SDK Session Tokens

Starting with mobile SDK v2.0.0, the QoreID SDK is launched with a short-lived session token minted by your backend. Your clientId and secret never leave your server.

Why session tokens?

Session tokens follow the principle of least privilege: your client credentials stay on your backend, and each token is scoped to a single product (or a single workflow), expires within minutes, and can only be used once. This keeps the credential footprint on the device as small as possible.

How it works

  1. Your backend calls POST /v1/sessions to mint a session token.
  2. Your backend passes the resulting sdkSessionToken to your app.
  3. Your app launches the SDK with sessionToken only — the product or workflow is encoded inside the token.

Mint a session — POST /v1/sessions

Auth: HTTP Basic — Authorization: Basic base64(clientId:secret) using your existing client credentials. This endpoint is backend-to-backend only; never call it from a browser or mobile client.

Headers: Content-Type: application/json. Optionally include an Idempotency-Key header to dedupe retries.

Request — collection session (one product)

{
  "productCode": "liveness",
  "reference": "integrator-txn-8842",
  "subjectRef": "user-internal-1192",
  "ttlSeconds": 120,
  "maxAttempts": 3
}
| Field | Description |
| --- | --- |
| productCode | Required for collection sessions. See Product Codes. |
| reference | Required. Your transaction reference. |
| subjectRef | Optional. A pseudonymous identifier for the subject — do not include PII. |
| ttlSeconds | Optional. Token lifetime in seconds; server-capped. |
| maxAttempts | Optional. Maximum redemption attempts; server-capped. |

Request — workflow session

Authenticate with the flow client's credentials.

{
  "type": "workflow",
  "workflowId": 123,
  "reference": "integrator-txn-8842"
}

type is optional and defaults to "collection". productCode (collection) and workflowId (workflow) are mutually exclusive.

Success — 201

{
  "sessionId": "sess_...",
  "sdkSessionToken": "<JWT to hand to the device>",
  "type": "collection", // collection | workflow
  "productCode": "liveness", // for collection type
  "workflowId": 123, // for workflow type
  "expiresAt": "2026-06-11T14:32:10.000Z"
}

productCode is present for collection sessions and workflowId is present for workflow sessions. Pass only sdkSessionToken to your app — the token is short-lived (minutes) and single-use.

Errors

| Code | Meaning |
| --- | --- |
| 400 | Missing/unknown productCode, or productCode/workflowId not valid for the session type |
| 401 | Invalid clientId/secret |
| 403 | Not subscribed to the product / credentials not valid for the workflow |
| 503 | Authentication service temporarily unavailable |

See the full endpoint reference here: Mint a Session Token.
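
The mint step above as backend code for Node.js; this is an added example, not QoreID's own code. The `baseUrl` value, the `sessionToken` field name returned to the app, and the function names are assumptions.

```javascript
// Added example: backend-side helpers for POST /v1/sessions.
// Assumptions (not from the page): baseUrl is a placeholder you supply, and
// idempotencyKey is generated once per mint and reused on every retry of it.
function buildMintRequest({ baseUrl, clientId, secret }, session, idempotencyKey) {
  const hasProduct = session.productCode !== undefined;
  const hasWorkflow = session.workflowId !== undefined;
  // productCode (collection) and workflowId (workflow) are mutually exclusive.
  if (hasProduct === hasWorkflow) {
    throw new Error('set exactly one of productCode or workflowId');
  }
  if (!session.reference) throw new Error('reference is required');
  const body = hasWorkflow ? { ...session, type: 'workflow' } : { ...session };
  const basic = Buffer.from(`${clientId}:${secret}`).toString('base64');
  return {
    url: `${baseUrl}/v1/sessions`,
    method: 'POST',
    headers: {
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/json',
      'Idempotency-Key': idempotencyKey,
    },
    body: JSON.stringify(body),
  };
}

// Reduce the mint response to the one field the device may receive.
function toDevicePayload(status, responseBody) {
  if (status !== 201) {
    const err = new Error(`session mint failed with HTTP ${status}`);
    err.retryable = status === 503; // documented as temporarily unavailable
    throw err;
  }
  if (!responseBody || typeof responseBody.sdkSessionToken !== 'string') {
    throw new Error('mint response has no sdkSessionToken');
  }
  return { sessionToken: responseBody.sdkSessionToken };
}

// Network wrapper; fetchImpl defaults to the global fetch (Node 18+).
async function mintSession(creds, session, idempotencyKey, fetchImpl = fetch) {
  const { url, ...init } = buildMintRequest(creds, session, idempotencyKey);
  const res = await fetchImpl(url, init);
  const json = await res.json().catch(() => null);
  return toDevicePayload(res.status, json);
}
```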

Launch the SDK with the token

Mobile SDK (v2.0.0)

val qoreIDParams = QoreIDParams()
    .sessionToken(sessionToken)   // from your backend (POST /v1/sessions)
    .inputData(inputData)         // optional; user prompted if omitted

qoreIdButton.params(qoreIDParams).registerForResult(activityResultLauncher)

The same launch works for both collection and workflow sessions — the token carries the mode. The workflow onFlowRequestId callback is unchanged.
See QoreID Android SDK, QoreID iOS SDK, QoreID React Native SDK and QoreID Flutter SDK for more.

Web SDK

await QoreID.start({
  token: 'eyJ...',          // from your backend (POST /v1/sessions)
  customerReference: 'unique-ref',
  applicantData: { firstname, lastname, email }, // optional
  ocrAcceptedDocuments: 'DRIVERS_LICENSE_NGA'    // optional
});

See Collection - Usage Examples, Workflow - Usage Examples and the QoreID Web SDK guide for more.