with Chip Auth
Request Chip Authentication (BSI TR-03110 CA) — cryptographically binds the identity data in EF.SOD to the physical chip via ECDH key agreement against the DG14 public key.
CA does not require a PIN. It runs during the ICAO phase and produces a ro.eidkit.sdk.model.ChipAuthProof that allows a server to verify that the chip holding the DG14 key (hashed in SOD by MAI) was physically present.
Required for SSO flows where identity↔chip binding must be verified server-side.
Request server-key Chip Authentication (v2 backend-key CA).
Use this overload for the v2 SSO flow. Instead of generating the terminal keypair on-device, the SDK pauses mid-ICAO session (card still on reader), calls onDg14Ready with the raw DG14 bytes, and waits for your backend to return the server-generated Q_terminal (65-byte uncompressed brainpoolP256r1 point, as a ByteArray).
The callback should POST to /v2/session/ca-prepare and return the caTerminalPublicKey bytes. The server holds d_terminal and verifies CA independently — the app never has d_terminal, closing the forged-app attack vector.
Return null from the callback to skip CA for this session (e.g. on server error).
Parameters
onDg14Ready: Suspend callback invoked with rawDg14 while the card is still on the reader. Must return the server-supplied Q_terminal bytes, or null to skip CA.
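One way for the callback to check the backend's reply before returning it is shown below. This is an added example, not code from the SDK or its documentation. The names isValidTerminalKey, terminalKeyOrNull and fetchFromBackend are hypothetical, and the HTTP call is left as a lambda because the request and response format of /v2/session/ca-prepare is not given here.

```kotlin
import java.io.IOException
import java.math.BigInteger

// brainpoolP256r1 domain parameters from RFC 5639 (cofactor 1).
private val P = BigInteger("A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377", 16)
private val A = BigInteger("7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9", 16)
private val B = BigInteger("26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6", 16)

/** True if q is 0x04 || X || Y (65 bytes) and (X, Y) lies on brainpoolP256r1. */
fun isValidTerminalKey(q: ByteArray): Boolean {
    if (q.size != 65 || q[0] != 0x04.toByte()) return false
    val x = BigInteger(1, q.copyOfRange(1, 33))
    val y = BigInteger(1, q.copyOfRange(33, 65))
    if (x >= P || y >= P) return false // coordinates must be reduced mod p
    // Curve equation y^2 = x^3 + a*x + b (mod p); with cofactor 1 this is
    // also the subgroup membership check.
    return y.multiply(y).mod(P) == x.pow(3).add(A.multiply(x)).add(B).mod(P)
}

/**
 * Hypothetical callback body. fetchFromBackend stands in for the app's own
 * POST to /v2/session/ca-prepare. Returns null, which skips CA for the
 * session, on I/O failure or when the returned key is malformed.
 */
suspend fun terminalKeyOrNull(
    rawDg14: ByteArray,
    fetchFromBackend: suspend (ByteArray) -> ByteArray?,
): ByteArray? {
    val q = try { fetchFromBackend(rawDg14) } catch (e: IOException) { null }
    return if (q != null && isValidTerminalKey(q)) q else null
}

suspend fun main() {
    // Constructed sample: the curve base point G from RFC 5639, not a real terminal key.
    val g = ("04" +
        "8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262" +
        "547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997")
        .chunked(2).map { it.toInt(16).toByte() }.toByteArray()
    val dg14 = ByteArray(0) // placeholder; real DG14 bytes come from the card
    println(terminalKeyOrNull(dg14) { g } != null)                        // well-formed point
    println(terminalKeyOrNull(dg14) { g.copyOf(64) } != null)             // truncated reply
    println(terminalKeyOrNull(dg14) { throw IOException("503") } != null) // server error
}
```

Only IOException is caught, so coroutine cancellation still propagates while the card session is paused.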