Secure Authentication Workflow for your bot for mobile SDK

## Secure Authentication Workflow for Mobile SDK The "ymAuthenticationToken" is a unique token that is used to connect the user's identity with the chatbot to fetch chat history (conversations between users and the bot). The chat history includes details such as user’s input, bot responses, and the date and time of the conversation. To enhance security and protect the "ymAuthenticationToken" from unauthorized access, you can use the "secure YMAuthentication". This authentication provide additional security to your bot conversations. The following are the steps involved in setting up secure YMAuthentication: 1. **Enable secure YMAuthentication**: Set `config.useSecureYmAuth` to `true` in your bot configuration to activate secure YMAuthentication. 2. **Obtain encrypted ymAuthenticationToken**: Initiate an API request to acquire an encrypted **ymAuthenticationToken**. 3. **Set ymAuthenticationToken**: During bot initialization, set the obtained ymAuthenticationToken to `config.ymAuthenticationToken`. 4. **Handle token expiry**: When the token expires, you will receive an event with the code `ym-revalidate-token`, containing data in the form of `{ "refreshSession": true|false }`. 5. **Retrieve a new token**: Create another API request to retrieve a new encrypted ymAuthenticationToken. 6. **Update configuration**: Once you receive the new token, update the configuration’s ymAuthenticationToken with a new value. 7. **Revalidate the token**: Pass this updated token, along with the "refreshSession" value (obtained earlier), by invoking the revalidateToken function from the Chatbot SDK. This action revalidates the token and refreshes the chat session. 8. **Handling invalid tokens**: If the token is found to be invalid, you will receive another `ym-revalidate-token` event (up to 3 incorrect attempts). Follow the above steps to revalidate the token. After three unsuccessful attempts, if the token remains invalid, you will be directed to an error page with a *Try again* option. ### Bot session validation upon launch ![](https://cdn.yellowmessenger.com/IwSJq5KuWhFg1695958536969.mp4) video ### Revalidating a loaded bot session when it expires ![](https://cdn.yellowmessenger.com/fJNg53raWVim1695958730603.mp4) video ### Use Secure YM Auth You can pass `useSecureYmAuth` to enable additional security to your chat history. This safeguards your chatbot from unauthorized access even if an unauthorized party tries to access the token. To enable secure YmAuth, set `useSecureYmAuth` to `true`. ```java ymChat.config.useSecureYmAuth = true ``` :::note For more detailed information on how to set up secure YMAuthentication, click [here](https://docs.yellow.ai/docs/platform_concepts/mobile/chatbot/secure-ymauth). ::: ## Revalidate Token When your authentication token expires (after every 2 minutes), you can use revalidate token to generate a new token. Once your secure YMAuth is enabled, whenever your authentication token expires, the server will automatically initiate a request to get a fresh token from Yellow. When you are using the `ym-revalidate-token` event, your application must include both the `apiToken` and `refreshSession` as mandatory parameters. This ensures a seamless and secure revalidation process. ```java try { YMChat ymChat = YMChat.getInstance(); ymChat.revalidateToken("new token", refreshSession); } catch (Exception e) { //Catch and handle the exception e.printStackTrace(); } ``` :::note For more detailed information on how to set up secure YMAuthentication, click [here](https://docs.yellow.ai/docs/platform_concepts/mobile/chatbot/secure-ymauth). :::