Go-Live Checklist
Use this checklist before launching in production. Share it with your integration team.
Credentials & setup
- Received client_id and client_secret from tyntec
- Received an API token from tyntec
- Registered redirect_uri(s) confirmed with tyntec
- Auth server domain reachable from your environment
- Credentials stored securely — never hardcoded in client-side code
Authentication flow
- login_hint passed in E.164 format (+country code + number) when provided
- Omitting login_hint tested — tyntec MSISDN prompt window displays correctly
- State parameter used to prevent CSRF attacks
- Token exchange handled server-side (client_secret never exposed to browser)
- login_hint validated against phone number in returned token after exchange
- Session rejected immediately if login_hint and token phone number do not match
Token handling
- access_token (JWT) decoded and phone_number_verified claim checked
- MobileID (mobile_id) claim stored if used as user identifier
- Tokens stored securely server-side
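
One way to implement the server-side checks from the Authentication flow and Token handling lists, as an added example (not tyntec's code). The `phone_number` claim name, the function names and the sample token are assumptions; JWT signature verification is assumed to be done separately with a JWT library before these claims are trusted.

```python
import base64
import hmac
import json
import re

E164 = re.compile(r"\+[1-9][0-9]{1,14}")  # "+", country code, number; max 15 digits

class AuthRejected(Exception):
    """Raised when the session must be rejected."""

def _same(a, b):
    # Constant-time comparison on bytes, so non-ASCII input cannot raise.
    return hmac.compare_digest(str(a).encode(), str(b).encode())

def jwt_claims(token):
    """Decode the JWT payload only. Signature verification is NOT done here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthRejected("malformed access_token")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:
        raise AuthRejected("undecodable access_token") from exc
    if not isinstance(claims, dict):
        raise AuthRejected("unexpected access_token payload")
    return claims

def validate_callback(sent_state, returned_state, login_hint, access_token):
    """Return the mobile_id claim (or None) if every check passes."""
    if not returned_state or not _same(sent_state, returned_state):
        raise AuthRejected("state mismatch")  # CSRF protection
    claims = jwt_claims(access_token)
    if claims.get("phone_number_verified") is not True:  # strict boolean check
        raise AuthRejected("phone number not verified")
    if login_hint is not None:  # omitted hint: tyntec prompts for the MSISDN
        if not E164.fullmatch(login_hint):
            raise AuthRejected("login_hint is not E.164")
        # Assumption: the token carries the number in a "phone_number" claim.
        if not _same(login_hint, claims.get("phone_number", "")):
            raise AuthRejected("login_hint does not match token phone number")
    return claims.get("mobile_id")

def constructed_token(claims):
    """Build an unsigned sample token for testing; not a real tyntec token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT'})}.{enc(claims)}.constructed-signature"
```
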
Testing
- End-to-end test on mobile data — successful verification
- End-to-end test on Wi-Fi — fallback triggered correctly
- Test with login_hint omitted — tyntec prompt window appears
- Tampered login_hint test — session rejected correctly
- Expired / invalid code test — error handled gracefully
Go-live
- tyntec account manager notified of planned go-live date
- Monitoring and alerting configured for auth failure rates
- Support team briefed on Silent Authentication behaviour
Need help? For technical support or integration questions, contact your tyntec account representative or email support@tyntec.com. Full API documentation: https://api.tyntec.com/reference/silent-authentication/current.html#silent-authentication-api.