Send Session Feedback

BindID allows you to enrich the user and trust profile based on information you report. For example, if you confirm new users using your own authentication, this will be reflected in the user metadata after subsequent logins to the Client Application. See the Session Feedback API reference.

Confirm New Users

The first time a user logs into your Client Application, the application should run the following process to confirm the new user:

  1. Validate the user’s identity. Your web application should run its existing authentication process to authenticate the user (e.g., using username and password). Whichever process you choose to run should establish the identity of the user in your web application. We recommend explaining to the user that you only need their username and password this time to enable Biometric Login.

  2. Define the BindID Alias for the user. The Alias is an identifier that BindID will return to your application every time the user completes a successful authentication process. Whether the alias is a new identifier you generate only for BindID purposes, or an existing internal user identifier that the application already uses, it must be unique for the user. You should not use the same Alias for different users of your application.

  3. Record that BindID Alias on the BindID service. To set the BindID Alias for the BindID user, your application server should send the following HTTP POST request:

    POST /session-feedback HTTP/1.1
    Host: api.bindid-sandbox.io
    Content-Type: application/json
    Authorization: BindIdBackend AccessToken [ACCESS_TOKEN]; [FEEDBACK_AUTH_VALUE]
    {
    "subject_session_at": [ACCESS_TOKEN],
    "reports": [{
    "type": "authentication_performed",
    "alias": [BINDID_ALIAS],
    "time": [AUTHENTICATION_TIME]
    }]
    }
    TokenSubstitute with...
    [ACCESS_TOKEN]Access token received in the /token response.
    [BINDID_ALIAS]BindID Alias to assign to the BindID user.
    [AUTHENTICATION_TIME]Time when the user was authenticated, expressed as the number of seconds since 1970-01-01 00:00. You can use the current time at the time of this request.
    [FEEDBACK_AUTH_VALUE]Token validating this request. This should be computed by the application server by computing HMAC-SHA256 over the [ACCESS-TOKEN] value, using the Client Secret obtained in step 1 as the secret. The HMAC-SHA256 computation result is then included encoded with Base64 encoding. See sample below.

    This sample Java code generates the [FEEDBACK_AUTH_VALUE] and constructs the Authorization header value:

    import javax.crypto.Mac;
    import javax.crypto.spec.SecretKeySpec;
    import java.io.UnsupportedEncodingException;
    import java.nio.charset.StandardCharsets;
    import java.security.InvalidKeyException;
    import java.security.NoSuchAlgorithmException;
    import java.util.Base64;
    public static String calculateAuthorizationHeaderValue(String clientSecret, String bindIdAccessToken) throws UnsupportedEncodingException, InvalidKeyException, NoSuchAlgorithmException {
    // Create and initialize the Mac instance
    Mac mac = Mac.getInstance("HmacSHA256");
    byte[] keyBytes = clientSecret.getBytes(StandardCharsets.UTF_8);
    SecretKeySpec keySpec = new SecretKeySpec(keyBytes, "HmacSHA256");
    mac.init(keySpec);
    // Calculate the MAC on the BindID AccessToken
    byte[] signedBytes = mac.doFinal(bindIdAccessToken.getBytes(StandardCharsets.UTF_8));
    // Encode the signed bytes to base64
    String encodedResult = Base64.getEncoder().encodeToString(signedBytes);
    // Create the Authorization Header value
    return "BindIdBackend AccessToken " + bindIdAccessToken + "; " + encodedResult;
    }