The App-to-App feature gives users with activated accounts the ability to approve a pending request from a third-party application or web page with their mobile device. This feature is also supported for integrations with DIGIPASS Gateway.
Overview of app-to-app communication
With app-to-app communication, a third-party application or web page invokes the Mobile Authenticator Studio app with a Secure Channel message. The Mobile Authenticator Studio app then calls back the third-party application or web page with the signature of the Secure Channel message.
Mobile Authenticator Studio is invoked from a URL that has the following format:
${scheme}://app2app_secure_channel?x-success=thirdpartyapp://...&x-error=thirdpartyapp://...&x-cancel=thirdpartyapp://...&secure_message=0000C3E40F4
${scheme} is a string specified in the course of the Mobile Authenticator Studio application customization, according to the iOS and Android scheme policies.
x-success is the callback URL invoked by Mobile Authenticator Studio in case of success. The signature of the Secure Channel transaction message is concatenated to this URL.
x-error is the callback URL invoked by Mobile Authenticator Studio in case of error. The error code is concatenated to this URL.
x-cancel is the callback URL invoked by Mobile Authenticator Studio if the user interrupts the process.
secure_message is the Secure Channel message string provided by Authentication Server Framework.
To prevent the callback URL from being compromised, Mobile Authenticator Studio checks it against a URL white list defined in the Mobile Authenticator Studio configuration file.
For more information about supported actions and parameters, refer to the Mobile Authenticator Studio Integration Guide.
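The following added example (not code from Mobile Authenticator Studio or its Integration Guide) builds an invocation URL in the format above with percent-encoded callbacks, then applies a receiver-side check of each callback against a white list. The scheme value mas-example, the thirdpartyapp://approval callbacks, the white list held as (scheme, host) pairs and the exact-match rule are assumptions; the page does not describe the configuration file's white list format.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

SCHEME = "mas-example"               # assumed value of ${scheme}
ACTION = "app2app_secure_channel"    # action name from the URL format above
CALLBACK_PARAMS = ("x-success", "x-error", "x-cancel")
# Constructed white list of (scheme, host) pairs. The real list is defined in
# the Mobile Authenticator Studio configuration file; its format is assumed here.
ALLOWED_CALLBACKS = {("thirdpartyapp", "approval")}


def build_invocation_url(secure_message, success, error, cancel):
    """Caller side: percent-encode each callback so its own '?' and '&' survive."""
    query = urlencode({
        "x-success": success,
        "x-error": error,
        "x-cancel": cancel,
        "secure_message": secure_message,
    })
    return f"{SCHEME}://{ACTION}?{query}"


def callback_allowed(url):
    """Compare the parsed scheme and host exactly, not a string prefix of the URL."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower()) in ALLOWED_CALLBACKS


def validate_invocation(url):
    """Receiver side: return the decoded parameters or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme != SCHEME or parts.netloc != ACTION:
        raise ValueError("not an app-to-app Secure Channel request")
    params = parse_qs(parts.query, keep_blank_values=True)
    result = {}
    for name in CALLBACK_PARAMS + ("secure_message",):
        values = params.get(name, [])
        # A repeated or empty parameter is ambiguous, so reject it outright.
        if len(values) != 1 or not values[0]:
            raise ValueError(f"{name} must appear exactly once")
        result[name] = values[0]
    for name in CALLBACK_PARAMS:
        if not callback_allowed(result[name]):
            raise ValueError(f"{name} is not on the callback white list")
    return result
```

Rejecting repeated parameters matters because different URL parsers disagree on whether the first or the last occurrence wins.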
Sequence of an app-to-app request approval
The following steps take place when a transaction initiated by another application is approved:
To approve an app-to-app request
1. An external, third-party application or web page requests approval on a transaction from the user.
2. The operating system makes the call to open the transaction using Mobile Authenticator Studio.
3. The splash screen of the Mobile Authenticator Studio app is displayed.
4. The user reviews the request details and taps Approve to continue the process.
5. The user is required to confirm their identity using OTP or biometric authentication.
6. The user is returned to the external, third-party application confirming the request approval.
There is an additional scenario:
If the user does not want to approve the transaction, they can tap Cancel or Deny to exit the approval process.
Signing parameter limitations
Limitations apply for the following mask parameters when you use the app-to-app signing feature:
DeviceIdentifier
This parameter is only supported on Android.
RootingStatus
The response returned by this parameter is always false.
UserIdentifier
This parameter is only supported for activation and app-to-app signing operations with DIGIPASS Gateway, but not for a regular multi-device licensing app-to-app signing operation.