Skip to main content

Documentation Index

Fetch the complete documentation index at: https://developer.prove.com/llms.txt

Use this file to discover all available pages before exploring further.

Use this guide when you already know you want Prove Unified Authentication with a server-side SDK (Go, Java, .NET, TypeScript, or JavaScript). When you finish, your backend can start a Unify session, poll for the final possession result, and—if you use customer-supplied possession—bind the phone to the Prove Key. For conceptual background (flows, possession variants, Prove Key), see Unified Authentication overview. For end-to-end wiring with the client SDKs, see Unified Authentication implementation guide. Prerequisites
  • Prove OAuth — Client ID and client secret (Authentication).
  • Client integration — Your front end uses a Prove Unify client SDK; this guide covers the backend calls those clients depend on.
HTTP endpoints for this how-to

Installation

Install the server-side SDK of your choice by running a command in your terminal, or by using a dependency management tool specific to your project. 
// The Go library is hosted on GitHub so you can use this command to import it
// to your Go application.
go get github.com/prove-identity/prove-sdk-server-go

// Ensure you import the SDK in your code like this:
import (
  provesdkservergo "github.com/prove-identity/prove-sdk-server-go"
  "github.com/prove-identity/prove-sdk-server-go/models/components"
)
For request and response field definitions, use the API reference pages linked in each section below.

Authentication

To access the Prove API, configure your OAuth 2.0 client ID and client secret. You can use environment variables or another method: 
clientID := os.Getenv("PROVE_CLIENT_ID")
clientSecret := os.Getenv("PROVE_CLIENT_SECRET")

proveEnv := "uat-us" // Use UAT in US region.

client := provesdkservergo.New(
	provesdkservergo.WithServer(proveEnv),
	provesdkservergo.WithSecurity(components.Security{
		ClientID:     provesdkservergo.String(clientID),
		ClientSecret: provesdkservergo.String(clientSecret),
	}),
)
When you test in the European Union, set proveEnv to uat-eu.
Token ExpirationThe OAuth token expires after 60 minutes. If it expires, generate another token.

Unify()

Add an endpoint to your server such as POST /unify so the front end can submit the possession type and phone number. On the back end, start a Prove Unified Authentication flow with a call to the Unify() function. This function takes these required parameters:
  • Possession Type: specify mobile, desktop, or none for customer-supplied possession to describe which type of device the end user is starting their flow on.
  • Phone Number: phone number of the end user.
In sandbox, the phone number field determines which scenario to test. If you forget to pass in the phone number of a valid test user, then it returns a “no test user found matching the phone number” error.
Timeouts (operational)desktop uses Instant Link (three minutes from SMS send to link use). mobile tries the Prove Key first, then can fall back to OTP (two minutes from SMS send to code entry). For how possession variants fit together, see Unified Authentication overview.
Everything else — Optional fields (for example finalTargetUrl when possessionType=desktop, checkReputation, identifiers, deviceId, rebind, allowOTPRetry) are documented on POST /v3/unify. Set them according to your product rules.
For OTP retries (allowOTPRetry), implement the matching client behavior described in Unified Authentication implementation guide.
rspUnify, err := client.V3.V3UnifyRequest(ctx, &components.V3UnifyRequest{
	PossessionType: "desktop",
	FinalTargetURL: provesdkservergo.String("https://google.com"),
	PhoneNumber:    provesdkservergo.String("2001004014"),
})
if err != nil {
	t.Fatal(err)
}
Use these fields from the Unify() response
  • Auth token — When Prove-led possession applies, return this to the client for Authenticate(). Short-lived JWT scoped to this session.
  • Correlation ID — Persist on the server and pass into UnifyStatus() for the same flow. Expires 15 minutes after this response.
  • Success — On this first call, expect pending while possession runs.
For every response field, JWT behavior, and errors, see POST /v3/unify.

UnifyStatus()

After the client finishes possession, call UnifyStatus() with the correlation ID from Unify() to read the final outcome (including success). This maps to POST /v3/unify-status. Required
  • Correlation ID — UUID returned by Unify(). Format: ^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$.
rspUnifyStatus, err := client.V3.V3UnifyStatusRequest(ctx, &components.V3UnifyStatusRequest{
	CorrelationID: &rspUnify.V3UnifyResponse.CorrelationID,
})
if err != nil {
	t.Fatal(err)
}
The function returns the following fields: For the full response schema and status semantics, see POST /v3/unify-status. You can then respond to the front end with the results of the authentication.

UnifyBind()

Customer-supplied possession only: after your possession check succeeds, call UnifyBind() to bind the phone to the Prove Key. This maps to POST /v3/unify-bind. Required
  • Correlation ID — From the Unify() response.
  • Phone number — To bind to the Prove Key.
Optional fields (for example clientRequestId) are listed on POST /v3/unify-bind. 
rspUnifyBind, err := client.V3.V3UnifyBindRequest(context.TODO(), &components.V3UnifyBindRequest{
	CorrelationID: rspUnify.V3UnifyResponse.CorrelationID,
  PhoneNumber:   "2001004018",
})
if err != nil {
	return fmt.Errorf("error on UnifyBind(): %w", err)
}
The function returns the following fields:
  • Success: true if the binding succeeded, false if it failed.
  • Phone Number: the phone number bound to the Prove Key.
  • clientHumanId: a client-generated unique ID to identify a specific customer across business lines.
  • clientRequestId: a client-generated unique ID for a specific session.
  • deviceId: the unique identifier for the Prove Key on the device.
For all response fields and errors, see POST /v3/unify-bind. Interpret evaluation using the Global Fraud Policy when present.

Related topics

Client-Side iOS SDKSet up Prove SDKs in your projectClient-Side Web SDKImplement Prove Possession Using The Web SDK