1 of 37

Mobile SDK

Keyless SDK Documentation

Nothing to remember. Nothing to steal. You are the key.

Key steps embed privacy-preserving biometric authentication in your mobile applications:

Step 1: Understand how the Keyless components interact with your application server.

Step 2: Understand a typical biometric authentication flow and how it interacts with your application.

Step 3: Follow the getting started guide for Android or iOS.

Introduction

Components

Learn about the interaction between Keyless components

The diagrams below show how the Keyless SDK, which runs within your mobile app on the user’s device, interacts with your application server and with the Keyless network.

Enrollment

During enrollment, your mobile app invokes the enroll method from the Keyless SDK, and then:

Guides the user through capturing a biometric signal with the device camera.
Interacts with Keyless to generate a new user identifier (Keyless ID), which is then returned to your mobile app.

Authentication

Authentication involves your application server, your mobile app, and the Keyless network, as depicted in Figure 2:

This process starts when the user performs an action that requires authentication using your mobile app.
The app provides the details of this action to your application server, which generates a challenge. The challenge is sent to the mobile app, which uses the Keyless SDK to compute the corresponding authentication token using the authenticate method.
The Keyless SDK authenticates the user by capturing the user’s biometrics using the mobile device’s camera.
The Keyless SDK connects to the Keyless network, and runs a secure multi-party computation protocol that authenticates the user and generates the authentication token in response to the challenge provided in Step 2. The Keyless SDK returns the authentication token to the mobile app.
The app sends the token to your application server, which verifies it.
If the authentication token is valid, the application server completes the transaction and notifies your mobile app.

Account Deletion

Account deletion is similar to authentication. First, your mobile app performs authentication steps 1-6, then it notifies your application server that the user wants to delete the account. Next, your mobile app invokes the deEnroll method from the Keyless SDK. This method issues a deletion request to the Keyless network (Step 7). The request removes all data associated with the user from the Keyless network.

Sample Apps

A description of, and links to, the Keyless sample apps to support integrators with a working example.

Keyless has created sample apps in both Android and iOS as companions to the official documentation. This effectively shows our SDKs working inside a basic application that can perform both Enrollment and Authentication flows.

This supports:

Developers who want to integrate and use the Keyless Mobile SDK in their apps, by allowing them to see the SDK functioning inside a working app or emulator.
A working demonstration of our SDK to see it in action.

The below links will launch the relevant github pages in a new tab:

Mobile SDK Guide

1️⃣ Getting started

In this short guide, you will learn how to integrate the Keyless SDK in your Android or iOS mobile application, and enroll and authenticate users through the Keyless platform.

Before jumping into your code editor, make sure that you're familiar with the various components of the authentication system, and common biometic authentication flows.

Prerequisites

Make sure you have both required API keys, and the list of productions hosts from your Keyless contact:

YOUR_CLOUDSMITH_TOKEN to download the SDK from cloudsmith repository
KEYLESS_API_KEY to configure the mobile SDK
KEYLESS_HOSTS a list of node URLs. Urls in KEYLESS_HOSTS must NOT contain any trailing slashes /.

Review the Keyless SDK requirements:

The Keyless SDK uses

(API level 23) and above

Installation

Keyless Anti-Inject variant for enhanced frames injection prevention

If you are using the anti-inject SDK variant with runtime application self protection - RASP, you need to:

Set the package repository partners-rasp-* communicated to you by our Delivery team.

To allow Keyless to handle the result of , you must call Keyless from an Activity implementing .
Extend any androidX activity that implements the interface for you, for example let your Activity extend the generic or the more widespread .
If you use Proguard, add the following rules to your Proguard configuration file:

Essential configuration

There is some essential configuration to do before you can use the Keyless SDK.

Initialize the Keyless SDK in your Application class:

If your application crashes due to java.lang.IllegalStateException: Attempting to launch an unregistered ActivityResultLauncher or while using React/Native bridges you can't receive a completion result at the end of an enrollment, it may be due to a difference between your applicationId and the namespace

Additional configuration

As well as the essential configuration parameters, you can also specify the optional configuration parameters detailed in the following sections. Details of these configuration options can be summarised in the relevant sections throughout the Mobile SDK (i.e. , etc.) and you can inspect the Config class to see optional parameters (or the builder to see exposed methods). Some of the more the more generic configurations are described below for convenience.

Shared circuits

This is the target desired number of circuits kept on the server. To set this number use the numberOfSharedCircuits.

Networking module

If you need to perform network requests on behalf of the Keyless SDK, you can implement the KLNetworkingModule interface. Set the networkingModule parameter with an instance of the KLNetworkingModule:

2️⃣ Enrollment

Enrollment is the process of registering a new user by connecting their facial biometrics to a Keyless account. During this process, a full and unobstructed view of the user's face is required.

val configuration = BiomEnrollConfig()

Keyless.enroll(

let configuration = BiomEnrollConfig()

Keyless.enroll(

val configuration = EnrollmentConfiguration.builder.build()

Keyless.enroll(
  enrollmentConfiguration = configuration,
  onCompletion = { result ->
    when (result) {
      is Keyless.KeylessResult.Success -> Log.d("KeylessSDK ", "Enroll success - userId ${result.value.keylessId}")
      is Keyless.KeylessResult.Failure -> Log.d("KeylessSDK ", "Enroll failure - error code ${result.error.code}")
    }
  }
)

let configuration = Keyless.EnrollmentConfiguration.builder.build()

Keyless.enroll(
  enrollmentConfiguration: configuration,
  onCompletion: { result in
    switch result {
    case .success(let enrollmentSuccess):
        print("Enrollment finished successfully. UserID: \(enrollmentSuccess.keylessId)")
    case .failure(let error):
        print("Enrollment finished with error: \(error.message)
    }
  })

import 'package:keyless_flutter_sdk/keyless.dart';
import 'package:keyless_flutter_sdk/models/configurations/enrollment_configuration.dart';

final configuration = BiomEnrollConfig();

try {
  final result = await Keyless.instance.enroll(configuration);
  print("Enrollment finished successfully. UserID: ${result.keylessId}");
} catch (error) {
  print("Enrollment finished with error: $error");
}


import Keyless, { BiomEnrollConfig } from '@react-native-keyless/sdk';

const enrollUser = async () => {
  const enroll = new BiomEnrollConfig();

  const result = await Keyless.enroll(enroll);

  result.fold({
    onSuccess: (data) => {
      console.log(`Enrollment finished successfully. UserID: ${data.keylessId}`);
    },
    onFailure: (error) => {
      console.error('Enrollment finished with error:', error);
    },
  });
};

enrollUser();

Enrollment configuration

You can configure the enrollment process with optional parameters in your BiomEnrollConfig() instance or using the builder pattern methods from the EnrollmentConfiguration builder.

Enrollment success result

Depending on the configuration you created for the Enrollment, Keyless will populate the corresponding fields in the EnrollmentSuccess result reported below.

Delaying the Keyless evaluation/decision

By default, our biometric decision making process initiates immediately on the camera being invoked and the camera preview showing. We believe this offers the maximum level of security in that an attacker is given no additional preparation time in front of the camera view, while at the same time we have looked to optimise the experience for genuine users i.e. delivering both approve and reject decisions in a way that feels natural and understandable to users. However, we recognise that our customers, and their users, have different contexts and preferences and therefore the cameraDelaySeconds configuration is available to specify the delay (in seconds) between when the camera preview appears, and when the liveness processing starts. In effect, no decision, whether \

Please note we advise careful consideration when implementing this feature for two reasons: i) While this allows users to frame themselves and have longer to understand what is happening, is also time for any attackers to also optimise their framing. ii) Implementing will ultimately mean that the "happy path" flow for all users is extended. If the delay is set for too long, some customers have noted that there is also the potential for some users to become frustrated and cancel/drop the flow. We're happy to engage further in what the best trade-offs may be for customers, given our wide-ranging experience of assisting customers in live implementations.

Secret management

During enrollment you can create, update, retrieve, and delete secrets, as well as list all stored secret IDs. Use savingSecret, retrievingSecret, deletingSecret, and shouldRetrieveSecretIDs configuration parameters. Retrieved secrets and secret IDs are available in the EnrollmentSuccess response. See for full details.

JWT Signing info

You can specify a payload to be added to a JWT signed by Keyless with the jwtSigningInfo parameter, more in .

Liveness Settings

Using livenessConfiguration you can configure the liveness security level during enrollment. The possible liveness configuration are under LivenessSettings.LivenessConfiguration :

You can also specify a livenessEnvironmentAware that is by default se to true to enhance liveness detection. This parameters helps to ensure the user is in a suitable setting for verification.

More details on liveness in the dedicated section.

Operation info

The parameter operationInfo specifies a customizable unique operation identifier and associated payload stored on the Keyless backend if the enrollment succeeds. Use this to add an extra level of confirmation in your operations.

Details on how to query our backend for stored operations are available on .

Client State

Keyless users can be enrolled via , Identity Verification Bridge. As a result of IDV-Bridge enrollment you receive a client state useful to register users in your app without undergoing the full enrollment flow.

Use the clientState parameter to register users from a client state obtained through IDV-Bridge.

You can also use a client state to recover an account of an existing user who lost access to the account. Follow the guide on .

Enrollment Frame

Integrators can specify whether or not to retrieve an enrollment frame, acquired during the user’s selfie capture during the enrollment or account recovery flow. You can achieve this by setting shouldReturnEnrollmentFrame to true on the BiomEnrollmentConfig (defaults to false). If the enrollment succeeds, you can retrieve the frame from the returned EnrollmentSuccess, via enrollmentFrame.

Enrollment circuits

To speed up enrollment you can use the numberOfEnrollmentCircuits to upload less than the default of five circuits upon enrollment. The remainder (50 - numberOfEnrollmentCircuits) are uploaded asynchronously.

Presentation Style

Use the presentationStyle parameter in BiomEnrollConfig to control how the enrollment UX/UI is presented during the enrollment flow.

Full Screen (default): Shows the standard full-screen enrollment experience.
Overlay: Shows a streamlined and faster UX/UI, consistent with the authentication experience.

Go to view the UI customization for this flow.

5️⃣ User and device management

The Keyless SDK "caches" the enrolled user locally on the device.

There are some use cases where it is possible to delete the user from server API and delete the device from server API. The Keyless SDK will not be notified about such deletions. For this reason if you try to authenticate a user or a device that have been deleted from server API you will get an error.

Call validateUserAndDeviceActive before authenticating, to validate that both the user and the device are still active in the Keyless backend, to avoid asking the user for biometric data which will still not let them authenticate.

Keyless.validateUserAndDeviceActive(
    onCompletion = { result ->
        when (result) {

Keyless.validateUserDeviceActive(
    completionHandler: { error in

try {
  await Keyless.validateUserAndDeviceActive();
  print("user and device active");
} catch (error) {
  print("user or device deactivated - error code: ${error.code}");
  // error code 1131 = user is not enrolled on the device (not even locally so did not check on backend)
  // error code 534 = user not found or deactivated on backend
  // error code 535 = device not found or deactivated on backend
}

import Keyless from '@react-native-keyless/sdk';

const validateUserAndDevice = async () => {
  const result = await Keyless.validateUserAndDeviceActive();

  result.fold({
    onSuccess: () => {
      console.log("user and device active");
    },
    onFailure: (error) => {
      console.error(`user or device deactivated - error code: ${error.code}`);
      // error code 1131 = user is not enrolled on the device (not even locally)
      // error code 534 = user not found or deactivated on backend
      // error code 535 = device not found or deactivated on backend
    }
  });
};

User identifier

Retrieve the user identifier with Keyless.getUserId():

Device identifier

The device is identified by its public signing key. To retrieve the public signing key use Keyless.getDevicePublicSigningKey():

Keyless SDK reset

Resetting the Keyless SDK to a clean state deletes local data from the device, but does not de-enroll the user from the Keyless backend or deactivate the device from the Keyless backend:

Lockout management

The getRateLimitInfo API checks whether the user is currently rate-limited and, if so, for how many seconds. This API is typically used to provide feedback to users after multiple failed authentication attempts.

Mobile SDK Reference

Error handling

Common errors, what they mean and recommended next steps.

The Keyless SDK uses three classes of errors, each error has an error code and an error message. Errors follow 3 main categories:

User errors: triggered by unintended or suspicious user behavior.
- 30_000 and above.
: triggered by a KeylessSDK integration misconfiguration.
- These span from 20_000 to 30_000.
: triggered by Keyless internals.
- All errors below 20_000

If you're implementing the Keyless SDK, you should handle errors coming from the SDK since the error message is not intended for end users.

User errors

User errors have code that are 30_000 and above.

Note that many of these errors are predictions only, when writing messages for your users it's often best to assume positive intent. For example, suggest that they make sure that nothing is obstructing the camera instead of suggesting that they are attempting to spoof.

Error

Code

Description

Integration errors

Integration errors have codes that span from 20_000 to 30_000.

Integration errors can be solved by making sure you are not misusing the API surface of the SDK. You can solve it by reading the error message and addressing the issue. If errors persist, please keep the error code, error message and stacktrace and contact us.

Error

Code

Description

Internal errors

All errors below 20_000 are classed as internal errors in that they relate to the response from our Core platform. Typically internal errors require investigation from Keyless support, however we've highlighted some of the more common ones here where action may be taken by the integrator.

Error

Code

Description

Notes / Recommendation

If errors in this range persist and are unclear, please keep the error code, error message and stacktrace and contact us. If possible we'd also recommend enabling at TRACE level and sending these logs to us to further speed up the Keyless investigation.

Anti-Inject errors

The errors in the following table apply to Keyless Anti-Inject variant only.

Error

Code

Description

Examples

Lockout Policy

This pages explains how the Lockout Policy works, what the implications are for users and how it is set.

From version 5.0.0 of the SDK onwards the lockout policy is configured on the server side and errors will be tracked and count towards the policy regardless of whether they occur on the client or server side. Please contact the Keyless team if you have questions or you would like to request changes to your policy.

Keyless has both client side (applicable to a specific device) and server side (applicable to all users and devices) lockout policies to help prevent brute force attacks.

Client side lockout is configurable in the SDK, and determines how many failed login attempts (lockoutAttemptsThreshold) are allowed over a set time period (lockoutAttemptsResetAfter) before the user is locked out for the set duration (lockoutDuration

Logging

This page explains how customers can leverage the option to log additional data from the mobile SDK for the purpose of performance monitoring, issue investigation and analytics

Logging is disabled by default.

Please note logs do not include any Personally Identifiable Information (PII).

How it works

Firstly, there are two options available related to logging data:

If you want to enable logging to the Keyless infrastructure use keylessLogsConfiguration . This options ensures Keyless has access to richer SDK logs to support investigations on our side, and also enriches the .
Alternatively, if you wish to collect logging for you own analytics without sending them to the Keyless infrastructure use customLogsConfiguration

Collect logs after setting up custom logging with customLogsConfiguration option:

Start collecting the Keyless.customLogs flow (This must happen before a Keyless.configure() to get all Logs Events):

Configure the SDK with the following SetupConfig:

Logging Levels

You may set different logging levels to provide more or less information in logs.

The available levels are the following:

INFO (default)
DEBUG
TRACE

The TRACE level provides the following additional data:

userId
devicePublicSigningKey
coreLogHistory (used for detailed debugging)

JWT signing

Keyelss mobile SDK can generate a signed a JWT containing a custom payload. You can use the signed JWT to implement .

Generate signed JWT

Pass JwtSigningInfo to the authentication to generate a signed JWT:

JWT Verification best practise

To use a jwks.json endpoint for JWT verification and seamless key rotation, follow this technical workflow.

We advise following best practise when leveraging JWT Verification. In doing so, this also allows us to rotate the KMS keys which in-turn helps us to increase the resilience of our SaaS platform (Active/active implementations etc.).

Where to download the Keyless `jwks.json` endpoint

The Keyless endpoint for downloading the jwks.json is available at

Note in this example we have used api.keyless.io as the Operation Service URL and "keyless" as the customer name. Replace this customer name with the tenant name you were provided nad the correct Operation Service URL for your region as listed .

The Verification Process

Extract the Header: Parse the JWT header (unverified) to retrieve the kid (Key ID) and alg (Algorithm) parameters.
Lookup the Key: * Search the cached jwks.json for a key where the kid matches the JWT header. Confirm the use property is sig

Handling Key rotation

To prevent authentication failures when keys are rotated, implement the following logic in your validation logic:

Caching with Refresh: Maintain an in-memory cache of the JWKS. Set a standard TTL (e.g., 24 hours).
Lazy Refresh on kid Mismatch: If a JWT arrives with a kid not present in your current cache, perform an immediate, one-time fetch of the jwks.json to see if a new key has been published.

Introduce Keyless to Users

In order to introduce Keyless to users before the very first enrollment, it may be helpful to show an explanatory screen on what is the flow about to start.

This screen is showable via the public API Keyless.showIntroductionScreen. This function can be called at any moment (even before setup). It expects a completion for when the user taps on the main CTA. The message can be customized as explained in UI-Customization

Examples

Keyless.showIntroductionScreen { 
    // Perform actions after user taps CTA
}

Mobile SDK Use Cases

Account recovery

This page explains what we mean by account recovery and the context you may need to integrate it.

What is Account Recovery?

Account Recovery is the term we use to describe the use case where a user is known to our customer (i.e. is registered in Keyless), but needs to be authenticated on a new device. Typically this is either where:

They had previously been enrolled on a device but the user no longer has access to it.
They are adding a back-up device.
They are known to our customer, perhaps having submitted a selfie during onboarding, but have yet to authenticate on a device via our Mobile SDK within our customer's app (which would have to leverage ).

Client State

Keyless is able to recover an account from the Keyless .

The client state is obtained either:

From your backend through Keyless IDV Bridge.
- To understand how to generate this state see our or
- Then head to to understand how to leverage this state to bind a userID to a new device.

Mobile SDK Changelog

Server API

Telemetry

This API calls allows you to retrieve meta data related to a user or specific transaction.

Introduction

Keyless is inevitably used as part of a wider authentication flow, whether it's an account recovery, login or step-up authentication. Integrators use this feature to collect additional insights around user transactions such as the result, errors and type of authentication and then leverage this data in their own systems for analytics, orchestration or fraud decisioning.

Telemetry data can be retrieved for specific transactions using the operationID. This ID is generated via:

The Mobile SDK by passing an operationInfo object to the EnrollConfig or AuthConfig following a specific transaction.
The WebSDK by adding the .

2️⃣ Enrollment

Enrollment is the process of registering a new user by connecting their facial biometrics to a Keyless account. During this process, a full and unobstructed view of the user's face is required.

val configuration = BiomEnrollConfig()

Keyless.enroll(

let configuration = BiomEnrollConfig()

Keyless.enroll(

val configuration = EnrollmentConfiguration.builder.build()

Keyless.enroll(
  enrollmentConfiguration = configuration,
  onCompletion = { result ->
    when (result) {
      is Keyless.KeylessResult.Success -> Log.d("KeylessSDK ", "Enroll success - userId ${result.value.keylessId}")
      is Keyless.KeylessResult.Failure -> Log.d("KeylessSDK ", "Enroll failure - error code ${result.error.code}")
    }
  }
)

let configuration = Keyless.EnrollmentConfiguration.builder.build()

Keyless.enroll(
  enrollmentConfiguration: configuration,
  onCompletion: { result in
    switch result {
    case .success(let enrollmentSuccess):
        print("Enrollment finished successfully. UserID: \(enrollmentSuccess.keylessId)")
    case .failure(let error):
        print("Enrollment finished with error: \(error.message)
    }
  })

import 'package:keyless_flutter_sdk/keyless.dart';
import 'package:keyless_flutter_sdk/models/configurations/enrollment_configuration.dart';

final configuration = BiomEnrollConfig();

try {
  final result = await Keyless.instance.enroll(configuration);
  print("Enrollment finished successfully. UserID: ${result.keylessId}");
} catch (error) {
  print("Enrollment finished with error: $error");
}


import Keyless, { BiomEnrollConfig } from '@react-native-keyless/sdk';

const enrollUser = async () => {
  const enroll = new BiomEnrollConfig();

  const result = await Keyless.enroll(enroll);

  result.fold({
    onSuccess: (data) => {
      console.log(`Enrollment finished successfully. UserID: ${data.keylessId}`);
    },
    onFailure: (error) => {
      console.error('Enrollment finished with error:', error);
    },
  });
};

enrollUser();

Enrollment configuration

You can configure the enrollment process with optional parameters in your BiomEnrollConfig() instance or using the builder pattern methods from the EnrollmentConfiguration builder.

Enrollment success result

Depending on the configuration you created for the Enrollment, Keyless will populate the corresponding fields in the EnrollmentSuccess result reported below.

Delaying the Keyless evaluation/decision

Secret management

JWT Signing info

You can specify a payload to be added to a JWT signed by Keyless with the jwtSigningInfo parameter, more in .

Liveness Settings

Using livenessConfiguration you can configure the liveness security level during enrollment. The possible liveness configuration are under LivenessSettings.LivenessConfiguration :

You can also specify a livenessEnvironmentAware that is by default se to true to enhance liveness detection. This parameters helps to ensure the user is in a suitable setting for verification.

More details on liveness in the dedicated section.

Operation info

Details on how to query our backend for stored operations are available on .

Client State

Use the clientState parameter to register users from a client state obtained through IDV-Bridge.

You can also use a client state to recover an account of an existing user who lost access to the account. Follow the guide on .

Enrollment Frame

Enrollment circuits

Presentation Style

Use the presentationStyle parameter in BiomEnrollConfig to control how the enrollment UX/UI is presented during the enrollment flow.

Full Screen (default): Shows the standard full-screen enrollment experience.
Overlay: Shows a streamlined and faster UX/UI, consistent with the authentication experience.

Go to view the UI customization for this flow.

Changelog

For a seamless SDK integration make sure to follow the section getting started.

You can check all the prerequisites that your app must meet for a successsful SDK integration under the prerequisites section.

Please note releases marked as release candidate - rc are available to selected customers in advance of the official release via partners-rc cloudsmith repo. Please note regression tests and QA activity is incomplete and we strongly advise against shipping these versions into production environments.

5.8.0 Android

Added Kotlin 2 and Ktor 3 support
- Potential breaking changes - The adoption of Ktor 3 might result in a breaking change for SDK consumers, with some changes required in specific setups. The last known Ktor 2 version is , dated November 2024. Please follow the .

5.7.3

Highlights

Live feedback for Authentication UI
- Instructions to guide the user to a successful authentication so that the user can address the liveness requirements in real time have now been added, as per the Enrollment UI.
Lighter touch Enrollment or Recovery flows

5.5.0

Anti-Inject variant

Only for customers using the Keyless Anti-Inject SDK variant

Biometric assets are now encrypted leveraging the Anti-Inject SDK signing functionalities.

Fixes

Removed an issue where the SDK occasionally triggered a crash if the user tapped the "X" button at a specific point after the enrollment selfie had been captured.

5.4.1

Deprecations

We updated our liveness levels naming as follow
Before
After

Fixes

iOS: return pin error instead of generic error if the pin inserted by the user is the wrong pin.

5.4.0

Breaking Change

We updated the cloudsmith artifacts' naming convention, with a summary of the changes as follows:
Please follow the to fetch the latest version.

5.3.3

Highlights

We have now switched the liveness environment aware configuration default to livenessEnvironmentAware = false. For more details in go to section.

5.3.2

Anti-Inject variant

Only for customers using the Keyless Anti-Inject SDK variant

Fine-tune error error code: 40002, error message: device might not be genuine based on updated security level.

5.3.1 iOS

Fixes

Avoid stripping debug symbols in order to run on iOS simulators.

5.3.0

Highlights

The existing lockout policy is now applied for enrollment using the client state. See the page for all details.

Fixes

Improved Error Handling for Spoofing errors: the SDK will return a Rejected taking into consideration internal filters. The Rejected error will take precedence over the incorrect Spoofing error.

Anti-Inject variant

Only for customers using the Keyless Anti-Inject SDK variant

Upon calling Keyless.configure you will now get an error if we detect that device is not genuine. The error is error code: 40002, error message: device might not be genuine. You shall redirect your users through a different flow since Keyless configuration will fail and it won't not possible to enroll or authenticate.

5.2.1

Highlights

Introduced a Client State type for clearer Client State handling.
- This change means that on the , customers using this SDK version and above will be able to see the type of "Keyless Client Devices" on the individual user pages.
- This clears up the confusion where "Devices" of the users were displayed but there was no way to distinguish bound client devices (now labelled 'Device Type: SDK) or client states stored or used by integrator to authenticate users in future using temporary or backup client states (Device Type: Temporary or Backup).

Deprecations

Temporary State terminology is now deprecated in favor of Client State.
- Flows such as Enroll from Temporary State, for example, will be deprecated having made Enroll from Client State available as a direct replacement.
- This is to clean-up a legacy issue where the terms Temporary State and Client State were used interchangeably.

5.2.0

Highlights

UI: optionally display a chip to show a loader before an authentication. This has been added as in some instances integrators have found there is a slight delay for the camera preview to open.
- Check the Authentication loading in the section for more details.

Fixes

Fix: For the error xMinPercentage is not in valid range [0.0..1.0] - Region of interest will be full screen in case we get inconsistent values.
- Note we believe this error was particularly prevalent on foldable devices or tablets but should be largely resolved from this release onwards.
Fix: update tensorflow to resolve a that was causing a crash in a very low % of cases on android devices.

Breaking changes

Removed the deprecated configuration builders. We believe that all of our customers have npw already moved to the remaining configuration: SeutpConfig, EnrollConfig, AuthConfig, and DeEnrollConfig and therefore no action is required.
Removed deprecated UserInfo APIs.

5.1.4

Only for customers using the Networking module feature

Fixes

Fix (Android): camera deprecation issues on Samsung Galaxy A23.
Fix (iOS): off-load networking module lockout request from the main thread.

5.1.3

Only for customers using the Networking module feature

Fixes

Fix: additional call on protocol level for information on rate limited requests.

5.1.2 Android

Highlights

16 KB page size support - .

5.1.1

Highlights

Only for customers using the Keyless Anti-Inject variant for enhanced frames injection prevention

Build variant is available for selected customers through partners-rasp.
Improved initialization performance for frames injection prevention to enhance the overall experience by reducing load times.

Fixes

Fix (Android): camera resolution issues on Samsung Galaxy A23.

5.1.0

Highlights

Enrollment Frame: Integrators can specify whether or not to retrieve an enrollment frame, acquired during the user’s selfie capture during the enrollment or account recovery flow. See details in section.
Enhanced Anti-Inject: this release introduces a new option for enhanced injection attack prevention.

5.0.5 iOS - 5.0.6 Android

Highlights

Environment-Aware Liveness Detection: a new, optional check has been introduced to enhance liveness detection helping to ensure the user is in a suitable setting for verification. This feature is enabled by default. To disable it, set livenessEnvironmentAware = false in the configuration for enrollment, authentication, or de-enrollment. See details in section.
Face Occlusion Detection for Enrollment: during the enrollment process, the SDK now provides immediate feedback to the user if their face is partially covered. A message, "Make sure your face is clearly visible," will be displayed to guide them..

Fixes

Improved Error Handling for Temporary States: the SDK now returns a more specific internal error (error code: 539) if the maximum number of temporary states is reached during an operation.
Added a Cancellation Button to the Camera View: an "x" button has been added to the top-left corner of the camera screen during enrollment, allowing users to safely cancel the face scan process.

5.0.3

Highlights

Enroll from photo preview: This feature introduces the ability to enroll users using a photo provided from a trusted source.
- Developer Responsibility: You are responsible for ensuring that the photo originates from a verified and trusted source (e.g., an official identity document).
- Security Note: Exposing this functionality to your end-users without rigorous verification of the photo's origin may introduce vulnerabilities, such as a user enrolling with another individual's facial image. Please implement appropriate safeguards.

Enhancement: biometric processing

Improved biometric performance through optimizations in frame timestamp processing.

5.0.1

Highlights

New Enrollment UX: a freshened up, new User Interface has been implemented and made available.
- It now displays real-time feedback about the quality of the processed image, allowing users to address the issues based on the messages shown during face capture.
  - Note these messages are not customizable since they are tied to Keyless image processing.

Improved error handling and information

Integrators familiar with our will notice that we have:

Added more detailed insight and guidance for the different types of errors and the relevant error code ranges for integrators to be aware of.
More clearly laid out the different types of User Errors with their codes & descriptions.
"Rejected" error - we have split out instances where Liveness could not be established into a new "Rejected" error. Previously these were all labelled as "Spoofing" errors, however we recognized that in some instances these incorrectly added a framed the authentication attempt as more malicious than was fair. Please note, the guidance remains that all modelling is in some way predictive and thefore we would still advise that "Spoofing" does not guarantee that there was malicious intent and for various reasons it's still better to assume positive intent in how you handle these with users.

SDK Size Reduction

Following customer feedback, we have reduced the size of the biometric libraries which has reduced both the iOS and Android SDK integration and download size. Please note that integration size can vary significantly between customers so please contact us if you have questions in this area.

Support for iOS emulator

The Keyless iOS SDK can now be run on an iOS emulator on both Windows PC or Mac, allowing integrators to achieve faster develop and test cycles as they make changes.

Deprecations

Liveness timeout no longer has effect and will be removed in future releases.
- This change was made given a set of comprehensive improvements to the Liveness biometrics models. We plan to support configuration options to support both faster and slower authentication and enrollment experiences in upcoming releases.
The mobile SDK Lockout policy, which had some reported inconsistencies, is now managed on the backend so no longer has an effect and will be removed in future releases.

Breaking changes

With the new UI texts that are shown to the user have changed. If you are using text customization, please make sure to update to the identifiers from the tab SDK v5 .
The API showScreenSuccessFaceCapture is no longer available since enrollment no longer considers the successful face capture step.
The successAnimationEnabled

4.8.2 iOS - 4.8.3 Android

Highlights

Improved biometric performance.
Improved error handling and information - .
SDK Size Reduction.
Support for iOS emulator.

Improved error handling and information

Introduced a new "Rejected" error - we have split out instances where Liveness could not be established into a new "Rejected" error. Previously these were all labelled as "Spoofing" errors, however we recognized that in some instances these incorrectly added a framed the authentication attempt as more malicious than was fair. Please note, the guidance remains that all modelling is in some way predictive and thefore we would still advise that "Spoofing" does not guarantee that there was malicious intent and for various reasons it's still better to assume positive intent in how you handle these with users.

SDK Size Reduction

Support for iOS emulator

The Keyless iOS SDK can now be run on an iOS emulator on both Windows PC or Mac, allowing integrators to achieve faster develop and test cycles as they make changes.

4.7.5 iOS - 4.7.6 Android

Highlights

Fix: fix client state retro compatibility with version >2.0.0 of the Keyless Agent

4.7.4

Highlights

UX: optional screens - it is now possible to opt-out the optional screens you don’t wish to show -
Enhancement: query remaining lockout time - \

UX: optional screens

We understand that the experience our customers create for their end users is of the utmost importance. To provide greater flexibility, we’ve made certain screens and steps in the Authentication and Enrollment flows optional. These screens will remain visible by default, but you now have the ability to opt out of displaying those that are not relevant to your workflow. For more details, please refer to the .

Please note that the camera view and Step 2 (“Enrollment Progress”) will remain mandatory for now, as they are critical to ensuring liveness detection and security during the capture process. However, Step 2 is highly customizable in terms of text and color scheme to align with your branding.

In upcoming releases, we will also be adding sample code and “User Flow” guides to further empower integrators and designers in tailoring their user experience.

Enhancement: query remaining lockout time

Customers can configure the maximum number of errors a user can make before being locked out for a 10-minute period.

Based on customer feedback, we’ve enhanced this feature to allow querying the remaining lockout time (in seconds) after a user has been locked out. For implementation details, please refer to the .

This enhancement enables customers to display the remaining lockout time to users at any given moment, improving transparency and user experience.

Bugs and Fixes

Fix (Android): Resolved a compatibility issue between the Compose Material library and Flutter.

4.7.3

UX: SDK Theme is customizable by customer -
Feature: possibility to specify a path to Keyless artifacts. Artifacts are provided by Keyless by default. Artifacts path can be overridden by the customer.

4.7.2

Feature: improved PSD2 compliance -
Feature: account recovery -
Fix: remove lottie dependency
UX: remove success animation in favor of static image

4.7.0

API Surface: deprecate builder pattern in favor of optional config constructor parameters (builders are deprecated)
Feature: expose SDK logs to customer app -
Feature: expose JWT signature compatible with core backend key pairs -

4.6.7

Bugfix: internal data cleanup
Performance improvements: avoid unnecessary assets extraction

4.6.6

Feature: Shared Circuits: integrators can now set the desired number of shared circuits when calling an sdk configure Fix: Liveness: update liveness setting for higher security

4.6.5

Feature: enroll with Keyless from an Auth0 user’s IdToken

4.6.3

Dynamic linking feature: new API exposing interface to choose one authentication method (BiomAuthConfig | PinAuthConfig)
UI customization: it is now possible to customize the font for Keyless SDK screens
UI customization: it is now possible to customize the brand color (primary accent color) for Keyless SDK screens

UI Customization

The Keyless SDK can be customised in order to provide a more familiar UX when integrated in any custom app.

Theme

The SDK theme can be customized to be dark, light or system.

Keyless will use the system defined theme by default.

Keyless.UI.Color.sdkTheme = SdkTheme.SYSTEM

// default theme is SYSTEM
public enum

Keyless.UI.Color.sdkTheme = .system

import Keyless, { SdkTheme } from '

Colors

It is possible to customize the following colors:

primary color This color is the one that appears most frequently across the screens and components.
onPrimary color The color used for elements that appear on top of the PrimaryColor, ensuring clear contrast and visibility.
accent color Color used in some small details of the UI (e.g. Camera Frame borders)

Example

Text

It is possible to customize the following text across the Introduction, Error, Enrollment and Success screens. Live Filters cannot be customized individually but translation files are available and can be provided.\

Introduction

title Should be no longer than two lines
description Should be no longer than four lines
cta Should be no more than two words

Enrollment

We suggest to use no more than three lines of text.

Instruction
- title
- subtitle

Error
- title
- subtitle

Process
- title
- subtitle

Success
- title Showed when the enrollment has been successfully completed.
- subtitle Showed when the enrollment has been successfully completed

Authentication

We recommend using no more than two lines of text on each.

loading Shown before the camera opens.
centerFace Shown before the user positions the face.
scan Shown while scanning the user's face.

Authentication whitout Camera Preview (BETA Available from 5.4.1)

We recommend using no more than two lines of text on each.

lookHere Shown before the user positions the face.
authenticate Shown while authenticating the user.
success Shown when the user has been authenticated successfully.

Live Filters

These appear dynamically on the camera preview screen during enrollment and guide the user to capture a high quality selfie are core to the product and subject to iterative change over time as we improve the product. Therefore these are not configurable individually however we do support localization – currently English and Italian are available but new ones can be created upon request.

The example below shows a live filter appearing to help the user. The corners/frame turns to the accent color (yellow in this example) once the biometric library is satisfied that a suitable image has been captured.

The following filters are returned though note the first two ("It's a bit dark, move closer to the light" and "The image is too bright, adjust lightning") are due to be added in Q4 2025.

Dynamic Linking

We recommend using no more than two lines of text on each.

Authentication.PayloadConfirmation
- title
- subtitle

Example

Optional Screens

It is possible to show or hide some of the Enrollment and Authentication steps above by setting to false the following fields.

The default value for all of them is true which means that the step is shown.

Enrollment

To toggle certain screens in Enrollment flow, use the following fields of a BiomEnrollConfig:

showInstructionsScreen: affects the Instruction screen (by default true)
showSuccessFeedback: affects the Success screen (by default true)

Example

Authentication

Use the following fields of a BiomAuthConfig:

showSuccessFeedback: affects the Step3

Example

Fonts

It is possible to customize the font.

Android: requires an android.graphics.Typeface object.
iOS: requires a String, the name of the font.

The custom font must be set as soon as available, a good moment to do so is before calling Keyless.configure

Example

Haptic feedback

Haptic feedback provides subtle vibration responses to user interactions.

It is possible to disable/enable haptic feedback. By default, haptic feedback is enabled (true).

Example

Theme

The SDK theme can be customized to be dark, light or system.

Keyless will use the system defined theme by default.

Colors

It is possible to customize the following colors:

Mobile SDK

Keyless SDK Documentation

Introduction

Components

hashtagEnrollment

hashtagAuthentication

hashtagAccount Deletion

Sample Apps

Mobile SDK Guide

1️⃣ Getting started

hashtagPrerequisites

hashtagInstallation

hashtagEssential configuration

hashtagAdditional configuration

hashtagShared circuits

hashtagNetworking module

2️⃣ Enrollment

hashtagEnrollment configuration

hashtagEnrollment success result

hashtagDelaying the Keyless evaluation/decision

hashtagSecret management

hashtagJWT Signing info

hashtagLiveness Settings

hashtagOperation info

hashtagClient State

hashtagEnrollment Frame

hashtagEnrollment circuits

hashtagPresentation Style

5️⃣ User and device management

hashtagUser identifier

hashtagDevice identifier

hashtagKeyless SDK reset

hashtagLockout management

Mobile SDK Reference

Error handling

hashtagUser errors

hashtagIntegration errors

hashtagInternal errors

hashtagAnti-Inject errors

hashtagExamples

Lockout Policy

Logging

hashtagHow it works

hashtagLogging Levels

JWT signing

hashtagGenerate signed JWT

JWT Verification best practise

hashtagWhere to download the Keyless jwks.json endpoint

hashtagThe Verification Process

hashtagHandling Key rotation

Introduce Keyless to Users

hashtagExamples

Mobile SDK Use Cases

Account recovery

hashtagWhat is Account Recovery?

hashtagClient State

Mobile SDK Changelog

Server API

Telemetry

hashtagIntroduction

Keyless SDK Documentation

Components

hashtagEnrollment

hashtagAuthentication

hashtagAccount Deletion

Sample Apps

JWT Verification best practise

hashtagWhere to download the Keyless jwks.json endpoint

hashtagThe Verification Process

hashtagHandling Key rotation

Introduce Keyless to Users

hashtagExamples

Account recovery

hashtagWhat is Account Recovery?

hashtagClient State

Telemetry

hashtagIntroduction

Lockout Policy

JWT signing

hashtagGenerate signed JWT

Enrollment

Authentication

Account Deletion

Prerequisites

Installation

Essential configuration

Additional configuration

Shared circuits

Networking module

Enrollment configuration

Enrollment success result

Delaying the Keyless evaluation/decision

Secret management

JWT Signing info

Liveness Settings

Operation info

Client State

Enrollment Frame

Enrollment circuits

Presentation Style

User identifier

Device identifier

Keyless SDK reset

Lockout management

User errors

Integration errors

Internal errors

Anti-Inject errors

Examples

How it works

Logging Levels

Generate signed JWT

Where to download the Keyless `jwks.json` endpoint

The Verification Process

Handling Key rotation

Examples

What is Account Recovery?

Client State

Introduction

Enrollment

Authentication

Account Deletion

Where to download the Keyless `jwks.json` endpoint

The Verification Process

Handling Key rotation

Examples

What is Account Recovery?

Client State

Introduction

Generate signed JWT

User signing public key

Lockout options and defaults

How it works

When is the lockout policy applied

If a user is locked-out

Prerequisites

Installation

Essential configuration

Additional configuration

Shared circuits

Networking module

Enrollment configuration

Enrollment success result

Delaying the Keyless evaluation/decision

Secret management

JWT Signing info

Liveness Settings

Operation info

Client State

Enrollment Frame

Enrollment circuits

Presentation Style

User identifier

Device identifier

Keyless SDK reset

Lockout management

User errors

Integration errors

Internal errors

Anti-Inject errors