Authentication Suite Server SDK offline authentication API

  • Published on Feb 16, 2026
  • 4 minute(s) read
Prev Next

Authentication Suite Server SDK provides several functions that are used for offline authentication.

Only software versions of OneSpan Authentication Suite Server SDK support functionalities related to offline authentication (hash data block and state data block generation, state data block synchronization). The HSM versions of Authentication Suite Server SDK do not support offline authentication.

AAL2GenHashDataBlock (Function)

Function prototype

aat_int32 AAL2GenHashDataBlock (
        TDigipassBlob* DPData,
        TKernelParms* CallParms,
        aat_int32 EventWindow,
        aat_int32 StartTime,
        aat_int32 EndTime,
        aat_byte* Salt,
        aat_int32 SaltLength,
        aat_word32 MaxRadomValue,
        aat_byte* bKey,
        aat_int32 KeyLength,
        aat_byte* bHashDataBlock,
        aat_int32* HashDataBlockLength);

Description

This function generates a hash data block for the event window or time period for the given authenticator application BLOB. The content of HashDataBlock is transparent to the caller and loaded into the client-side hash verification library.

The buffer for HashDataBlock must be allocated by the client prior to the function call. It is returned as a byte string in the following format:

  • Serial number on 22 ASCII characters

  • Data block size on 4 bytes

  • Data block version on 2 bytes

  • Maximum random diversifier on 4 bytes

  • Start window on 4 bytes. It can be an event value or time indicated in seconds.

  • Number of hashes used on 4 bytes.

    • Since Authentication Suite Server SDK 3.17.1, the maximum number of OTP hashes is 12000.

    • Prior Authentication Suite Server SDK 3.17.1, the maximum number of OTP hashes was 3000.

  • Data which contains the hashes list. Size of data is (number of hashes x 20) bytes

  • CRC on 4 bytes

The allocated buffer size for bHashDataBlock must be (44 + (number of hashes x 20)) bytes. The number of hashes depends on the following parameters:

  • For event-based authenticators, the HashDataBlock buffer to allocate is (44 + (EventWindow x 20)) bytes.

    The maximum value for EventWindow is 12000 since Authentication Suite Server SDK 3.17.1 and was 3000 for earlier versions.

  • For time-based authenticators, the HashDataBlock buffer to allocate is (44 + ( ( (EndTime – StartTime) / TimeStep) x 20)) bytes.

    The maximum value for ( (EndTime – StartTime) / TimeStep) is 12000 since Authentication Suite Server SDK 3.17.1 and was 3000 for earlier versions.

Parameters

Table: Parameters (AAL2GenHashDataBlock)
TypeNameUseDescription
TDigipassBlob*DPDataI/OAuthenticator application BLOB. Upon return from the function call, this BLOB must be rewritten to the application database to reflect changes.
TKernelParms*CallParmsIStructure of runtime parameters to use during this function call.
aat_int32EventWindowI

Number of events used to generate an OTP

Possible values: 1–12000 (limited to 3000 prior Authentication Suite Server SDK 3.17.1).

aat_int32StartTimeIThe beginning of the time window in seconds since 1970. If 0 is used, the current server time is used as reference.
aat_int32EndTimeIThe end of the time window.
aat_byte*SaltIThis parameter is used to further randomize the produced hashes. The same salt value is used to generate hashes of all the OTP values in the package.
aat_int32SaltLengthI

Length of the salt string parameter.

Possible values: 1–512

aat_word32MaxRadomValueIThe maximum value of a random element that will be used for the hash calculation. The purpose of this parameter is to increase the processing time on the client side to prevent brute-force attacks. If it is 0, a default diversifier will be used (MaxRadomValue =100). A value smaller than 100 is not recommended.
aat_byte*bKeyI16-byte key that will be released in case of successful OTP validation.
aat_int32KeyLengthILength of the key
aat_byte*bHashDataBlockOHash data block list.
aat_int32*HashDataBlockLengthI/OHash data block list length.

Return codes

Table: Return codes (AAL2GenHashDataBlock)
CodeMeaning
0Success
132Unsupported token type. Only time- or event-based authenticators are supported.
153Invalid event window
154Invalid data block size (hash data block)
155Invalid time window
158Invalid salt pointer
160Invalid hash data block pointer
161Invalid key pointer
162Salt buffer too big The maximum salt length is 512 bytes.
163Key buffer too big The maximum key length is 16 bytes.
510Invalid Digipass data pointer
578Invalid BLOB status
1103Unlock Version 2 not supported

AAL2GetStateDataBlock (Function)

Function prototype

aat_int32 AAL2GetStateDataBlock (
        TDigipassBlob* DPData,
        TKernelParms* CallParms,
        aat_byte* bStateDataBlock,
        aat_int32* StateDataBlockLength);

Description

This function generates a state data block from an authenticator application BLOB.

The buffer for StateDataBlock must be allocated by the client prior to the function call. It is returned as a byte string in the following format:

  • Serial number on 22 ASCII characters

  • Data block size on 4 bytes

  • Data block version on 2 bytes

  • Token status on 1 byte

  • Static PIN length on 1 byte

  • OTP length on 1 byte

  • OTP format on 1 byte

  • Codeword on 4 bytes

  • LastTimeUsed value on 4 bytes

  • LastTimeShift Value on 4 bytes

  • Error counter on 4 bytes

  • Use counter on 4 bytes

  • Static PIN delta on 8 bytes

  • CRC on 4 bytes

The allocated buffer size for bStateDataBlock must be 64 bytes.

Parameters

Table: Parameters (AAL2GetStateDataBlock)
TypeNameUseDescription
TDigipassBlob*DPDataI/OAuthenticator application BLOB. Upon return from the function call, this BLOB must be rewritten to the application database to reflect changes.
TKernelParms*CallParmsIStructure of runtime parameters to use during this function call.
aat_byte*bStateDataBlockOData string of 64 bytes containing the last authenticator status.
aat_int32*StateDataBlockLengthI/OLength of the allocated state data block.

Return codes

Table: Return codes (AAL2GetStateDataBlock)
CodeMeaning
0Success
132Unsupported token type. Only time- or event-based authenticators are supported.
154State data block size too small
155Invalid time window
159Invalid state data block pointer
510Invalid Digipass data pointer
578Invalid BLOB status
1103Unlock Version 2 not supported

AAL2SyncStateData (Function)

Function prototype

aat_int32 AAL2SyncStateData (
        TDigipassBlob* DPData,
        TKernelParms* CallParms,
        aat_byte* bStateDataBlock,
        aat_int32 StateDataBlockLength);

Description

This function synchronizes an authenticator application BLOB with the state data block. It synchronizes the current event for event-based algorithms, the last time used and the last time shift for time-based algorithms, as well as the error and use counts.

Parameters

Table: Parameters (AAL2SyncStateData)
TypeNameUseDescription
TDigipassBlob*DPDataI/OAuthenticator application BLOB. Upon return from the function call, this BLOB must be rewritten to the application database to reflect changes.
TKernelParms*CallParmsIStructure of runtime parameters to use during this function call.
aat_byte*bStateDataBlockIData string of 64 bytes containing the last authenticator status.
aat_int32StateDataBlockLengthILength of the allocated state data block.

Return codes

Table: Return codes (AAL2SyncStateData)
CodeMeaning
0Success
132Unsupported token type. Only time- or event-based authenticators are supported.
154State data block size too small
155Invalid time window
159Invalid state data block pointer
412Invalid state data block checksum
510Invalid Digipass data pointer
578Invalid BLOB status
807Hash data block does not match with the state data block
1103Unlock Version 2 not supported