Why Two SDKs?

SophID splits browser and backend responsibilities into separate SDKs because the trust boundaries are different.

Web SDK Responsibilities

Launch the SophID mobile app from a phone browser
Present QR-based handoff for desktop browsers
Poll for completed biometric results
Handle browser-facing helper methods and UX concerns

Server SDK Responsibilities

Mint Biometric Session Tokens (BST)
Validate signed Biometric Result Tokens (BRT)
Enforce replay protection and session lifetimes
Bind user identity and operation context on the backend

Why This Separation Matters

The Web SDK should not hold backend signing responsibilities, and the Server SDK should not depend on browser state. Keeping the SDKs separate makes the integration easier to reason about and more secure.

Web SDK Responsibilities​

Server SDK Responsibilities​

Why This Separation Matters​

Web SDK Responsibilities

Server SDK Responsibilities

Why This Separation Matters