Client and server interaction flow

Orchestration journeys are typically initiated by the client; however, most of the workflow is executed server-side. The journey processes each server-side step sequentially until a client-side interaction is needed.

Practically, when a client interaction step is encountered, the current state of the journey is stored, and the client —using the SDK— takes over until the required input is provided. Once the input is received, control returns to the server, and the journey continues according to the defined orchestration flow.

The SDKs for handling client-side interactions are available for web, iOS, and Android, ensuring smooth communication between the client and server throughout the journey.

Throughout the client-server interaction, multiple layers of security are applied:

• Data protection : All communication between client and server is protected to prevent replay attacks, session hijacking, and other common threats.
• Cryptographic binding : Device cryptographic binding uses PKI (Public Key Infrastructure) and challenge signing with private keys securely stored on the device. This process ensures that only authorized devices can interact with the server.
• Risk signals : Collected through the Mosaic SDK, client-side data is used to detect anomalies. The Mosaic risk engine responds with allow, challenge, or deny actions based on this data.