# Why do we need the client certificate's SHA-256 for Passkey to work?

#### Technical Background: Digital Asset Links (DAL)

Passkey on Android uses the Digital Asset Links protocol to establish a verifiable and secure association between the client's native application and Unico's web domain. The Android platform requires this link, by design, for passkey authentication in mobile applications (see Google's [passkey developer guide](https://developers.google.com/identity/passkeys/developer-guides)).

#### How Security Verification Works

Before generating a key pair for a passkey, the Android authenticator verifies the Relying Party ID (RP ID) present in the server's response against the domain name specified in the [Digital Asset Links file](https://blogs.halodoc.io/streamlining-logins-and-reducing-cost-passkey-integration-in-android-apps/). Without this successful verification, Passkey simply will not work.

**What is SHA-256 and why is it necessary?**

The SHA-256 fingerprint is a unique hash generated from the application's signing certificate, used to identify the [app's authenticity and integrity](https://docs.loginid.io/reference-documentation/mobile/android/).

This certificate corresponds to the key used to sign the APK/AAB [before distribution](https://docs.pingidentity.com/sdks/latest/sdks/use-cases/mobile-biometrics/android/01-prepare-assetlinks-json-file.html) on the Google Play Store.

It is necessary to [register this fingerprint](https://developer.android.com/identity/credential-manager/prerequisites) in the `assetlinks.json` file hosted on Unico's domain under the path `/.well-known/assetlinks.json`.

#### Structure of the `assetlinks.json` file

The file must include two specific permissions: `delegate_permission/common.handle_all_urls` (for [Android App Links](https://developer.android.com/identity/credential-manager/prerequisites)) and `delegate_permission/common.get_login_creds` (for sharing credentials between the website and the Android app), along with the client's package name and SHA-256 fingerprint.

#### Why do we request this information?

* Different values for debug vs. production: the fingerprints associated with the signing key and the upload key are different. It is important to keep this distinction clear, especially since an app can have [multiple versions](https://developer.android.com/studio/publish/app-signing) (debug, release, different product flavors).
* Complete blocking: the server needs to know about the client's app in two different places, the publicly hosted file (`assetlinks.json`) and the server configuration ([expected origin](https://www.droidcon.com/2025/05/19/implementing-passkeys-in-android-a-full-stack-guide/)). Without the correct SHA-256, no passkey operation will work.

#### How to obtain the SHA-256

It is possible to [extract the SHA-256 fingerprint](https://docs.pingidentity.com/sdks/latest/sdks/use-cases/mobile-biometrics/android/01-prepare-assetlinks-json-file.html) with the `keytool` utility from the Java Development Kit (JDK), or to read it directly in the Google Play Console under "Setup > App integrity" in the "App signing" section.
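As an added illustration of the file structure described above and of what `keytool` actually prints (this is example code, not Unico's SDK or Google's tooling): the helper below formats a certificate's SHA-256 the way `keytool -printcert` does, renders an `assetlinks.json` statement carrying both required relations, and checks a hosted file against the client's package name and fingerprint. The package name `com.example.client` and the certificate bytes are constructed placeholders, not real values.

```python
import hashlib
import json
import re

# Both relations the page says assetlinks.json must grant to the client app.
REQUIRED_RELATIONS = (
    "delegate_permission/common.handle_all_urls",
    "delegate_permission/common.get_login_creds",
)
# keytool -printcert style: 32 uppercase hex pairs separated by colons.
FINGERPRINT_RE = re.compile(r"^([0-9A-F]{2}:){31}[0-9A-F]{2}$")

def cert_fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded signing certificate, formatted as keytool prints it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def build_assetlinks(package_name: str, fingerprints: list[str]) -> str:
    """JSON text to host at /.well-known/assetlinks.json: one statement with both relations."""
    target = {"namespace": "android_app", "package_name": package_name,
              "sha256_cert_fingerprints": list(fingerprints)}
    return json.dumps([{"relation": list(REQUIRED_RELATIONS), "target": target}], indent=2)

def check_assetlinks(document: str, package_name: str, fingerprint: str) -> list[str]:
    """Reasons the hosted file would NOT authorise this app; an empty list means it does."""
    problems: list[str] = []
    if not FINGERPRINT_RE.match(fingerprint):
        problems.append("fingerprint is not a colon-separated SHA-256 as keytool prints it")
    try:
        statements = json.loads(document)
    except json.JSONDecodeError as exc:
        return problems + [f"invalid JSON: {exc}"]
    if not isinstance(statements, list):
        return problems + ["top-level value must be a JSON array of statements"]
    matched = False
    for st in statements:
        target = st.get("target", {})
        if target.get("namespace") != "android_app" or target.get("package_name") != package_name:
            continue
        matched = True
        problems += [f"{package_name} lacks relation {r}" for r in REQUIRED_RELATIONS
                     if r not in st.get("relation", [])]
        listed = {fp.upper() for fp in target.get("sha256_cert_fingerprints", [])}
        if fingerprint.upper() not in listed:
            problems.append(f"fingerprint not listed for {package_name} (debug vs. release key?)")
    if not matched:
        problems.append(f"no android_app statement for {package_name}")
    return problems
```

Feed `check_assetlinks` the body fetched from `https://<domain>/.well-known/assetlinks.json` together with the fingerprint from `keytool` or the Play Console; a non-empty result explains why the authenticator's verification would fail.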

#### Conclusion

The SHA-256 is not just a technical requirement—it is a fundamental Android security mechanism to ensure that only the legitimate client application can create and use passkeys associated with Unico's domain. Without it, there is no way to establish the necessary trust between the app and the server, making it impossible to activate the Passkey functionality for that client.
