Sessions.Create — the bridge to mobile

This is the single most-called method in the Go SDK. Your backend calls it to mint a short-lived dv_tok_* token (a JWT carrying a dv_tok_live_ or dv_tok_test_ prefix), which you then ship to a mobile client. The mobile client presents that token for one verification session; it is not a long-lived credential.

session, err := client.Sessions.Create(ctx, ekyc.CreateSessionRequest{
    CustomerRef: "user_42",                 // your own user id, opaque to the platform
    Scopes:      []string{"liveness:check"}, // optional; nil means the default scope
    TTL:         30 * time.Minute,           // optional; the gateway enforces its own upper bound
})
if err != nil {
    // handle the error before using session
}

CreateSessionRequest fields

Field        Type           Notes
CustomerRef  string         Your user id; opaque to the platform. Carried into the JWT and the audit log.
Scopes       []string       Optional scoping; nil means the default scope.
TTL          time.Duration  Optional; default 30 minutes. The gateway clamps it to its own upper bound, so the returned ExpiresAt may be earlier than you asked for.

Session response

type Session struct {
    Token     string    // dv_tok_live_<jwt> or dv_tok_test_<jwt>
    JTI       string    // JWT id; use it for revocation
    ExpiresAt time.Time // parsed from the gateway's RFC 3339 timestamp
    Scopes    []string  // the scopes actually granted
    Mode      string    // "live" or "test"
}

Ship session.Token to your mobile client over HTTPS only. Don't log it, and don't cache it past session.ExpiresAt; treat the value the gateway returns as authoritative, since it may be shorter than the TTL you requested.

Typical pattern: an HTTP endpoint your mobile app hits

http.HandleFunc("/auth/session", func(w http.ResponseWriter, r *http.Request) {
    userID := authenticatedUserID(r) // your own auth; must run before any token is minted
    if userID == "" {
        http.Error(w, "unauthorized", http.StatusUnauthorized)
        return
    }

    ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
    defer cancel()

    session, err := client.Sessions.Create(ctx, ekyc.CreateSessionRequest{
        CustomerRef: userID, // bind the token to the user you just authenticated
        TTL:         30 * time.Minute,
    })
    if err != nil {
        log.Printf("sessions.create: %v", err) // log the error, never the token
        http.Error(w, "internal error", http.StatusInternalServerError)
        return
    }

    // The response carries a bearer token: mark it as not cacheable by proxies or the client.
    w.Header().Set("Content-Type", "application/json")
    w.Header().Set("Cache-Control", "no-store")
    if err := json.NewEncoder(w).Encode(map[string]any{
        "token":      session.Token,
        "expires_at": session.ExpiresAt,
    }); err != nil {
        log.Printf("sessions.create: write response: %v", err)
    }
})

The mobile app's tokenProvider calls this endpoint when it needs a fresh token, and should hold on to the result until expires_at rather than calling it before every request.

Don'ts

  • Don't issue tokens to unauthenticated users. Authenticate the caller first, then mint a session for that specific user.
  • Don't issue tokens with arbitrary customer_ref values. The gateway trusts whatever you pass; it's your job to ensure customer_ref matches the user you authenticated.
  • Don't re-issue tokens for the same customer_ref on every request. Tokens are reusable across requests for their full TTL. Issue once per session.
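The cache below is an added example, not code from the SDK or this page, showing one way to follow the "issue once per session" rule and the TTL caveat above: it hands out the same session for a customer_ref until the token is close to its gateway-clamped expiry, re-mints only then, and rejects a response whose dv_tok_ prefix or Mode does not match the mode the deployment expects. The Minter interface, SessionCache, CheckSession and fakeMinter are assumptions for this example; in production you would wrap client.Sessions.Create in a small adapter that satisfies Minter. The 15-minute clamp in the fake gateway is a constructed figure, not a documented limit.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// Session mirrors the SDK's response struct shown on this page.
type Session struct {
	Token     string
	JTI       string
	ExpiresAt time.Time
	Scopes    []string
	Mode      string // "live" or "test"
}

// Minter is the one call the cache needs from client.Sessions (an assumption
// of this example; wrap client.Sessions.Create in an adapter to satisfy it).
type Minter interface {
	Create(ctx context.Context, customerRef string, ttl time.Duration) (*Session, error)
}

// SessionCache keeps one session per customer_ref and re-mints only when the
// cached token is within refreshMargin of expiry, so a mobile client that
// polls /auth/session does not trigger a Sessions.Create call per request.
type SessionCache struct {
	minter        Minter
	ttl           time.Duration
	refreshMargin time.Duration
	wantMode      string           // mode this deployment expects: "live" or "test"
	now           func() time.Time // injectable clock
	mu            sync.Mutex
	byRef         map[string]*Session
}

func NewSessionCache(m Minter, ttl, refreshMargin time.Duration, wantMode string) *SessionCache {
	return &SessionCache{minter: m, ttl: ttl, refreshMargin: refreshMargin,
		wantMode: wantMode, now: time.Now, byRef: map[string]*Session{}}
}

// Get returns the cached session for customerRef while it is still usable,
// otherwise mints a new one. An empty customer_ref is refused outright.
func (c *SessionCache) Get(ctx context.Context, customerRef string) (*Session, error) {
	if customerRef == "" {
		return nil, errors.New("refusing to mint a session for an empty customer_ref")
	}
	c.mu.Lock()
	defer c.mu.Unlock()
	if s, ok := c.byRef[customerRef]; ok && c.now().Add(c.refreshMargin).Before(s.ExpiresAt) {
		return s, nil
	}
	s, err := c.minter.Create(ctx, customerRef, c.ttl)
	if err != nil {
		return nil, err
	}
	if err := CheckSession(s, c.wantMode, c.now()); err != nil {
		return nil, err
	}
	c.byRef[customerRef] = s
	return s, nil
}

// CheckSession rejects a session whose token prefix or Mode field does not
// match the deployment's mode, or that the gateway already reports as expired.
func CheckSession(s *Session, wantMode string, now time.Time) error {
	if !strings.HasPrefix(s.Token, "dv_tok_"+wantMode+"_") {
		return fmt.Errorf("token prefix does not match expected mode %q", wantMode)
	}
	if s.Mode != wantMode {
		return fmt.Errorf("session mode %q, expected %q", s.Mode, wantMode)
	}
	if !s.ExpiresAt.After(now) {
		return errors.New("gateway returned an already-expired session")
	}
	return nil
}

// fakeMinter stands in for the gateway so the example runs offline. It clamps
// the requested TTL to 15 minutes to mimic the gateway's upper bound.
type fakeMinter struct {
	now   func() time.Time
	calls int
}

func (f *fakeMinter) Create(_ context.Context, ref string, ttl time.Duration) (*Session, error) {
	f.calls++
	if ttl > 15*time.Minute {
		ttl = 15 * time.Minute
	}
	return &Session{
		Token:     fmt.Sprintf("dv_tok_test_%s.%d", ref, f.calls), // constructed, not a real JWT
		JTI:       fmt.Sprintf("jti-%d", f.calls),
		ExpiresAt: f.now().Add(ttl),
		Mode:      "test",
	}, nil
}

func main() {
	clock := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	now := func() time.Time { return clock }
	fm := &fakeMinter{now: now}
	cache := NewSessionCache(fm, 30*time.Minute, 2*time.Minute, "test")
	cache.now = now
	ctx := context.Background()
	first, _ := cache.Get(ctx, "user_42")
	again, _ := cache.Get(ctx, "user_42")
	fmt.Println("reused:", first.JTI == again.JTI, "mints:", fm.calls)
	clock = clock.Add(14 * time.Minute) // inside the 2m margin of the clamped 15m expiry
	third, _ := cache.Get(ctx, "user_42")
	fmt.Println("re-minted:", third.JTI != first.JTI, "mints:", fm.calls)
}
```

The refresh margin exists because the mobile client needs the token for the whole verification flow, not just the first call; handing it a token with seconds left forces a retry mid-flow. Keying the cache by the authenticated user's id, and refusing an empty key, keeps the customer_ref binding from the Don'ts above intact.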