Prove® Platform Web SDK
Learn how to integrate the client-side web SDK into your web application.
Supported Languages
We provide client web SDKs in the following languages: JavaScript/TypeScript. You don’t need to use TypeScript to be able to use our SDK. TypeScript is just a layer of enhancements like types used during development, once you publish to production, the code will be running on end users browsers in JavaScript anyway.
Installation
The Prove® Platform Web SDK has an unpacked size of 171 kB, and a single dependency: @prove-identity/mobile-auth. Install the client SDK of your choice by running a command in your terminal, or by using a dependency management tool specific to your project.
Determine the Type of Flow: Mobile or Desktop
You can determine if the user is on a mobile or desktop browser using this example. If the isMobile is true, you should pass mobile to the Start() function on the server, otherwise you can pass desktop:
In a mobile flow, Mobile Auth is attempted first and if that fails, it will perform OTP validation on the mobile phone. In a desktop flow, an Instant Link is sent via text message to the mobile phone for verification.
In the mobile flow, once either Mobile Auth or the OTP validation is complete, the AuthFinishStep function will be called.
Mobile Auth
In order for Mobile Auth to succeed:
- The end user must not be using a VPN.
- Private Relay on iOS needs to be disabled.
When testing, you can ignore any Chrome error messages that mention ERR_TUNNEL_CONNECTION_FAILED - this is due to the VPN, but the SDK will still properly fallback to OTP.
In the desktop flow, a WebSocket will be opened for 2 minutes on the desktop browser while waiting for the user to click on the link in the text message. Once the link is clicked, the WebSocket will close and the AuthFinishStep function will be called.
Instant Link
If you are using Content-Security-Policy (CSP) headers, please ensure you allow wss: device.uat.prove-auth.proveapis.com and wss: device.prove-auth.proveapis.com or you may receive the error message in your browser console: Refused to connect to ... because it violates the following Content Security Policy directive.
Authenticate()
The SDK requires an authToken as a parameter for the Authenticate() function. This token is returned from the Start() call of the server SDK. The token is session specific so it can only be used for a single flow so it cannot be reused. It also expires after 15 minutes.
Retrieve authToken
To start the flow, you’ll need to send a request to your backend server with the phone number, flow type, and an optional challenge of either the date of birth (format: YYYY-MM-DD) or social security number (format: last 4 digits).
Setup Authenticator
Once you have the authToken, build the authenticator for both the mobile and desktop flows.
Validate the Mobile Phone
In the AuthFinishStep, you’ll specify a function to call once the possession checks are complete on the mobile phone. This endpoint on your backend server will then call the Validate() function to check if the phone number was validated. If it was successful, the server should return the results from the Challenge() function that will include user information. If it was not successful, the server won’t return user information. We’ve included a few example fields that should be returned and then pre-filled on a form for the user to verify. The AuthFinishStep will be called whether the possession checks completed successfully or were cancelled. In the event of cancellation, the server side should make a call to the Validate() function and it will return success=false.
OTP Configuration
There are two functions to implement for the OTP handling - a start and a finish step.
Note: Retry functionality is not supported in OTP.
In order to set the OTP handler, withOtpFallback(startStep: OtpStartStep | OtpStartStepFn, finishStep: OtpFinishStep | OtpFinishStepFn), OtpStartStep and OtpFinishStep interfaces should be implemented. The JavaScript snippet has a simplified example while the TypeScript snippet explains various situations.
Call the resolve(input: OtpStartInput) method to return the collected phone number to the SDK, where the phoneNumber value is wrapped with OtpStartInput.
If the phone number was already specified in the Start() call, then resolve(null) should be called to communicate to the SDK that the mobile app has the user’s agreement to deliver the SMS OTP message to the provided phone number.
Call the reject("some error message") method to communicate to the SDK any issues while trying to obtain the phone number. An error should be reported if the user explicitly cancels the SMS OTP transaction or presses the back button to leave the SMS OTP start step screen.
Call the resolve(result: OtpFinishResult) method to return the collected OTP value in which result variable should contain OnSuccess enum value for OtpFinishResultType and the OTP value wrapped in OtpFinishInput.
Call the reject("some error message") method to communicate to the SDK any issues while trying to obtain the OTP value. An error should be reported if the user explicitly cancels the SMS OTP transaction or presses the back button to exit out of the SMS OTP finish step screen.
Also call the resolve(result: OtpFinishResult) method to request a new SMS OTP message in which the result variable should contain OnResendOtp as enum value for OtpFinishResultType. The SDK will then initiate a new OtpStartStep.execute() call to allow the mobile app to restart the phone number collection logic. The SDK allows for up to 3 OTPs to be sent during the same authentication session.
Instant Link Configuration
There is one function to configuration for Instant Link.
Note: Retry functionality is not support in Instant Link.
In order to set the Instant Link handler, withInstantLinkFallback(startStep: InstantLinkStartStep | InstantLinkStartStepFn) requires implementing the InstantLinkStartStep interface. The JavaScript snippet has a simplified example while the TypeScript snippet explains various situations.
Call the resolve(input: InstantStartInput) method to return the collected phone number to the SDK, where the phoneNumber value is wrapped with InstantStartInput.
If the phone number was already delivered to the Prove server in the Start() call, then resolve(null) should be called to communicate to the SDK that the mobile app has the user’s agreement to deliver the Instant Link message to the provided phone number.
Call the reject("some error message") method to communicate to the SDK any issues while trying to obtain the phone number. An error should be reported if the user explicitly cancels the Instant Link transaction or presses the back button to leave the Instant Link start step dialog.
Verify the User Information
Once the user has made any edits to their pre-fill information, you should submit that information to the backend server so the Complete() call can then verify the user information.
Function Reference
The flow can be initiated with Authenticator.authenticate(), while an instance of Authenticator can be created using AuthenticatorBuilder.build().
The following methods can be used to configure Authenticator before instantiating. All methods return the same instance of AuthenticatorBuilder to allow chaining of the configuration methods.
withAuthFinishStep(step: AuthFinishStep | AuthFinishStepFn): AuthenticatorBuilder
This step customizes the handling of the authentication finish call. The implementation should call the customer’s backend to retrieve authentication results. The format of the response is defined by the customer to suit the application needs. This configuration is mandatory and must be specified by the application.
withRole(role: DeviceRole): AuthenticatorBuilder
Sets the authentication role for this device. It can be either Primary or Secondary. The Primary value should be set when the end user is on a mobile device web browser that can be registered directly with Prove system and later authenticated by verifying this registration. On other hand, the Secondary value should be set when the end user is on a desktop web browser, which is authenticated after receiving user feedback on their Primary device.
withMobileAuthImplementation(implementation: MobileAuthImplementation): AuthenticatorBuilder
Sets the implementation type for Mobile Auth authenticator. Possible values are Fetch or Pixel with Fetch set by default.
withDeviceIpAddress(deviceIp: string | (() => string | null) | null): AuthenticatorBuilder
Sets the public IP address for this device to be reported during device registration. If this method is not called, or the IP address value is null, the system will attempt to auto-detect the IP address using either an external service or, if not accessible, using the client’s IP address of the HTTP connection. The client’s public IP address is required for the successful Mobile Auth authentication.
withOtpFallback(startStep: OtpStartStep | OtpStartStepFn, finishStep: OtpFinishStep | OtpFinishStepFn): AuthenticatorBuilder
Configure start and finish handlers for SMS OTP authenticator. These handlers are required for collecting user input to enter the phone number where OTP codes will be delivered, and to enter received OTP codes.
withInstantLinkFallback(startStep: OtpStartStep | OtpStartStepFn): AuthenticatorBuilder
Configure handler for Instant Link authenticator. This handler is required for collecting user input to enter the phone number where Instant Link will be delivered.
build(): Authenticator
Finalizes the configuration and returns a new a instance of the Authenticator.
Was this page helpful?