Toqen.app Mobile is Now Open Source

Source: Dev.to

What is Toqen

Toqen is an access‑first authentication infrastructure designed for secure, real‑time authorization. Each access request is:

• created in real time
• explicitly approved by the user
• cryptographically signed by the device
• verified by the backend

The mobile app acts as a secure execution layer for these decisions.

What the open source mobile app actually does

The mobile client has a very narrow and well‑defined responsibility:

1. Scan or receive an access request
2. Fetch request context from the backend
3. Show the user what is being requested
4. Collect explicit approval or denial
5. Sign a short‑lived challenge using a device key
6. Send the signed result back for verification

The app does not grant access on its own; all final decisions are verified by the server.

What data the app collects

This is the key point—you can verify it directly in the code. The mobile app stores only what is strictly required to perform cryptographic authorization:

• device_private_key (generated on device, never leaves it)
• device_id
• app_instance_id

That is the full set of stored sensitive data. There is no storage of:

• passwords
• session tokens
• refresh tokens
• reusable credentials
• backend secrets

Sensitive data is stored using OS‑level secure storage (Keychain / Keystore).

What is NOT inside the system

Toqen is built around strict data minimization:

• QR codes do not contain secrets
• Authorization requests are short‑lived and single‑use
• No reusable tokens exist in the flow

Even if a QR code is intercepted, it cannot be used to gain access. Authorization always requires:

• user confirmation
• device signature
• backend verification

How authorization actually works

All flows follow the same pattern:

request → context → user decision → signature → verification → result

This guarantees:

• no silent approvals
• no implicit trust
• no background authorization

Every access is intentional and verifiable.

Security model (short version)

The system assumes a hostile environment:

• network is untrusted
• QR codes can be intercepted
• requests can be replayed

Security is achieved through:

• device‑bound cryptographic keys
• challenge‑response authorization
• short‑lived requests
• server‑side verification

Private keys never leave the device, and the backend never has access to them.

Why only the mobile app is open

The mobile client is the most critical part to verify from a trust perspective. By open‑sourcing it, I allow:

• independent security review
• verification of data handling
• inspection of cryptographic flows
• validation of what is and is not collected

The backend remains closed, but its behavior is fully defined through:

• API contracts
• documented flows
• security model
• threat model

This keeps the system verifiable without exposing operational infrastructure.

Build transparency

The build and release process is also documented. Each build includes:

• version
• commit hash
• tag
• CI reference

This allows anyone to trace how a distributed app was produced.

What this means

You no longer have to rely on claims alone. You can:

• inspect the code
• verify storage behavior
• review cryptographic operations
• confirm data handling

The mobile app is fully transparent by design.

Repository

https://github.com/toqenapp/mobile-react-native