Asynchronous authentication and authorisation using the Client-Initiated Backchannel Authentication (CIBA) flow is now Generally Available for our Enterprise plan customers. The CIBA flow works as an asynchronous, decoupled flow across two different devices:
Consumption device: initiates the authentication request.
Authentication device: handles end-user authentication, implemented as a custom mobile app which embeds the Guardian mobile SDK.
The flow supports the use of Rich Authorization Requests RFC9396 to provide contextual information to authenticating and/or authorizing users. This enables the CIBA flow to support a number of powerful use cases driven by backend client applications, such as:
Customer authentication by headless devices or devices/applications with limited interaction capabilities.
Customer authentication in call-centre scenarios.
Authorising sensitive operations on behalf of yourself or a third-party e.g. a customer service Agent, an autonomous AI Agent.
For more details, see the product documentation.
Fetched April 21, 2026