Skip to main content
The MBKYC SDK runs inside your application and handles two things for you: talking to local hardware (smart card readers and fingerprint sensors), and communicating with the Validation Gateway over a secure channel. You work with one simple API; the SDK takes care of the rest.

The big picture

Your environment reaches ICP only through your own proxy — the agreed entry point between the two networks — over a private MPLS or IP-whitelisted channel. Nothing in your environment connects to ICP services directly.

Domains go through your proxy

Your proxy fronts every ICP domain you use — the package repository, the dashboard, and the API. So each ICP hostname in these docs is really your proxied equivalent; your ICP contact gives you the actual hostnames. Throughout the docs we use these placeholders:
WhatPlaceholderUsed for
Package repositoryrepo.client.aePulling SDK packages and desktop services from Nexus
Dashboardthe Client PortalOnboarding, API keys, devices, transactions
APIapi.client.aeThe SDK’s baseUrl — verification traffic to the Validation Gateway
You configure the SDK with a single base URL — your proxied API host. The Validation Gateway is the boundary you integrate against: it receives your request, runs the verification against ICP records, and returns the result.

What the SDK does for you

Talks to hardware

Discovers readers and sensors, reads the Emirates ID chip, and captures fingerprints — so you don’t integrate vendor hardware yourself.

Secures the channel

Registers the device, opens an encrypted session, and submits each verification. You never build these requests by hand.

Trust boundaries

Your application

Embeds the SDK. Holds the non-secret API key ID. Never holds the API secret.

Your backend

Holds the API secret and signs requests on the SDK’s behalf via the token signer.

Validation Gateway

Owns the verification decision and all identity data. Operated by ICP.

On Android: hardware integrations

On Android, support for a hardware vendor can live inside your own app or in a separate companion app — whichever suits your deployment. Either way, the hardware integration must carry the same Android signing certificate as the SDK component that uses it, because that connection is protected at the signature level. The SDK then discovers the available readers and sensors automatically. See the Android guide for details.

The verification sequence

At runtime the SDK makes three calls to the Validation Gateway — register, handshake, validate — described in SDK ↔ Validation Gateway.