Native SDK Wrapper Guide
The native wrappers let existing FDx SDK Pro applications target SecuGen Connect with minimal code change. Linux, macOS, and Windows ship a shared C API matching the legacy SGFPM_* signatures; Android ships a Java JSGFPLib class with the same lifecycle. Each wrapper is a thin client that forwards to the local Connect bridge over HTTP.
All wrappers are thin clients. They translate FDx-SDK-style calls into bridge HTTP calls against http://127.0.0.1:4499 and translate bridge responses back into SGFDxErrorCode values. There is no native binary replacement for sgfplib.dll / libsgfplib — the Connect bridge owns the device.
The wrapper family
| Repository | Platform | Language / surface | Version |
|---|---|---|---|
sdk-fdxsdkpro-connect-Linux | Linux | C API (SGFPM_*) | 0.2.1 |
sdk-fdxsdkpro-connect-macOS | macOS | C API (SGFPM_*) | 0.2.1 |
sdk-fdxsdkpro-connect-Windows | Windows | C API (SGFPM_*) + C++ shim | 0.2.1 |
sdk-fdxsdkpro-connect-android | Android | Java (JSGFPLib) | 0.2.1 |
The Linux, macOS, and Windows wrappers compile from a byte-identical shared C source tree (src/sgfplib.c); only the build system and packaging differ per platform (Makefile on Linux/macOS, CMake / build.bat on Windows). The browser/TypeScript wrapper (sdk-webapi-connect) is covered separately in the WebAPI Migration Guide.
v0.2.1 — bridge endpoint migration. All wrappers now default to http://127.0.0.1:4499. Earlier builds targeted the legacy https://127.0.0.1:8765; the restructured Connect bridge serves plain HTTP on loopback (primary port 4499, fallback range 4499→4494), so a wrapper pinned to the old port/scheme fails at the transport layer (TLS handshake against a plain-HTTP server / connection refused on 8765).
Transport
- Default base URL:
http://127.0.0.1:4499— plain HTTP on loopback. Mainstream installs do not require a Local-CA cert. - Override:
SGFPM_Connect_SetBridgeBaseURL()(C) /SetBridgeBaseURL()(Java) repoints the wrapper at a non-default host — for example an HTTPS LAN / kiosk bridge. BothhttpandhttpsURLs are accepted. - Session: the wrapper obtains and refreshes a short-lived bearer token via
POST /v1/session/starttransparently — callers never handle the token.
Endpoint mapping
The wrappers call the bridge's standard /v1 REST endpoints:
| Wrapper operation | Bridge endpoint |
|---|---|
| Init / readiness probe · version | GET /v1/health |
| Device enumeration / info | GET /v1/info |
| Session bootstrap (transparent) | POST /v1/session/start |
| Capture + template extraction | POST /v1/fingerprint/capture |
| 1:1 match / score | POST /v1/match/score |
Capture and template creation are served by a single POST /v1/fingerprint/capture call — it returns both the image (when requested) and the extracted template, so SGFPM_CreateTemplate reuses the capture response rather than a separate extract round-trip.
Not served by the current bridge: WSQ
SGFPM_EncodeWSQ / SGFPM_DecodeWSQ (and the Android WSQEncode / WSQDecode) remain in the API for source compatibility, but the restructured bridge exposes no /v1/wsq/* route — capture returns raw8 / png image bytes only. These calls receive an HTTP 404/501 and return SGFDX_ERROR_NO_LONGER_SUPPORTED. The functions are deliberately kept (not removed) so existing code compiles unchanged, and they will begin working automatically if a future bridge re-introduces WSQ.
Error handling
HTTP / API failures are mapped to representative SGFDxErrorCode values.
| Underlying failure | SGFDxErrorCode |
|---|---|
| Bridge unreachable / init failed | SGFDX_ERROR_INITIALIZE_FAILED |
| Timeout | SGFDX_ERROR_TIME_OUT |
| Device not found | SGFDX_ERROR_DEVICE_NOT_FOUND |
| Bad request / invalid param | SGFDX_ERROR_INVALID_PARAM |
| WSQ route absent on the bridge | SGFDX_ERROR_NO_LONGER_SUPPORTED |
Android specifics
The Android wrapper (SecuGen.FDxSDKPro.JSGFPLib) uses OkHttp and is otherwise API-compatible with the C lifecycle (Init, OpenDevice, GetImage, CreateTemplate, MatchTemplate, GetMatchingScore, …). Because the default transport is now cleartext HTTP to loopback, Android's network-security policy (API 28+) blocks it without an explicit opt-in:
- The AAR ships a network-security-config scoped to
127.0.0.1/localhostonly — not a blanketandroid:usesCleartextTraffic="true"— referenced from the library manifest's<application>. - Manifest-merger caveat: a consuming app that declares its own
networkSecurityConfigoverrides the library's (the merger cannot combine two competing configs). Such apps must add a127.0.0.1cleartext rule themselves. - Pointing
SetBridgeBaseURL()at anhttpsLAN host avoids the cleartext requirement entirely; the OkHttp client trusts the loopback / configured host for that override path. INTERNETpermission is required (declared by the library manifest).
Migration strategy
- Keep the existing flow:
Create → Init → Open → Capture / CreateTemplate → Match → Close. - Confirm the Connect bridge is reachable at
http://127.0.0.1:4499(or your configured override URL). - For templates generated outside the wrapper, set the template format with
SGFPM_SetTemplateFormatbefore matching. - Validate with one end-to-end capture + match scenario before real-device rollout.
Validation checklist
- Bridge reachable at
http://127.0.0.1:4499(or the configured override) —GET /v1/healthreturns{"ok":true}. SGFPM_InitreturnsSGFDX_ERROR_NONE.SGFPM_EnumerateDevicereturns at least one device.- Two captures produce a match score and a boolean match result.
- Error path: stop the bridge and verify
SGFDX_ERROR_INITIALIZE_FAILED; disconnect the device and verifySGFDX_ERROR_DEVICE_NOT_FOUND. - Android: confirm the loopback cleartext rule is active (capture succeeds on API 28+), or that an
httpsoverride is configured.
Lifecycle parallelism
Every wrapper preserves the legacy FDx SDK Pro lifecycle — only the binding mechanism changes:
// Legacy FDx SDK Pro (native C)
HSGFPM h; SGFPM_Create(&h);
SGFPM_Init(h, SG_DEV_AUTO);
SGFPM_OpenDevice(h, 0);
SGFPM_GetImage(h, buf);
SGFPM_CreateTemplate(h, NULL, buf, tpl1);
// ... second capture ...
SGFPM_GetMatchingScore(h, tpl1, tpl2, &score);
SGFPM_CloseDevice(h);
// SecuGen Connect — same C API, bridge-backed (http://127.0.0.1:4499)
HSGFPM h; SGFPM_Create(&h);
SGFPM_Init(h, SG_DEV_AUTO); // → GET /v1/health (+ POST /v1/session/start transparently)
SGFPM_OpenDevice(h, 0); // → GET /v1/info
SGFPM_GetImage(h, buf); // → POST /v1/fingerprint/capture
SGFPM_CreateTemplate(h, NULL, buf, tpl1); // template returned by the same capture call
// ... second capture ...
SGFPM_GetMatchingScore(h, tpl1, tpl2, &score); // → POST /v1/match/score
SGFPM_CloseDevice(h);
Application code keeps the same call sequence, the same constants, and the same response semantics. The wrapper handles session lifecycle, authentication, transport (HTTP by default, HTTPS for a configured LAN host), and error-code translation internally.