TS.43 Deep Dive (Android)
Complete technical reference for the Android Digital Credentials API authentication flow.
TS.43 is a GSMA standard that enables secure, SIM-based authentication on Android devices. The credential is created carrier-side using the Digital Credentials API and is cryptographically bound to the physical SIM.
Complete Protocol Flow
Phase Breakdown
Prepare Phase
The aggregator generates cryptographic keys (session_key, nonce, ECDH P-256 encryption key) and returns the dcql_query parameters needed for the Digital Credentials API call.
Digital Credential Collection
The browser or native app calls the Digital Credentials API, which triggers the Android TS.43 service. The SIM generates an SD-JWT signed with the SIM key and encrypted with Glide's public key.
Credential Resolution
The aggregator parses and decrypts the SD-JWT, extracts the temp_token, exchanges it with the carrier for an access_token, then calls the carrier API to retrieve or verify the phone number.
SD-JWT Token Structure
Certificate Chain Validation
Technical Details
Encryption
ECDH over P-256 is used for key exchange and AES-128-GCM for payload encryption. The encrypted_credential JWE can only be decrypted by Glide's backend.
Signature Verification
The SD-JWT is signed with ES256 (ECDSA with P-256). The certificate chain (x5c) validates that the signing key traces back to a known carrier root certificate.
Audience Binding
The aud claim is set by the browser to the invoking origin, preventing cross-origin replay attacks.
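The checks described under Signature Verification and Audience Binding, as an added Node.js example (not Glide's or any carrier's code): it verifies an ES256 compact JWS, then compares aud with the expected origin and nonce with the session nonce. Assumptions: the name verifyBinding, the sample origin and nonce values, that aud and nonce sit in the same signed payload, and a throwaway key standing in for a public key already validated through x5c; SD-JWT disclosures and JWE decryption are left out.

```javascript
// Added example: ES256 signature, aud and nonce checks on a compact JWS.
const crypto = require('node:crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');

// Returns { ok, reason, claims }. publicKey is assumed to come from an x5c
// chain that has already been validated against a known carrier root.
function verifyBinding(jws, publicKey, expectedOrigin, expectedNonce) {
  const parts = jws.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm on the verifier side; the token must not choose it.
  if (header?.alg !== 'ES256') return { ok: false, reason: 'alg' };
  const sig = Buffer.from(s, 'base64url');
  // JWS carries ECDSA signatures as raw r||s (64 bytes for P-256), not DER.
  const valid = sig.length === 64 && crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, sig);
  if (!valid) return { ok: false, reason: 'signature' };
  // Audience binding: a token minted for another origin is rejected here.
  if (claims?.aud !== expectedOrigin) return { ok: false, reason: 'aud' };
  // Session binding: the nonce must be the one issued in the prepare phase.
  if (claims?.nonce !== expectedNonce) return { ok: false, reason: 'nonce' };
  return { ok: true, reason: null, claims };
}

// Constructed sample: a throwaway P-256 key stands in for the SIM key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
function signSample(claims) {
  const input = `${b64u(JSON.stringify({ alg: 'ES256' }))}.${b64u(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha256', Buffer.from(input),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}
const sample = signSample({ aud: 'https://app.example', nonce: 'n-123', temp_token: 'constructed' });
```

The signature is checked before any claim is read, so aud and nonce are only trusted once the payload is known to be unmodified.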