---
title: Preparing Advanced Identity Cloud or PingAM for FIDO in React Native
description: Configure PingOne Advanced Identity Cloud or PingAM and prepare your Android and iOS apps before enabling FIDO authentication in React Native
component: orchsdks
page_id: orchsdks:journey:use-cases/fido/react-native/before-you-begin
canonical_url: https://developer.pingidentity.com/orchsdks/journey/use-cases/fido/react-native/before-you-begin.html
llms_txt: https://developer.pingidentity.com/orchsdks/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: Fri, 13 Jun 2026 09:39:02 +0200
section_ids:
  preparing_your_android_app_for_fido: Preparing your Android app for FIDO
  rn-android-fingerprints: Step 1. Generating Android signing key fingerprints
  sha256-fingerprint: Generating SHA-256 fingerprints of your Android signing certificates
  base64-sha256-fingerprint: Generating base64-encoded SHA-256 fingerprints of your Android signing certificates
  rn-android-assetlinks: Step 2. Associating your Android app with your Advanced Identity Cloud or PingAM server
  creating_a_digital_asset_links_json_file: Creating a Digital Asset Links JSON file
  hosting_assetlinks_json_in_advanced_identity_cloud_or_pingam: Hosting assetlinks.json in Advanced Identity Cloud or PingAM
  preparing_your_ios_app_for_fido: Preparing your iOS app for FIDO
  rn-ios-site-association: Step 1. Associating your iOS app with your Advanced Identity Cloud or PingAM server
  preparing_a_site_association_file: Preparing a site association file
  hosting_apple_app_site_association_files_in_advanced_identity_cloud_or_pingam: Hosting apple-app-site-association files in Advanced Identity Cloud or PingAM
  rn-fido-journeys: Configuring authentication journeys for FIDO
  next_steps: Next steps
---

# Preparing Advanced Identity Cloud or PingAM for FIDO in React Native

[icon: circle-check, set=far]PingOne Advanced Identity Cloud [icon: circle-check, set=far]PingAM [icon: react, set=fab]React Native

Before enabling FIDO authentication in your React Native apps you must configure your server and, depending on the platforms you support, prepare your Android or iOS apps.

## Preparing your Android app for FIDO

Complete the following steps to prepare your Android app for FIDO authentication:

* [Step 1. Generating Android signing key fingerprints](#rn-android-fingerprints)

* [Step 2. Associating your Android app with your Advanced Identity Cloud or PingAM server](#rn-android-assetlinks)

### Step 1. Generating Android signing key fingerprints

You need to generate signing key fingerprints so that you can create a secure, verifiable link between your server and your native Android app.

This prevents malicious apps from impersonating your official app to register or use FIDO credentials.

You need two different formats of fingerprint:

* [SHA-256 fingerprint](#sha256-fingerprint)

  For example, `E6:5A:5D:37:22:FC...22:99:20:03:E6:47`

* [Base64-encoded SHA-256 fingerprint](#base64-sha256-fingerprint)

  For example, `android:apk-key-hash:jEFEYh80...S5Pj-ZKHHjwi0k`

### Generating SHA-256 fingerprints of your Android signing certificates

You can use SHA-256 fingerprints of the certificates you use to sign your Android applications to ensure that FIDO only works with apps you've signed.

The steps for obtaining the fingerprint depend on the method you use to distribute your application.

* Android App Bundles

* Local debug keys

If you are using Android App Bundles to distribute your apps, then the hashes of the certificate used to sign your application are available in the Android Developer console.

Follow these steps to obtain the SHA-256 hash of your signing certificate:

1. Configure your Android App Bundle for signing. Google has a number of methods for managing the signing certificates, including uploading your own or having Google manage them for you.

   For information on how to set up signing, refer to [Sign your app](https://developer.android.com/studio/publish/app-signing) in the Google Developer Documentation.

2. In the [Google Play Console](https://play.google.com/console):

   1. Select the app that will be supporting mobile biometrics.

   2. Navigate to Setup > App integrity > App signing.

      ![android signing certificates en](../../../../_images/android/android-signing-certificates-en.png)Figure 1. App signing keys in the Google Play Console

   3. In the App signing key certificate section, copy the SHA-256 certificate fingerprint value.

      |   |                                                                                                                    |
      | - | ------------------------------------------------------------------------------------------------------------------ |
      |   | In the Digital Asset Links JSON section is a file that you can copy with the SHA-256 fingerprint already in place. |

You must manually generate a SHA-256 fingerprint of your signing key in the following scenarios:

* You are signing your APK with the default debug.jks that Android Studio created for the project

* You are signing your APK with your own keys that you have generated that have not been uploaded to the Google Play Console

Follow these steps to obtain the SHA-256 hash of your signing certificate:

1. In the `build.gradle` file for your application, check the settings defined in the `signingConfigs` property:

   Example signingConfigs when using the default debug.jks

   ```gradle
   signingConfigs {
       debug {
           storeFile file('../debug.jks')
           storePassword 'android'
           keyAlias 'androiddebugkey'
           keyPassword 'android'
       }
   }
   ```

2. In a terminal window, navigate to the location of the JKS file, and then run the following command:

   ```shell
   keytool -list -v -alias <keyAlias> -keystore <storeFile> | grep SHA256
   ```

   |   |                                                                                                                                                                                                       |
   | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | Swap the *\<keyAlias>* and *\<storeFile>* placeholders with the values you obtained from your project. For example:`keytool -list -v -alias "androiddebugkey" -keystore "./debug.jks" \| grep SHA256` |

3. When requested, enter the keystore password, as specified in the `keyPassword` property in the `build.gradle` file.

   |   |                                                                                          |
   | - | ---------------------------------------------------------------------------------------- |
   |   | The default keystore password for certificates in the local debug JKS file is `android`. |

   The command prints the SHA-256 fingerprint of the signing key:

   ```shell
   Enter keystore password:  android
   SHA256: E6:5A:5D:37:22:FC...22:99:20:03:E6:47
   Signature algorithm name: SHA256withRSA
   ```

### Generating base64-encoded SHA-256 fingerprints of your Android signing certificates

The steps for obtaining the base64-encoded SHA-256 hash depend on the method you use to distribute your application.

* Android App Bundles

* Local debug keys

Follow these steps to download the app signing certificate, and then generate a base64-encoded SHA-256 hash:

1. In the [Google Play Console](https://play.google.com/console):

   1. Select the app that will be supporting mobile biometrics.

   2. Navigate to Setup > App integrity > App signing.

   3. In the App signing key certificate section, click Download certificate.

      This downloads a local copy of the signing certificate, named `deployment_cert.der`.

2. In a terminal window, navigate to the location of the `deployment_cert.der` file, and then run the following command:

   ```shell
   cat deployment_cert.der | openssl sha256 -binary | openssl base64 | tr '/+' '_-' | tr -d '='
   ```

   The command prints the base64-encoded SHA-256 fingerprint of the signing key:

   ```shell
   jEFEYh80K55iHYkxsBRLGtAP6wvjOS5Pj-ZKHHjwi0k
   ```

3. Add a prefix of `android:apk-key-hash:` to the base64-encode SHA-256 fingerprint. For example:

   ```shell
   android:apk-key-hash:jEFEYh80K55iHYkxsBRLGtAP6wvjOS5Pj-ZKHHjwi0k
   ```

Follow these steps to extract the app signing certificate from the JKS and generate a base64-encoded SHA-256 hash:

1. In the `build.gradle` file for your application, check the settings defined in the `signingConfigs` property:

   Example signingConfigs when using the default debug.jks

   ```gradle
   signingConfigs {
       debug {
           storeFile file('../debug.jks')
           storePassword 'android'
           keyAlias 'androiddebugkey'
           keyPassword 'android'
       }
   }
   ```

2. In a terminal window, navigate to the location of the JKS file, and then run the following command:

   ```shell
   keytool -exportcert -alias <keyAlias> -keystore <storeFile> | openssl sha256 -binary | openssl base64 | tr '/+' '_-' | tr -d '='
   ```

   |   |                                                                                                                                                                                                                                                                    |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
   |   | Swap the *\<keyAlias>* and *\<storeFile>* placeholders with the values you obtained from your project. For example:`keytool -exportcert -alias "androiddebugkey" -keystore "./debug.jks" \| openssl sha256 -binary \| openssl base64 \| tr '/+' '_-' \| tr -d '='` |

3. When requested, enter the keystore password, as specified in the `keyPassword` property in the `build.gradle` file.

   |   |                                                                                          |
   | - | ---------------------------------------------------------------------------------------- |
   |   | The default keystore password for certificates in the local debug JKS file is `android`. |

   The command prints the base64-encoded SHA-256 fingerprint of the signing key:

   ```shell
   Enter keystore password:  android
   jEFEYh80K55iHYkxsBRLGtAP6wvjOS5Pj-ZKHHjwi0k
   ```

4. Add a prefix of `android:apk-key-hash:` to the base64-encode SHA-256 fingerprint. For example:

   ```shell
   android:apk-key-hash:jEFEYh80K55iHYkxsBRLGtAP6wvjOS5Pj-ZKHHjwi0k
   ```

### Step 2. Associating your Android app with your Advanced Identity Cloud or PingAM server

In this step you create a **Digital Asset Links** JSON file that allows your website to make a public, verifiable statement about its relationship with other assets, such as your Android app.

### Creating a Digital Asset Links JSON file

To associate your server with your Android app you need to make public, verifiable statements by using a Digital Asset Links JSON file (`assetlinks.json`).

Create or update an `assetlinks.json` with the SHA-256 fingerprint value you generated in the previous step:

Example `assetlinks.json` file

```json
[
    {
        "relation": [
            "delegate_permission/common.handle_all_urls",
            "delegate_permission/common.get_login_creds"
        ],
        "target": {
            "namespace": "android_app",
            "package_name": "com.example.app",
            "sha256_cert_fingerprints": [
                "E6:5A:5D:37:22:FC...22:99:20:03:E6:47"
            ]
        }
    }
]
```

For more information on creating an `assetlinks.json` file, refer to [Google Digital Asset Links](https://developers.google.com/digital-asset-links/v1/getting-started).

### Hosting assetlinks.json in Advanced Identity Cloud or PingAM

* For **PingOne Advanced Identity Cloud** deployments, refer to [Upload an Android assetlinks.json file](https://docs.pingidentity.com/pingoneaic/latest/end-user/upload-android-assetlinks.html).

* For self-managed **PingAM** deployments, host the file at `https://<your domain>/.well-known/assetlinks.json`.

## Preparing your iOS app for FIDO

Complete the following step to prepare your iOS app for FIDO authentication:

* [Step 1. Associating your iOS app with your Advanced Identity Cloud or PingAM server](#rn-ios-site-association)

### Step 1. Associating your iOS app with your Advanced Identity Cloud or PingAM server

Create an `apple-app-site-association` file that establishes a secure association between your domain and your iOS app.

This allows you to share credentials and use universal links to open your app from your website.

To create the secure association, upload the `apple-app-site-association` file to your domain, and add matching Associated Domains Entitlement keys to your app.

### Preparing a site association file

1. Prepare a JSON-formatted file named `apple-app-site-association`, as shown below.

   Ensure you include the `webcredentials` entitlement

   ```json
   {
     "applinks": {
       "details": [
         {
           "appIDs": [
             "XXXXXXXXXX.com.example.AppName"
           ],
           "components": [
             {
               "/": "/reset/*",
               "comment": "Success after reset password journey"
             }
           ]
         }
       ]
     },
     "webcredentials": {
       "apps": [
         "XXXXXXXXXX.com.example.AppName"
       ]
     }
   }
   ```

2. Replace *XXXXXXXXXX.com.example.AppName* with the app ID of your client iOS application.

Learn more in [Supporting associated domains](https://developer.apple.com/documentation/xcode/supporting-associated-domains) in the Apple Developer documentation.

### Hosting apple-app-site-association files in Advanced Identity Cloud or PingAM

* For **PingOne Advanced Identity Cloud** deployments, refer to [Upload an iOS apple-app-site-association file](https://docs.pingidentity.com/pingoneaic/latest/end-user/upload-ios-apple-app-site-association.html).

* For self-managed **PingAM** deployments, host the file at `https://<your domain>/.well-known/apple-app-site-association`.

## Configuring authentication journeys for FIDO

This step applies to both Android and iOS.

Authentication journeys for FIDO primarily use these nodes:

* WebAuthn Registration Node

  Handles the creation and storage of new passkeys.

* WebAuthn Authentication Node

  Manages the sign-in process by issuing and verifying challenges.

Learn more about creating authentication journeys for FIDO in [Journeys for WebAuthn](https://docs.pingidentity.com/pingoneaic/latest/am-authentication/authn-mfa-webauthn.html#authn-mfa-web-authn).

To prepare your authentication journeys to use FIDO with a React Native application, you need to configure each **WebAuthn Registration node** and **WebAuthn Authentication node** in your authentication journey to work with your React Native app.

|   |                                                                                                                                                                                                                              |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | You must use the same configuration values in each **WebAuthn Registration node** and **WebAuthn Authentication node** in the journey.Any mismatches in configuration between these nodes will cause authentication to fail. |

* Each WebAuthn Registration node and WebAuthn Authentication node

  1. In Origin domains, enter the URL where you host your React Native app.

     For example, `https://app.example.com`.

     |   |                                                                                                           |
     | - | --------------------------------------------------------------------------------------------------------- |
     |   | If you leave Origin domains empty, the server uses the origin of incoming requests as an accepted origin. |

* Each WebAuthn Registration node

  1. In Accepted signing algorithms, include one or more of `ES256` and `RS256`.

  2. Ensure the Limit registrations option is **not enabled**.

## Next steps

You can now proceed to [Integrating FIDO auth journeys in React Native](react-native-fido-auth-journey.html).
