Offline Signatures
Offline signatures are used in case when the mobile device is not connected to the internet. An intermediate web application with connection to the PowerAuth server can generate a QR code which is scanned by the mobile device and an offline signature is generated based on scanned QR code data. The offline signature consists of digits which can be rewritten into the web application which performs online code verification against PowerAuth server.
The following endpoints are available for offline signatures:
- Generating personalized offline signature payload
- Generating non-personalized offline signature payload
- Verifying offline signatures
Generating personalized offline signature payload
Personalized offline signatures are used when activation ID is known (e.g. an activated mobile token). A typical use case is offline verification of signature for payments.
REST method: createPersonalizedOfflineSignaturePayload
For Web Flow the format of request data
is documented in the Offline Signatures QR Code documentation chapter.
The offlineData
in response already contains all data required to display a QR code. The validity of the QR code should be verified by computing the ECDSA signature of offlineData
content before the computed signature and comparing it with the ECDSA_SIGNATURE
in offlineData
. The nonce
in response will be required during offline signature verification step.
Generating non-personalized offline signature payload
Non-personalized offline signatures are used when activation ID is not known. A typical use case is offline verification for login operation.
REST method: createNonPersonalizedOfflineSignaturePayload
For Web Flow the format of request data
is documented in the Offline Signatures QR Code documentation chapter.
The offlineData
in response already contains all data required to display a QR code. The validity of the QR code should be verified by computing the ECDSA signature of offlineData
content before the computed signature and comparing it with the ECDSA_SIGNATURE
in offlineData
. The nonce
in response will be required during offline signature verification step.
Verifying offline signatures
Once the mobile device successfully scans the QR code and verifies the QR code data signature, the signature of the data related to the operation can be computed as described in Computing and Validating Signatures. The generated signature can be verified against PowerAuth server.
REST method: verifyOfflineSignature
The normalized data
for verifyOfflineSignature requests should be constructed as described in Normalized data for HTTP requests. The nonce
generated in the generate offline signature payload step should be used.
The validity of the offline signature can be checked by verifying the signatureValid
value in VerifyOfflineSignatureResponse.