v2.4.0-pre.1 · Pre-release · by request

Official TOKEN PAY ID SDKs

Fully native authentication widgets for every platform. No WebView, no browser redirect. OAuth 2.0 + PKCE S256, TLS certificate pinning, Keychain / EncryptedSharedPreferences, Device Flow for TV/watch/IoT.

Pre-release — the SDKs are distributed as source releases under NDA for vetted partners. Maven Central / SwiftPM registry publication is planned for GA. Request access at [email protected] and include your organisation, intended use, and expected volume.

Available SDKs

Platform matrix

Platform	SDK	Min OS	Native UI	Status
Android (phone/tablet)	Kotlin	Android 7.0 (API 24)	Jetpack Compose	Available
Android TV	Kotlin (Device Flow)	Android 7.0 (API 24)	Jetpack Compose Leanback	Available
Wear OS	Kotlin (Device Flow)	Wear OS 3 (API 30)	Compose for Wear	Available
iOS / iPadOS	Swift	iOS 15	SwiftUI	Available
macOS	Swift	macOS 12	SwiftUI	Available
tvOS	Swift (Device Flow)	tvOS 15	SwiftUI	Available
watchOS	Swift (Device Flow)	watchOS 8	SwiftUI	Available
visionOS	Swift	visionOS 1	SwiftUI	Available
Windows 10/11	.NET 8 (WinUI 3)	Windows 10 1809	WinUI 3	Q2 2026
Linux Desktop	C++ (Qt 6)	Qt 6.4	Qt QML	Q2 2026
Flutter	Dart package wrapping native	Flutter 3.16	Hosted native view	Q2 2026
React Native	TS wrapper	RN 0.73	Native fabric component	Q2 2026
Tizen / webOS / HarmonyOS	Device Flow (raw HTTP)	-	Partner-provided	Device Flow only
Xbox / PlayStation / Switch	Device Flow (raw HTTP)	-	Partner-provided	Device Flow only

Install — Android (Kotlin)

Unpack the source release into your project and include it as a Gradle module:

# Download the source release
curl -L -O https://tokenpay.space/sdk/android/tokenpay-id-android-2.4.0-pre.1.tar.gz

# Verify checksum
sha256sum -c tokenpay-id-android-2.4.0-pre.1.tar.gz.sha256

# Unpack inside your project root
tar -xzf tokenpay-id-android-2.4.0-pre.1.tar.gz

# Reference in settings.gradle.kts
include(":tokenpay-id-sdk")
project(":tokenpay-id-sdk").projectDir = file("sdk/android/tokenpay-id-sdk")

# In app/build.gradle.kts
dependencies {
    implementation(project(":tokenpay-id-sdk"))
}

Use in Compose:

import space.tokenpay.id.TpidAuth
import space.tokenpay.id.TpidConfig
import space.tokenpay.id.TpidLoginButton

// In Application.onCreate():
TpidAuth.initialize(
    context = applicationContext,
    config = TpidConfig(
        clientId = "tpid_pk_YOUR_KEY",
        redirectUri = "com.cupol.vpn:/auth/callback",
    )
)

// In Compose:
TpidLoginButton { result -> handle(result) }

Install — Swift (iOS/macOS/tvOS/watchOS/visionOS)

Local Swift Package Manager:

# Download the source release
curl -L -O https://tokenpay.space/sdk/swift/tokenpay-id-swift-2.4.0-pre.1.tar.gz
shasum -a 256 -c tokenpay-id-swift-2.4.0-pre.1.tar.gz.sha256
tar -xzf tokenpay-id-swift-2.4.0-pre.1.tar.gz

# In Xcode: File → Add Package Dependencies… → Add Local…
# select the unpacked directory and add the TokenPayID product to your target.

Use with SwiftUI:

import SwiftUI
import TokenPayID

@main
struct MyApp: App {
    init() {
        TpidAuth.shared.initialize(config: .init(
            clientId: "tpid_pk_YOUR_KEY",
            redirectURI: URL(string: "com.cupol.vpn:/auth/callback")!
        ))
    }
    var body: some Scene { WindowGroup { ContentView() } }
}

struct ContentView: View {
    var body: some View {
        TpidLoginButton { result in handle(result) }
    }
}

Signed commits & checksums

Every tarball ships with a .sha256 file alongside it. Current release checksums:

File	Size	SHA-256
Loading…

What's in each SDK

Fully native UI — Jetpack Compose / SwiftUI screens: email, password, email code, 2FA (TOTP), passkey, recovery, loading, success, fatal error.
OAuth 2.0 + PKCE S256 — mandatory. No fallback to plain or implicit flow.
TLS certificate pinning — SPKI SHA-256 pins via OkHttp CertificatePinner / URLSession delegate. Auto-refreshed from /sdk/tls-pins.
Secure storage — EncryptedSharedPreferences (Android) / Keychain (Apple) with device-only ACL.
Device Flow (RFC 8628) — for TV, watch, consoles, and IoT where a keyboard is unavailable.
Telemetry — opt-out, with client-side PII scrubbing before send.
Anti-phishing badge — visible domain + TLS pin confirmation in the widget header.
Screenshot protection — FLAG_SECURE on Android; secure text field on Apple platforms.
Full i18n — RU / EN / ZH, with partners able to override strings.
Zero heavy dependencies — Swift SDK is pure Foundation/CryptoKit/SwiftUI. Android uses OkHttp + AndroidX only.

Security

Pin mismatch → widget aborts, clears local tokens, returns TpidError.phishingDetected.
Refresh tokens are rotated on every use by the server.
Session version is checked on cold start via /auth/session-version; server-side invalidation forces re-login.
All requests carry a unique X-TPID-SDK header identifying platform and SDK version.

Full threat model: tokenpay.space/docs#native-widget-security.

Support

Partner support: [email protected]
Security reports: [email protected]
Status: status.tokenpay.space