Skip to main content

Overview

πŸ“± GuardianKey Mobile SDK​

The GuardianKey Mobile SDK brings Auth Security XE (checkaccessxe) to native mobile apps. It is a Kotlin Multiplatform (KMP) library that you call at the login step of your own Android/iOS application β€” exactly the way the reference demo app does. For each login attempt the SDK collects device and behavioral information, builds a gkas_solution token, and your backend forwards it to GuardianKey, which returns a risk decision (ALLOW / BLOCK).

It is the mobile equivalent of the web collector: where the browser runs a JavaScript snippet on the login form, the SDK runs the same logic natively.

πŸ”’ The contents and format of gkas_solution are intentionally not documented β€” treat it as an opaque token. You never need to read, build or parse it: the SDK produces it, your app forwards it to your backend, and your backend forwards it unchanged to checkaccessxe. This page and the integration guides cover everything required to integrate; the internal payload is a black box by design.

🧩 What you integrate​

PieceWho provides itRole
Mobile SDK (io.guardiankey.gkas)GuardianKey (this SDK)Collects signals, builds the gkas_solution token, talks to your backend.
Your app (Android/iOS)YouCalls the SDK during login and reacts to the decision.
Your backend (REST)YouExposes GET /config and POST /login; calls checkaccessxe server‑side with your GuardianKey credentials.

πŸ” GuardianKey credentials (key/iv/agentId/…) live only on your backend. The mobile app never holds them. The app only talks to your backend.

πŸ”„ Login flow​

The SDK exposes three calls. A login screen drives them in order:

        β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”   1. fetchConfig()      β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
        β”‚   Your app  β”‚ ──────────────────────▢ β”‚ Your backend β”‚  GET /config
        β”‚  (login UI) β”‚ ◀────────────────────── β”‚   (REST)     β”‚  β†’ salt, once, time, policy, url
        β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜   salt/once/time/policy β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
              β”‚
              β”‚ 2. buildSolution(config, username)
              β”‚    collect signals + resolve identity β†’ gkas_solution (opaque token)
              β–Ό
        β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”   3. login(LoginRequest) β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”   checkaccessxe   β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
        β”‚   Your app  β”‚ ──────────────────────▢  β”‚ Your backend β”‚ ────────────────▢ β”‚ GuardianKeyβ”‚
        β”‚             β”‚ ◀──────────────────────  β”‚              β”‚ ◀──────────────── β”‚    XE      β”‚
        β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜   decision: ALLOW|BLOCK  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜   risk decision   β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
              β”‚
              β”œβ”€ ALLOW β†’ enter the app (Home)
              └─ BLOCK β†’ stay on login, show the block message
  1. fetchConfig() β€” GET /config returns salt, once (one‑time nonce), time, url and a policy that tells the SDK which identity tier to use.
  2. buildSolution(config, username) β€” collects signals, resolves the device identity, and returns the gkas_solution (an opaque token). username is the field value bound to this attempt.
  3. login(LoginRequest(...)) β€” POST /login with the credentials and the gkas_solution. The backend validates/consumes the once, calls checkaccessxe, and returns a normalized decision.

πŸͺͺ Device identity tiers​

The backend's policy.tiers selects, in cascade with fallback, how the device identifies itself for the attempt. The only thing the integrator needs to know is the user‑facing behavior:

TierUser experience
biometricShows a biometric prompt (fingerprint/face) during login.
softwareSilent β€” no prompt.
uuidSilent fallback when stronger tiers are unavailable.

On iOS the same tiers map to the platform's native mechanisms (currently provided as compilable stubs β€” see the iOS page).

πŸ“¦ Collected signals​

During buildSolution() the SDK gathers a range of device and behavioral information (such as biometric/identity signals, touch behavior, among others) and packs it into the opaque gkas_solution token.

What matters for integration:

  • Best‑effort, never blocks login. Every collector tolerates missing permissions or unavailable hardware β€” if something can't be read, it is simply omitted and login still proceeds.
  • No typed content is captured (e.g. behavioral touch signals record timing, not what the user types).
  • Permissions are optional. Granting more runtime permissions yields richer signals, but denying them never breaks the flow. See the Android guide for the permission list.

⏭️ Next steps​