Introduction
The FACETID (facet ID) is a unique identifier used in FIDO2/WebAuthn for Android apps that provides:
| Feature | Description |
|---|---|
| App Identity Verification | It uniquely identifies which Android app is requesting FIDO2 credentials, based on the app’s signing certificate. |
| Prevents App Spoofing | Only the app signed with the same certificate can access the credentials created under that FACETID. This protects against malicious apps pretending to be your app. |
| Credential Binding | FIDO2 credentials (public keys) are bound to the FACETID, ensuring they can only be used by the same app in the future. |
| Trust Anchor in WebAuthn | The FACETID is sent during registration and authentication. Relying parties use it to validate app origin and enforce app-level access control. |
In order to use the Belvo Android SDK for biometric authentication, you need to generate a FACETID for your app. This is essential for FIDO2/WebAuthn operations and is used to ensure that the credentials are securely bound to your app. In this guide, we will walk you through the steps to generate a FACETID for your Android app.
Generating FACETID
To generate your app's FACETID:
- Locate your app’s signing certificate (usually .jks or .keystore). For example: my-release-key.jks
- Export the signing certificate in .der format.
## Export the certificate
keytool -exportcert \
-alias your-key-alias \
-keystore my-release-key.jks \
-storepass your-keystore-password \
-rfc > cert.pem
## Convert to DER format
openssl x509 -in cert.pem -outform DER -out cert.der- Generate the SHA-256 hash of the certificate
openssl dgst -sha256 -binary cert.der | openssl base64 -A- Convert Base64 to Base64URL:
- Replace
+with- - Replace
/with_ - Remove
=padding at the end of the string.
- Replace
For example, nabc65V09KlcsLjIWTnaRB8PKXagy9Lbai/5ahhSE08= becomes nabc65V09KlcsLjIWTnaRB8PKXagy9Lbai_5ahhSE08.
- Build the FACETID
## FACETID format
android:apk-key-hash:<base64url_encoded_hash>
## Example with Base64URL encoded hash
android:apk-key-hash:nabc65V09KlcsLjIWTnaRB8PKXagy9Lbai_5ahhSE08- Share your FACETID with Belvo.
Done! You have successfully generated your app's FACETID. After you have shared it with Belvo, you can continue with the integration of the Belvo Android SDK for biometric payments.
Handy Script
Our fantastic developer team has created a handy script to help automate the FACETID generation process.
How to use:
- Save the code below as
generate_facetid.sh. - Update the
KEYSTORE_PATH,ALIAS, andSTOREPASSvariables with your app's details. - Make the script executable:
chmod +x generate_facetid.sh - Run the script:
./generate_facetid.sh
Check it out below:
#!/bin/bash
# === CONFIGURATION ===
KEYSTORE_PATH="my-release-key.jks"
ALIAS="your-key-alias"
STOREPASS="your-keystore-password"
# === TEMP FILES ===
CERT_PEM="cert.pem"
CERT_DER="cert.der"
# === 1. Export cert in PEM format ===
echo "[*] Exporting cert to PEM..."
keytool -exportcert -alias "$ALIAS" -keystore "$KEYSTORE_PATH" -storepass "$STOREPASS" -rfc > "$CERT_PEM"
# === 2. Convert PEM to DER ===
echo "[*] Converting PEM to DER..."
openssl x509 -in "$CERT_PEM" -outform DER -out "$CERT_DER"
# === 3. SHA-256 hash + Base64 ===
echo "[*] Generating SHA-256 hash..."
BASE64_HASH=$(openssl dgst -sha256 -binary "$CERT_DER" | openssl base64 -A)
# === 4. Convert Base64 to Base64URL ===
FACET_HASH=$(echo "$BASE64_HASH" | tr '+/' '-_' | tr -d '=')
# === 5. Output ===
echo ""
echo "✅ FACETID:"
echo "android:apk-key-hash:$FACET_HASH"