From 15e849a62d6b3a62f8fde6c4bd9b5c9518401358 Mon Sep 17 00:00:00 2001
From: Sander Kondratjev <sander.kondratjev@nortal.com>
Date: Mon, 13 Oct 2025 11:33:18 +0300
Subject: [PATCH 1/3] NFC-82 NFC signing support for web-eid example

Signed-off-by: Sander Kondratjev <sander.kondratjev@nortal.com>
---
 .github/workflows/maven-build-example.yml     |   14 +-
 example/README.md                             |   15 +-
 example/pom.xml                               |    8 +-
 .../config/ApplicationConfiguration.java      |    9 +-
 .../config/ValidationConfiguration.java       |   27 +-
 .../config/WebEidAuthTokenProperties.java     |   50 +
 ...ation.java => WebEidMobileProperties.java} |   20 +-
 .../eu/webeid/example/config/YAMLConfig.java  |   89 --
 .../security/WebEidAuthentication.java        |   40 +-
 .../WebEidAuthenticationProvider.java         |   15 +-
 .../security/WebEidMobileAuthInitFilter.java  |   19 +-
 .../ui/WebEidLoginPageGeneratingFilter.java   |   18 +-
 .../example/service/MobileSigningService.java |  149 +++
 .../example/service/SigningService.java       |    9 +-
 .../example/web/rest/SigningController.java   |   36 +-
 .../src/main/resources/application-dev.yaml   |    5 +-
 .../src/main/resources/application-prod.yaml  |    5 +-
 .../src/main/resources/static/css/main.css    |   22 +
 .../src/main/resources/static/js/errors.js    |    7 +-
 .../src/main/resources/static/js/payload.js   |   45 +
 .../src/main/resources/templates/index.html   | 1052 +++++++++--------
 .../resources/templates/webeid-callback.html  |   80 ++
 .../resources/templates/webeid-login.html     |  101 +-
 .../welcome-with-file-upload-support.html     |   60 +-
 .../src/main/resources/templates/welcome.html |  281 +++--
 .../security/WebEidAuthenticationTest.java    |    4 +-
 .../webeid/example/testutil/HttpHelper.java   |    2 +-
 .../src/test/resources/application-dev.yaml   |    5 +-
 pom.xml                                       |    2 +-
 29 files changed, 1312 insertions(+), 877 deletions(-)
 create mode 100644 example/src/main/java/eu/webeid/example/config/WebEidAuthTokenProperties.java
 rename example/src/main/java/eu/webeid/example/config/{ThymeleafWebAppConfiguration.java => WebEidMobileProperties.java} (70%)
 delete mode 100644 example/src/main/java/eu/webeid/example/config/YAMLConfig.java
 create mode 100644 example/src/main/java/eu/webeid/example/service/MobileSigningService.java
 create mode 100644 example/src/main/resources/static/js/payload.js
 create mode 100644 example/src/main/resources/templates/webeid-callback.html

diff --git a/.github/workflows/maven-build-example.yml b/.github/workflows/maven-build-example.yml
index 3893cbd4..8f044b2a 100644
--- a/.github/workflows/maven-build-example.yml
+++ b/.github/workflows/maven-build-example.yml
@@ -10,10 +10,6 @@ on:
       - 'example/**'
       - '.github/workflows/*example*'
 
-defaults:
-  run:
-    working-directory: ./example
-
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -33,9 +29,9 @@ jobs:
           key: ${{ runner.os }}-m2-v17-${{ secrets.CACHE_VERSION }}-${{ hashFiles('**/pom.xml') }}
           restore-keys: ${{ runner.os }}-m2-v17-${{ secrets.CACHE_VERSION }}
 
-      - name: Build
-        run: mvn --batch-mode compile
-
-      - name: Test and package
-        run: mvn --batch-mode package
+      - name: Install library
+        run: mvn -B -ntp install
 
+      - name: Build example project
+        working-directory: ./example
+        run: mvn -B -ntp package
diff --git a/example/README.md b/example/README.md
index 81938ac8..ed0c2cbb 100644
--- a/example/README.md
+++ b/example/README.md
@@ -82,6 +82,7 @@ When the application has started, open the _ngrok_ HTTPS URL in your preferred w
     - [Using DigiDoc4j in production mode with the `prod` profile](#using-digidoc4j-in-production-mode-with-the-prod-profile)
   + [Stateful and stateless authentication](#stateful-and-stateless-authentication)
   + [Assuring that the signing and authentication certificate subjects match](#assuring-that-the-signing-and-authentication-certificate-subjects-match)
+  + [Requesting the signing certificate in a separate step](#requesting-the-signing-certificate-in-a-separate-step)
 * [HTTPS support](#https-support)
   + [How to verify that HTTPS is configured properly](#how-to-verify-that-https-is-configured-properly)
 * [Deployment](#deployment)
@@ -119,7 +120,9 @@ The `src/main/java/eu/webeid/example` directory contains the Spring Boot applica
     -   `WebEidChallengeNonceFilter` for issuing the challenge nonce required by the authentication flow,
     -   `WebEidMobileAuthInitFilter` for issuing the challenge nonce and generating the deep link with the authentication request, used to initiate the mobile authentication flow,
     -   `WebEidAjaxLoginProcessingFilter` and `WebEidLoginPageGeneratingFilter` for handling login requests.
--   `service`: Web eID signing service implementation that uses DigiDoc4j, and DigiDoc4j runtime configuration,
+-   `service`: Web eID signing service implementation that uses DigiDoc4j, and DigiDoc4j runtime configuration.
+    -   `SigningService`: prepares ASiC-E containers and finalizes signatures.
+    -   `MobileSigningService`: orchestrates the mobile signing flow (builds mobile signing requests/responses) and supports requesting the signing certificate in a separate step when enabled by configuration.
 -   `web`: Spring Web MVC controller for the welcome page and Spring Web REST controller that provides a digital signing endpoint.
 
 The `src/resources` directory contains the resources used by the application:
@@ -177,6 +180,16 @@ A common alternative to stateful authentication is stateless authentication with
 
 It is usually required to verify that the signing certificate subject matches the authentication certificate subject by assuring that both ID codes match. This check is implemented at the beginning of the `SigningService.prepareContainer()` method.
 
+### Requesting the signing certificate in a separate step
+
+In some deployments, the signing certificate is not reused from the authentication flow. Instead, it is retrieved directly from the user’s ID-card during the signing process itself.
+
+This approach is useful when the signing process is performed without a prior authentication step. For example, in a mobile flow, the user may start signing directly without authenticating beforehand. In such cases, the signing certificate must be requested separately from the user’s ID-card before the signature can be created.
+
+When this mode is enabled in the configuration, the backend issues a separate request for the signing certificate using the `MobileSigningService`. The service communicates with the client to obtain the certificate before the signing container is prepared, ensuring that the correct certificate chain is available for the signature.
+
+This behavior is controlled by the `request-signing-cert` flag in the `application.yaml` configuration files (`application-dev.yaml`, `application-prod.yaml`). When the flag is set to **false**, the application explicitly requests the signing certificate during the signing process, demonstrating the separate signing certificate retrieval flow. When set to **true**, the signing uses the signing certificate that was already obtained during authentication, and no additional request is made.
+
 ## HTTPS support
 
 There are two ways of adding HTTPS support to a Spring Boot application:
diff --git a/example/pom.xml b/example/pom.xml
index b50adcec..d9f5d6a8 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -10,7 +10,7 @@
 	</parent>
 	<groupId>eu.webeid.example</groupId>
 	<artifactId>web-eid-springboot-example</artifactId>
-	<version>3.2.0</version>
+	<version>4.0.0-SNAPSHOT</version>
 	<name>web-eid-springboot-example</name>
 	<description>Example Spring Boot application that demonstrates how to use Web eID for authentication and digital
 		signing
@@ -19,7 +19,7 @@
 	<properties>
 		<java.version>17</java.version>
 		<maven-surefire-plugin.version>3.5.3</maven-surefire-plugin.version>
-		<webeid.version>3.2.0</webeid.version>
+		<webeid.version>4.0.0-SNAPSHOT</webeid.version>
 		<digidoc4j.version>6.0.1</digidoc4j.version>
 		<jmockit.version>1.44</jmockit.version> <!-- Keep version 1.44, otherwise mocking will fail. -->
 		<jib.version>3.4.6</jib.version>
@@ -38,6 +38,10 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-thymeleaf</artifactId>
 		</dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-validation</artifactId>
+        </dependency>
 
 		<dependency>
 			<groupId>org.digidoc4j</groupId>
diff --git a/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java b/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
index c5a3a419..b46e5d08 100644
--- a/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
+++ b/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
@@ -28,6 +28,7 @@
 import eu.webeid.example.security.WebEidMobileAuthInitFilter;
 import eu.webeid.example.security.ui.WebEidLoginPageGeneratingFilter;
 import eu.webeid.security.challenge.ChallengeNonceGenerator;
+import org.springframework.boot.context.properties.ConfigurationPropertiesScan;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
@@ -39,9 +40,9 @@
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
 import org.thymeleaf.ITemplateEngine;
-import org.thymeleaf.web.servlet.JakartaServletWebApplication;
 
 @Configuration
+@ConfigurationPropertiesScan
 @EnableWebSecurity
 @EnableMethodSecurity(securedEnabled = true)
 public class ApplicationConfiguration {
@@ -53,7 +54,7 @@ public SecurityFilterChain filterChain(
         AuthenticationConfiguration authConfig,
         ChallengeNonceGenerator challengeNonceGenerator,
         ITemplateEngine templateEngine,
-        JakartaServletWebApplication webApp
+        WebEidMobileProperties webEidMobileProperties
     ) throws Exception {
         return http
             .authorizeHttpRequests(auth -> auth
@@ -62,9 +63,9 @@ public SecurityFilterChain filterChain(
                 .anyRequest().authenticated()
             )
             .authenticationProvider(webEidAuthenticationProvider)
-            .addFilterBefore(new WebEidMobileAuthInitFilter("/auth/mobile/init", "/auth/mobile/login", challengeNonceGenerator), UsernamePasswordAuthenticationFilter.class)
+            .addFilterBefore(new WebEidMobileAuthInitFilter("/auth/mobile/init", "/auth/mobile/login", challengeNonceGenerator, webEidMobileProperties), UsernamePasswordAuthenticationFilter.class)
             .addFilterBefore(new WebEidChallengeNonceFilter("/auth/challenge", challengeNonceGenerator), UsernamePasswordAuthenticationFilter.class)
-            .addFilterBefore(new WebEidLoginPageGeneratingFilter("/auth/mobile/login", "/auth/login", templateEngine, webApp), UsernamePasswordAuthenticationFilter.class)
+            .addFilterBefore(new WebEidLoginPageGeneratingFilter("/auth/mobile/login", "/auth/login", templateEngine), UsernamePasswordAuthenticationFilter.class)
             .addFilterBefore(new WebEidAjaxLoginProcessingFilter("/auth/login", authConfig.getAuthenticationManager()), UsernamePasswordAuthenticationFilter.class)
             .logout(l -> l.logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler()))
             .headers(h -> h.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin))
diff --git a/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java b/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java
index 15818229..805c8b1b 100644
--- a/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java
+++ b/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java
@@ -79,24 +79,19 @@ public ChallengeNonceGenerator generator(ChallengeNonceStore challengeNonceStore
     }
 
     @Bean
-    public AuthTokenValidator validator(YAMLConfig yamlConfig) {
+    public AuthTokenValidator validator(WebEidAuthTokenProperties authTokenProperties) {
         try {
             return new AuthTokenValidatorBuilder()
-                .withSiteOrigin(URI.create(yamlConfig.getLocalOrigin()))
+                .withSiteOrigin(URI.create(authTokenProperties.validation().localOrigin()))
                 .withTrustedCertificateAuthorities(loadTrustedCACertificatesFromCerFiles())
-                .withTrustedCertificateAuthorities(loadTrustedCACertificatesFromTrustStore(yamlConfig))
-                .withOcspRequestTimeout(yamlConfig.getOcspRequestTimeout())
+                .withTrustedCertificateAuthorities(loadTrustedCACertificatesFromTrustStore(authTokenProperties))
+                .withOcspRequestTimeout(authTokenProperties.validation().ocspRequestTimeout())
                 .build();
         } catch (JceException e) {
             throw new RuntimeException("Error building the Web eID auth token validator.", e);
         }
     }
 
-    @Bean
-    public YAMLConfig yamlConfig() {
-        return new YAMLConfig();
-    }
-
     private X509Certificate[] loadTrustedCACertificatesFromCerFiles() {
         List<X509Certificate> caCertificates = new ArrayList<>();
 
@@ -117,8 +112,7 @@ private X509Certificate[] loadTrustedCACertificatesFromCerFiles() {
 
         return caCertificates.toArray(new X509Certificate[0]);
     }
-
-    private X509Certificate[] loadTrustedCACertificatesFromTrustStore(YAMLConfig yamlConfig) {
+    private X509Certificate[] loadTrustedCACertificatesFromTrustStore(WebEidAuthTokenProperties authTokenProperties) {
         List<X509Certificate> caCertificates = new ArrayList<>();
 
         try (InputStream is = ValidationConfiguration.class.getResourceAsStream(CERTS_RESOURCE_PATH + activeProfile + "/" + TRUSTED_CERTIFICATES_JKS)) {
@@ -126,8 +120,14 @@ private X509Certificate[] loadTrustedCACertificatesFromTrustStore(YAMLConfig yam
                 LOG.info("Truststore file {} not found for {} profile", TRUSTED_CERTIFICATES_JKS, activeProfile);
                 return new X509Certificate[0];
             }
+
+            String trustStorePassword = authTokenProperties.validation().trustStorePassword();
+            if (trustStorePassword == null || trustStorePassword.isBlank()) {
+                throw new IllegalStateException("Truststore password must be configured because truststore exists for profile '" + activeProfile + "'.");
+            }
+
             KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
-            keystore.load(is, yamlConfig.getTrustStorePassword().toCharArray());
+            keystore.load(is, trustStorePassword.toCharArray());
             Enumeration<String> aliases = keystore.aliases();
             while (aliases.hasMoreElements()) {
                 String alias = aliases.nextElement();
@@ -140,7 +140,4 @@ private X509Certificate[] loadTrustedCACertificatesFromTrustStore(YAMLConfig yam
 
         return caCertificates.toArray(new X509Certificate[0]);
     }
-
-
-
 }
diff --git a/example/src/main/java/eu/webeid/example/config/WebEidAuthTokenProperties.java b/example/src/main/java/eu/webeid/example/config/WebEidAuthTokenProperties.java
new file mode 100644
index 00000000..dee2db56
--- /dev/null
+++ b/example/src/main/java/eu/webeid/example/config/WebEidAuthTokenProperties.java
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 2020-2025 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package eu.webeid.example.config;
+
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.NotNull;
+import jakarta.validation.constraints.Pattern;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.boot.context.properties.bind.DefaultValue;
+import org.springframework.validation.annotation.Validated;
+
+import java.time.Duration;
+
+@Validated
+@ConfigurationProperties(prefix = "web-eid-auth-token")
+public record WebEidAuthTokenProperties(WebEidAuthTokenValidation validation) {
+
+    public record WebEidAuthTokenValidation(
+        @NotBlank
+        @Pattern(
+            regexp = "^https://[A-Za-z0-9.-]+(:\\d{1,5})?$",
+            message = "Origin URL must be in the form of 'https://' <hostname> [ ':' <port> ] and not end with a trailing slash"
+        )
+        String localOrigin,
+        String siteCertHash,
+        String trustStorePassword,
+        @DefaultValue("5s") Duration ocspRequestTimeout,
+        @NotNull Boolean useDigiDoc4jProdConfiguration) {
+    }
+}
diff --git a/example/src/main/java/eu/webeid/example/config/ThymeleafWebAppConfiguration.java b/example/src/main/java/eu/webeid/example/config/WebEidMobileProperties.java
similarity index 70%
rename from example/src/main/java/eu/webeid/example/config/ThymeleafWebAppConfiguration.java
rename to example/src/main/java/eu/webeid/example/config/WebEidMobileProperties.java
index 30f53b96..cc509b22 100644
--- a/example/src/main/java/eu/webeid/example/config/ThymeleafWebAppConfiguration.java
+++ b/example/src/main/java/eu/webeid/example/config/WebEidMobileProperties.java
@@ -22,16 +22,14 @@
 
 package eu.webeid.example.config;
 
-import jakarta.servlet.ServletContext;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-import org.thymeleaf.web.servlet.JakartaServletWebApplication;
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.Pattern;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.validation.annotation.Validated;
 
-@Configuration
-public class ThymeleafWebAppConfiguration {
-
-    @Bean
-    public JakartaServletWebApplication jakartaServletWebApplication(ServletContext servletContext) {
-        return JakartaServletWebApplication.buildApplication(servletContext);
-    }
+@Validated
+@ConfigurationProperties(prefix = "web-eid-mobile")
+public record WebEidMobileProperties(
+    @NotBlank @Pattern(regexp = "^.*(?:[^/]|://)$", message = "Base URI must not have a trailing slash") String baseRequestUri,
+    boolean requestSigningCert) {
 }
diff --git a/example/src/main/java/eu/webeid/example/config/YAMLConfig.java b/example/src/main/java/eu/webeid/example/config/YAMLConfig.java
deleted file mode 100644
index 1c3359ae..00000000
--- a/example/src/main/java/eu/webeid/example/config/YAMLConfig.java
+++ /dev/null
@@ -1,89 +0,0 @@
-/*
- * Copyright (c) 2020-2025 Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-package eu.webeid.example.config;
-
-import java.time.Duration;
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.boot.context.properties.ConfigurationProperties;
-import org.springframework.boot.context.properties.EnableConfigurationProperties;
-import org.springframework.context.annotation.Configuration;
-
-@Configuration
-@EnableConfigurationProperties
-@ConfigurationProperties(prefix = "web-eid-auth-token.validation")
-public class YAMLConfig {
-
-    @Value("local-origin")
-    private String localOrigin;
-
-    @Value("site-cert-hash")
-    private String siteCertHash;
-
-    @Value("truststore-password")
-    private String trustStorePassword;
-
-    private Duration ocspRequestTimeout = Duration.ofSeconds(5L);
-
-    @Value("#{new Boolean('${web-eid-auth-token.validation.use-digidoc4j-prod-configuration}'.trim())}")
-    private Boolean useDigiDoc4jProdConfiguration;
-
-    public String getLocalOrigin() {
-        return localOrigin;
-    }
-
-    public void setLocalOrigin(String localOrigin) {
-        this.localOrigin = localOrigin;
-    }
-
-    public String getSiteCertHash() {
-        return siteCertHash;
-    }
-
-    public void setSiteCertHash(String siteCertHash) {
-        this.siteCertHash = siteCertHash;
-    }
-
-    public String getTrustStorePassword() {
-        return trustStorePassword;
-    }
-
-    public void setTrustStorePassword(String trustStorePassword) {
-        this.trustStorePassword = trustStorePassword;
-    }
-
-    public boolean getUseDigiDoc4jProdConfiguration() {
-        return useDigiDoc4jProdConfiguration;
-    }
-
-    public void setUseDigiDoc4jProdConfiguration(boolean useDigiDoc4jProdConfiguration) {
-        this.useDigiDoc4jProdConfiguration = useDigiDoc4jProdConfiguration;
-    }
-
-    public Duration getOcspRequestTimeout() {
-        return ocspRequestTimeout;
-    }
-
-    public void setOcspRequestTimeout(Duration ocspRequestTimeout) {
-        this.ocspRequestTimeout = ocspRequestTimeout;
-    }
-}
diff --git a/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java b/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java
index 5ba3ebf7..5ab1a8b5 100644
--- a/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java
+++ b/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java
@@ -22,7 +22,9 @@
 
 package eu.webeid.example.security;
 
+import eu.webeid.security.authtoken.SupportedSignatureAlgorithm;
 import eu.webeid.security.certificate.CertificateData;
+import org.springframework.lang.Nullable;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
@@ -36,21 +38,21 @@
 public class WebEidAuthentication extends PreAuthenticatedAuthenticationToken implements Authentication {
 
     private final String idCode;
+    private final transient String signingCertificate;
+    private final transient List<SupportedSignatureAlgorithm> supportedSignatureAlgorithms;
 
-    public static Authentication fromCertificate(X509Certificate userCertificate, List<GrantedAuthority> authorities) throws CertificateEncodingException {
-        final String principalName = getPrincipalNameFromCertificate(userCertificate);
-        final String idCode = CertificateData.getSubjectIdCode(userCertificate)
-                .orElseThrow(() -> new CertificateEncodingException("Certificate does not contain subject ID code"));
-        return new WebEidAuthentication(principalName, idCode, authorities);
-    }
-
-    public String getIdCode() {
-        return idCode;
-    }
-
-    private WebEidAuthentication(String principalName, String idCode, List<GrantedAuthority> authorities) {
+    private WebEidAuthentication(String principalName, String idCode, String signingCertificate, List<SupportedSignatureAlgorithm> supportedSignatureAlgorithms, List<GrantedAuthority> authorities) {
         super(principalName, idCode, authorities);
         this.idCode = idCode;
+        this.signingCertificate = signingCertificate;
+        this.supportedSignatureAlgorithms = supportedSignatureAlgorithms;
+    }
+
+    public static Authentication fromCertificate(X509Certificate userCertificate, @Nullable String signingCertificate, @Nullable List<SupportedSignatureAlgorithm> supportedSignatureAlgorithms, List<GrantedAuthority> authorities) throws CertificateEncodingException {
+        final String principalName = getPrincipalNameFromCertificate(userCertificate);
+        final String idCode = CertificateData.getSubjectIdCode(userCertificate)
+            .orElseThrow(() -> new CertificateEncodingException("Certificate does not contain subject ID code"));
+        return new WebEidAuthentication(principalName, idCode, signingCertificate, supportedSignatureAlgorithms, authorities);
     }
 
     private static String getPrincipalNameFromCertificate(X509Certificate userCertificate) throws CertificateEncodingException {
@@ -62,10 +64,22 @@ private static String getPrincipalNameFromCertificate(X509Certificate userCertif
         } else {
             // Organization certificates do not have given name and surname fields.
             return CertificateData.getSubjectCN(userCertificate)
-                    .orElseThrow(() -> new CertificateEncodingException("Certificate does not contain subject CN"));
+                .orElseThrow(() -> new CertificateEncodingException("Certificate does not contain subject CN"));
         }
     }
 
+    public String getIdCode() {
+        return idCode;
+    }
+
+    public String getSigningCertificate() {
+        return signingCertificate;
+    }
+
+    public List<SupportedSignatureAlgorithm> getSupportedSignatureAlgorithms() {
+        return supportedSignatureAlgorithms;
+    }
+
     @Override
     public boolean equals(Object o) {
         if (!super.equals(o)) return false;
diff --git a/example/src/main/java/eu/webeid/example/security/WebEidAuthenticationProvider.java b/example/src/main/java/eu/webeid/example/security/WebEidAuthenticationProvider.java
index ad845dff..032564fb 100644
--- a/example/src/main/java/eu/webeid/example/security/WebEidAuthenticationProvider.java
+++ b/example/src/main/java/eu/webeid/example/security/WebEidAuthenticationProvider.java
@@ -22,6 +22,8 @@
 
 package eu.webeid.example.security;
 
+import eu.webeid.example.config.WebEidMobileProperties;
+import eu.webeid.security.authtoken.SupportedSignatureAlgorithm;
 import eu.webeid.security.authtoken.WebEidAuthToken;
 import eu.webeid.security.challenge.ChallengeNonceStore;
 import eu.webeid.security.exceptions.AuthTokenException;
@@ -54,10 +56,12 @@ public class WebEidAuthenticationProvider implements AuthenticationProvider {
 
     private final AuthTokenValidator tokenValidator;
     private final ChallengeNonceStore challengeNonceStore;
+    private final boolean requireSigningCert;
 
-    public WebEidAuthenticationProvider(AuthTokenValidator tokenValidator, ChallengeNonceStore challengeNonceStore) {
+    public WebEidAuthenticationProvider(AuthTokenValidator tokenValidator, ChallengeNonceStore challengeNonceStore, WebEidMobileProperties webEidMobileProperties) {
         this.tokenValidator = tokenValidator;
         this.challengeNonceStore = challengeNonceStore;
+        this.requireSigningCert = webEidMobileProperties.requestSigningCert();
     }
 
     @Override
@@ -72,7 +76,14 @@ public Authentication authenticate(Authentication auth) throws AuthenticationExc
         try {
             final String nonce = challengeNonceStore.getAndRemove().getBase64EncodedNonce();
             final X509Certificate userCertificate = tokenValidator.validate(authToken, nonce);
-            return WebEidAuthentication.fromCertificate(userCertificate, authorities);
+            final String signingCertificate = requireSigningCert
+                ? authToken.getUnverifiedSigningCertificate()
+                : null;
+            final List<SupportedSignatureAlgorithm> supportedSignatureAlgorithms = requireSigningCert
+                ? authToken.getSupportedSignatureAlgorithms()
+                : null;
+
+            return WebEidAuthentication.fromCertificate(userCertificate, signingCertificate, supportedSignatureAlgorithms, authorities);
         } catch (AuthTokenException e) {
             throw new AuthenticationServiceException("Web eID token validation failed", e);
         } catch (CertificateEncodingException e) {
diff --git a/example/src/main/java/eu/webeid/example/security/WebEidMobileAuthInitFilter.java b/example/src/main/java/eu/webeid/example/security/WebEidMobileAuthInitFilter.java
index fe198010..a9b2638d 100644
--- a/example/src/main/java/eu/webeid/example/security/WebEidMobileAuthInitFilter.java
+++ b/example/src/main/java/eu/webeid/example/security/WebEidMobileAuthInitFilter.java
@@ -22,9 +22,13 @@
 
 package eu.webeid.example.security;
 
+import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.ObjectWriter;
+import com.fasterxml.jackson.databind.PropertyNamingStrategies;
+import com.fasterxml.jackson.databind.annotation.JsonNaming;
+import eu.webeid.example.config.WebEidMobileProperties;
 import eu.webeid.security.challenge.ChallengeNonceGenerator;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
@@ -47,11 +51,13 @@ public final class WebEidMobileAuthInitFilter extends OncePerRequestFilter {
     private final RequestMatcher requestMatcher;
     private final ChallengeNonceGenerator nonceGenerator;
     private final String mobileLoginPath;
+    private final WebEidMobileProperties webEidMobileProperties;
 
-    public WebEidMobileAuthInitFilter(String path, String mobileLoginPath, ChallengeNonceGenerator nonceGenerator) {
+    public WebEidMobileAuthInitFilter(String path, String mobileLoginPath, ChallengeNonceGenerator nonceGenerator, WebEidMobileProperties webEidMobileProperties) {
         this.requestMatcher = PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, path);
         this.nonceGenerator = nonceGenerator;
         this.mobileLoginPath = mobileLoginPath;
+        this.webEidMobileProperties = webEidMobileProperties;
     }
 
     @Override
@@ -69,7 +75,8 @@ protected void doFilterInternal(@NonNull HttpServletRequest request,
             .path(mobileLoginPath).build().toUriString();
 
         String payloadJson = OBJECT_WRITER.writeValueAsString(
-            new AuthPayload(challenge.getBase64EncodedNonce(), loginUri)
+            new AuthPayload(challenge.getBase64EncodedNonce(), loginUri,
+                webEidMobileProperties.requestSigningCert() ? Boolean.TRUE : null)
         );
         String encoded = Base64.getEncoder().encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
         String eidAuthUri = "web-eid-mobile://auth#" + encoded;
@@ -78,9 +85,15 @@ protected void doFilterInternal(@NonNull HttpServletRequest request,
         OBJECT_WRITER.writeValue(response.getWriter(), new AuthUri(eidAuthUri));
     }
 
-    record AuthPayload(String challenge, @JsonProperty("login_uri") String loginUri) {
+    @JsonNaming(PropertyNamingStrategies.SnakeCaseStrategy.class)
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    record AuthPayload(
+        String challenge,
+        String loginUri,
+        Boolean getSigningCertificate) {
     }
 
+    @JsonNaming(PropertyNamingStrategies.SnakeCaseStrategy.class)
     record AuthUri(@JsonProperty("auth_uri") String authUri) {
     }
 }
diff --git a/example/src/main/java/eu/webeid/example/security/ui/WebEidLoginPageGeneratingFilter.java b/example/src/main/java/eu/webeid/example/security/ui/WebEidLoginPageGeneratingFilter.java
index 48818340..3a7d0f54 100644
--- a/example/src/main/java/eu/webeid/example/security/ui/WebEidLoginPageGeneratingFilter.java
+++ b/example/src/main/java/eu/webeid/example/security/ui/WebEidLoginPageGeneratingFilter.java
@@ -33,11 +33,8 @@
 import org.springframework.security.web.servlet.util.matcher.PathPatternRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.web.filter.OncePerRequestFilter;
-import org.springframework.web.servlet.support.RequestContextUtils;
 import org.thymeleaf.ITemplateEngine;
-import org.thymeleaf.context.WebContext;
-import org.thymeleaf.web.IWebExchange;
-import org.thymeleaf.web.servlet.JakartaServletWebApplication;
+import org.thymeleaf.context.Context;
 
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
@@ -47,18 +44,15 @@ public final class WebEidLoginPageGeneratingFilter extends OncePerRequestFilter
     private final RequestMatcher requestMatcher;
     private final String loginProcessingPath;
     private final ITemplateEngine templateEngine;
-    private final JakartaServletWebApplication webApp;
 
     public WebEidLoginPageGeneratingFilter(
         String path,
         String loginProcessingPath,
-        ITemplateEngine templateEngine,
-        JakartaServletWebApplication webApp
+        ITemplateEngine templateEngine
     ) {
         this.requestMatcher = PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.GET, path);
         this.loginProcessingPath = loginProcessingPath;
         this.templateEngine = templateEngine;
-        this.webApp = webApp;
     }
 
     @Override
@@ -74,16 +68,14 @@ protected void doFilterInternal(@NonNull HttpServletRequest request, @NonNull Ht
             csrf = (CsrfToken) request.getAttribute("_csrf");
         }
 
-        String html = renderTemplate(request, response, csrf);
+        String html = renderTemplate(csrf);
         response.setCharacterEncoding(StandardCharsets.UTF_8.name());
         response.setContentType(MediaType.TEXT_HTML_VALUE);
         response.getWriter().write(html);
     }
 
-    private String renderTemplate(HttpServletRequest request, HttpServletResponse response, CsrfToken csrf) {
-        IWebExchange exchange = webApp.buildExchange(request, response);
-        var locale = RequestContextUtils.getLocale(request);
-        var ctx = new WebContext(exchange, locale);
+    private String renderTemplate(CsrfToken csrf) {
+        var ctx = new Context();
         ctx.setVariable("loginProcessingPath", loginProcessingPath);
         ctx.setVariable("csrfHeaderName", csrf != null ? csrf.getHeaderName() : "X-CSRF-TOKEN");
         ctx.setVariable("csrfToken", csrf != null ? csrf.getToken() : "");
diff --git a/example/src/main/java/eu/webeid/example/service/MobileSigningService.java b/example/src/main/java/eu/webeid/example/service/MobileSigningService.java
new file mode 100644
index 00000000..161c3835
--- /dev/null
+++ b/example/src/main/java/eu/webeid/example/service/MobileSigningService.java
@@ -0,0 +1,149 @@
+/*
+ * Copyright (c) 2020-2025 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package eu.webeid.example.service;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.ObjectWriter;
+import com.fasterxml.jackson.databind.PropertyNamingStrategies;
+import com.fasterxml.jackson.databind.annotation.JsonNaming;
+import eu.webeid.example.config.WebEidMobileProperties;
+import eu.webeid.example.security.WebEidAuthentication;
+import eu.webeid.example.service.dto.CertificateDTO;
+import eu.webeid.example.service.dto.DigestDTO;
+import eu.webeid.example.service.dto.SignatureAlgorithmDTO;
+import eu.webeid.security.authtoken.SupportedSignatureAlgorithm;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Component;
+import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
+import org.springframework.web.util.UriComponentsBuilder;
+
+import java.io.IOException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.util.Base64;
+import java.util.List;
+import java.util.Objects;
+
+@Component
+public class MobileSigningService {
+    public static final String CERTIFICATE_RESPONSE_PATH = "/sign/mobile/certificate";
+    public static final String SIGNATURE_RESPONSE_PATH = "/sign/mobile/signature";
+    public static final String WEB_EID_MOBILE_SIGN_PATH = "sign";
+    public static final String WEB_EID_GET_CERT_PATH = "cert";
+    private static final Logger LOG = LoggerFactory.getLogger(MobileSigningService.class);
+    private static final ObjectWriter OBJECT_WRITER = new ObjectMapper().writerFor(RequestObject.class);
+    private final SigningService signingService;
+    private final WebEidMobileProperties webEidMobileProperties;
+
+    public MobileSigningService(SigningService signingService, WebEidMobileProperties webEidMobileProperties) {
+        this.signingService = signingService;
+        this.webEidMobileProperties = webEidMobileProperties;
+    }
+
+    public MobileInitRequest initCertificateOrSigningRequest(WebEidAuthentication authentication) throws IOException, CertificateException, NoSuchAlgorithmException {
+        String signingCertificate = authentication.getSigningCertificate();
+        List<SupportedSignatureAlgorithm> supportedSignatureAlgorithms = authentication.getSupportedSignatureAlgorithms();
+        if (signingCertificate == null || supportedSignatureAlgorithms == null) {
+            return initCertificateRequest();
+        }
+        CertificateDTO certificateDTO = new CertificateDTO();
+        certificateDTO.setCertificate(signingCertificate);
+        certificateDTO.setSupportedSignatureAlgorithms(mapSupportedAlgorithms(supportedSignatureAlgorithms));
+        return initSigningRequest(authentication, certificateDTO);
+    }
+
+    public MobileInitRequest initSigningRequest(WebEidAuthentication authentication, CertificateDTO certificateDTO) throws IOException, CertificateException, NoSuchAlgorithmException {
+        Objects.requireNonNull(authentication, "authentication must not be null");
+        Objects.requireNonNull(certificateDTO, "certificateDTO must not be null");
+        final String responseUri = ServletUriComponentsBuilder.fromCurrentContextPath()
+            .path(SIGNATURE_RESPONSE_PATH)
+            .build()
+            .toUriString();
+        final DigestDTO digest = signingService.prepareContainer(certificateDTO, authentication);
+        final RequestObject initRequest = new RequestObject(
+            responseUri,
+            certificateDTO.getCertificate(),
+            digest.getHash(),
+            digest.getHashFunction());
+        final String payloadJson = OBJECT_WRITER.writeValueAsString(initRequest);
+        final String encoded = Base64.getUrlEncoder()
+            .withoutPadding()
+            .encodeToString(payloadJson.getBytes());
+        final String requestUri = getRequestUri(WEB_EID_MOBILE_SIGN_PATH, encoded);
+
+        return new MobileInitRequest(requestUri);
+    }
+
+    private MobileInitRequest initCertificateRequest() throws IOException {
+        final String responseUri = ServletUriComponentsBuilder.fromCurrentContextPath()
+            .path(CERTIFICATE_RESPONSE_PATH)
+            .build()
+            .toUriString();
+        final RequestObject initRequest = new RequestObject(responseUri, null, null, null);
+        final String payloadJson = OBJECT_WRITER.writeValueAsString(initRequest);
+        final String encoded = Base64.getUrlEncoder()
+            .withoutPadding()
+            .encodeToString(payloadJson.getBytes());
+        final String requestUri = getRequestUri(WEB_EID_GET_CERT_PATH, encoded);
+
+        return new MobileInitRequest(requestUri);
+    }
+
+    private String getRequestUri(String path, String encodedPayload) {
+        UriComponentsBuilder builder = UriComponentsBuilder.fromUriString(webEidMobileProperties.baseRequestUri());
+        if (webEidMobileProperties.baseRequestUri().startsWith("http")) {
+            builder.pathSegment(path);
+        } else {
+            builder.host(path);
+        }
+        return builder.fragment(encodedPayload).toUriString();
+    }
+
+    private List<SignatureAlgorithmDTO> mapSupportedAlgorithms(List<SupportedSignatureAlgorithm> algorithms) {
+        return algorithms.stream().map(ssa -> {
+            var dto = new SignatureAlgorithmDTO();
+            dto.setCryptoAlgorithm(ssa.getCryptoAlgorithm());
+            dto.setHashFunction(ssa.getHashFunction());
+            dto.setPaddingScheme(ssa.getPaddingScheme());
+            return dto;
+        }).toList();
+    }
+
+    @JsonNaming(PropertyNamingStrategies.SnakeCaseStrategy.class)
+    public record MobileInitRequest(
+        String requestUri
+    ) {
+    }
+
+    @JsonNaming(PropertyNamingStrategies.SnakeCaseStrategy.class)
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    record RequestObject(
+        String responseUri,
+        String signingCertificate,
+        String hash,
+        String hashFunction
+    ) {
+    }
+}
diff --git a/example/src/main/java/eu/webeid/example/service/SigningService.java b/example/src/main/java/eu/webeid/example/service/SigningService.java
index dfbbc4b9..b1202dea 100644
--- a/example/src/main/java/eu/webeid/example/service/SigningService.java
+++ b/example/src/main/java/eu/webeid/example/service/SigningService.java
@@ -22,7 +22,7 @@
 
 package eu.webeid.example.service;
 
-import eu.webeid.example.config.YAMLConfig;
+import eu.webeid.example.config.WebEidAuthTokenProperties;
 import eu.webeid.example.security.WebEidAuthentication;
 import eu.webeid.example.service.dto.CertificateDTO;
 import eu.webeid.example.service.dto.DigestDTO;
@@ -67,13 +67,12 @@ public class SigningService {
     private static final String SESSION_ATTR_DATA = "data-to-sign";
     private static final Logger LOG = LoggerFactory.getLogger(SigningService.class);
     private final Configuration signingConfiguration;
-
     private final ObjectFactory<HttpSession> httpSessionFactory;
 
-    public SigningService(ObjectFactory<HttpSession> httpSessionFactory, YAMLConfig yamlConfig) {
+    public SigningService(ObjectFactory<HttpSession> httpSessionFactory, WebEidAuthTokenProperties authTokenProperties) {
         this.httpSessionFactory = httpSessionFactory;
-        signingConfiguration = Configuration.of(yamlConfig.getUseDigiDoc4jProdConfiguration() ?
-                Configuration.Mode.PROD : Configuration.Mode.TEST);
+        signingConfiguration = Configuration.of(authTokenProperties.validation().useDigiDoc4jProdConfiguration() ?
+            Configuration.Mode.PROD : Configuration.Mode.TEST);
         // Use automatic AIA OCSP URL selection from certificate for signatures.
         signingConfiguration.setPreferAiaOcsp(true);
     }
diff --git a/example/src/main/java/eu/webeid/example/web/rest/SigningController.java b/example/src/main/java/eu/webeid/example/web/rest/SigningController.java
index b6eccf17..2c36c46c 100644
--- a/example/src/main/java/eu/webeid/example/web/rest/SigningController.java
+++ b/example/src/main/java/eu/webeid/example/web/rest/SigningController.java
@@ -23,6 +23,8 @@
 package eu.webeid.example.web.rest;
 
 import eu.webeid.example.security.WebEidAuthentication;
+import eu.webeid.example.service.MobileSigningService;
+import eu.webeid.example.service.MobileSigningService.MobileInitRequest;
 import eu.webeid.example.service.SigningService;
 import eu.webeid.example.service.dto.CertificateDTO;
 import eu.webeid.example.service.dto.DigestDTO;
@@ -38,6 +40,7 @@
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.servlet.ModelAndView;
 
 import java.io.IOException;
 import java.security.NoSuchAlgorithmException;
@@ -51,9 +54,11 @@
 public class SigningController {
 
     private final SigningService signingService;
+    private final MobileSigningService mobileSigningService;
 
-    public SigningController(SigningService signingService) {
+    public SigningController(SigningService signingService, MobileSigningService mobileSigningService) {
         this.signingService = signingService;
+        this.mobileSigningService = mobileSigningService;
     }
 
     @PostMapping("prepare")
@@ -61,11 +66,36 @@ public DigestDTO prepare(@RequestBody CertificateDTO data, WebEidAuthentication
         return signingService.prepareContainer(data, authentication);
     }
 
-    @PostMapping("sign")
-    public FileDTO sign(@RequestBody SignatureDTO data) {
+    @PostMapping("signature")
+    public FileDTO signature(@RequestBody SignatureDTO data) {
         return signingService.signContainer(data);
     }
 
+    @PostMapping("mobile/init")
+    public ResponseEntity<MobileInitRequest> mobileInit(WebEidAuthentication authentication) throws CertificateException, IOException, NoSuchAlgorithmException {
+        return ResponseEntity.ok(mobileSigningService.initCertificateOrSigningRequest(authentication));
+    }
+
+    @GetMapping("mobile/certificate")
+    public ModelAndView mobileCertificateResponse() {
+        return new ModelAndView("webeid-callback");
+    }
+
+    @PostMapping("mobile/certificate")
+    public ResponseEntity<MobileInitRequest> mobileCertificate(@RequestBody CertificateDTO certificateDTO, WebEidAuthentication authentication) throws CertificateException, IOException, NoSuchAlgorithmException {
+        return ResponseEntity.ok(mobileSigningService.initSigningRequest(authentication, certificateDTO));
+    }
+
+    @GetMapping("mobile/signature")
+    public ModelAndView mobileSignatureResponse() {
+        return new ModelAndView("webeid-callback");
+    }
+
+    @PostMapping("mobile/signature")
+    public ResponseEntity<FileDTO> mobileSignature(@RequestBody SignatureDTO signatureDTO) {
+        return ResponseEntity.ok(signingService.signContainer(signatureDTO));
+    }
+
     @GetMapping(value = "download", produces = "application/vnd.etsi.asic-e+zip")
     public ResponseEntity<Resource> download() throws IOException {
 
diff --git a/example/src/main/resources/application-dev.yaml b/example/src/main/resources/application-dev.yaml
index 9c637326..75db6ba0 100644
--- a/example/src/main/resources/application-dev.yaml
+++ b/example/src/main/resources/application-dev.yaml
@@ -1,4 +1,7 @@
 web-eid-auth-token:
   validation:
-    use-digidoc4j-prod-configuration: false
+    use-digi-doc4j-prod-configuration: false
     local-origin: "https://test.web-eid.eu"
+web-eid-mobile:
+  base-request-uri: "web-eid-mobile://"
+  request-signing-cert: false
diff --git a/example/src/main/resources/application-prod.yaml b/example/src/main/resources/application-prod.yaml
index 3868f350..c457453a 100644
--- a/example/src/main/resources/application-prod.yaml
+++ b/example/src/main/resources/application-prod.yaml
@@ -1,8 +1,11 @@
 web-eid-auth-token:
   validation:
-    use-digidoc4j-prod-configuration: true
+    use-digi-doc4j-prod-configuration: true
     local-origin: "https://web-eid.eu"
     truststore-password: "changeit"
+web-eid-mobile:
+    base-request-uri: "web-eid-mobile://"
+    request-signing-cert: false
 spring:
   thymeleaf:
     cache: true
diff --git a/example/src/main/resources/static/css/main.css b/example/src/main/resources/static/css/main.css
index 6e7f2b07..12b79bfe 100644
--- a/example/src/main/resources/static/css/main.css
+++ b/example/src/main/resources/static/css/main.css
@@ -116,3 +116,25 @@ body {
     background-color: transparent !important;
 }
 
+/* Mobile callback loading styles */
+.loading-page {
+    text-align: center;
+    padding-top: 3rem;
+    font-family: system-ui, sans-serif;
+}
+
+.spinner {
+    width: 40px;
+    height: 40px;
+    border: 4px solid #ccc;
+    border-top-color: #007bff;
+    border-radius: 50%;
+    animation: spin 1s linear infinite;
+    margin: 1rem auto;
+}
+
+@keyframes spin {
+    to {
+        transform: rotate(360deg);
+    }
+}
diff --git a/example/src/main/resources/static/js/errors.js b/example/src/main/resources/static/js/errors.js
index 7f42d5ff..80414751 100644
--- a/example/src/main/resources/static/js/errors.js
+++ b/example/src/main/resources/static/js/errors.js
@@ -32,10 +32,9 @@ export function hideErrorMessage() {
     alertUi.alert.style.display = "none";
 }
 
-export function showErrorMessage(error) {
-    const message = "Authentication failed";
+export function showErrorMessage(error, message = "Authentication failed") {
     const details =
-        `[Code]\n${error.code}` +
+        `[Code]\n${error.code ?? "UNKNOWN_ERROR"}` +
         `\n\n[Message]\n${error.message}` +
         (error.response ? `\n\n[response]\n${JSON.stringify(error.response, null, " ")}` : "");
 
@@ -56,4 +55,4 @@ export async function checkHttpError(response) {
         error.code = response.status;
         throw error;
     }
-}
\ No newline at end of file
+}
diff --git a/example/src/main/resources/static/js/payload.js b/example/src/main/resources/static/js/payload.js
new file mode 100644
index 00000000..4035e6c2
--- /dev/null
+++ b/example/src/main/resources/static/js/payload.js
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2020-2025 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+export function parsePayload(context) {
+    const fragment = window.location.hash.slice(1);
+
+    if (!fragment) {
+        throw new Error(`Missing ${context} response payload`);
+    }
+
+    let payload;
+    try {
+        payload = JSON.parse(atob(fragment));
+    } catch (e) {
+        console.error(e);
+        throw new Error(`Failed to parse the ${context} response`);
+    }
+
+    if (payload.error) {
+        const error = new Error(payload.message ?? `${context} failed`);
+        error.code = payload.code;
+        throw error;
+    }
+
+    return payload;
+}
diff --git a/example/src/main/resources/templates/index.html b/example/src/main/resources/templates/index.html
index 415e53f3..64dc882b 100644
--- a/example/src/main/resources/templates/index.html
+++ b/example/src/main/resources/templates/index.html
@@ -1,516 +1,624 @@
-<!DOCTYPE html>
+<!doctype html>
 <html lang="en">
-<head>
-    <meta charset="UTF-8"/>
-    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/>
-    <meta id="csrftoken" name="csrftoken" th:content="${_csrf.token}"/>
-    <meta id="csrfheadername" name="csrfheadername" th:content="${_csrf.headerName}"/>
-
-    <title>Web eID: electronic ID smart cards on the Web</title>
-    <link rel="stylesheet" href="/css/bootstrap.min.css"/>
-    <link rel="stylesheet" href="/css/main.css"/>
-    <link rel="icon" type="image/x-icon" href="/img/favicon.ico">
-    <link rel="icon" type="image/png" sizes="16x16" href="/img/favicon-16x16.png">
-    <link rel="icon" type="image/png" sizes="32x32" href="/img/favicon-32x32.png">
-    <link rel="apple-touch-icon" sizes="180x180" href="/img/apple-touch-icon.png">
-    <link rel="icon" type="image/png" sizes="192x192" href="/img/android-chrome-192x192.png">
-    <link rel="icon" type="image/png" sizes="512x512" href="/img/android-chrome-512x512.png">
-</head>
-<body class="m-4">
-<div class="container">
-    <div class="row justify-content-md-center">
-        <div class="col-xs-12 col-md-8">
-            <h2>Web eID: electronic ID smart cards on the Web</h2>
-            <p>
-                The Web eID project enables usage of European Union electronic identity (eID) smart cards for
-                secure authentication and digital signing of documents on the web using public-key cryptography.
-            </p>
-            <p>
-                Estonian, Finnish, Latvian, Lithuanian, Belgian and Croatian eID cards are supported in the first phase,
-                but only Estonian eID card support is currently enabled in the test application below.
-            </p>
-            <p>
-                Please get in touch by email at help@ria.ee in case you need support with adding Web eID to your project
-                or want to add support for a new eID card to Web eID.
-            </p>
-            <p>The privacy policy of the test service is available <a href="/files/Web eID privacy policy.pdf">here</a>.
-            </p>
-
-            <hr/>
-            <h5>Web eID plugin status</h5>
-            <div>
-                <span id="plugin-status-icon" class="fw-bold me-2">⏳</span>
-                <span>Web eID plugin installed</span>
-            </div>
-            <div class="mb-1">
-                <span id="mobile-status-icon" class="fw-bold me-2">⏳</span>
-                <span>Accessed with a mobile device</span>
-            </div>
+    <head>
+        <meta charset="UTF-8" />
+        <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
+        <meta id="csrftoken" name="csrftoken" th:content="${_csrf.token}" />
+        <meta id="csrfheadername" name="csrfheadername" th:content="${_csrf.headerName}" />
+
+        <title>Web eID: electronic ID smart cards on the Web</title>
+        <link rel="stylesheet" href="/css/bootstrap.min.css" />
+        <link rel="stylesheet" href="/css/main.css" />
+        <link rel="icon" type="image/x-icon" href="/img/favicon.ico" />
+        <link rel="icon" type="image/png" sizes="16x16" href="/img/favicon-16x16.png" />
+        <link rel="icon" type="image/png" sizes="32x32" href="/img/favicon-32x32.png" />
+        <link rel="apple-touch-icon" sizes="180x180" href="/img/apple-touch-icon.png" />
+        <link rel="icon" type="image/png" sizes="192x192" href="/img/android-chrome-192x192.png" />
+        <link rel="icon" type="image/png" sizes="512x512" href="/img/android-chrome-512x512.png" />
+    </head>
+    <body class="m-4">
+        <div class="container">
+            <div class="row justify-content-md-center">
+                <div class="col-xs-12 col-md-8">
+                    <h2>Web eID: electronic ID smart cards on the Web</h2>
+                    <p>
+                        The Web eID project enables usage of European Union electronic identity (eID) smart cards for
+                        secure authentication and digital signing of documents on the web using public-key cryptography.
+                    </p>
+                    <p>
+                        Estonian, Finnish, Latvian, Lithuanian, Belgian and Croatian eID cards are supported in the
+                        first phase, but only Estonian eID card support is currently enabled in the test application
+                        below.
+                    </p>
+                    <p>
+                        Please get in touch by email at help@ria.ee in case you need support with adding Web eID to your
+                        project or want to add support for a new eID card to Web eID.
+                    </p>
+                    <p>
+                        The privacy policy of the test service is available
+                        <a href="/files/Web eID privacy policy.pdf">here</a>.
+                    </p>
+
+                    <hr />
+                    <h5>Web eID plugin status</h5>
+                    <div>
+                        <span id="plugin-status-icon" class="fw-bold me-2">⏳</span>
+                        <span>Web eID plugin installed</span>
+                    </div>
+                    <div class="mb-1">
+                        <span id="mobile-status-icon" class="fw-bold me-2">⏳</span>
+                        <span>Accessed with a mobile device</span>
+                    </div>
 
-            <hr/>
-            <h4>Table of contents</h4>
-            <ul>
-                <li><a href="#usage-with-plugin">Usage with Web eID plugin</a>
+                    <hr />
+                    <h4>Table of contents</h4>
                     <ul>
-                        <li><a href="#uninstallation">Uninstallation</a></li>
-                        <li><a href="#debugging-and-logs">Debugging and logs</a></li>
-                        <li><a href="#documentation">Documentation</a></li>
-                        <li><a href="#for-developers">For developers</a></li>
-                    </ul>
-                </li>
-                <li><a href="#usage-without-plugin">Usage without Web eID plugin</a>
-                    <ul>
-                        <li><a href="#documentation-mobile">Documentation</a></li>
-                    </ul>
-                </li>
-            </ul>
-
-            <hr/>
-            <h3><a id="usage-with-plugin"></a>Usage with Web eID plugin</h3>
-            <p>The recommended way of installing Web eID is by installing
-                <a href="https://www.id.ee/en/article/install-id-software/">the latest Open-EID ID-software package</a>.
-                In case you do not need or want to install the Open-EID package, install the latest Web eID packages in
-                Firefox, Chrome, Edge or Safari according to the following instructions:
-            </p>
-            <ol>
-                <li>
-                    Download and run the Web eID native app and browser extension installer:
-                    <ul>
-                        <li>on <b>Ubuntu Linux</b>, for Firefox and Chrome, download and execute the<br>
-                            <a href="/scripts/install-web-eid.sh"><code>install-web-eid.sh</code></a>
-                            script from the console with<br>
-                            <code>wget -O - https://<span th:text="${serverName}"/>/scripts/install-web-eid.sh
-                                | bash</code><br>
-                            Note: as of the 2.5 version, Web eID supports Firefox installed via Snap.
-                        </li>
-                        <li>on <b>macOS</b> 13 or later, for Firefox and Chrome from
-                            <a href="https://installer.id.ee/media/web-eid/web-eid_2.7.0.660.dmg">here</a>,
-                        </li>
-                        <li>on <b>macOS</b> 13 or later, for Safari, install the extension from
-                            <a href="https://apps.apple.com/ee/app/web-eid/id1576665083">App Store</a>,
+                        <li>
+                            <a href="#usage-with-plugin">Usage with Web eID plugin</a>
+                            <ul>
+                                <li><a href="#uninstallation">Uninstallation</a></li>
+                                <li><a href="#debugging-and-logs">Debugging and logs</a></li>
+                                <li><a href="#documentation">Documentation</a></li>
+                                <li><a href="#for-developers">For developers</a></li>
+                            </ul>
                         </li>
-                        <li>on <b>Windows</b> 10, Windows 11, Windows Server 2019, Windows Server 2022, Windows Server
-                            2025 for Firefox, Chrome and Edge from
-                            <a href="https://installer.id.ee/media/web-eid/web-eid_2.7.0.906.x64.exe">here</a>.
+                        <li>
+                            <a href="#usage-without-plugin">Usage without Web eID plugin</a>
+                            <ul>
+                                <li><a href="#documentation-mobile">Documentation</a></li>
+                            </ul>
                         </li>
                     </ul>
-                </li>
-                <li>
-                    The installer will install the browser extension for all supported browsers automatically.
-                    The extension must be manually enabled from either the extension installation pop-up that appears in
-                    the browser or from the browser extensions management page and may need browser restart under
-                    certain circumstances.
-                </li>
-            </ol>
-            <p>Testing:</p>
-            <ol>
-                <li>
-                    Attach a smart card reader to the computer and insert the eID card into the reader.
-                </li>
-                <li>Click <i>Authenticate</i> below.</li>
-            </ol>
-
-            <div id="error-message" class="alert alert-danger" style="display: none;" role="alert">
-                <div class="message"></div>
-                <pre class="details"></pre>
-            </div>
-            <p class="text-center p-4">
-                <button id="webeid-auth-button" class="btn btn-primary">Authenticate</button>
-            </p>
-
-            <hr/>
-            <div class="accordion accordion-flush" id="accordionInfo">
-                <div class="accordion-item border-0">
-                    <h4 class="accordion-header" id="headingUninstall">
-                        <a id="uninstallation"></a>
-                        <button class="accordion-button collapsed ps-0" type="button" data-bs-toggle="collapse"
-                                data-bs-target="#collapseUninstall" aria-expanded="false"
-                                aria-controls="collapseUninstall">
-                            Uninstallation
-                        </button>
-                    </h4>
-                    <div id="collapseUninstall" class="accordion-collapse collapse" aria-labelledby="headingUninstall"
-                         data-bs-parent="#accordionInfo">
-                        <div class="accordion-body ps-0">
-                            <p>The uninstaller will remove the browser extension from all supported browsers
-                                automatically.</p>
-
-                            <h5>Ubuntu Linux</h5>
-                            <p>Uninstall the Web eID software either using the Ubuntu Software Center or from the
-                                console with<br>
-                                <code>sudo apt purge web-eid</code></p>
-
-                            <h5>macOS</h5>
-                            <p>To uninstall the Web eID software, do the following:</p>
-                            <ol>
-                                <li>download the Web eID native app and browser extension installer as instructed
-                                    above,
-                                </li>
-                                <li>open the downloaded file,</li>
-                                <li>open <i>Terminal</i>,</li>
-                                <li>drag and drop <code>uninstall.sh</code> from the downloaded file to the
-                                    <i>Terminal</i> window,
-                                </li>
-                                <li>press <i>Enter</i> and <i>Y</i>,</li>
-                                <li>enter your password.</li>
-                            </ol>
 
-                            <h5>Windows</h5>
-                            <p>Uninstall the Web eID software using <i>Add or remove programs</i>.</p>
-                        </div>
-                    </div>
-                </div>
-                <div class="accordion-item border-0">
-                    <h4 class="accordion-header" id="headingDebugging">
-                        <a id="debugging-and-logs"></a>
-                        <button class="accordion-button collapsed ps-0" type="button" data-bs-toggle="collapse"
-                                data-bs-target="#collapseDebugging" aria-expanded="false"
-                                aria-controls="collapseDebugging">
-                            Debugging and logs
-                        </button>
-                    </h4>
-                    <div id="collapseDebugging" class="accordion-collapse collapse" aria-labelledby="headingDebugging"
-                         data-bs-parent="#accordionInfo">
-                        <div class="accordion-body ps-0">
+                    <hr />
+                    <h3><a id="usage-with-plugin"></a>Usage with Web eID plugin</h3>
+                    <p>
+                        The recommended way of installing Web eID is by installing
+                        <a href="https://www.id.ee/en/article/install-id-software/"
+                            >the latest Open-EID ID-software package</a
+                        >. In case you do not need or want to install the Open-EID package, install the latest Web eID
+                        packages in Firefox, Chrome, Edge or Safari according to the following instructions:
+                    </p>
+                    <ol>
+                        <li>
+                            Download and run the Web eID native app and browser extension installer:
                             <ul>
                                 <li>
-                                    To debug the extension, open the extension page and select
-                                    <i>Inspect</i> to open browser developer tools in extension mode. You can examine
-                                    extension
-                                    logs in the <i>Console</i> tab, put breakpoints in extension code in the
-                                    <i>Debugger</i> tab
-                                    and inspect extension network communication in the <i>Network</i> tab.
+                                    on <b>Ubuntu Linux</b>, for Firefox and Chrome, download and execute the<br />
+                                    <a href="/scripts/install-web-eid.sh"><code>install-web-eid.sh</code></a>
+                                    script from the console with<br />
+                                    <code
+                                        >wget -O - https://<span th:text="${serverName}" />/scripts/install-web-eid.sh |
+                                        bash</code
+                                    ><br />
+                                    Note: as of the 2.5 version, Web eID supports Firefox installed via Snap.
                                 </li>
                                 <li>
-                                    To enable logging in the extension companion native app,
-                                    <ul>
-                                        <li>in Linux, run the following command in the console:<br>
-                                            <code>echo 'logging=true' > ~/.config/RIA/web-eid.conf</code>
-                                        </li>
-                                        <li>in macOS, run the following command in the console:<br>
-                                            <code>defaults write \</code><br>
-                                            <code>&nbsp;&nbsp;"$HOME/Library/Containers/eu.web-eid.web-eid/Data/Library/Preferences/eu.web-eid.web-eid.plist"
-                                                \</code><br>
-                                            <code>&nbsp;&nbsp;logging true</code><br>
-                                            <code>defaults write
-                                                "$HOME/Library/Containers/eu.web-eid.web-eid-safari/Data/Library/Preferences/eu.web-eid.web-eid-safari.plist"
-                                                \</code><br>
-                                            <code>&nbsp;&nbsp;logging true</code><br>
-                                        </li>
-                                        <li>in Windows, add the following registry key:<br>
-                                            <code>[HKEY_CURRENT_USER\SOFTWARE\RIA\web-eid]</code><br>
-                                            <code>"logging"="true"</code>
-                                        </li>
-                                    </ul>
+                                    on <b>macOS</b> 13 or later, for Firefox and Chrome from
+                                    <a href="https://installer.id.ee/media/web-eid/web-eid_2.7.0.660.dmg">here</a>,
                                 </li>
                                 <li>
-                                    The native app logs are stored in
-                                    <ul>
-                                        <li><code>~/.local/share/RIA/web-eid/web-eid.log</code> in Linux</li>
-                                        <li><code>~/Library/Containers/eu.web-eid.web-eid/Data/Library/Application\
-                                            Support/RIA/web-eid/web-eid.log</code> in macOS
-                                        </li>
-                                        <li><code>~/Library/Containers/eu.web-eid.web-eid-safari/Data/Library/Application\
-                                            Support/RIA/web-eid-safari/web-eid-safari.log</code> of Safari in macOS
-                                        </li>
-                                        <li>
-                                            <code>C:/Users/&lt;USER&gt;/AppData/Local/RIA/web-eid/web-eid.log</code> in
-                                            Windows.
-                                        </li>
-                                    </ul>
+                                    on <b>macOS</b> 13 or later, for Safari, install the extension from
+                                    <a href="https://apps.apple.com/ee/app/web-eid/id1576665083">App Store</a>,
                                 </li>
                                 <li>
-                                    You can verify if debugging works by executing the native application
-                                    <code>web-eid</code>
-                                    manually,
-                                    there will be an informative message in the logs.
+                                    on <b>Windows</b> 10, Windows 11, Windows Server 2019, Windows Server 2022, Windows
+                                    Server 2025 for Firefox, Chrome and Edge from
+                                    <a href="https://installer.id.ee/media/web-eid/web-eid_2.7.0.906.x64.exe">here</a>.
                                 </li>
                             </ul>
-                        </div>
+                        </li>
+                        <li>
+                            The installer will install the browser extension for all supported browsers automatically.
+                            The extension must be manually enabled from either the extension installation pop-up that
+                            appears in the browser or from the browser extensions management page and may need browser
+                            restart under certain circumstances.
+                        </li>
+                    </ol>
+                    <p>Testing:</p>
+                    <ol>
+                        <li>Attach a smart card reader to the computer and insert the eID card into the reader.</li>
+                        <li>Click <i>Authenticate</i> below.</li>
+                    </ol>
+
+                    <div id="error-message" class="alert alert-danger" style="display: none" role="alert">
+                        <div class="message"></div>
+                        <pre class="details"></pre>
                     </div>
-                </div>
-                <div class="accordion-item border-0">
-                    <h4 class="accordion-header" id="headingDocumentation">
-                        <button class="accordion-button collapsed ps-0" id="documentation" type="button"
-                                data-bs-toggle="collapse" data-bs-target="#collapseDocumentation" aria-expanded="false"
-                                aria-controls="collapseDocumentation">
-                            Documentation
-                        </button>
-                    </h4>
-                    <div id="collapseDocumentation" class="accordion-collapse collapse"
-                         aria-labelledby="headingDocumentation" data-bs-parent="#accordionInfo">
-                        <div class="accordion-body ps-0">
-                            <p>
-                                Technical overview of the solution is available in the project
-                                <a href="https://github.com/web-eid/web-eid-system-architecture-doc">system architecture
-                                    document</a>.
-                                Overview of authentication token validation implementation in the back end is available
-                                in the
-                                <i>web-eid-authtoken-validation-java</i> Java library
-                                <a href="https://github.com/web-eid/web-eid-authtoken-validation-java#authentication-token-validation">README</a>.
-                            </p>
-                            <p>
-                                Security analysis of the solution is available
-                                <a href="https://web-eid.github.io/web-eid-cybernetica-analysis/webextensions-main.pdf">in
-                                    this
-                                    document</a>.
-                            </p>
+                    <p class="text-center p-4">
+                        <button id="webeid-auth-button" class="btn btn-primary">Authenticate</button>
+                    </p>
+
+                    <hr />
+                    <div class="accordion accordion-flush" id="accordionInfo">
+                        <div class="accordion-item border-0">
+                            <h4 class="accordion-header" id="headingUninstall">
+                                <a id="uninstallation"></a>
+                                <button
+                                    class="accordion-button collapsed ps-0"
+                                    type="button"
+                                    data-bs-toggle="collapse"
+                                    data-bs-target="#collapseUninstall"
+                                    aria-expanded="false"
+                                    aria-controls="collapseUninstall"
+                                >
+                                    Uninstallation
+                                </button>
+                            </h4>
+                            <div
+                                id="collapseUninstall"
+                                class="accordion-collapse collapse"
+                                aria-labelledby="headingUninstall"
+                                data-bs-parent="#accordionInfo"
+                            >
+                                <div class="accordion-body ps-0">
+                                    <p>
+                                        The uninstaller will remove the browser extension from all supported browsers
+                                        automatically.
+                                    </p>
+
+                                    <h5>Ubuntu Linux</h5>
+                                    <p>
+                                        Uninstall the Web eID software either using the Ubuntu Software Center or from
+                                        the console with<br />
+                                        <code>sudo apt purge web-eid</code>
+                                    </p>
+
+                                    <h5>macOS</h5>
+                                    <p>To uninstall the Web eID software, do the following:</p>
+                                    <ol>
+                                        <li>
+                                            download the Web eID native app and browser extension installer as
+                                            instructed above,
+                                        </li>
+                                        <li>open the downloaded file,</li>
+                                        <li>open <i>Terminal</i>,</li>
+                                        <li>
+                                            drag and drop <code>uninstall.sh</code> from the downloaded file to the
+                                            <i>Terminal</i> window,
+                                        </li>
+                                        <li>press <i>Enter</i> and <i>Y</i>,</li>
+                                        <li>enter your password.</li>
+                                    </ol>
+
+                                    <h5>Windows</h5>
+                                    <p>Uninstall the Web eID software using <i>Add or remove programs</i>.</p>
+                                </div>
+                            </div>
                         </div>
-                    </div>
-                </div>
-                <div class="accordion-item border-0">
-                    <h4 class="accordion-header" id="headingDevelopers">
-                        <button class="accordion-button collapsed ps-0" id="for-developers" type="button"
-                                data-bs-toggle="collapse" data-bs-target="#collapseDevelopers" aria-expanded="false"
-                                aria-controls="collapseDevelopers">
-                            For developers
-                        </button>
-                    </h4>
-                    <div id="collapseDevelopers" class="accordion-collapse collapse" aria-labelledby="headingDevelopers"
-                         data-bs-parent="#accordionInfo">
-                        <div class="accordion-body ps-0">
-                            <p>
-                                Currently the Web eID back-end libraries are available for Java, .NET and PHP web
-                                applications.
-                            </p>
-                            <p>
-                                To implement authentication and digital signing with Web eID in a Java, .NET or PHP web
-                                application,
-                                you need to
-                            </p>
-                            <ul>
-                                <li>use the <i>web-eid.js</i> JavaScript library in the front end of the web application
-                                    according to the instructions
-                                    <a href="https://github.com/web-eid/web-eid.js#quickstart">here</a>,
-                                </li>
-                                <li>for authentication
+                        <div class="accordion-item border-0">
+                            <h4 class="accordion-header" id="headingDebugging">
+                                <a id="debugging-and-logs"></a>
+                                <button
+                                    class="accordion-button collapsed ps-0"
+                                    type="button"
+                                    data-bs-toggle="collapse"
+                                    data-bs-target="#collapseDebugging"
+                                    aria-expanded="false"
+                                    aria-controls="collapseDebugging"
+                                >
+                                    Debugging and logs
+                                </button>
+                            </h4>
+                            <div
+                                id="collapseDebugging"
+                                class="accordion-collapse collapse"
+                                aria-labelledby="headingDebugging"
+                                data-bs-parent="#accordionInfo"
+                            >
+                                <div class="accordion-body ps-0">
                                     <ul>
-                                        <li>in Java use the <i>web-eid-authtoken-validation-java</i> library in
-                                            the back end of the web application according to the instructions
-                                            <a href="https://github.com/web-eid/web-eid-authtoken-validation-java#quickstart">here</a>,
+                                        <li>
+                                            To debug the extension, open the extension page and select
+                                            <i>Inspect</i> to open browser developer tools in extension mode. You can
+                                            examine extension logs in the <i>Console</i> tab, put breakpoints in
+                                            extension code in the <i>Debugger</i> tab and inspect extension network
+                                            communication in the <i>Network</i> tab.
+                                        </li>
+                                        <li>
+                                            To enable logging in the extension companion native app,
+                                            <ul>
+                                                <li>
+                                                    in Linux, run the following command in the console:<br />
+                                                    <code>echo 'logging=true' > ~/.config/RIA/web-eid.conf</code>
+                                                </li>
+                                                <li>
+                                                    in macOS, run the following command in the console:<br />
+                                                    <code>defaults write \</code><br />
+                                                    <code
+                                                        >&nbsp;&nbsp;"$HOME/Library/Containers/eu.web-eid.web-eid/Data/Library/Preferences/eu.web-eid.web-eid.plist"
+                                                        \</code
+                                                    ><br />
+                                                    <code>&nbsp;&nbsp;logging true</code><br />
+                                                    <code
+                                                        >defaults write
+                                                        "$HOME/Library/Containers/eu.web-eid.web-eid-safari/Data/Library/Preferences/eu.web-eid.web-eid-safari.plist"
+                                                        \</code
+                                                    ><br />
+                                                    <code>&nbsp;&nbsp;logging true</code><br />
+                                                </li>
+                                                <li>
+                                                    in Windows, add the following registry key:<br />
+                                                    <code>[HKEY_CURRENT_USER\SOFTWARE\RIA\web-eid]</code><br />
+                                                    <code>"logging"="true"</code>
+                                                </li>
+                                            </ul>
                                         </li>
-                                        <li>in .NET/C# use the <i>web-eid-authtoken-validation-dotnet</i> library
-                                            according to the
-                                            instructions
-                                            <a href="https://github.com/web-eid/web-eid-authtoken-validation-dotnet#quickstart">here</a>
+                                        <li>
+                                            The native app logs are stored in
+                                            <ul>
+                                                <li><code>~/.local/share/RIA/web-eid/web-eid.log</code> in Linux</li>
+                                                <li>
+                                                    <code
+                                                        >~/Library/Containers/eu.web-eid.web-eid/Data/Library/Application\
+                                                        Support/RIA/web-eid/web-eid.log</code
+                                                    >
+                                                    in macOS
+                                                </li>
+                                                <li>
+                                                    <code
+                                                        >~/Library/Containers/eu.web-eid.web-eid-safari/Data/Library/Application\
+                                                        Support/RIA/web-eid-safari/web-eid-safari.log</code
+                                                    >
+                                                    of Safari in macOS
+                                                </li>
+                                                <li>
+                                                    <code
+                                                        >C:/Users/&lt;USER&gt;/AppData/Local/RIA/web-eid/web-eid.log</code
+                                                    >
+                                                    in Windows.
+                                                </li>
+                                            </ul>
                                         </li>
-                                        <li>in PHP use the <i>web-eid-authtoken-validation-php</i> library according to
-                                            the
-                                            instructions
-                                            <a href="https://github.com/web-eid/web-eid-authtoken-validation-php#quickstart">here</a>
+                                        <li>
+                                            You can verify if debugging works by executing the native application
+                                            <code>web-eid</code>
+                                            manually, there will be an informative message in the logs.
                                         </li>
                                     </ul>
-                                </li>
-                                <li>for digital signing
+                                </div>
+                            </div>
+                        </div>
+                        <div class="accordion-item border-0">
+                            <h4 class="accordion-header" id="headingDocumentation">
+                                <button
+                                    class="accordion-button collapsed ps-0"
+                                    id="documentation"
+                                    type="button"
+                                    data-bs-toggle="collapse"
+                                    data-bs-target="#collapseDocumentation"
+                                    aria-expanded="false"
+                                    aria-controls="collapseDocumentation"
+                                >
+                                    Documentation
+                                </button>
+                            </h4>
+                            <div
+                                id="collapseDocumentation"
+                                class="accordion-collapse collapse"
+                                aria-labelledby="headingDocumentation"
+                                data-bs-parent="#accordionInfo"
+                            >
+                                <div class="accordion-body ps-0">
+                                    <p>
+                                        Technical overview of the solution is available in the project
+                                        <a href="https://github.com/web-eid/web-eid-system-architecture-doc"
+                                            >system architecture document</a
+                                        >. Overview of authentication token validation implementation in the back end is
+                                        available in the <i>web-eid-authtoken-validation-java</i> Java library
+                                        <a
+                                            href="https://github.com/web-eid/web-eid-authtoken-validation-java#authentication-token-validation"
+                                            >README</a
+                                        >.
+                                    </p>
+                                    <p>
+                                        Security analysis of the solution is available
+                                        <a
+                                            href="https://web-eid.github.io/web-eid-cybernetica-analysis/webextensions-main.pdf"
+                                            >in this document</a
+                                        >.
+                                    </p>
+                                </div>
+                            </div>
+                        </div>
+                        <div class="accordion-item border-0">
+                            <h4 class="accordion-header" id="headingDevelopers">
+                                <button
+                                    class="accordion-button collapsed ps-0"
+                                    id="for-developers"
+                                    type="button"
+                                    data-bs-toggle="collapse"
+                                    data-bs-target="#collapseDevelopers"
+                                    aria-expanded="false"
+                                    aria-controls="collapseDevelopers"
+                                >
+                                    For developers
+                                </button>
+                            </h4>
+                            <div
+                                id="collapseDevelopers"
+                                class="accordion-collapse collapse"
+                                aria-labelledby="headingDevelopers"
+                                data-bs-parent="#accordionInfo"
+                            >
+                                <div class="accordion-body ps-0">
+                                    <p>
+                                        Currently the Web eID back-end libraries are available for Java, .NET and PHP
+                                        web applications.
+                                    </p>
+                                    <p>
+                                        To implement authentication and digital signing with Web eID in a Java, .NET or
+                                        PHP web application, you need to
+                                    </p>
                                     <ul>
-                                        <li>in Java use the <i>digidoc4j</i> library in the back end of the web
+                                        <li>
+                                            use the <i>web-eid.js</i> JavaScript library in the front end of the web
                                             application according to the instructions
-                                            <a href="https://github.com/web-eid/web-eid-authtoken-validation-java/tree/main/example#integration-with-digidoc4j-components">here</a>,
+                                            <a href="https://github.com/web-eid/web-eid.js#quickstart">here</a>,
                                         </li>
-                                        <li>in .NET/C# use the <i>libdigidocpp</i> library in the back end of the web
-                                            application according to the instructions
-                                            <a href="https://github.com/web-eid/web-eid-asp-dotnet-example#3-setup-the-libdigidocpp-library-for-signing">here</a>.
+                                        <li>
+                                            for authentication
+                                            <ul>
+                                                <li>
+                                                    in Java use the <i>web-eid-authtoken-validation-java</i> library in
+                                                    the back end of the web application according to the instructions
+                                                    <a
+                                                        href="https://github.com/web-eid/web-eid-authtoken-validation-java#quickstart"
+                                                        >here</a
+                                                    >,
+                                                </li>
+                                                <li>
+                                                    in .NET/C# use the
+                                                    <i>web-eid-authtoken-validation-dotnet</i> library according to the
+                                                    instructions
+                                                    <a
+                                                        href="https://github.com/web-eid/web-eid-authtoken-validation-dotnet#quickstart"
+                                                        >here</a
+                                                    >
+                                                </li>
+                                                <li>
+                                                    in PHP use the <i>web-eid-authtoken-validation-php</i> library
+                                                    according to the instructions
+                                                    <a
+                                                        href="https://github.com/web-eid/web-eid-authtoken-validation-php#quickstart"
+                                                        >here</a
+                                                    >
+                                                </li>
+                                            </ul>
+                                        </li>
+                                        <li>
+                                            for digital signing
+                                            <ul>
+                                                <li>
+                                                    in Java use the <i>digidoc4j</i> library in the back end of the web
+                                                    application according to the instructions
+                                                    <a
+                                                        href="https://github.com/web-eid/web-eid-authtoken-validation-java/tree/main/example#integration-with-digidoc4j-components"
+                                                        >here</a
+                                                    >,
+                                                </li>
+                                                <li>
+                                                    in .NET/C# use the <i>libdigidocpp</i> library in the back end of
+                                                    the web application according to the instructions
+                                                    <a
+                                                        href="https://github.com/web-eid/web-eid-asp-dotnet-example#3-setup-the-libdigidocpp-library-for-signing"
+                                                        >here</a
+                                                    >.
+                                                </li>
+                                            </ul>
                                         </li>
                                     </ul>
-                                </li>
-                            </ul>
-                            <p>
-                                The full source code of an example Spring Boot web application that uses Web eID for
-                                authentication
-                                and digital signing is available
-                                <a href="https://github.com/web-eid/web-eid-authtoken-validation-java/tree/main/example">here</a>.
-                                The .NET/C# version of the example is available
-                                <a href="https://github.com/web-eid/web-eid-asp-dotnet-example">here</a>.
-                                The PHP version of the example is available
-                                <a href="https://github.com/web-eid/web-eid-authtoken-validation-php/tree/main/example">here</a>.
-                            </p>
+                                    <p>
+                                        The full source code of an example Spring Boot web application that uses Web eID
+                                        for authentication and digital signing is available
+                                        <a
+                                            href="https://github.com/web-eid/web-eid-authtoken-validation-java/tree/main/example"
+                                            >here</a
+                                        >. The .NET/C# version of the example is available
+                                        <a href="https://github.com/web-eid/web-eid-asp-dotnet-example">here</a>. The
+                                        PHP version of the example is available
+                                        <a
+                                            href="https://github.com/web-eid/web-eid-authtoken-validation-php/tree/main/example"
+                                            >here</a
+                                        >.
+                                    </p>
+                                </div>
+                            </div>
                         </div>
                     </div>
-                </div>
-            </div>
-
-            <hr/>
-            <h3><a id="usage-without-plugin"></a>Usage without Web eID plugin</h3>
-            <p>The Web eID solution can also be used without installing the Web eID native app and browser extension.
-                This includes devices like mobile phones, tablets, and some Chromebooks, where the Web eID plugin cannot
-                currently be installed.
-            </p>
-            <p class="text-center p-4">
-                <button id="webeid-mobile-auth-button" class="btn btn-primary">Authenticate</button>
-            </p>
-
-            <hr/>
-            <div class="accordion accordion-flush" id="accordionMobileInfo">
-                <div class="accordion-item border-0">
-                    <h4 class="accordion-header" id="headingDocumentationMobile">
-                        <button class="accordion-button collapsed ps-0" id="documentation-mobile" type="button"
-                                data-bs-toggle="collapse" data-bs-target="#collapseDocumentationMobile"
-                                aria-expanded="false"
-                                aria-controls="collapseDocumentationMobile">
-                            Documentation
-                        </button>
-                    </h4>
-                    <div id="collapseDocumentationMobile" class="accordion-collapse collapse"
-                         aria-labelledby="headingDocumentationMobile" data-bs-parent="#accordionMobileInfo">
-                        <div class="accordion-body ps-0">
-                            <p>
-                                Technical overview of the solution is available in the project
-                                <a href="https://github.com/web-eid/web-eid-for-mobile-architecture-doc">system
-                                    architecture document</a>.
-                                Overview of authentication token validation implementation in the back end is available
-                                in the
-                                <i>web-eid-authtoken-validation-java</i> Java library
-                                <a href="https://github.com/web-eid/web-eid-authtoken-validation-java#authentication-token-validation">README</a>.
-                            </p>
 
+                    <hr />
+                    <h3><a id="usage-without-plugin"></a>Usage without Web eID plugin</h3>
+                    <p>
+                        The Web eID solution can also be used without installing the Web eID native app and browser
+                        extension. This includes devices like mobile phones, tablets, and some Chromebooks, where the
+                        Web eID plugin cannot currently be installed.
+                    </p>
+                    <p class="text-center p-4">
+                        <button id="webeid-mobile-auth-button" class="btn btn-primary">Authenticate</button>
+                    </p>
+
+                    <hr />
+                    <div class="accordion accordion-flush" id="accordionMobileInfo">
+                        <div class="accordion-item border-0">
+                            <h4 class="accordion-header" id="headingDocumentationMobile">
+                                <button
+                                    class="accordion-button collapsed ps-0"
+                                    id="documentation-mobile"
+                                    type="button"
+                                    data-bs-toggle="collapse"
+                                    data-bs-target="#collapseDocumentationMobile"
+                                    aria-expanded="false"
+                                    aria-controls="collapseDocumentationMobile"
+                                >
+                                    Documentation
+                                </button>
+                            </h4>
+                            <div
+                                id="collapseDocumentationMobile"
+                                class="accordion-collapse collapse"
+                                aria-labelledby="headingDocumentationMobile"
+                                data-bs-parent="#accordionMobileInfo"
+                            >
+                                <div class="accordion-body ps-0">
+                                    <p>
+                                        Technical overview of the solution is available in the project
+                                        <a href="https://github.com/web-eid/web-eid-for-mobile-architecture-doc"
+                                            >system architecture document</a
+                                        >. Overview of authentication token validation implementation in the back end is
+                                        available in the <i>web-eid-authtoken-validation-java</i> Java library
+                                        <a
+                                            href="https://github.com/web-eid/web-eid-authtoken-validation-java#authentication-token-validation"
+                                            >README</a
+                                        >.
+                                    </p>
+                                </div>
+                            </div>
                         </div>
                     </div>
                 </div>
             </div>
         </div>
-    </div>
-</div>
-
-<div class="eu-logo-fixed" onmouseout="this.style.display = 'none'">
-    <img src="/img/eu-fund-flags.svg" alt="EU fund flags">
-</div>
-
-<script src="/js/bootstrap.bundle.min.js"></script>
 
-<script type="module">
-    "use strict";
-    import * as webeid from "/js/web-eid.js";
-    import {hideErrorMessage, showErrorMessage, checkHttpError} from "/js/errors.js";
-
-    hideErrorMessage();
-
-    const authButton = document.querySelector("#webeid-auth-button");
-    const authMobileButton = document.querySelector("#webeid-mobile-auth-button");
-
-    const csrfToken = document.querySelector('#csrftoken').content;
-    const csrfHeaderName = document.querySelector('#csrfheadername').content;
-
-    const lang = new URLSearchParams(window.location.search).get("lang") || "en";
-
-    authMobileButton.addEventListener("click", async () => {
-        hideErrorMessage();
+        <div class="eu-logo-fixed" onmouseout="this.style.display = 'none'">
+            <img src="/img/eu-fund-flags.svg" alt="EU fund flags" />
+        </div>
 
-        if (!isMobileDevice()) {
-            showErrorMessage({
-                code: "MOBILE_ONLY",
-                message: "Mobile authentication is only available on mobile devices."
-            });
-            return;
-        }
-
-        authMobileButton.disabled = true;
-
-        try {
-            const resp = await fetch("/auth/mobile/init", {
-                method: "POST",
-                headers: {
-                    "Content-Type": "application/json",
-                    [csrfHeaderName]: csrfToken,
-                },
-                credentials: "include"
+        <script src="/js/bootstrap.bundle.min.js"></script>
+
+        <script type="module">
+            "use strict";
+            import * as webeid from "/js/web-eid.js";
+            import { hideErrorMessage, showErrorMessage, checkHttpError } from "/js/errors.js";
+
+            hideErrorMessage();
+
+            const authButton = document.querySelector("#webeid-auth-button");
+            const authMobileButton = document.querySelector("#webeid-mobile-auth-button");
+
+            const csrfToken = document.querySelector("#csrftoken").content;
+            const csrfHeaderName = document.querySelector("#csrfheadername").content;
+
+            const lang = new URLSearchParams(window.location.search).get("lang") || "en";
+
+            authMobileButton.addEventListener("click", async () => {
+                hideErrorMessage();
+
+                if (!isMobileDevice()) {
+                    showErrorMessage({
+                        code: "MOBILE_ONLY",
+                        message: "Mobile authentication is only available on mobile devices."
+                    });
+                    return;
+                }
+
+                authMobileButton.disabled = true;
+
+                try {
+                    const resp = await fetch("/auth/mobile/init", {
+                        method: "POST",
+                        headers: {
+                            "Content-Type": "application/json",
+                            [csrfHeaderName]: csrfToken
+                        },
+                        credentials: "include"
+                    });
+
+                    await checkHttpError(resp);
+                    const { auth_uri } = await resp.json();
+                    window.location.href = auth_uri;
+                } catch (error) {
+                    showErrorMessage(error);
+                    throw error;
+                } finally {
+                    authMobileButton.disabled = false;
+                }
             });
 
-            await checkHttpError(resp);
-            const {auth_uri} = await resp.json();
-            window.location.href = auth_uri;
-        } catch (error) {
-            showErrorMessage(error);
-            throw error;
-        } finally {
-            authMobileButton.disabled = false;
-        }
-    });
-
-    authButton.addEventListener("click", async () => {
-        hideErrorMessage();
-        authButton.disabled = true;
-
-        try {
-            const challengeResponse = await fetch("/auth/challenge", {
-                method: "POST",
-                headers: {
-                    "Content-Type": "application/json",
-                    [csrfHeaderName]: csrfToken
-                },
-                credentials: "include"
+            authButton.addEventListener("click", async () => {
+                hideErrorMessage();
+                authButton.disabled = true;
+
+                try {
+                    const challengeResponse = await fetch("/auth/challenge", {
+                        method: "POST",
+                        headers: {
+                            "Content-Type": "application/json",
+                            [csrfHeaderName]: csrfToken
+                        },
+                        credentials: "include"
+                    });
+                    await checkHttpError(challengeResponse);
+                    const { nonce } = await challengeResponse.json();
+
+                    const authToken = await webeid.authenticate(nonce, { lang });
+
+                    const authTokenResponse = await fetch("/auth/login", {
+                        method: "POST",
+                        headers: {
+                            "Content-Type": "application/json",
+                            [csrfHeaderName]: csrfToken
+                        },
+                        body: JSON.stringify(authToken)
+                    });
+                    await checkHttpError(authTokenResponse);
+                    const authTokenResult = await authTokenResponse.json();
+
+                    console.log("Authentication successful! Result:", authTokenResult);
+
+                    window.location.href = "/welcome";
+                } catch (error) {
+                    showErrorMessage(error);
+                    throw error;
+                } finally {
+                    authButton.disabled = false;
+                }
             });
-            await checkHttpError(challengeResponse);
-            const {nonce} = await challengeResponse.json();
-
-            const authToken = await webeid.authenticate(nonce, {lang});
-
-            const authTokenResponse = await fetch("/auth/login", {
-                method: "POST",
-                headers: {
-                    "Content-Type": "application/json",
-                    [csrfHeaderName]: csrfToken
-                },
-                body: JSON.stringify(authToken)
+
+            function isMobileDevice() {
+                const hasTouch = "ontouchstart" in window || navigator.maxTouchPoints > 0;
+                const isSmallScreen = window.innerWidth <= 768;
+                const userAgentRegex = /Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini/i;
+                return (hasTouch && isSmallScreen) || userAgentRegex.test(navigator.userAgent);
+            }
+
+            async function isWebEidPluginInstalled() {
+                try {
+                    await webeid.status();
+                    return true;
+                } catch (error) {
+                    return false;
+                }
+            }
+
+            async function updateStatusIndicators() {
+                const pluginStatusIcon = document.getElementById("plugin-status-icon");
+                const mobileStatusIcon = document.getElementById("mobile-status-icon");
+
+                if (await isWebEidPluginInstalled()) {
+                    pluginStatusIcon.textContent = "✓";
+                    pluginStatusIcon.className = "fw-bold me-2 text-success";
+                } else {
+                    pluginStatusIcon.textContent = "✗";
+                    pluginStatusIcon.className = "fw-bold me-2 text-danger";
+                }
+
+                if (isMobileDevice()) {
+                    mobileStatusIcon.textContent = "✓";
+                    mobileStatusIcon.className = "fw-bold me-2 text-success";
+                } else {
+                    mobileStatusIcon.textContent = "✗";
+                    mobileStatusIcon.className = "fw-bold me-2 text-danger";
+                }
+            }
+
+            document.addEventListener("DOMContentLoaded", function () {
+                updateStatusIndicators();
+                setTimeout(function () {
+                    document.querySelector(".eu-logo-fixed").style.display = "none";
+                }, 7000);
             });
-            await checkHttpError(authTokenResponse);
-            const authTokenResult = await authTokenResponse.json();
-
-            console.log("Authentication successful! Result:", authTokenResult);
-
-            window.location.href = "/welcome";
-
-        } catch (error) {
-            showErrorMessage(error);
-            throw error;
-        } finally {
-            authButton.disabled = false;
-        }
-    });
-
-    function isMobileDevice() {
-        const hasTouch = 'ontouchstart' in window || navigator.maxTouchPoints > 0;
-        const isSmallScreen = window.innerWidth <= 768;
-        const userAgentRegex = /Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini/i;
-        return (hasTouch && isSmallScreen) || userAgentRegex.test(navigator.userAgent);
-    }
-
-    async function isWebEidPluginInstalled() {
-        try {
-            await webeid.status();
-            return true;
-        } catch (error) {
-            return false;
-        }
-    }
-
-    async function updateStatusIndicators() {
-        const pluginStatusIcon = document.getElementById('plugin-status-icon');
-        const mobileStatusIcon = document.getElementById('mobile-status-icon');
-
-        if (await isWebEidPluginInstalled()) {
-            pluginStatusIcon.textContent = '✓';
-            pluginStatusIcon.className = 'fw-bold me-2 text-success';
-        } else {
-            pluginStatusIcon.textContent = '✗';
-            pluginStatusIcon.className = 'fw-bold me-2 text-danger';
-        }
-
-        if (isMobileDevice()) {
-            mobileStatusIcon.textContent = '✓';
-            mobileStatusIcon.className = 'fw-bold me-2 text-success';
-        } else {
-            mobileStatusIcon.textContent = '✗';
-            mobileStatusIcon.className = 'fw-bold me-2 text-danger';
-        }
-    }
-
-    document.addEventListener('DOMContentLoaded', function () {
-        updateStatusIndicators();
-        setTimeout(function () {
-            document.querySelector(".eu-logo-fixed").style.display = 'none'
-        }, 7000)
-    });
-    //# sourceURL=index.js
-</script>
-</body>
+            //# sourceURL=index.js
+        </script>
+    </body>
 </html>
diff --git a/example/src/main/resources/templates/webeid-callback.html b/example/src/main/resources/templates/webeid-callback.html
new file mode 100644
index 00000000..cbc6fc49
--- /dev/null
+++ b/example/src/main/resources/templates/webeid-callback.html
@@ -0,0 +1,80 @@
+<!doctype html>
+<html lang="en" xmlns:th="http://www.thymeleaf.org">
+    <head>
+        <meta charset="UTF-8" />
+        <meta name="viewport" content="width=device-width, initial-scale=1" />
+        <meta http-equiv="Cache-Control" content="no-store" />
+        <meta id="csrftoken" name="csrftoken" th:content="${_csrf.token}" />
+        <meta id="csrfheadername" name="csrfheadername" th:content="${_csrf.headerName}" />
+        <title>Completing signing…</title>
+        <link rel="stylesheet" href="/css/bootstrap.min.css" />
+        <link rel="stylesheet" href="/css/main.css" />
+    </head>
+
+    <body class="loading-page">
+        <div id="spinner-message">
+            <h2>Completing signing…</h2>
+            <div class="spinner"></div>
+        </div>
+        <div id="error-message" class="alert alert-danger" style="display: none" role="alert">
+            <div class="message"></div>
+            <pre class="details"></pre>
+        </div>
+
+        <p class="text-center p-4" style="display: none" id="error-actions">
+            <button id="back-button" class="btn btn-primary">Back</button>
+        </p>
+
+        <script type="module">
+            import { showErrorMessage, checkHttpError } from "/js/errors.js";
+            import { parsePayload } from "/js/payload.js";
+
+            // Using an async IIFE for mobile WebView compatibility:
+            // top-level await is not supported in some mobile browsers/WebViews.
+            (async () => {
+                const payload = parsePayload("Signing");
+                const path = window.location.pathname;
+                const allowedEndpoints = ["/sign/mobile/certificate", "/sign/mobile/signature"];
+                if (!allowedEndpoints.includes(path)) {
+                    const error = new Error("Unexpected callback path: " + path);
+                    error.code = "INVALID_CALLBACK_PATH";
+                    throw error;
+                }
+
+                const endpoint = path;
+                const csrfHeaderName = document.querySelector("#csrfheadername").content;
+                const csrfToken = document.querySelector("#csrftoken").content;
+                const response = await fetch(endpoint, {
+                    method: "POST",
+                    headers: {
+                        "Content-Type": "application/json",
+                        [csrfHeaderName]: csrfToken
+                    },
+                    credentials: "include",
+                    body: JSON.stringify(payload)
+                });
+                await checkHttpError(response);
+
+                const result = await response.json();
+                if (endpoint.endsWith("/certificate")) {
+                    const { request_uri } = result;
+                    window.location.replace(request_uri);
+                    return;
+                }
+
+                window.location.replace("/welcome?signed=" + encodeURIComponent(result.name));
+            })().catch((error) => {
+                console.error(error);
+                showErrorMessage(error, "Signing failed");
+                const spinner = document.querySelector("#spinner-message");
+                spinner.style.display = "none";
+                const actions = document.getElementById("error-actions");
+                const goBackButton = document.getElementById("back-button");
+                actions.style.display = "block";
+                goBackButton.addEventListener("click", () => {
+                    window.location.replace("/welcome?error=webeid-callback");
+                });
+            });
+        </script>
+    </body>
+</html>
diff --git a/example/src/main/resources/templates/webeid-login.html b/example/src/main/resources/templates/webeid-login.html
index 828dc8ef..68bfd695 100644
--- a/example/src/main/resources/templates/webeid-login.html
+++ b/example/src/main/resources/templates/webeid-login.html
@@ -1,67 +1,42 @@
 <!doctype html>
 <html lang="en">
-<head>
-    <meta charset="utf-8">
-    <title>Signing you in…</title>
-</head>
-<body>
-<div id="error-message" class="alert alert-danger" style="display: none;" role="alert">
-    <div class="message"></div>
-    <pre class="details"></pre>
-</div>
-
-<script type="module" th:inline="javascript">
-    import { showErrorMessage } from "/js/errors.js";
-
-    // Using an async IIFE for mobile WebView compatibility:
-    // top-level await is not supported in some mobile browsers/WebViews.
-    (async function () {
-        const frag = location.hash ? location.hash.substring(1) : "";
-        if (!frag) {
-            showErrorMessage({ code: "UNKNOWN_ERROR", message: "Missing authentication payload" });
-            return;
-        }
-
-        let payload;
-        try {
-            payload = JSON.parse(atob(frag));
-        } catch (e) {
-            console.error("Failed to parse payload", e);
-            showErrorMessage({ code: "UNKNOWN_ERROR", message: "Failed to parse authentication payload" });
-            return;
-        }
-
-        if (payload.error) {
-            showErrorMessage({
-                code: payload.code ?? "UNKNOWN_ERROR",
-                message: payload.message ?? "Authentication failed"
+    <head>
+        <meta charset="utf-8" />
+        <title>Signing you in…</title>
+        <link rel="stylesheet" href="/css/bootstrap.min.css" />
+        <link rel="stylesheet" href="/css/main.css" />
+    </head>
+    <body>
+        <div id="error-message" class="alert alert-danger" style="display: none" role="alert">
+            <div class="message"></div>
+            <pre class="details"></pre>
+        </div>
+
+        <script type="module" th:inline="javascript">
+            import { showErrorMessage, checkHttpError } from "/js/errors.js";
+            import { parsePayload } from "/js/payload.js";
+
+            // Using an async IIFE for mobile WebView compatibility:
+            // top-level await is not supported in some mobile browsers/WebViews.
+            (async function () {
+                const payload = parsePayload("Authentication");
+                const authToken = payload["auth_token"];
+                const response = await fetch(/*[[${loginProcessingPath}]]*/, {
+                    method: "POST",
+                    headers: {
+                        "Content-Type": "application/json",
+                        "X-CSRF-TOKEN": /*[[${csrfToken}]]*/
+                    },
+                    body: JSON.stringify(authToken),
+                    credentials: "include"
+                });
+                await checkHttpError(response);
+
+                window.location.replace("/welcome");
+            })().catch((error) => {
+                console.error(error);
+                showErrorMessage(error);
             });
-            return;
-        }
-
-        const authToken = payload["auth-token"];
-
-        try {
-            const response = await fetch(/*[[${loginProcessingPath}]]*/, {
-                method: "POST",
-                headers: {
-                    "Content-Type": "application/json",
-                    "X-CSRF-TOKEN": /*[[${csrfToken}]]*/
-                },
-                body: JSON.stringify(authToken),
-                credentials: "include"
-            });
-
-            if (!response.ok) {
-                throw new Error("HTTP " + response.status);
-            }
-
-            window.location.replace("/welcome");
-        } catch (error) {
-            console.error(error);
-            showErrorMessage(error);
-        }
-    })();
-</script>
-</body>
+        </script>
+    </body>
 </html>
diff --git a/example/src/main/resources/templates/welcome-with-file-upload-support.html b/example/src/main/resources/templates/welcome-with-file-upload-support.html
index f17a01e4..e88725da 100644
--- a/example/src/main/resources/templates/welcome-with-file-upload-support.html
+++ b/example/src/main/resources/templates/welcome-with-file-upload-support.html
@@ -1,38 +1,36 @@
-<!DOCTYPE html>
+<!doctype html>
 <html lang="en" xmlns:th="http://www.thymeleaf.org">
     <head>
         <meta charset="UTF-8" />
         <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
         <title>Welcome!</title>
-        <link
-            href="/css/bootstrap.min.css"
-            rel="stylesheet"
-        />
-        <link
-            href="/css/main.css"
-            rel="stylesheet"
-        />
+        <link href="/css/bootstrap.min.css" rel="stylesheet" />
+        <link href="/css/main.css" rel="stylesheet" />
     </head>
     <body class="m-4">
         <div class="container">
             <div class="row justify-content-md-center">
-                <div class="col-xs-12 col-md-8" style="padding-top: 3rem;">
+                <div class="col-xs-12 col-md-8" style="padding-top: 3rem">
                     <p class="text-end p-4">
                         <button id="webeid-logout-button" class="btn btn-primary">Logout</button>
                     </p>
-                    <div style="text-align: center;">
+                    <div style="text-align: center">
                         <h2 class="adding-signature">Sign a document</h2>
                         <p th:text="'Welcome, ' + ${principalName} + '!'" class="welcome-line"></p>
                     </div>
                     <div id="file-name"></div>
                     <p class="text-center p-4">
-                        <button id="webeid-sign-button" class="btn btn-primary" style="display: none;">Sign container</button>
-                        <button id="webeid-download-button" class="btn btn-success" style="display: none;">Download container</button>
+                        <button id="webeid-sign-button" class="btn btn-primary" style="display: none">
+                            Sign container
+                        </button>
+                        <button id="webeid-download-button" class="btn btn-success" style="display: none">
+                            Download container
+                        </button>
                     </p>
                 </div>
             </div>
         </div>
-        <div id="error-message" class="alert alert-danger" style="display: none;" role="alert">
+        <div id="error-message" class="alert alert-danger" style="display: none" role="alert">
             <div class="message"></div>
             <pre class="details"></pre>
         </div>
@@ -49,42 +47,36 @@ <h2 class="adding-signature">Sign a document</h2>
             const fileUploadInput = document.querySelector("#webeid-upload-file");
             const fileNameText = document.querySelector("#file-name");
 
-            fileUploadArea.classList.add( 'has-advanced-upload' );
+            fileUploadArea.classList.add("has-advanced-upload");
 
-            ['drag', 'dragstart', 'dragend', 'dragover', 'dragenter', 'dragleave', 'drop'].forEach( function( event )
-            {
-                fileUploadArea.addEventListener( event, function( e )
-                {
+            ["drag", "dragstart", "dragend", "dragover", "dragenter", "dragleave", "drop"].forEach(function (event) {
+                fileUploadArea.addEventListener(event, function (e) {
                     // preventing the unwanted behaviours
                     e.preventDefault();
                     e.stopPropagation();
                 });
             });
-            ['dragover', 'dragenter'].forEach( function( event )
-            {
-                fileUploadArea.addEventListener( event, function()
-                {
-                    fileUploadArea.classList.add('is-dragover');
+            ["dragover", "dragenter"].forEach(function (event) {
+                fileUploadArea.addEventListener(event, function () {
+                    fileUploadArea.classList.add("is-dragover");
                 });
             });
-            ['dragleave', 'dragend', 'drop'].forEach( function( event )
-            {
-                fileUploadArea.addEventListener( event, function()
-                {
-                    fileUploadArea.classList.remove('is-dragover');
+            ["dragleave", "dragend", "drop"].forEach(function (event) {
+                fileUploadArea.addEventListener(event, function () {
+                    fileUploadArea.classList.remove("is-dragover");
                 });
             });
 
             async function uploadFile(file) {
-                const formData  = new FormData();
-                formData.append("file", file)
+                const formData = new FormData();
+                formData.append("file", file);
 
                 const response = await fetch("/sign/upload", {
-                    method: 'POST',
+                    method: "POST",
                     body: formData
                 });
 
-                response.json().then(data => {
+                response.json().then((data) => {
                     signButton.removeAttribute("style");
                     fileNameText.textContent = "File uploaded: " + data.name;
                     downloadButton.setAttribute("style", "display: none;");
@@ -109,7 +101,7 @@ <h2 class="adding-signature">Sign a document</h2>
             signButton.addEventListener("click", async () => {
                 const options = {
                     postPrepareSigningUrl: window.location.origin + "/sign/prepare",
-                    postFinalizeSigningUrl: window.location.origin + "/sign/sign"
+                    postFinalizeSigningUrl: window.location.origin + "/sign/signature"
                 };
 
                 hideErrorMessage();
diff --git a/example/src/main/resources/templates/welcome.html b/example/src/main/resources/templates/welcome.html
index 6bf14a5a..65372365 100644
--- a/example/src/main/resources/templates/welcome.html
+++ b/example/src/main/resources/templates/welcome.html
@@ -1,137 +1,164 @@
-<!DOCTYPE html>
+<!doctype html>
 <html lang="en" xmlns:th="http://www.thymeleaf.org">
-<head>
-    <meta charset="UTF-8"/>
-    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/>
-
-    <meta id="csrftoken" name="csrftoken" th:content="${_csrf.token}"/>
-    <meta id="csrfheadername" name="csrfheadername" th:content="${_csrf.headerName}"/>
-
-    <title>Welcome!</title>
-    <link
-            href="/css/bootstrap.min.css"
-            rel="stylesheet"
-    />
-    <link
-            href="/css/main.css"
-            rel="stylesheet"
-    />
-</head>
-<body class="m-4">
-<div class="container">
-    <div class="row justify-content-md-center">
-        <div class="col-xs-12 col-md-8" style="padding-top: 3rem;">
-            <p class="text-end p-4">
-                <button id="webeid-logout-button" class="btn btn-primary">Logout</button>
-            </p>
-            <div style="text-align: center;">
-                <h2 class="adding-signature">Digital signing</h2>
-                <p th:text="'Welcome, ' + ${principalName} + '!'" class="welcome-line"></p>
+    <head>
+        <meta charset="UTF-8" />
+        <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
+
+        <meta id="csrftoken" name="csrftoken" th:content="${_csrf.token}" />
+        <meta id="csrfheadername" name="csrfheadername" th:content="${_csrf.headerName}" />
+
+        <title>Welcome!</title>
+        <link href="/css/bootstrap.min.css" rel="stylesheet" />
+        <link href="/css/main.css" rel="stylesheet" />
+    </head>
+    <body class="m-4">
+        <div class="container">
+            <div class="row justify-content-md-center">
+                <div class="col-xs-12 col-md-8" style="padding-top: 3rem">
+                    <p class="text-end p-4">
+                        <button id="webeid-logout-button" class="btn btn-primary">Logout</button>
+                    </p>
+                    <div style="text-align: center">
+                        <h2 class="adding-signature">Digital signing</h2>
+                        <p th:text="'Welcome, ' + ${principalName} + '!'" class="welcome-line"></p>
+                    </div>
+
+                    <div id="file-name"></div>
+
+                    <div id="example-document">
+                        <p class="p-4">
+                            To test digital signing, you can sign the following document by clicking
+                            <i>Sign document </i> below:
+                        </p>
+                        <iframe src="/files/example-for-signing.txt" width="100%" height="200"></iframe>
+                    </div>
+
+                    <div id="error-message" class="alert alert-danger" style="display: none" role="alert">
+                        <div class="message"></div>
+                        <pre class="details"></pre>
+                    </div>
+                    <p class="text-center p-4">
+                        <button id="webeid-sign-button" class="btn btn-primary">Sign document</button>
+                        <button id="webeid-download-button" class="btn btn-success" style="display: none">
+                            Download container
+                        </button>
+                    </p>
+                </div>
             </div>
-
-            <div id="file-name"></div>
-
-            <div id="example-document">
-                <p class="p-4">To test digital signing, you can sign the following document by clicking
-                    <i>Sign document </i> below:</p>
-                <iframe src="/files/example-for-signing.txt" width="100%" height="200"></iframe>
-            </div>
-
-            <div id="error-message" class="alert alert-danger" style="display: none;" role="alert">
-                <div class="message"></div>
-                <pre class="details"></pre>
-            </div>
-            <p class="text-center p-4">
-                <button id="webeid-sign-button" class="btn btn-primary">Sign document</button>
-                <button id="webeid-download-button" class="btn btn-success" style="display: none;">Download container
-                </button>
-            </p>
         </div>
-    </div>
-</div>
-
-<script type="module">
-    "use strict";
-    import * as webeid from "/js/web-eid.js";
-    import {hideErrorMessage, showErrorMessage, checkHttpError} from "/js/errors.js";
 
-    const signButton = document.querySelector("#webeid-sign-button");
-    const downloadButton = document.querySelector("#webeid-download-button");
+        <script type="module">
+            "use strict";
+            import * as webeid from "/js/web-eid.js";
+            import { hideErrorMessage, showErrorMessage, checkHttpError } from "/js/errors.js";
+
+            const signButton = document.querySelector("#webeid-sign-button");
+            const downloadButton = document.querySelector("#webeid-download-button");
+
+            const fileNameText = document.querySelector("#file-name");
+            const exampleDocument = document.querySelector("#example-document");
+
+            const csrfToken = document.querySelector("#csrftoken").content;
+            const csrfHeaderName = document.querySelector("#csrfheadername").content;
+
+            document.querySelector("#webeid-logout-button").addEventListener("click", async () => {
+                await fetch("/logout", {
+                    method: "POST",
+                    headers: {
+                        "Content-Type": "application/json",
+                        [csrfHeaderName]: csrfToken
+                    }
+                });
+                window.location.href = "/";
+            });
 
-    const fileNameText = document.querySelector("#file-name");
-    const exampleDocument = document.querySelector("#example-document");
+            downloadButton.addEventListener("click", async () => {
+                window.location.href = "/sign/download";
+            });
 
-    const csrfToken = document.querySelector('#csrftoken').content;
-    const csrfHeaderName = document.querySelector('#csrfheadername').content;
+            const lang = new URLSearchParams(window.location.search).get("lang") || "en";
+
+            signButton.addEventListener("click", async () => {
+                hideErrorMessage();
+                signButton.disabled = true;
+
+                const isMobile = isMobileDevice();
+
+                try {
+                    if (isMobile) {
+                        const initMobileSignResponse = await fetch("/sign/mobile/init", {
+                            method: "POST",
+                            headers: {
+                                "Content-Type": "application/json",
+                                [csrfHeaderName]: csrfToken
+                            }
+                        });
+
+                        await checkHttpError(initMobileSignResponse);
+                        const { request_uri } = await initMobileSignResponse.json();
+                        window.location.href = request_uri;
+                    } else {
+                        const { certificate, supportedSignatureAlgorithms } = await webeid.getSigningCertificate({
+                            lang
+                        });
+
+                        const prepareSigningResponse = await fetch("/sign/prepare", {
+                            method: "POST",
+                            headers: {
+                                "Content-Type": "application/json",
+                                [csrfHeaderName]: csrfToken
+                            },
+                            body: JSON.stringify({ certificate, supportedSignatureAlgorithms })
+                        });
+                        await checkHttpError(prepareSigningResponse);
+                        const { hash, hashFunction } = await prepareSigningResponse.json();
+
+                        const { signatureAlgorithm, signature } = await webeid.sign(certificate, hash, hashFunction, {
+                            lang
+                        });
+
+                        const finalizeSigningResponse = await fetch("/sign/signature", {
+                            method: "POST",
+                            headers: {
+                                "Content-Type": "application/json",
+                                [csrfHeaderName]: csrfToken
+                            },
+                            body: JSON.stringify({ signature, signatureAlgorithm })
+                        });
+                        await checkHttpError(finalizeSigningResponse);
+                        const signResult = await finalizeSigningResponse.json();
+
+                        signButton.style.display = "none";
+                        document.querySelector("#example-document").style.display = "none";
+                        downloadButton.style.display = "inline-block";
+                        document.querySelector("#file-name").textContent = "Signature added: " + signResult.name;
+                    }
+                } catch (error) {
+                    showErrorMessage(error);
+                    throw error;
+                } finally {
+                    signButton.disabled = false;
+                }
+            });
 
-    document.querySelector("#webeid-logout-button").addEventListener("click", async () => {
-        await fetch("/logout", {
-            method: "POST",
-            headers: {
-                "Content-Type": "application/json",
-                [csrfHeaderName]: csrfToken
+            function isMobileDevice() {
+                const hasTouch = "ontouchstart" in window || navigator.maxTouchPoints > 0;
+                const isSmallScreen = window.innerWidth <= 768;
+                const userAgentRegex = /Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini/i;
+                return (hasTouch && isSmallScreen) || userAgentRegex.test(navigator.userAgent);
             }
-        });
-        window.location.href = "/";
-    });
-
-    downloadButton.addEventListener("click", async () => {
-        window.location.href = "/sign/download";
-    });
-
-    const lang = new URLSearchParams(window.location.search).get("lang") || "en";
-
-    signButton.addEventListener("click", async () => {
-        hideErrorMessage();
-        signButton.disabled = true;
-
-        try {
-            const {
-                certificate,
-                supportedSignatureAlgorithms,
-            } = await webeid.getSigningCertificate({lang});
-
-            const prepareSigningResponse = await fetch("/sign/prepare", {
-                method: "POST",
-                headers: {
-                    "Content-Type": "application/json",
-                    [csrfHeaderName]: csrfToken
-                },
-                body: JSON.stringify({certificate, supportedSignatureAlgorithms}),
-            });
-            await checkHttpError(prepareSigningResponse);
-            const {
-                hash,
-                hashFunction
-            } = await prepareSigningResponse.json();
-
-            const {
-                signatureAlgorithm,
-                signature,
-            } = await webeid.sign(certificate, hash, hashFunction, {lang});
-
-            const finalizeSigningResponse = await fetch("/sign/sign", {
-                method: "POST",
-                headers: {
-                    "Content-Type": "application/json",
-                    [csrfHeaderName]: csrfToken
-                },
-                body: JSON.stringify({signature, signatureAlgorithm}),
+
+            document.addEventListener("DOMContentLoaded", () => {
+                const urlParams = new URLSearchParams(window.location.search);
+                const signedFile = urlParams.get("signed");
+
+                if (signedFile) {
+                    document.querySelector("#webeid-sign-button").style.display = "none";
+                    document.querySelector("#example-document").style.display = "none";
+                    document.querySelector("#webeid-download-button").style.display = "inline-block";
+                    document.querySelector("#file-name").textContent = "Signature added: " + signedFile;
+                }
             });
-            await checkHttpError(finalizeSigningResponse);
-            const signResult = await finalizeSigningResponse.json();
-
-            signButton.setAttribute("style", "display: none;");
-            exampleDocument.setAttribute("style", "display: none;");
-            downloadButton.removeAttribute("style");
-            fileNameText.textContent = "Signature added: " + signResult.name;
-        } catch (error) {
-            showErrorMessage(error);
-            throw error;
-        } finally {
-            signButton.disabled = false;
-        }
-    });
-</script>
-</body>
+        </script>
+    </body>
 </html>
diff --git a/example/src/test/java/eu/webeid/example/security/WebEidAuthenticationTest.java b/example/src/test/java/eu/webeid/example/security/WebEidAuthenticationTest.java
index 1da776b6..4cbaee26 100644
--- a/example/src/test/java/eu/webeid/example/security/WebEidAuthenticationTest.java
+++ b/example/src/test/java/eu/webeid/example/security/WebEidAuthenticationTest.java
@@ -38,8 +38,8 @@ class WebEidAuthenticationTest {
     @Test
     void whenOrganizationCertificate_thenSucceeds() throws Exception {
         final X509Certificate certificate = CertificateLoader.decodeCertificateFromBase64(ORGANIZATION_CERT);
-        final Authentication authentication = WebEidAuthentication.fromCertificate(certificate, Collections.emptyList());
+        final Authentication authentication = WebEidAuthentication.fromCertificate(certificate, null, null, Collections.emptyList());
         assertThat(authentication.getPrincipal()).isEqualTo("Testijad.ee isikutuvastus");
     }
 
-}
\ No newline at end of file
+}
diff --git a/example/src/test/java/eu/webeid/example/testutil/HttpHelper.java b/example/src/test/java/eu/webeid/example/testutil/HttpHelper.java
index 49506298..20054b43 100644
--- a/example/src/test/java/eu/webeid/example/testutil/HttpHelper.java
+++ b/example/src/test/java/eu/webeid/example/testutil/HttpHelper.java
@@ -82,7 +82,7 @@ public static MockHttpServletResponse sign(DefaultMockMvcBuilder mvcBuilder, Moc
         // @formatter:off
         return mvcBuilder
                 .build()
-                .perform(post("/sign/sign")
+                .perform(post("/sign/signature")
                         .session(session)
                         .with(csrf())
                         .contentType(MediaType.APPLICATION_JSON)
diff --git a/example/src/test/resources/application-dev.yaml b/example/src/test/resources/application-dev.yaml
index 5e607661..bb677b34 100644
--- a/example/src/test/resources/application-dev.yaml
+++ b/example/src/test/resources/application-dev.yaml
@@ -1,4 +1,7 @@
 web-eid-auth-token:
   validation:
-    use-digidoc4j-prod-configuration: false
+    use-digi-doc4j-prod-configuration: false
     local-origin: "https://ria.ee"
+web-eid-mobile:
+    base-request-uri: "web-eid-mobile://"
+    request-signing-cert: false
diff --git a/pom.xml b/pom.xml
index 2816da7c..1c55efef 100644
--- a/pom.xml
+++ b/pom.xml
@@ -5,7 +5,7 @@
     <modelVersion>4.0.0</modelVersion>
     <artifactId>authtoken-validation</artifactId>
     <groupId>eu.webeid.security</groupId>
-    <version>3.2.0</version>
+    <version>4.0.0-SNAPSHOT</version>
     <packaging>jar</packaging>
     <name>authtoken-validation</name>
     <description>Web eID authentication token validation library for Java</description>

From 015b69d3ce768da98373f22dd4957efc06d9a965 Mon Sep 17 00:00:00 2001
From: Mart Aarma <mart.aarma@nortal.com>
Date: Wed, 12 Nov 2025 11:18:59 +0200
Subject: [PATCH 2/3] NFC-46 Check null authToken

Signed-off-by: Sander Kondratjev sander.kondratjev@nortal.com
---
 .../security/validator/AuthTokenValidatorManager.java     | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/main/java/eu/webeid/security/validator/AuthTokenValidatorManager.java b/src/main/java/eu/webeid/security/validator/AuthTokenValidatorManager.java
index 887161ee..0b23f884 100644
--- a/src/main/java/eu/webeid/security/validator/AuthTokenValidatorManager.java
+++ b/src/main/java/eu/webeid/security/validator/AuthTokenValidatorManager.java
@@ -35,6 +35,7 @@
 
 import java.io.IOException;
 import java.security.cert.X509Certificate;
+import java.util.Objects;
 
 /**
  * Provides the default implementation of {@link AuthTokenValidator}.
@@ -46,10 +47,10 @@ final class AuthTokenValidatorManager implements AuthTokenValidator {
     private final AuthTokenVersionValidatorFactory tokenValidatorFactory;
 
     // Use human-readable meaningful names for token length limits.
-    private final int TOKEN_MIN_LENGTH = 100;
-    private final int TOKEN_MAX_LENGTH = 10000;
+    private static final int TOKEN_MIN_LENGTH = 100;
+    private static final int TOKEN_MAX_LENGTH = 10000;
 
-    private final ObjectReader TOKEN_READER = new ObjectMapper().readerFor(WebEidAuthToken.class);
+    private static final ObjectReader TOKEN_READER = new ObjectMapper().readerFor(WebEidAuthToken.class);
 
     AuthTokenValidatorManager(AuthTokenValidationConfiguration configuration, OcspClient ocspClient)
         throws JceException {
@@ -72,6 +73,7 @@ public WebEidAuthToken parse(String authToken) throws AuthTokenException {
     @Override
     public X509Certificate validate(WebEidAuthToken authToken, String currentChallengeNonce) throws AuthTokenException {
         try {
+            Objects.requireNonNull(authToken, "authToken must not be null");
             LOG.info("Starting token validation");
             return tokenValidatorFactory
                 .getValidatorFor(authToken.getFormat())

From 2ec0a4161f99941eae6c948c5fe6acd64d550ecf Mon Sep 17 00:00:00 2001
From: Mart Aarma <mart.aarma@nortal.com>
Date: Wed, 12 Nov 2025 14:09:49 +0200
Subject: [PATCH 3/3] NFC-47 Authentication flow fixes and updates

Signed-off-by: Sander Kondratjev sander.kondratjev@nortal.com
---
 .../security/WebEidMobileAuthInitFilter.java     | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/example/src/main/java/eu/webeid/example/security/WebEidMobileAuthInitFilter.java b/example/src/main/java/eu/webeid/example/security/WebEidMobileAuthInitFilter.java
index a9b2638d..00c8b32c 100644
--- a/example/src/main/java/eu/webeid/example/security/WebEidMobileAuthInitFilter.java
+++ b/example/src/main/java/eu/webeid/example/security/WebEidMobileAuthInitFilter.java
@@ -41,12 +41,14 @@
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.web.filter.OncePerRequestFilter;
 import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
+import org.springframework.web.util.UriComponentsBuilder;
 
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
 
 public final class WebEidMobileAuthInitFilter extends OncePerRequestFilter {
+    private static final String WEB_EID_MOBILE_AUTH_PATH = "auth";
     private static final ObjectWriter OBJECT_WRITER = new ObjectMapper().writer();
     private final RequestMatcher requestMatcher;
     private final ChallengeNonceGenerator nonceGenerator;
@@ -79,10 +81,20 @@ protected void doFilterInternal(@NonNull HttpServletRequest request,
                 webEidMobileProperties.requestSigningCert() ? Boolean.TRUE : null)
         );
         String encoded = Base64.getEncoder().encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
-        String eidAuthUri = "web-eid-mobile://auth#" + encoded;
+        String authUri = getAuthUri(encoded);
 
         response.setContentType(MediaType.APPLICATION_JSON_VALUE);
-        OBJECT_WRITER.writeValue(response.getWriter(), new AuthUri(eidAuthUri));
+        OBJECT_WRITER.writeValue(response.getWriter(), new AuthUri(authUri));
+    }
+
+    private String getAuthUri(String encodedPayload) {
+        UriComponentsBuilder builder = UriComponentsBuilder.fromUriString(webEidMobileProperties.baseRequestUri());
+        if (webEidMobileProperties.baseRequestUri().startsWith("http")) {
+            builder.pathSegment(WEB_EID_MOBILE_AUTH_PATH);
+        } else {
+            builder.host(WEB_EID_MOBILE_AUTH_PATH);
+        }
+        return builder.fragment(encodedPayload).toUriString();
     }
 
     @JsonNaming(PropertyNamingStrategies.SnakeCaseStrategy.class)