Truecaller SDK
For Truecaller users verification flow

Recommended Steps for validating the authenticity of SDK response at your server side

Last updated 3 years ago

Truecaller SDK already verifies the authenticity of the response before forwarding it to your app. However, if you wish to additionally check the authenticity of the response at your end, you can do so.

In the TrueProfile response we return:

  • Payload: the Base64 encoding of the JSON object containing all profile information

  • Signature: the signature over the payload, generated by applying the signing algorithm with our private key

  • Signature algorithm: sent in the response header

To verify the payload, our public key for a given algorithm can be fetched using this API: https://api4.truecaller.com/v1/key

Using the payload, the signature and the public key, you can verify that the content sent is authentic through the following flow:

a. Apply verification: use our public key (with the given algorithm) to verify the signature against the payload.

b. If verification succeeds, you know that the response comes from Truecaller's backend and is authentic. The profile is then obtained by Base64-decoding the payload.

For details on the verification flow and sample code snippets in different programming languages, please refer to this

To add another layer of security, you can also check that the payload passed to your server was originally generated for your own app (package name). The payload you receive in the success response contains a field with the key "verifier". Generate an HMAC-SHA256 of your package name, using your appKey (partner key) as the secret (the appKey referred to here is the one you generate from our developer portal). The output should match the verifier value received in the payload; if it does not, the payload was tampered with.
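Both server-side checks described above (signature verification of the payload, then the HMAC-SHA256 "verifier" comparison) as one Go example. This is added illustration, not Truecaller's own code; it assumes SHA256withRSA (PKCS#1 v1.5) over the Base64 payload string as received and a hex-encoded verifier, and the key pair, package name and appKey are constructed stand-ins for the real public key fetched from the key API.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
)

// VerifyPayload checks the signature, then decodes the profile. Assumed: SHA256withRSA (PKCS#1 v1.5) over the Base64 payload string as received.
func VerifyPayload(payloadB64, sigB64 string, pub *rsa.PublicKey) (map[string]any, error) {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	digest := sha256.Sum256([]byte(payloadB64))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, rsa.ErrVerification // not signed by the expected key, or tampered
	}
	raw, err := base64.StdEncoding.DecodeString(payloadB64) // decode only after the signature holds
	var profile map[string]any
	if err == nil {
		err = json.Unmarshal(raw, &profile)
	}
	return profile, err
}

// ExpectedVerifier is HMAC-SHA256 over the package name keyed with the appKey (hex output is an assumption).
func ExpectedVerifier(packageName, appKey string) string {
	mac := hmac.New(sha256.New, []byte(appKey))
	mac.Write([]byte(packageName))
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifierMatches compares the payload's "verifier" field with the recomputed value in constant time.
func VerifierMatches(profile map[string]any, packageName, appKey string) bool {
	got, _ := profile["verifier"].(string)
	return hmac.Equal([]byte(got), []byte(ExpectedVerifier(packageName, appKey)))
}

// MakeSample signs a constructed profile with a throwaway key standing in for Truecaller's private key, only to exercise the checks offline.
func MakeSample(packageName, appKey string) (string, string, *rsa.PublicKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	body, _ := json.Marshal(map[string]string{"phoneNumber": "+15550000000", "verifier": ExpectedVerifier(packageName, appKey)})
	payloadB64 := base64.StdEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(payloadB64))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return payloadB64, base64.StdEncoding.EncodeToString(sig), &key.PublicKey
}
```

In production, replace MakeSample's throwaway key with the public key fetched for the algorithm named in the response header, and reject the request whenever either check fails.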

Public key API: https://api4.truecaller.com/v1/key