK.

Once the Auth SDK is initialized with these Auth0 values, it displays the Auth0 UI, which prompts the user for their phone number and the passcode received via SMS to log in.

Obtaining mCards Authorization JWTs

Developer partners can also choose to obtain mCards Authorization JWTs. This approach requires the developer partner's backend system to call an mCards endpoint to obtain the Authorization JWTs. These tokens can then be used to initialize any of the SDKs.

Regardless of which method you use to obtain your tokens, two different tokens will be returned to you:

  • Access Token - The Access Token is required to initialize all SDKs.
  • ID Token - Both the Access Token and ID Token are required for loading secure features marketplace webviews using the Features Marketplace SDK.