Proclamation

4notify Canada · Canada Gazette

PROCLAIMED · GCKey · Sign-In Partner

Proclamation No.

PRO-CA-004

Date

2026-05-27

Status

In force

Category

Digital government

GCKey, Sign-In Partner and one-time passcode delivery for Canadians accessing federal services online

Millions of Canadians sign in to federal services through GCKey or a Sign-In Partner (their bank's credentials). These gateways front CRA, Service Canada, IRCC and other departments. 4notify integrates with the federal notification rails and delivers appointment reminders, benefit notices and one-time passcodes — with the Social Insurance Number always redacted.

PushSMSEmail

Preamble

Section 1 — Pursuant to the Privacy Act and the Treasury Board Standard on Identity and Credential Assurance, this Proclamation governs the delivery of GCKey and Sign-In Partner authentication and service notifications.

Statutory Basis

Privacy Act (R.S.C. 1985, c. P-21)

Federal handling of personal information, including identifiers used for digital authentication.

TBS Standard on Identity and Credential Assurance

Assurance levels for GCKey and Sign-In Partner credentials and second-factor delivery.

PIPEDA (Part 1)

Consent and safeguard obligations where commercial activity intersects federal credential flows.

Implementation

Federal rails integration

4notify integrates with the GCKey and Sign-In Partner notification gateway; quarterly penetration testing applies.

SIN redaction

The delivery envelope carries only a hashed Social Insurance Number (SHA-256 + salt); the plaintext identifier stays in the departmental system.

Three-channel tier

Service ready → push (60s) → SMS (2 min) → email (5 min); the citizen's preference is honoured from their account profile.

One-time passcode delivery

GCKey and Sign-In Partner OTPs land within a 60-second window; on an SMS failure email is the fallback.

Delivery Envelope

json
{
  "event": "gov.gckey.passcode",
  "sin_hash": "sha256:salt:7f2a9b...",
  "service": "service-canada",
  "service_label": "Service Canada — EI claim",
  "channels": ["push", "sms", "email"],
  "tier_window_minutes": 5
}

Sample Message

PushSubject: Your code is ready

GCKey: Your sign-in code is 482193. Valid for 5 minutes. If you did not request this, do not share it and contact Service Canada.

Compliance Checklist

GCKey / Sign-In Partner gateway integration active
SIN redaction (SHA-256 + salt) enforced at the envelope
Citizen channel preference honoured from account profile
OTP P50 ≤ 4 seconds measured across carriers

The 4notify difference

4notify is the only A2P provider with native GCKey and Sign-In Partner integration, SIN redaction at the envelope and a Privacy-Act-aligned federal notification template library.

Frequently Asked Questions

Can 4notify see a citizen's Social Insurance Number?

No. The delivery envelope carries only a hashed SIN; the department keeps the plaintext identifier and resolves the hash locally.

Does this work for Sign-In Partner (bank credential) logins?

Yes — whether the citizen uses GCKey or signs in with their bank as a Sign-In Partner, the second-factor passcode is delivered through the same envelope on their preferred channel.

Proclaimed by

4notify Operations Office

2026-05-27 · PRO-CA-004

Start for free

14 days, no card required. Weekday support in English.

Try 4notify Talk to the team

Other Proclamations in this Edition

PRO-CA-001 · Banking & Payments

Interac e-Transfer authentication: one-time passcode delivery to Canadian bank customers across Rogers, Bell and Telus

PRO-CA-002 · Telecommunications

CRTC numbering, alphanumeric Sender ID and short-code provisioning for A2P SMS traffic into Canada

PRO-CA-003 · Tax

CRA My Business Account, GST/HST filing and e-invoicing notifications for Canadian businesses

PRO-CA-005 · Privacy