Architecture
How TrulyYou works under the hood
TrulyYou is built on industry-standard cryptographic primitives and hardware security features. The architecture consists of three main components that work together to provide seamless, secure authentication.
System Components
The client SDK is available for Web, iOS, Android, React Native, and more. It handles key generation, biometric prompts, and request signing.
await sdk.fetchWithSignature('/api/transfer', { ... })
Private keys are generated and stored in a hardware-isolated secure area. On iOS this is the Secure Enclave; on Android it is StrongBox or the TEE. Keys never leave this secure environment.
The server-side component is available for Node.js, Python, Go, Ruby, Java, and PHP. It verifies request signatures and extracts the user identity.
if (valid) processPayment(userId, amount)
Authentication Flow
- SDK generates an ECDSA P-256 key pair in device TEE
- Private key is bound to biometric authentication
- Public key is sent to your server and stored with user ID
- Key ID is returned and stored locally for future use

- SDK creates request payload (endpoint + body + timestamp)
- Prompts for biometric authentication (Face ID / Touch ID)
- After biometric success, TEE signs payload with private key
- Signature is attached to HTTP request headers

- Extracts signature and key ID from headers
- Retrieves user's public key from database
- Verifies signature using ECDSA verification
- Checks timestamp to prevent replay attacks
- Returns user ID and validation status

- Check user permissions and account status
- Process the requested action (payment, transfer, etc.)
- Return success/failure response to client
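
The signing and verification steps above, as an added Node.js example that is not TrulyYou's SDK code. The header names, the JSON payload encoding, the 60-second window and the in-memory key store are assumptions, since the page does not specify them.

```javascript
const crypto = require('node:crypto');

const MAX_SKEW_MS = 60000; // assumed freshness window; the page gives no value

// Assumed encoding of "endpoint + body + timestamp": a JSON array keeps the
// field boundaries unambiguous, unlike plain string concatenation.
function canonicalPayload(endpoint, body, timestamp) {
  return Buffer.from(JSON.stringify([endpoint, body, String(timestamp)]));
}

// Stand-in for the device: here the key is in process memory, not in a TEE.
// Header names are hypothetical.
function signRequest(privateKey, keyId, endpoint, body, timestamp) {
  const sig = crypto.sign('sha256', canonicalPayload(endpoint, body, timestamp), privateKey);
  return { 'x-key-id': keyId, 'x-timestamp': String(timestamp), 'x-signature': sig.toString('base64') };
}

// Server side: key lookup, ECDSA verification, then the timestamp check.
function verifyRequest(keyStore, endpoint, body, headers, now = Date.now()) {
  const record = keyStore.get(headers['x-key-id']);
  if (!record) return { valid: false, reason: 'unknown_key' };
  const ts = Number(headers['x-timestamp']);
  if (!Number.isSafeInteger(ts)) return { valid: false, reason: 'bad_timestamp' };
  const payload = canonicalPayload(endpoint, body, headers['x-timestamp']);
  const sig = Buffer.from(headers['x-signature'] || '', 'base64');
  if (!crypto.verify('sha256', payload, record.publicKey, sig)) return { valid: false, reason: 'bad_signature' };
  if (Math.abs(now - ts) > MAX_SKEW_MS) return { valid: false, reason: 'stale_timestamp' };
  return { valid: true, userId: record.userId };
}

// Constructed sample data: one registered key, one signed transfer request.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const keyStore = new Map([['key-1', { userId: 'user-42', publicKey }]]);
  const t0 = 1700000000000;
  const body = '{"amount":100}';
  const headers = signRequest(privateKey, 'key-1', '/api/transfer', body, t0);
  const check = (b, now) => verifyRequest(keyStore, '/api/transfer', b, headers, now);
  return {
    fresh: check(body, t0 + 1000),
    tampered: check('{"amount":9000}', t0 + 1000),
    stale: check(body, t0 + 10 * 60000),
    // Same request sent twice inside the window: the timestamp check alone accepts it.
    repeatedInWindow: check(body, t0 + 30000),
  };
}

console.log(demo());
```

The last case shows that a timestamp window by itself still accepts a second copy of a request sent inside the window; rejecting it requires the server to remember signatures it has already seen until they expire.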
Security Guarantees
Hardware-backed Keys
Private keys never leave device secure hardware
Biometric Proof
Every sensitive action requires biometric authentication
Replay Protection
Timestamps prevent signature reuse
Cross-Platform
Same key works across all interfaces