# Introduction The FACETID (facet ID) is a unique identifier used in FIDO2/WebAuthn for Android apps that provides: | Feature | Description | | --- | --- | | App Identity Verification | It uniquely identifies **which Android app** is requesting FIDO2 credentials, based on the app’s **signing certificate**. | | Prevents App Spoofing | Only the app signed with the **same certificate** can access the credentials created under that FACETID. This protects against malicious apps pretending to be your app. | | Credential Binding | FIDO2 credentials (public keys) are **bound to the FACETID**, ensuring they can only be used by the same app in the future. | | Trust Anchor in WebAuthn | The FACETID is sent during registration and authentication. Relying parties use it to **validate app origin** and enforce app-level access control. | In order to use the Belvo Android SDK for biometric authentication, you need to generate a FACETID for your app. This is essential for FIDO2/WebAuthn operations and is used to ensure that the credentials are securely bound to your app. In this guide, we will walk you through the steps to generate a FACETID for your Android app. ## Generating FACETID To generate your app's FACETID: 1. Locate your app’s signing certificate (usually **.jks** or **.keystore**). For example: my-release-key.jks 2. Export the signing certificate in **.der** format. ```shell Export Signing Certificate ## Export the certificate keytool -exportcert \ -alias your-key-alias \ -keystore my-release-key.jks \ -storepass your-keystore-password \ -rfc > cert.pem ## Convert to DER format openssl x509 -in cert.pem -outform DER -out cert.der ``` 1. Generate the SHA-256 hash of the certificate ```shell Generate SHA-256 Hash openssl dgst -sha256 -binary cert.der | openssl base64 -A ``` 1. Convert Base64 to Base64URL: - Replace `+` with `-` - Replace `/` with `_` - Remove `=` padding at the end of the string. For example, `nabc65V09KlcsLjIWTnaRB8PKXagy9Lbai/5ahhSE08=` becomes `nabc65V09KlcsLjIWTnaRB8PKXagy9Lbai_5ahhSE08`. 1. Build the FACETID ```shell Building FACETID Example ## FACETID format android:apk-key-hash: ## Example with Base64URL encoded hash android:apk-key-hash:nabc65V09KlcsLjIWTnaRB8PKXagy9Lbai_5ahhSE08 ``` 1. Share your FACETID with Belvo. Done! Done! You have successfully generated your app's FACETID. After you have shared it with Belvo, you can continue with the integration of the Belvo Android SDK for biometric payments. ## Handy Script Our fantastic developer team has created a handy script to help automate the FACETID generation process. **How to use:** 1. Save the code below as `generate_facetid.sh`. 2. Update the `KEYSTORE_PATH`, `ALIAS`, and `STOREPASS` variables with your app's details. 3. Make the script executable: `chmod +x generate_facetid.sh` 4. Run the script: `./generate_facetid.sh` Check it out below: ```bash FACETID Generation Script #!/bin/bash # === CONFIGURATION === KEYSTORE_PATH="my-release-key.jks" ALIAS="your-key-alias" STOREPASS="your-keystore-password" # === TEMP FILES === CERT_PEM="cert.pem" CERT_DER="cert.der" # === 1. Export cert in PEM format === echo "[*] Exporting cert to PEM..." keytool -exportcert -alias "$ALIAS" -keystore "$KEYSTORE_PATH" -storepass "$STOREPASS" -rfc > "$CERT_PEM" # === 2. Convert PEM to DER === echo "[*] Converting PEM to DER..." openssl x509 -in "$CERT_PEM" -outform DER -out "$CERT_DER" # === 3. SHA-256 hash + Base64 === echo "[*] Generating SHA-256 hash..." BASE64_HASH=$(openssl dgst -sha256 -binary "$CERT_DER" | openssl base64 -A) # === 4. Convert Base64 to Base64URL === FACET_HASH=$(echo "$BASE64_HASH" | tr '+/' '-_' | tr -d '=') # === 5. Output === echo "" echo "✅ FACETID:" echo "android:apk-key-hash:$FACET_HASH" ```