Sardine SDK Integration
Step-by-step guide for integrating Sardine's Device Intelligence & Behavior Biometrics SDK with Cybrid transfers and executions to enable enriched risk screening.
The Sardine Risk SDK Integration allows your application to collect device intelligence and behavioral
biometrics from your end-users and correlate them with Cybrid's server-side transfer screening. This gives
Sardine richer signals to assess transaction risk — including device fingerprinting, bot detection, and
behavioral anomalies — beyond what is available from PII and transaction data alone.
The integration involves two independent channels that are linked by a shared session key:
- Client side — Your application initializes the Sardine SDK, which collects device signals
asynchronously and sends them directly to Sardine. The session key tags those signals to a specific
user session. - Server side — When creating a transfer or execution, you pass the Sardine session GUID to the
Cybrid API, which forwards the session key to Sardine during screening so it can match the device
signals to the transaction.
Process Overview
-
Prerequisites — Obtain Sardine access credentials, a
clientIdfrom Cybrid,
and configure custom subdomains for the Sardine SDK. -
Step 1 — Install the Sardine SDK in your client
application and initialize it with yourclientId, environment, and subdomains. -
Step 2 — Create a Sardine session by calling the Cybrid API.
The response contains asardine_session_keyto pass to the SDK and aguidto include in the
transfer or execution request. -
Step 3 — Update the SDK configuration with
the session key. The SDK will collect and send device signals to Sardine. Await the SDK call before
submitting a transfer or execution. -
Step 4 — Include the
Sardine sessionguidin the transfer or execution request. The platform uses it to enable
device-enriched risk screening.
Prerequisites
Before starting the integration, ensure the following are in place:
Request your Sardine access credentials from CybridCybrid issues your Sardine access credentials once the Sardine integration is included in your
signed agreement. Contact Cybrid to have them provisioned:
- An NPM access token for the private Sardine SDK packages. See Sardine's Web SDK overview for the available web SDKs.
- A GitHub access token if you are integrating a mobile SDK, to access Sardine's mobile SDK libraries. See Sardine's Mobile SDK overview.
-
Sardine
clientId— Cybrid will provide you with the SardineclientIdfor your integration at
onboarding time. Do not generate this yourself — use the value provided by Cybrid. -
Custom subdomains — Sardine recommends routing SDK traffic through custom subdomains under your
own domain. This has several benefits:- Increased Performance — Using a custom subdomain can result in a significant increase in
accuracy in browsers with strict privacy features, such as Safari or Firefox. This is because the
custom subdomain allows for the recognition of cookies as "first-party", which can extend the
lifetime of device IDs and improve performance. - Ad-blocker Resistance — Ad-blockers will not block the JavaScript agent from sending
identification requests to the server, as sending data to an internal URL (such as a subdomain) is
allowed. This makes it less likely that the data being sent will be blocked. - Harder to Detect — Routing through a custom subdomain makes the fingerprinting process harder
for automated blockers and fraudsters to detect, because requests sent directly to a separate
third-party domain are easier to identify and block.
- Increased Performance — Using a custom subdomain can result in a significant increase in
Custom subdomains require DNS configurationYou must create two subdomains under your domain (for example,
api.example.comand
p.example.com) and configure CNAME records pointing to Sardine's infrastructure. See Sardine's
Custom Subdomain Integration Guide
for the full setup instructions, including CNAME records, CAA configuration, and certificate provisioning.
Step 1: Install and Initialize the Sardine SDK
Follow Sardine's recommendations on where and how to initialize the SDK in your application to best
capture device signals and behavior biometrics across your user flows.
Behavior Biometrics consent requiredIf you use Sardine's Behavior Biometrics feature, ensure that your End User agrees to your privacy
policy before you begin collecting their Behavior Biometric data.
1.1 Install the SDK
Add the Sardine NPM access token to your .npmrc file:
//registry.npmjs.org/:_authToken=${NPM_TOKEN}Then install the appropriate package for your framework:
npm install @sardine-ai/web-sdkFor mobile applications, refer to Sardine's Mobile SDK documentation.
1.2 Initialize the SDK
Initialize the SDK once at application startup, before any user interaction. Pass the clientId
provided by Cybrid and the target environment (sandbox or production). If you configured custom
subdomains in the Prerequisites, include them here.
import { setupSardine } from '@sardine-ai/web-sdk';
setupSardine({
clientId: 'YOUR_CYBRID_PROVIDED_CLIENT_ID',
environment: 'sandbox', // or 'production'
apiSubdomain: 'api.example.com', // recommended — your configured API subdomain
pixelSubdomain: 'p.example.com', // recommended — your configured pixel subdomain
});
More SDK optionsThe examples above cover the web JS and React SDKs. Sardine provides SDKs for other platforms — see Sardine's Risk SDK overview for the full list.
Step 2: Create a Sardine Session
Create a Sardine session by calling the Cybrid API to obtain the session key for your client SDK
integration. The response returns a sardine_session_key (the UUID to pass to the Sardine SDK in
Step 3) and a guid (the Cybrid session identifier to include in your transfer or execution request
in Step 4).
POST /api/sardine_sessions — Cybrid API docs
Required scope: sardine_sessions:execute
{
"customer_guid": "customer_guid"
}
customer_guidis inferred for customer tokensIf your application uses a customer-scoped access token,
customer_guidis derived from the token
automatically and the field may be omitted.
Request Body Field Reference
| Field | Type | Required | Description |
|---|---|---|---|
customer_guid | string | Conditional | The GUID of the customer the session is for. Required for organization and bank subject tokens. Inferred from the token for customer subject tokens. |
{
"guid": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",
"sardine_session_key": "550e8400-e29b-41d4-a716-446655440000",
"customer_guid": "customer_guid",
"expires_at": "2026-01-01T01:00:00.000Z"
}Response Field Reference
| Field | Type | Description |
|---|---|---|
guid | string | The Cybrid GUID for this session. Pass this as sardine_session_guid in the transfer or execution request (Step 4). |
sardine_session_key | string | The UUID session key to pass to the Sardine SDK (Step 3). |
customer_guid | string | The customer this session is associated with. |
expires_at | datetime | The datetime when this session key expires. Store this value and refresh the session before it expires. See Session Key Lifecycle for guidance. |
Be mindful ofexpires_atCheck this value before submitting a transfer or execution and refresh the session if it is close to
expiry. See Session Key Lifecycle for when and how to refresh.
Store session values for subsequent stepsStore both the
guidand thesardine_session_keyin your application state for use in Steps 3 and 4.
Step 3: Configure the SDK and Collect Device Signals
Update the Sardine SDK configuration with the sardine_session_key returned in Step 2 and follow Sardine's recommendations on when and how to update the session key throughout your user flows to ensure device signals are captured before the transfer or execution is submitted.
The flow value is a label you define to identify the stage of your application (for example,
"transfer" or "checkout").
import { updateSardineConfig } from '@sardine-ai/web-sdk';
await updateSardineConfig({
customerId: 'YOUR_CUSTOMER_ID',
sessionKey: sardineSessionKey, // sardine_session_key from Step 2
flow: 'transfer',
});
Always await the SDK call before submitting the transfer or executionIf you call the Cybrid API before the SDK callback completes, Sardine will not find device data for
that session and the request will be screened without device signals.
Step 4: Submit a Transfer or Execution with the Sardine Session GUID
Include the sardine_session_guid field using the guid returned in Step 2 when creating a transfer
or execution. The platform uses it to correlate the device signals collected by the Sardine SDK with
the screening request.
Ensure device signals have been sent to Sardine before calling this APIComplete Step 3 and await the SDK callback before submitting a transfer or execution. If you call
this API before the SDK has finished sending signals, Sardine will not be able to match device data
to the session and the request will be screened without device intelligence.
Backward compatibleIf
sardine_session_guidis omitted ornull, the transfer or execution is screened using
server-side data only. Existing integrations continue to work unchanged.
Transfers
POST /api/transfers — Cybrid API docs
Required scope: transfers:execute
The sardine_session_guid field is supported for funding and instant_funding transfer types.
{
"quote_guid": "quote_guid",
"transfer_type": "funding",
"external_bank_account_guid": "external_bank_account_guid",
"source_participants": [
{
"type": "customer",
"guid": "customer_guid",
"amount": 10000
}
],
"destination_participants": [
{
"type": "customer",
"guid": "customer_guid",
"amount": 10000
}
],
"sardine_session_guid": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"
}| Field | Type | Required | Description |
|---|---|---|---|
sardine_session_guid | string | No | The guid of the Sardine session created in Step 2. When provided, the platform uses device signals collected by the Sardine SDK to enrich transfer screening. |
Executions
POST /api/executions — Cybrid API docs
Required scope: executions:execute
{
"plan_guid": "plan_guid",
"sardine_session_guid": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"
}| Field | Type | Required | Description |
|---|---|---|---|
sardine_session_guid | string | No | The guid of the Sardine session created in Step 2. When provided, the platform uses device signals collected by the Sardine SDK to enrich execution screening. |
Session Key Lifecycle
Expiry
The expires_at field in the session creation response indicates when the session key expires.
When expires_at is set:
- Check
expires_atbefore submitting a transfer or execution. If the session has expired, create
a new one before callingupdateSardineConfig/updateSardineConfigAsyncand proceeding. - Refresh at least whenever the user's session is refreshed. A Sardine session should not outlive
the user's authenticated session.
Reuse Across Transactions
You may reuse the same Sardine session key across multiple transfers within the same user session.
Reusing the key allows Sardine to accumulate device signals across the session, which can improve risk
assessment accuracy. There is no need to create a new session for each transfer as long as the session
has not expired.
When to Create a New Session
Create a new Sardine session when:
- The current session has expired (
expires_atis in the past). - The user logs out and back in.
- You receive an
invalid_sardine_sessionorsardine_session_expirederror on a transfer or
execution (see API Errors below).
API Errors
Session Creation Errors
| HTTP Status | Error Code | Cause | Response |
|---|---|---|---|
| 422 | not_found | Customer GUID not found or does not belong to the requesting principal | "Invalid customer for this request" |
| 422 | invalid_parameter | Upstream session creation failed | "Sardine session creation failed" |
Transfer and Execution Errors
These errors are returned when POST /api/transfers or POST /api/executions includes a
sardine_session_guid that is not found or has expired. When you receive either error, create a new
Sardine session (Step 2), re-initialize the SDK with the new session key (Step 3), and resubmit the
request with the new sardine_session_guid.
| HTTP Status | Error Code | Cause | Response |
|---|---|---|---|
| 422 | invalid_sardine_session | The sardine_session_guid provided does not match any session | "Sardine session is invalid" |
| 422 | sardine_session_expired | The session key has passed its expires_at time | "Sardine session has expired" |
For full API schema details, see the
Create Sardine Session API reference.

