TadSigningConfig is the single configuration object you pass to TadSigningViewController. It holds your API endpoint, the public key used to verify JWT results, and the WebAuthn relying party settings for your domain. You create it once — typically as a shared singleton — before presenting the view controller.

Full example

The following is the complete configuration used in the TAD Signing demo app:
```swift
import Foundation
import TadSigningSDK

enum SDKConfig {
    static let shared = TadSigningConfig(
        apiBaseUrl: URL(string: "https://signing.tadi.uz")!,
        publicKeyPem: """
        -----BEGIN PUBLIC KEY-----
        MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQANTC0w0ACO79+hPYfK5fEF9nAAztI
        zpD8M0UTyR4ON5DeT3nKY12noi9PVVCIK1uwImeqsWx56cc7kMmWC99RKV0Az3JC
        Zq5gRExuUzk+aWcoG3DppFy2hCwEVeuDTENz0P5Rhx/BBJ8Q4jWVOM2AM2W3SQ/q
        1nG5s8ixxX2BnPBTQ7w=
        -----END PUBLIC KEY-----
        """,
        rpId: "signing.tadi.uz",
        serviceName: "tad-signing-demo",
        blockProxy: true
    )
}
```
Never hardcode a production public key directly in source code. Store it in an environment-specific configuration file or a secrets manager and inject it at build time. Committing real keys to version control creates a security risk.

Parameters

apiBaseUrl
URL
required
The base URL of your TAD signing API. All SDK network requests are sent to this endpoint.

Must be a valid URL value. The demo app uses https://signing.tadi.uz. For production, use the URL provided by your backend team.

```swift
apiBaseUrl: URL(string: "https://signing.tadi.uz")!
```
publicKeyPem
String
required
The ES512 (ECDSA P-521) public key in PEM format, used to verify the JWT returned after a successful signing operation. This key is provided by your backend team and corresponds to the private key the signing service uses to sign JWTs.

The value must be a PEM string including the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- headers.

```swift
publicKeyPem: """
-----BEGIN PUBLIC KEY-----
MIGbMBAGByqGSM49AgEGBSuBBAAj...
-----END PUBLIC KEY-----
"""
```
rpId
String
required
The WebAuthn relying party ID. This must match the domain you configured in your app's Associated Domains entitlement under the webcredentials: prefix.

For example, if your entitlement is webcredentials:signing.tadi.uz, set rpId to "signing.tadi.uz". Mismatched values will cause passkey operations to fail.

```swift
rpId: "signing.tadi.uz"
```
serviceName
String
required
A string identifier for your service, sent to the signing API to scope passkey operations. Use a consistent, URL-safe value that identifies your app or service.

The demo app uses "tad-signing-demo". For production, use a value agreed upon with your backend team.

```swift
serviceName: "tad-signing-demo"
```
blockProxy
Bool
required
When true, the SDK rejects network connections routed through a proxy. This reduces the risk of man-in-the-middle interception during biometric and signing API calls.

Set to false only in development environments where a proxy is needed for debugging. Never disable proxy blocking in production builds.

```swift
blockProxy: true
```

Environment-specific configuration

Create a separate TadSigningConfig instance for each environment — development, staging, and production — and select the appropriate one at build time using a build flag or configuration file. This keeps test keys and URLs isolated from production values.
```swift
import Foundation
import TadSigningSDK

enum SDKConfig {
    static var shared: TadSigningConfig {
        #if DEBUG
        return TadSigningConfig(
            apiBaseUrl: URL(string: "https://your-staging-api.example.com")!,
            publicKeyPem: BuildConfig.signingPublicKey,  // inject from build config
            rpId: "your-staging-domain.example.com",
            serviceName: "your-service-name",
            blockProxy: false  // Allow proxy in development for debugging
        )
        #else
        return TadSigningConfig(
            apiBaseUrl: URL(string: "https://your-production-api.example.com")!,
            publicKeyPem: BuildConfig.signingPublicKey,  // inject from build config
            rpId: "your-production-domain.example.com",
            serviceName: "your-service-name",
            blockProxy: true
        )
        #endif
    }
}
```
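
A fail-fast check on the values described under Parameters, run before the config is built, catches a wrong key type or a malformed rpId at launch instead of at the first signing attempt. This is an added example, not code from the SDK or its demo app: `ConfigCheck`, `Failure` and `makeConfig` are hypothetical names, the rule that rpId contains no prefix, scheme, port or path is an assumption based on it being a domain, and the key check relies on CryptoKit's `P521.Signing.PublicKey(pemRepresentation:)` (iOS 14 and later).

```swift
import CryptoKit
import Foundation
import TadSigningSDK

// Added example: ConfigCheck and its error cases are hypothetical, not part of TadSigningSDK.
enum ConfigCheck {
    enum Failure: Error {
        case keyNotP521(Error)
        case rpIdNotBareDomain(String)
        case proxyAllowedInRelease
    }

    /// Validates the inputs, then builds the config with the initializer shown on this page.
    static func makeConfig(apiBaseUrl: URL, publicKeyPem: String, rpId: String,
                           serviceName: String, blockProxy: Bool) throws -> TadSigningConfig {
        // ES512 is ECDSA over P-521: parsing the PEM as a P-521 public key
        // rejects missing headers, truncated base64, and keys on another curve.
        do { _ = try P521.Signing.PublicKey(pemRepresentation: publicKeyPem) }
        catch { throw Failure.keyNotP521(error) }

        // Assumption: rpId is a bare domain, so a pasted "webcredentials:" prefix,
        // a scheme, a port or a path is a configuration mistake.
        let forbidden = CharacterSet(charactersIn: ":/?#@ ")
        guard !rpId.isEmpty, rpId.rangeOfCharacter(from: forbidden) == nil else {
            throw Failure.rpIdNotBareDomain(rpId)
        }

        #if !DEBUG
        // Proxy blocking must stay enabled in production builds.
        guard blockProxy else { throw Failure.proxyAllowedInRelease }
        #endif

        return TadSigningConfig(apiBaseUrl: apiBaseUrl, publicKeyPem: publicKeyPem,
                                rpId: rpId, serviceName: serviceName, blockProxy: blockProxy)
    }
}
```

The check cannot confirm that rpId matches the Associated Domains entitlement, since that comparison has to be made against the .entitlements file at build time.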

Associated Domains requirement

Your Xcode project must declare an Associated Domains entitlement that matches rpId. Add the following to your .entitlements file:
```xml
<key>com.apple.developer.associated-domains</key>
<array>
  <string>webcredentials:signing.tadi.uz</string>
</array>
```
Without this entitlement, the FIDO2 passkey operations will fail at runtime on real devices.