Trusted Authentication

Overview

Authentication is the process of verifying the phone number associated with a User profile through an SMS code. This is how Astra Authenticates Users before they Authorize your Client. Any action by the User in Astra's SDK requires an active, non-expired Authentication.

Note: Re-Authentication is required when the User changes their phone number or is using Astra on a new device.

Trusted Authentication is a joint solution developed by Astra and trusted Clients that enables access to Astra for all Users who have successfully completed mobile 2FA with a Client, providing a more streamlined onboarding experience. If a User has Authenticated with your Client in the last 30 days, Astra will “trust” this Authentication and allow the User to bypass the Authentication step prior to providing an Authorization for your Client.

Astra's Authentication Service

Approval

Trusted Authentication requires a level of trust between your company and Astra. In order to ensure a high level of security for all parties, Astra requires all trusted Clients to fill out an Authentication security questionnaire.

  1. Do you use phone number / mobile 2FA to authenticate your Users? If not, please share how.
  2. When do you Authenticate Users? ex: During onboarding? When a phone number changes? When they add or change sensitive information?
  3. When do you Re-authenticate Users?
  4. How long does an authenticated User's session last? ex: 15 minutes, 24 hours, 1 week, 30 days

Client Configuration

Your Client will need to provide a secure API endpoint that Astra can access to retrieve customer information. The response must include a last Authenticated time and a phone number that matches the phone number on the Astra UserIntent or User. Once that endpoint has been reviewed and approved, Astra will enable your Client for Trusted Authentication.

Example Endpoint
Endpoint: GET /v1/customers/123456
Example Response:

    {
      "customer_id": "123456",
      "first_name": "Jane",
      "last_name": "Doe",
      "phone": "+15555551234",
      "last_authentication_time": "2023-01-01T13:47:13.920Z"
    }
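The trust decision the section above describes (phone on the Client record matches the Astra User, and the Client's last Authentication falls within the 30-day window) is shown below as an added example. It is not Astra's code; the record shape is the example response above, and the phone normalization rule, the future-timestamp tolerance and the sample timestamps are constructed for the example.

```python
"""Added example (not Astra's code): the Trusted Authentication check applied
to a customer record returned by a Client's /v1/customers/{id} endpoint.

Assumptions (not from the page): the phone to compare against is the
User/UserIntent phone in E.164 form, the 30-day window is measured in UTC,
and a small clock-skew tolerance is allowed for timestamps slightly ahead
of "now".
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

TRUST_WINDOW = timedelta(days=30)       # from the page: trusted if authenticated in the last 30 days
CLOCK_SKEW = timedelta(minutes=5)       # constructed tolerance for slightly-ahead Client clocks


def parse_rfc3339(ts: str) -> datetime:
    """Parse 'YYYY-MM-DDTHH:MM:SS[.fff]Z' into an aware UTC datetime.
    datetime.fromisoformat() only accepts a trailing 'Z' from Python 3.11 on,
    so the 'Z' is rewritten as an explicit +00:00 offset first."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError("timestamp must carry a timezone offset")
    return dt.astimezone(timezone.utc)


def normalize_phone(phone: str) -> str:
    """Reduce a phone number to digits-only E.164 form (constructed rule):
    '+1 (555) 555-1234' and '+15555551234' compare equal."""
    digits = re.sub(r"\D", "", phone)
    if not 8 <= len(digits) <= 15:
        raise ValueError(f"implausible phone number: {phone!r}")
    return "+" + digits


def is_trusted(record: dict, astra_phone: str,
               now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Return (trusted, reason). Trusted only when the Client record is well
    formed, its phone matches Astra's phone for the User, and the Client's
    last Authentication is neither in the future nor older than the window."""
    now = now or datetime.now(timezone.utc)
    try:
        record_phone = normalize_phone(record["phone"])
        last_auth = parse_rfc3339(record["last_authentication_time"])
    except (KeyError, TypeError, ValueError) as exc:
        return False, f"malformed record: {exc}"
    if record_phone != normalize_phone(astra_phone):
        return False, "phone mismatch"
    if last_auth > now + CLOCK_SKEW:
        return False, "last_authentication_time is in the future"
    if now - last_auth > TRUST_WINDOW:
        return False, "last authentication older than 30 days"
    return True, "trusted"


# Constructed sample record, mirroring the example response above.
SAMPLE_RECORD = {
    "customer_id": "123456",
    "first_name": "Jane",
    "last_name": "Doe",
    "phone": "+15555551234",
    "last_authentication_time": "2023-01-01T13:47:13.920Z",
}

if __name__ == "__main__":
    fresh = parse_rfc3339("2023-01-20T00:00:00Z")   # 19 days after the sample Authentication
    stale = parse_rfc3339("2023-03-01T00:00:00Z")   # ~59 days after it
    print(is_trusted(SAMPLE_RECORD, "+1 (555) 555-1234", now=fresh))  # (True, 'trusted')
    print(is_trusted(SAMPLE_RECORD, "+15555551234", now=stale))       # (False, 'last authentication older than 30 days')
    print(is_trusted(SAMPLE_RECORD, "+15555559999", now=fresh))       # (False, 'phone mismatch')
```

The phone comparison runs before the time comparison on purpose: a fresh Authentication on a record whose phone does not match the Astra User is the case the questionnaire above is designed to rule out, and it is reported as a mismatch rather than as "trusted".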

Trusted Authentication Flow

Step 1: Generating a Partner Identity Verification Token

The first step in Authenticating a User is generating a short-lived (1 minute), one-time-use Partner Identity Verification Token. In order to generate a token, your Client must provide a customer_id from your system (to be verified by Astra), as well as the Astra user_id, user_intent_id, or business_profile_id of the User.

Client Request
Endpoint: POST /v1/partner/identity/verification
Headers:

    {
      "Content-Type": "application/json",
      "Accept": "application/json",
      "Authorization": "Basic ****"
    }

Body:

    {
      "provider": "ClientXYZ",
      "provider_data": {
        "customer_id": "123456"
      },
      "client_id": "client_123456",
      "user_id": "user_123456",
      "user_intent_id": "user_intent_123456",
      "business_profile_id": "busines_profile_123456"
    }

Astra Response

    {
      "token": "token_123456"
    }

Notes:

  - Only provide one of user_id, user_intent_id, or business_profile_id.
  - Provide a user_intent_id if you are signing up the User for Astra's services (Authorizing).
  - Provide a user_id if you are signing them in (Authenticating).
  - Provide a business_profile_id if you are signing up a business user (Authorizing).

Step 2: Authenticating a User

Once your Client has a Partner Identity Verification Token, the User should be directed to the Astra Web SDK with the following query string parameters.

Parameter            Required   Description
session_token        required   the Partner Identity Verification Token string
user_intent_id       required   required when initially onboarding a personal user
business_profile_id  required   required when initially onboarding a business user
client_id            required   your Developer Client ID
user_id              optional   user_id used in the initial token creation request
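
Steps 1 and 2 together, as an added example that is not Astra's code or SDK: it builds the token request from Step 1 while enforcing the "exactly one of user_id, user_intent_id, business_profile_id" rule from the notes, and builds the Web SDK redirect URL from the parameters in the table above. The API host, the SDK host and the Basic credential are placeholders, and nothing is sent; the functions return what would be sent so it can be inspected.

```python
"""Added example (not Astra's code): assemble the Step 1 token request and
the Step 2 Web SDK redirect for Trusted Authentication.

Assumptions (not from the page): ASTRA_API_BASE and ASTRA_SDK_BASE are
placeholder hosts, and `basic_credential` is the already-encoded value that
goes after "Basic " in the Authorization header. Endpoint path, header names
and body field names are the ones shown on the page.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

ASTRA_API_BASE = "https://api.example.invalid"   # placeholder, not Astra's host
ASTRA_SDK_BASE = "https://sdk.example.invalid"   # placeholder, not Astra's host

IDENTITY_FIELDS = ("user_id", "user_intent_id", "business_profile_id")


def _exactly_one(**ids: Optional[str]) -> Tuple[str, str]:
    """Return the single (field, value) pair that was supplied; the notes
    above require exactly one of the three identifiers per request."""
    present = {k: v for k, v in ids.items() if v}
    if len(present) != 1:
        raise ValueError(
            f"provide exactly one of {', '.join(ids)}; got {sorted(present) or 'none'}")
    return next(iter(present.items()))


def build_token_request(provider: str, customer_id: str, client_id: str,
                        basic_credential: str, *,
                        user_id: Optional[str] = None,
                        user_intent_id: Optional[str] = None,
                        business_profile_id: Optional[str] = None):
    """Return (url, headers, body) for POST /v1/partner/identity/verification.
    `body` is a dict; serialize it with json.dumps() when sending."""
    field, value = _exactly_one(user_id=user_id, user_intent_id=user_intent_id,
                                business_profile_id=business_profile_id)
    body: Dict[str, object] = {
        "provider": provider,
        "provider_data": {"customer_id": customer_id},   # verified by Astra against your endpoint
        "client_id": client_id,
        field: value,                                    # only the one identifier that applies
    }
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Authorization": f"Basic {basic_credential}",
    }
    return ASTRA_API_BASE + "/v1/partner/identity/verification", headers, body


def build_sdk_url(session_token: str, client_id: str, *,
                  user_intent_id: Optional[str] = None,
                  business_profile_id: Optional[str] = None,
                  user_id: Optional[str] = None) -> str:
    """Build the Web SDK URL from the query parameters in the table above.
    The token is one-time-use and expires after 1 minute, so build this URL
    immediately after the token response arrives."""
    if not session_token:
        raise ValueError("session_token (the Partner Identity Verification Token) is required")
    params = {"session_token": session_token, "client_id": client_id}
    if user_intent_id:
        params["user_intent_id"] = user_intent_id
    if business_profile_id:
        params["business_profile_id"] = business_profile_id
    if user_id:
        params["user_id"] = user_id
    return ASTRA_SDK_BASE + "/?" + urlencode(params)   # urlencode escapes the values


if __name__ == "__main__":
    # Onboarding a personal user: user_intent_id only (Authorizing).
    url, headers, body = build_token_request(
        "ClientXYZ", "123456", "client_123456", "PLACEHOLDER_CREDENTIAL",
        user_intent_id="user_intent_123456")
    print(url, headers, body, sep="\n")
    # Astra's response would carry the token; "token_123456" is the page's sample value.
    print(build_sdk_url("token_123456", "client_123456", user_intent_id="user_intent_123456"))
```

Keeping the request body construction behind `_exactly_one` means a caller that passes both a user_id and a user_intent_id fails locally with a clear message instead of sending an ambiguous request; the same identifier then goes into the SDK URL so the token and the redirect refer to the same User.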

Example with Query Strings