Authentication Compatible Checklist

Authentication compatible applies to all solutions that access FamilySearch resources.

The following checkbox items will be reviewed for your solution to obtain Authentication Compatible.

All Solution Minimum Capabilities

[   ] Each user must obtain a FamilySearch access token in order to read or write to the Family Tree.

[   ] Access tokens must be protected. If a user access token is passed to a web browser in a cookie, that cookie must be a secure cookie. All cookies that give a user the ability to use an access token must also be secure cookies.

[   ] Network traffic is encrypted with SSL from the end user to the FamilySearch API.

[   ] User authentication is completed by directly calling the FamilySearch Third-Party User Authentication web page using OAuth 2 as specified by the Identity documentation as follows.

• [   ] No storage of FamilySearch usernames or passwords is permitted with web solutions.

• [   ] FamilySearch Person ID numbers can be stored by the solution.

• [   ] The FamilySearch session cookie must be a secure cookie.

• [   ] No permanent storage of FamilySearch API Session ID is permitted.

[   ] Refresh tokens can be used for selected confidential clients as determined case by case. This capability is implemented through the use of a service account.

[   ] Have a documented security policy, which is periodically reviewed, is approved by management, and is communicated to all employees.

Read Implementation Guide

• Go to Guide

Desktop and Mobile Solution Minimum Capabilities

[   ] An embedded web browser can be used to call the FamilySearch Third-Party User Authentication web page if the URL being called is clearly visible.

[   ] Native Apps must request acceptance to the following information:

      [Product Name] would like to know your basic FamilySearch profile information and access data about your ancestors from the FamilySearch family tree.

      [Product Name] will use this information in accordance with their respective terms of service and privacy policies.

[   ] Desktop apps may store passwords locally using 128 AES encryption. On iOS, Apple Keychain is acceptable.