The TAD Signing SDK uses WebAuthn passkeys (FIDO2) for document signing. Apple’s passkey implementation requires the Associated Domains entitlement to cryptographically bind a passkey to a specific domain. Without this binding, iOS will refuse to create or use passkeys, and all registration and signing operations will fail. The entitlement works by telling iOS which domain your app is authorised to act on behalf of. The SDK’s TadSigningConfig.rpId must equal the domain listed in this entitlement exactly — any mismatch causes passkey operations to fail silently or with a generic authorization error.
The rpId value in TadSigningConfig must exactly match the domain in your Associated Domains entitlement. For example, if your entitlement lists webcredentials:signing.tadi.uz, then rpId must be "signing.tadi.uz" — not a subdomain, not a full URL, not a path.

How Associated Domains works for passkeys

When your app attempts a WebAuthn registration or assertion, iOS checks:
  1. The app’s Associated Domains entitlement contains a webcredentials:<domain> entry.
  2. Your server hosts an Apple App Site Association (AASA) file at https://<domain>/.well-known/apple-app-site-association.
  3. The AASA file lists your app’s Team ID and bundle identifier under the webcredentials section.
All three must be consistent. If any check fails, iOS blocks the passkey operation.

Setting up Associated Domains

1. Enable the Associated Domains capability in Xcode

In Xcode, select your app target, open the Signing & Capabilities tab, click + Capability, and add Associated Domains.
2. Add the webcredentials entry

In the Associated Domains capability panel, click + and add the following entry, replacing signing.tadi.uz with your own relying party domain:
webcredentials:signing.tadi.uz
Your entitlements file (YourApp.entitlements) will be updated automatically by Xcode to contain:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.associated-domains</key>
    <array>
        <string>webcredentials:signing.tadi.uz</string>
    </array>
</dict>
</plist>
3. Configure the entitlement in XcodeGen (project.yml)

If you manage your project with XcodeGen, add the entitlement under the target’s entitlements.properties block:
targets:
  TadSigningDemo:
    type: application
    platform: iOS
    deploymentTarget: "16.0"
    entitlements:
      path: TadSigningDemo/TadSigningDemo.entitlements
      properties:
        com.apple.developer.associated-domains:
          - webcredentials:signing.tadi.uz
4. Set the matching rpId in TadSigningConfig

In your SDK configuration, set rpId to the bare domain — no scheme, no trailing slash:
import TadSigningSDK

enum SDKConfig {
    static let shared = TadSigningConfig(
        apiBaseUrl: URL(string: "https://signing.tadi.uz")!,
        publicKeyPem: "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----",
        rpId: "signing.tadi.uz",
        serviceName: "your-service-name",
        blockProxy: true
    )
}
5. Serve the Apple App Site Association file from your backend

Your backend must serve a valid AASA file at:
https://signing.tadi.uz/.well-known/apple-app-site-association
The file must be served as application/json over HTTPS with no redirects. Include a webcredentials section that lists your app’s Team ID and bundle identifier:
{
  "webcredentials": {
    "apps": [
      "ABCDE12345.uz.tad.TadSigningDemo"
    ]
  }
}
Replace ABCDE12345 with your Apple Developer Team ID and uz.tad.TadSigningDemo with your app’s bundle identifier. You can add multiple bundle IDs to the array if you have development and production targets.

Verifying the setup

After deploying the AASA file, use the Apple App Site Association validator or the CDN cache-buster endpoint at https://app-site-association.cdn-apple.com/a/v1/<domain> to confirm Apple can fetch and parse your file.
Apple caches AASA files via its CDN. During development, install your app directly via Xcode onto a device — this bypasses the CDN and fetches the file directly from your server, which speeds up iteration.
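
The three-way consistency iOS enforces (entitlement, AASA file, rpId) can also be checked offline, for example in CI before a release. The script below is an added example, not part of the TAD Signing SDK; the function name check_passkey_binding is hypothetical and the inputs are constructed from the sample values on this page. It also accepts Apple's optional ?mode=... suffix on an entitlement entry, which this page does not otherwise cover.

```python
import json
import plistlib
import re

# Constructed sample inputs mirroring the values used on this page.
ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>com.apple.developer.associated-domains</key>
  <array><string>webcredentials:signing.tadi.uz</string></array>
</dict></plist>"""
AASA = '{"webcredentials": {"apps": ["ABCDE12345.uz.tad.TadSigningDemo"]}}'

# A bare host name: dot-separated labels, no scheme, port, path or slash.
BARE_DOMAIN = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def check_passkey_binding(rp_id, entitlements_xml, aasa_json, team_id, bundle_id):
    """Return a list of problems; an empty list means all three pieces agree."""
    problems = []
    if not BARE_DOMAIN.match(rp_id):
        problems.append(f"rpId {rp_id!r} is not a bare domain (no scheme, path or slash)")

    entries = plistlib.loads(entitlements_xml).get(
        "com.apple.developer.associated-domains", [])
    # Keep only webcredentials entries; drop an optional "?mode=..." suffix.
    domains = {e.split(":", 1)[1].split("?", 1)[0]
               for e in entries if e.startswith("webcredentials:")}
    if rp_id not in domains:
        problems.append(f"entitlement has no webcredentials:{rp_id} (found {sorted(domains)})")

    try:
        apps = json.loads(aasa_json).get("webcredentials", {}).get("apps", [])
    except json.JSONDecodeError as exc:
        return problems + [f"AASA is not valid JSON: {exc}"]
    app_id = f"{team_id}.{bundle_id}"
    if app_id not in apps:
        problems.append(f"AASA webcredentials.apps does not list {app_id}")
    return problems


if __name__ == "__main__":
    for rp in ("signing.tadi.uz", "https://signing.tadi.uz/", "api.signing.tadi.uz"):
        print(rp, "->", check_passkey_binding(
            rp, ENTITLEMENTS, AASA, "ABCDE12345", "uz.tad.TadSigningDemo") or "OK")
```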
