Concepts
Concept pages describe the ideas that span every layer of the HAAPI SDKs. They contain no client-side code — read them when you want to understand what something does before deciding how to implement it. Each page links to its corresponding implementation in the Driver, SDK, or UI Layer.
Concepts vs implementation. A concept page tells you what the feature is and why it exists; the matching layer page tells you which builder method, configuration record, or runtime call wires it up. Most concept pages link directly to their implementation counterparts.
Pages
| Concept | What it covers |
|---|---|
| Attestation and Fallback | Hardware-backed device attestation (App Attest on iOS, Key Attestation on Android) and the fallback path for non-attestation devices |
| Client Authentication | Secret, MTLS, and Signed JWT — when each is appropriate and why DCR fallback needs one |
| Dynamic Client Registration (DCR) | Per-device dynamic OAuth clients, server-side template requirements, security trade-offs |
| DPoP and Nonces | DPoP proof-of-possession, the dpop-nonce lifecycle, and auto-management semantics |
| Error Handling | The retryable / unrecoverable / OAuth-protocol error categorisation shared across every layer |
| Logging and Observability | HaapiLogger, follow-up tags, sensitive-value masking, sink semantics |
| Risk Assessment | Device-context collection for BankID-style risk-scoring authentication services |
| Token Binding | DPoP-bound authorization codes and refresh tokens, server / client matching, security model |