with
Request active authentication — verifies the chip is genuine and has not been cloned. Requires withPersonalData to also be called (shares the same PACE session).
When verified, ReadResult.activeAuth is ro.eidkit.sdk.model.ActiveAuthStatus.Verified and ReadResult.claim will include ro.eidkit.sdk.model.CeiIdentityClaim.activeAuthProof.
Request active authentication with a server-generated nonce.
Use this overload when your backend supplies the 48-byte challenge so it can verify the resulting ro.eidkit.sdk.model.ActiveAuthProof.signature server-side, preventing replay attacks. The nonce must be exactly 48 bytes.
The resulting ro.eidkit.sdk.model.CeiIdentityClaim.activeAuthProof will contain the provided nonce as ro.eidkit.sdk.model.ActiveAuthProof.challenge.