Truecaller
Search…
2.6.0
Hello!
Why Truecaller SDK
Getting Started
ANDROID
Implementing user flow for your app
Scenarios for all user verifications : Truecaller and Non Truecaller Users
Generating App Key
Integrating with your App
Server Side Response Validation
For Truecaller users verification flow
For Non-Truecaller users verification flow
Instrumentation
Getting Release Ready
MOBILE WEBSITES
Implementing user flow for your Mobile Website
Generating App Key
Integrating with your mobile website
Getting Release Ready
IOS
Generating App Key
Integrating with your iOS App
Server Side Response Validation
SHOPIFY APP
Generating App Key
App Configuration
Deactivating App Block
FAQs
General
Developer Account
Android App SDK
Mobile Web SDK
Shopify App
PRODUCT UPDATES
App Review Process
Introducing dark theme
Powered By GitBook
For Truecaller users verification flow
Recommended Steps for validating the authenticity of SDK response at your server side
Truecaller SDK already verifies the authenticity of the response before forwarding it to your app. However, if you wish to additionally check the authenticity of the response at your end, you can do so.
In the response for TrueProfile we return -
  • Payload, which is a Base64 encoding of the json object containing all profile info
  • Signature, which contains the payload's signature . Signature is generated by applying signing algorithm with our private key
  • Signature Algorithm in the response header
To verify the payload, our public key for a given algorithm can be fetched using this API: https://api4.truecaller.com/v1/key.
Using the payload, the signature and the public key, you can verify that the content sent is authentic through the following flow:
a. Apply verification, which means apply our public key to the signature (with given algorithm) and comparing result with payload
b. If verified, you would know that response comes from Truecaller's backend and is authentic. The profile can then be used as base64 decoding of the payload.
For details on the verification flow and sample code snippets in different programming languages, please refer this link
In order to add another layer of security, you can also put a check to identify if the payload that is passed on to your server was initially generated for your app (package name) itself. The payload that you receive in the success response has a field with a key as “verifier”. Here, you need to generate HMAC SHA256 of your package name, using your appKey (partner key) as a secret. (The appKey mentioned here is the one that you generate from our developer portal). The output that you get from above should match the verifier value received in the payload. In case it doesn't, which means that the payload that was generated was tampered.
ANDROID - Previous
Server Side Response Validation
Next
For Non-Truecaller users verification flow
Last modified 1mo ago
Copy link