Management API¶
EUDIPLO Management API main¶
API for managing credentials, sessions, keys, and configurations. All endpoints require OAuth2 authentication.
App¶
GET /api/version¶
Get service version
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Responses
GET /api/frontend-config¶
Get frontend runtime configuration
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Responses
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
Tenant¶
GET /api/tenant¶
Get all tenants
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Responses
[
{
"sessionConfig": {},
"statusListConfig": {},
"id": "string",
"name": "string",
"description": "string",
"status": "string",
"clients": [
{
"allowedPresentationConfigs": [
"age-verification",
"kyc-basic"
],
"allowedIssuanceConfigs": [
"pid",
"mdl"
],
"clientId": "string",
"secret": "string",
"tenantId": "string",
"description": "string",
"roles": [
"presentation:manage"
],
"tenant": null
}
]
}
]
POST /api/tenant¶
Initialize a tenant
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Request body
{
"statusListConfig": {},
"id": "string",
"name": "string",
"description": "string",
"sessionConfig": null,
"roles": [
"presentation:manage"
]
}
Schema of the request body
{
"type": "object",
"properties": {
"statusListConfig": {
"nullable": true,
"description": "Status list configuration for this tenant. Only affects newly created status lists.",
"type": "object",
"allOf": [
{
"$ref": "#/components/schemas/StatusListConfig"
}
]
},
"id": {
"type": "string",
"description": "The unique identifier for the tenant."
},
"name": {
"type": "string",
"description": "The name of the tenant."
},
"description": {
"type": "string",
"description": "The description of the tenant."
},
"sessionConfig": {
"description": "Session storage configuration. Controls TTL and cleanup behavior.",
"allOf": [
{
"$ref": "#/components/schemas/SessionStorageConfig"
}
]
},
"roles": {
"type": "array",
"items": {
"type": "string",
"enum": [
"presentation:manage",
"presentation:request",
"issuance:manage",
"issuance:offer",
"clients:manage",
"tenants:manage",
"registrar:manage"
]
}
}
},
"required": [
"id",
"name"
]
}
Responses
GET /api/tenant/{id}¶
Get a tenant by ID
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Responses
{
"sessionConfig": {},
"statusListConfig": {},
"id": "string",
"name": "string",
"description": "string",
"status": "string",
"clients": [
{
"allowedPresentationConfigs": [
"age-verification",
"kyc-basic"
],
"allowedIssuanceConfigs": [
"pid",
"mdl"
],
"clientId": "string",
"secret": "string",
"tenantId": "string",
"description": "string",
"roles": [
"presentation:manage"
],
"tenant": null
}
]
}
Schema of the response body
{
"type": "object",
"properties": {
"sessionConfig": {
"nullable": true,
"description": "Session storage configuration for this tenant. Controls TTL and cleanup behavior.",
"type": "object",
"allOf": [
{
"$ref": "#/components/schemas/SessionStorageConfig"
}
]
},
"statusListConfig": {
"nullable": true,
"description": "Status list configuration for this tenant. Only affects newly created status lists.",
"type": "object",
"allOf": [
{
"$ref": "#/components/schemas/StatusListConfig"
}
]
},
"id": {
"type": "string",
"description": "The unique identifier for the tenant."
},
"name": {
"type": "string",
"description": "The name of the tenant."
},
"description": {
"type": "string",
"description": "The description of the tenant."
},
"status": {
"type": "string",
"description": "The current status of the tenant."
},
"clients": {
"description": "The clients associated with the tenant.",
"type": "array",
"items": {
"$ref": "#/components/schemas/ClientEntity"
}
}
},
"required": [
"id",
"name",
"status",
"clients"
]
}
PATCH /api/tenant/{id}¶
Update a tenant by ID
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Request body
{
"statusListConfig": {},
"name": "string",
"description": "string",
"sessionConfig": null,
"roles": [
"presentation:manage"
]
}
Schema of the request body
{
"type": "object",
"properties": {
"statusListConfig": {
"nullable": true,
"description": "Status list configuration for this tenant. Only affects newly created status lists.",
"type": "object",
"allOf": [
{
"$ref": "#/components/schemas/StatusListConfig"
}
]
},
"name": {
"type": "string",
"description": "The name of the tenant."
},
"description": {
"type": "string",
"description": "The description of the tenant."
},
"sessionConfig": {
"description": "Session storage configuration. Controls TTL and cleanup behavior.",
"allOf": [
{
"$ref": "#/components/schemas/SessionStorageConfig"
}
]
},
"roles": {
"type": "array",
"items": {
"type": "string",
"enum": [
"presentation:manage",
"presentation:request",
"issuance:manage",
"issuance:offer",
"clients:manage",
"tenants:manage",
"registrar:manage"
]
}
}
}
}
Responses
{
"sessionConfig": {},
"statusListConfig": {},
"id": "string",
"name": "string",
"description": "string",
"status": "string",
"clients": [
{
"allowedPresentationConfigs": [
"age-verification",
"kyc-basic"
],
"allowedIssuanceConfigs": [
"pid",
"mdl"
],
"clientId": "string",
"secret": "string",
"tenantId": "string",
"description": "string",
"roles": [
"presentation:manage"
],
"tenant": null
}
]
}
Schema of the response body
{
"type": "object",
"properties": {
"sessionConfig": {
"nullable": true,
"description": "Session storage configuration for this tenant. Controls TTL and cleanup behavior.",
"type": "object",
"allOf": [
{
"$ref": "#/components/schemas/SessionStorageConfig"
}
]
},
"statusListConfig": {
"nullable": true,
"description": "Status list configuration for this tenant. Only affects newly created status lists.",
"type": "object",
"allOf": [
{
"$ref": "#/components/schemas/StatusListConfig"
}
]
},
"id": {
"type": "string",
"description": "The unique identifier for the tenant."
},
"name": {
"type": "string",
"description": "The name of the tenant."
},
"description": {
"type": "string",
"description": "The description of the tenant."
},
"status": {
"type": "string",
"description": "The current status of the tenant."
},
"clients": {
"description": "The clients associated with the tenant.",
"type": "array",
"items": {
"$ref": "#/components/schemas/ClientEntity"
}
}
},
"required": [
"id",
"name",
"status",
"clients"
]
}
DELETE /api/tenant/{id}¶
Deletes a tenant by ID
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Responses
Client¶
GET /api/client¶
Get all clients for a user
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Responses
[
{
"allowedPresentationConfigs": [
"age-verification",
"kyc-basic"
],
"allowedIssuanceConfigs": [
"pid",
"mdl"
],
"clientId": "string",
"secret": "string",
"tenantId": "string",
"description": "string",
"roles": [
"presentation:manage"
],
"tenant": null
}
]
POST /api/client¶
Create a new client
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Request body
{
"allowedPresentationConfigs": [
"age-verification",
"kyc-basic"
],
"allowedIssuanceConfigs": [
"pid",
"mdl"
],
"clientId": "string",
"secret": "string",
"description": "string",
"roles": [
"presentation:manage"
]
}
Schema of the request body
{
"type": "object",
"properties": {
"allowedPresentationConfigs": {
"nullable": true,
"description": "List of presentation config IDs this client can use. If empty/null, all configs are allowed.",
"example": [
"age-verification",
"kyc-basic"
],
"type": "array",
"items": {
"type": "string"
}
},
"allowedIssuanceConfigs": {
"nullable": true,
"description": "List of issuance config IDs this client can use. If empty/null, all configs are allowed.",
"example": [
"pid",
"mdl"
],
"type": "array",
"items": {
"type": "string"
}
},
"clientId": {
"type": "string",
"description": "The unique identifier for the client."
},
"secret": {
"type": "string",
"description": "The secret key for the client."
},
"description": {
"type": "string",
"description": "The description of the client."
},
"roles": {
"description": "The roles assigned to the client.",
"type": "array",
"items": {
"type": "string",
"enum": [
"presentation:manage",
"presentation:request",
"issuance:manage",
"issuance:offer",
"clients:manage",
"tenants:manage",
"registrar:manage"
]
}
}
},
"required": [
"clientId",
"roles"
]
}
Responses
{
"allowedPresentationConfigs": [
"age-verification",
"kyc-basic"
],
"allowedIssuanceConfigs": [
"pid",
"mdl"
],
"clientId": "string",
"secret": "string",
"tenantId": "string",
"description": "string",
"roles": [
"presentation:manage"
],
"tenant": null
}
Schema of the response body
{
"type": "object",
"properties": {
"allowedPresentationConfigs": {
"nullable": true,
"description": "List of presentation config IDs this client can use. If empty/null, all configs are allowed.",
"example": [
"age-verification",
"kyc-basic"
],
"type": "array",
"items": {
"type": "string"
}
},
"allowedIssuanceConfigs": {
"nullable": true,
"description": "List of issuance config IDs this client can use. If empty/null, all configs are allowed.",
"example": [
"pid",
"mdl"
],
"type": "array",
"items": {
"type": "string"
}
},
"clientId": {
"type": "string",
"description": "The unique identifier for the client."
},
"secret": {
"type": "string",
"description": "The secret key for the client."
},
"tenantId": {
"type": "string",
"description": "The unique identifier for the tenant that the client belongs to. Only null for accounts that manage tenants, that do not belong to a client"
},
"description": {
"type": "string",
"description": "The description of the client."
},
"roles": {
"description": "The roles assigned to the client.",
"type": "array",
"items": {
"type": "string",
"enum": [
"presentation:manage",
"presentation:request",
"issuance:manage",
"issuance:offer",
"clients:manage",
"tenants:manage",
"registrar:manage"
]
}
},
"tenant": {
"description": "The tenant that the client belongs to.",
"allOf": [
{
"$ref": "#/components/schemas/TenantEntity"
}
]
}
},
"required": [
"clientId",
"roles"
]
}
GET /api/client/{id}¶
Get a client by its id
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Responses
{
"allowedPresentationConfigs": [
"age-verification",
"kyc-basic"
],
"allowedIssuanceConfigs": [
"pid",
"mdl"
],
"clientId": "string",
"secret": "string",
"tenantId": "string",
"description": "string",
"roles": [
"presentation:manage"
],
"tenant": null
}
Schema of the response body
{
"type": "object",
"properties": {
"allowedPresentationConfigs": {
"nullable": true,
"description": "List of presentation config IDs this client can use. If empty/null, all configs are allowed.",
"example": [
"age-verification",
"kyc-basic"
],
"type": "array",
"items": {
"type": "string"
}
},
"allowedIssuanceConfigs": {
"nullable": true,
"description": "List of issuance config IDs this client can use. If empty/null, all configs are allowed.",
"example": [
"pid",
"mdl"
],
"type": "array",
"items": {
"type": "string"
}
},
"clientId": {
"type": "string",
"description": "The unique identifier for the client."
},
"secret": {
"type": "string",
"description": "The secret key for the client."
},
"tenantId": {
"type": "string",
"description": "The unique identifier for the tenant that the client belongs to. Only null for accounts that manage tenants, that do not belong to a client"
},
"description": {
"type": "string",
"description": "The description of the client."
},
"roles": {
"description": "The roles assigned to the client.",
"type": "array",
"items": {
"type": "string",
"enum": [
"presentation:manage",
"presentation:request",
"issuance:manage",
"issuance:offer",
"clients:manage",
"tenants:manage",
"registrar:manage"
]
}
},
"tenant": {
"description": "The tenant that the client belongs to.",
"allOf": [
{
"$ref": "#/components/schemas/TenantEntity"
}
]
}
},
"required": [
"clientId",
"roles"
]
}
PATCH /api/client/{id}¶
Update a client by its id
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Request body
{
"allowedPresentationConfigs": [
"age-verification",
"kyc-basic"
],
"allowedIssuanceConfigs": [
"pid",
"mdl"
],
"description": "string",
"roles": [
"presentation:manage"
]
}
Schema of the request body
{
"type": "object",
"properties": {
"allowedPresentationConfigs": {
"nullable": true,
"description": "List of presentation config IDs this client can use. If empty/null, all configs are allowed.",
"example": [
"age-verification",
"kyc-basic"
],
"type": "array",
"items": {
"type": "string"
}
},
"allowedIssuanceConfigs": {
"nullable": true,
"description": "List of issuance config IDs this client can use. If empty/null, all configs are allowed.",
"example": [
"pid",
"mdl"
],
"type": "array",
"items": {
"type": "string"
}
},
"description": {
"type": "string",
"description": "The description of the client."
},
"roles": {
"description": "The roles assigned to the client.",
"type": "array",
"items": {
"type": "string",
"enum": [
"presentation:manage",
"presentation:request",
"issuance:manage",
"issuance:offer",
"clients:manage",
"tenants:manage",
"registrar:manage"
]
}
}
},
"required": [
"roles"
]
}
Responses
DELETE /api/client/{id}¶
Get a client by its id
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Responses
GET /api/client/{id}/secret¶
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Responses
POST /api/client/{id}/rotate-secret¶
Rotate (regenerate) a client's secret. Returns the new secret for one-time display - save it immediately!
Users with tenants:manage role can rotate secrets for any client.
Users with clients:manage role can only rotate secrets for clients in their tenant.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Responses
status-list-config¶
GET /api/status-list-config¶
Get status list configuration
Description
Returns the current status list configuration for the tenant. Fields not set use global defaults.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Responses
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
Schema of the response body
{
"type": "object",
"properties": {
"capacity": {
"type": "number",
"description": "The capacity of the status list. If not set, uses global STATUS_CAPACITY.",
"example": 10000,
"minimum": 100
},
"bits": {
"type": "number",
"description": "Bits per status entry: 1 (valid/revoked), 2 (with suspended), 4/8 (extended). If not set, uses global STATUS_BITS.",
"enum": [
1,
2,
4,
8
],
"default": 1
},
"ttl": {
"type": "number",
"description": "TTL in seconds for the status list JWT. If not set, uses global STATUS_TTL.",
"example": 3600,
"minimum": 60
},
"immediateUpdate": {
"type": "boolean",
"description": "If true, regenerate JWT immediately on status changes. If false (default), use lazy regeneration on TTL expiry.",
"default": false
},
"enableAggregation": {
"type": "boolean",
"description": "If true, include aggregation_uri in status list JWTs for pre-fetching support (default: true).",
"default": true
}
}
}
PUT /api/status-list-config¶
Update status list configuration
Description
Update the status list configuration. Changes only affect newly created status lists. Set a field to null to reset to global default.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Request body
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
Schema of the request body
{
"type": "object",
"properties": {
"capacity": {
"type": "number",
"nullable": true,
"description": "The capacity of the status list. Set to null to reset to global default.",
"minimum": 100,
"example": 10000
},
"bits": {
"type": "number",
"nullable": true,
"description": "Bits per status entry. Set to null to reset to global default.",
"enum": [
1,
2,
4,
8
]
},
"ttl": {
"type": "number",
"nullable": true,
"description": "TTL in seconds for the status list JWT. Set to null to reset to global default.",
"minimum": 60,
"example": 3600
},
"immediateUpdate": {
"type": "boolean",
"nullable": true,
"description": "If true, regenerate JWT on every status change. Set to null to reset to default (false)."
},
"enableAggregation": {
"type": "boolean",
"nullable": true,
"description": "If true, include aggregation_uri in status list JWTs for pre-fetching support. Set to null to reset to default (true)."
}
}
}
Responses
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
Schema of the response body
{
"type": "object",
"properties": {
"capacity": {
"type": "number",
"description": "The capacity of the status list. If not set, uses global STATUS_CAPACITY.",
"example": 10000,
"minimum": 100
},
"bits": {
"type": "number",
"description": "Bits per status entry: 1 (valid/revoked), 2 (with suspended), 4/8 (extended). If not set, uses global STATUS_BITS.",
"enum": [
1,
2,
4,
8
],
"default": 1
},
"ttl": {
"type": "number",
"description": "TTL in seconds for the status list JWT. If not set, uses global STATUS_TTL.",
"example": 3600,
"minimum": 60
},
"immediateUpdate": {
"type": "boolean",
"description": "If true, regenerate JWT immediately on status changes. If false (default), use lazy regeneration on TTL expiry.",
"default": false
},
"enableAggregation": {
"type": "boolean",
"description": "If true, include aggregation_uri in status list JWTs for pre-fetching support (default: true).",
"default": true
}
}
}
DELETE /api/status-list-config¶
Reset status list configuration
Description
Reset the status list configuration to global defaults. Only affects newly created status lists.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Responses
status-lists¶
GET /api/status-lists¶
List all status lists
Description
Returns all status lists for the tenant, including their capacity and usage.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Responses
[
{
"id": "550e8400-e29b-41d4-a716-446655440000",
"tenantId": "root",
"credentialConfigurationId": "org.iso.18013.5.1.mDL",
"keyChainId": "my-status-list-keychain",
"bits": 1,
"capacity": 10000,
"usedEntries": 150,
"availableEntries": 9850,
"uri": "https://example.com/demo/status-management/status-list/550e8400-e29b-41d4-a716-446655440000",
"createdAt": "2024-01-15T10:30:00.000Z",
"expiresAt": "2024-01-15T11:30:00.000Z"
}
]
POST /api/status-lists¶
Create a status list
Description
Creates a new status list. Optionally bind it to a specific credential configuration and/or certificate.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Request body
{
"credentialConfigurationId": "org.iso.18013.5.1.mDL",
"keyChainId": "my-status-list-keychain",
"bits": 1,
"capacity": 100000
}
Schema of the request body
{
"type": "object",
"properties": {
"credentialConfigurationId": {
"type": "string",
"description": "Credential configuration ID to bind this list exclusively to. Leave empty for a shared list.",
"example": "org.iso.18013.5.1.mDL"
},
"keyChainId": {
"type": "string",
"description": "Key chain ID to use for signing. Leave empty to use the tenant's default StatusList key chain.",
"example": "my-status-list-keychain"
},
"bits": {
"type": "number",
"description": "Bits per status value. More bits allow more status states. Defaults to tenant configuration.",
"enum": [
1,
2,
4,
8
],
"example": 1
},
"capacity": {
"type": "number",
"description": "Maximum number of credential status entries. Defaults to tenant configuration.",
"minimum": 1000,
"example": 100000
}
}
}
Responses
{
"id": "550e8400-e29b-41d4-a716-446655440000",
"tenantId": "root",
"credentialConfigurationId": "org.iso.18013.5.1.mDL",
"keyChainId": "my-status-list-keychain",
"bits": 1,
"capacity": 10000,
"usedEntries": 150,
"availableEntries": 9850,
"uri": "https://example.com/demo/status-management/status-list/550e8400-e29b-41d4-a716-446655440000",
"createdAt": "2024-01-15T10:30:00.000Z",
"expiresAt": "2024-01-15T11:30:00.000Z"
}
Schema of the response body
{
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Unique identifier for the status list",
"example": "550e8400-e29b-41d4-a716-446655440000"
},
"tenantId": {
"type": "string",
"description": "The tenant ID",
"example": "root"
},
"credentialConfigurationId": {
"type": "string",
"nullable": true,
"description": "Credential configuration ID this list is bound to. Null means shared.",
"example": "org.iso.18013.5.1.mDL"
},
"keyChainId": {
"type": "string",
"nullable": true,
"description": "Key chain ID used for signing. Null means using the tenant's default.",
"example": "my-status-list-keychain"
},
"bits": {
"type": "number",
"description": "Bits per status value",
"enum": [
1,
2,
4,
8
],
"example": 1
},
"capacity": {
"type": "number",
"description": "Total capacity of the status list",
"example": 10000
},
"usedEntries": {
"type": "number",
"description": "Number of entries in use",
"example": 150
},
"availableEntries": {
"type": "number",
"description": "Number of available entries",
"example": 9850
},
"uri": {
"type": "string",
"description": "The public URI for this status list",
"example": "https://example.com/demo/status-management/status-list/550e8400-e29b-41d4-a716-446655440000"
},
"createdAt": {
"format": "date-time",
"type": "string",
"description": "Creation timestamp",
"example": "2024-01-15T10:30:00.000Z"
},
"expiresAt": {
"format": "date-time",
"type": "string",
"nullable": true,
"description": "JWT expiration timestamp. Null if JWT has not been generated yet.",
"example": "2024-01-15T11:30:00.000Z"
}
},
"required": [
"id",
"tenantId",
"bits",
"capacity",
"usedEntries",
"availableEntries",
"uri",
"createdAt"
]
}
GET /api/status-lists/{listId}¶
Get a status list
Description
Returns details for a specific status list.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
listId |
path | string | No | The status list ID |
Responses
{
"id": "550e8400-e29b-41d4-a716-446655440000",
"tenantId": "root",
"credentialConfigurationId": "org.iso.18013.5.1.mDL",
"keyChainId": "my-status-list-keychain",
"bits": 1,
"capacity": 10000,
"usedEntries": 150,
"availableEntries": 9850,
"uri": "https://example.com/demo/status-management/status-list/550e8400-e29b-41d4-a716-446655440000",
"createdAt": "2024-01-15T10:30:00.000Z",
"expiresAt": "2024-01-15T11:30:00.000Z"
}
Schema of the response body
{
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Unique identifier for the status list",
"example": "550e8400-e29b-41d4-a716-446655440000"
},
"tenantId": {
"type": "string",
"description": "The tenant ID",
"example": "root"
},
"credentialConfigurationId": {
"type": "string",
"nullable": true,
"description": "Credential configuration ID this list is bound to. Null means shared.",
"example": "org.iso.18013.5.1.mDL"
},
"keyChainId": {
"type": "string",
"nullable": true,
"description": "Key chain ID used for signing. Null means using the tenant's default.",
"example": "my-status-list-keychain"
},
"bits": {
"type": "number",
"description": "Bits per status value",
"enum": [
1,
2,
4,
8
],
"example": 1
},
"capacity": {
"type": "number",
"description": "Total capacity of the status list",
"example": 10000
},
"usedEntries": {
"type": "number",
"description": "Number of entries in use",
"example": 150
},
"availableEntries": {
"type": "number",
"description": "Number of available entries",
"example": 9850
},
"uri": {
"type": "string",
"description": "The public URI for this status list",
"example": "https://example.com/demo/status-management/status-list/550e8400-e29b-41d4-a716-446655440000"
},
"createdAt": {
"format": "date-time",
"type": "string",
"description": "Creation timestamp",
"example": "2024-01-15T10:30:00.000Z"
},
"expiresAt": {
"format": "date-time",
"type": "string",
"nullable": true,
"description": "JWT expiration timestamp. Null if JWT has not been generated yet.",
"example": "2024-01-15T11:30:00.000Z"
}
},
"required": [
"id",
"tenantId",
"bits",
"capacity",
"usedEntries",
"availableEntries",
"uri",
"createdAt"
]
}
PATCH /api/status-lists/{listId}¶
Update a status list
Description
Update a status list's credential configuration binding and/or certificate.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
listId |
path | string | No | The status list ID |
Request body
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
Schema of the request body
{
"type": "object",
"properties": {
"credentialConfigurationId": {
"type": "string",
"nullable": true,
"description": "Credential configuration ID to bind this list exclusively to. Set to null to make this a shared list.",
"example": "org.iso.18013.5.1.mDL"
},
"keyChainId": {
"type": "string",
"nullable": true,
"description": "Key chain ID to use for signing. Set to null to use the tenant's default StatusList key chain.",
"example": "my-status-list-keychain"
}
}
}
Responses
{
"id": "550e8400-e29b-41d4-a716-446655440000",
"tenantId": "root",
"credentialConfigurationId": "org.iso.18013.5.1.mDL",
"keyChainId": "my-status-list-keychain",
"bits": 1,
"capacity": 10000,
"usedEntries": 150,
"availableEntries": 9850,
"uri": "https://example.com/demo/status-management/status-list/550e8400-e29b-41d4-a716-446655440000",
"createdAt": "2024-01-15T10:30:00.000Z",
"expiresAt": "2024-01-15T11:30:00.000Z"
}
Schema of the response body
{
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Unique identifier for the status list",
"example": "550e8400-e29b-41d4-a716-446655440000"
},
"tenantId": {
"type": "string",
"description": "The tenant ID",
"example": "root"
},
"credentialConfigurationId": {
"type": "string",
"nullable": true,
"description": "Credential configuration ID this list is bound to. Null means shared.",
"example": "org.iso.18013.5.1.mDL"
},
"keyChainId": {
"type": "string",
"nullable": true,
"description": "Key chain ID used for signing. Null means using the tenant's default.",
"example": "my-status-list-keychain"
},
"bits": {
"type": "number",
"description": "Bits per status value",
"enum": [
1,
2,
4,
8
],
"example": 1
},
"capacity": {
"type": "number",
"description": "Total capacity of the status list",
"example": 10000
},
"usedEntries": {
"type": "number",
"description": "Number of entries in use",
"example": 150
},
"availableEntries": {
"type": "number",
"description": "Number of available entries",
"example": 9850
},
"uri": {
"type": "string",
"description": "The public URI for this status list",
"example": "https://example.com/demo/status-management/status-list/550e8400-e29b-41d4-a716-446655440000"
},
"createdAt": {
"format": "date-time",
"type": "string",
"description": "Creation timestamp",
"example": "2024-01-15T10:30:00.000Z"
},
"expiresAt": {
"format": "date-time",
"type": "string",
"nullable": true,
"description": "JWT expiration timestamp. Null if JWT has not been generated yet.",
"example": "2024-01-15T11:30:00.000Z"
}
},
"required": [
"id",
"tenantId",
"bits",
"capacity",
"usedEntries",
"availableEntries",
"uri",
"createdAt"
]
}
DELETE /api/status-lists/{listId}¶
Delete a status list
Description
Delete a status list. Only allowed if no credentials are using it.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
listId |
path | string | No | The status list ID |
Responses
Session¶
GET /api/session¶
Retrieves all sessions.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Responses
[
{
"status": "active",
"id": "string",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z",
"expiresAt": "2022-04-13T15:42:05.901Z",
"useDcApi": true,
"tenantId": "string",
"tenant": null,
"authorization_code": "string",
"refresh_token": "string",
"refresh_token_expires_at": "2022-04-13T15:42:05.901Z",
"request_uri": "string",
"auth_queries": null,
"offer": {},
"offerUrl": "string",
"credentialPayload": null,
"webhookEndpointId": "string",
"notifications": [
{}
],
"requestId": "string",
"requestUrl": "string",
"requestObject": "string",
"credentials": [
{}
],
"vp_nonce": "string",
"clientId": "string",
"walletNonce": "string",
"responseCode": "string",
"responseUri": "string",
"redirectUri": "string",
"parsedWebhook": null,
"transaction_data": [
{
"type": "string",
"credential_ids": [
"string"
]
}
],
"externalIssuer": "string",
"externalSubject": "string",
"errorReason": "string"
}
]
GET /api/session/{id}¶
Retrieves the session information for a given session ID.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No | The session ID |
Responses
{
"status": "active",
"id": "string",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z",
"expiresAt": "2022-04-13T15:42:05.901Z",
"useDcApi": true,
"tenantId": "string",
"tenant": null,
"authorization_code": "string",
"refresh_token": "string",
"refresh_token_expires_at": "2022-04-13T15:42:05.901Z",
"request_uri": "string",
"auth_queries": null,
"offer": {},
"offerUrl": "string",
"credentialPayload": null,
"webhookEndpointId": "string",
"notifications": [
{}
],
"requestId": "string",
"requestUrl": "string",
"requestObject": "string",
"credentials": [
{}
],
"vp_nonce": "string",
"clientId": "string",
"walletNonce": "string",
"responseCode": "string",
"responseUri": "string",
"redirectUri": "string",
"parsedWebhook": null,
"transaction_data": [
{
"type": "string",
"credential_ids": [
"string"
]
}
],
"externalIssuer": "string",
"externalSubject": "string",
"errorReason": "string"
}
Schema of the response body
{
"type": "object",
"properties": {
"status": {
"description": "Status of the session.",
"enum": [
"active",
"fetched",
"completed",
"expired",
"failed"
],
"type": "string"
},
"id": {
"type": "string",
"description": "Unique identifier for the session."
},
"createdAt": {
"format": "date-time",
"type": "string",
"description": "The timestamp when the request was created."
},
"updatedAt": {
"format": "date-time",
"type": "string",
"description": "The timestamp when the request was last updated."
},
"expiresAt": {
"format": "date-time",
"type": "string",
"description": "The timestamp when the request is set to expire."
},
"useDcApi": {
"type": "boolean",
"description": "Flag indicating whether to use the DC API for the presentation request."
},
"tenantId": {
"type": "string",
"description": "Tenant ID for multi-tenancy support."
},
"tenant": {
"description": "The tenant that owns this object.",
"allOf": [
{
"$ref": "#/components/schemas/TenantEntity"
}
]
},
"authorization_code": {
"type": "string"
},
"refresh_token": {
"type": "string",
"description": "Refresh token for the session - used to obtain a new access token."
},
"refresh_token_expires_at": {
"format": "date-time",
"type": "string",
"description": "Expiration timestamp for the refresh token.\nUsed to validate refresh_token grant requests."
},
"request_uri": {
"type": "string",
"description": "Request URI from the authorization request."
},
"auth_queries": {
"description": "Authorization queries associated with the session.\nEncrypted at rest.",
"allOf": [
{
"$ref": "#/components/schemas/AuthorizeQueries"
}
]
},
"offer": {
"description": "Credential offer object containing details about the credential offer or presentation request.\nEncrypted at rest.",
"type": "object"
},
"offerUrl": {
"type": "string",
"description": "Offer URL for the credential offer."
},
"credentialPayload": {
"description": "Credential payload containing the offer request details.\nEncrypted at rest - may contain sensitive claim data.",
"allOf": [
{
"$ref": "#/components/schemas/OfferRequestDto"
}
]
},
"webhookEndpointId": {
"type": "string",
"description": "ID of the webhook endpoint to notify about issuance status."
},
"notifications": {
"description": "Notifications associated with the session.",
"type": "array",
"items": {
"type": "object"
}
},
"requestId": {
"type": "string"
},
"requestUrl": {
"type": "string",
"description": "The URL of the presentation auth request."
},
"requestObject": {
"type": "string",
"description": "Signed presentation auth request."
},
"credentials": {
"description": "Verified credentials from the presentation process.\nEncrypted at rest - contains personal information.",
"type": "array",
"items": {
"type": "object"
}
},
"vp_nonce": {
"type": "string",
"description": "Noncce from the Verifiable Presentation request."
},
"clientId": {
"type": "string",
"description": "Client ID used in the OID4VP authorization request."
},
"walletNonce": {
"type": "string",
"description": "Cryptographic random nonce used in wallet-facing URLs (response_uri, request_uri, state).\nPer OID4VP spec Section 13.3, this separates the wallet-facing identifier (request-id)\nfrom the frontend-facing session ID (transaction-id) to prevent session fixation."
},
"responseCode": {
"type": "string",
"description": "Cryptographic random code generated after successful VP Token processing.\nPer OID4VP spec Section 13.3, included in redirect_uri so only the legitimate\nfrontend (which receives the redirect) can confirm the session completed."
},
"responseUri": {
"type": "string",
"description": "Response URI used in the OID4VP authorization request."
},
"redirectUri": {
"type": "string",
"nullable": true,
"description": "Redirect URI to which the user-agent should be redirected after the presentation is completed."
},
"parsedWebhook": {
"description": "Where to send the claims webhook response.",
"allOf": [
{
"$ref": "#/components/schemas/WebhookConfig"
}
]
},
"transaction_data": {
"description": "Transaction data to include in the OID4VP authorization request.\nCan be overridden per-request from the presentation configuration.",
"type": "array",
"items": {
"$ref": "#/components/schemas/TransactionData"
}
},
"externalIssuer": {
"type": "string"
},
"externalSubject": {
"type": "string",
"description": "The subject (sub) from the external authorization server token.\nUsed to identify the user at the external AS."
},
"errorReason": {
"type": "string",
"description": "Error reason if the session failed.\nStores the error message when status is 'failed'."
}
},
"required": [
"status",
"id",
"createdAt",
"updatedAt",
"useDcApi",
"tenantId",
"tenant",
"notifications"
]
}
DELETE /api/session/{id}¶
Deletes a session by its ID
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Responses
GET /api/session/{id}/logs¶
Get session log entries
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No | The session ID |
Responses
POST /api/session/revoke¶
Update the status of the credentials of a specific session.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Request body
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
Schema of the request body
{
"type": "object",
"properties": {
"sessionId": {
"type": "string",
"description": "The session ID of the user"
},
"credentialConfigurationId": {
"type": "string",
"description": "The ID of the credential configuration\nThis is optional, if not provided, all credentials will be revoked of the session."
},
"status": {
"type": "number",
"description": "The status of the credential\n0 = valid, 1 = revoked, 2 = suspended"
}
},
"required": [
"sessionId",
"status"
]
}
Responses
GET /api/session-config¶
Get session storage configuration
Description
Returns the session storage configuration for the current tenant.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Responses
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
Schema of the response body
{
"type": "object",
"properties": {
"ttlSeconds": {
"type": "number",
"description": "Time-to-live for sessions in seconds. If not set, uses global SESSION_TTL.",
"example": 86400,
"minimum": 60
},
"cleanupMode": {
"type": "string",
"description": "Cleanup mode: 'full' deletes everything, 'anonymize' keeps metadata but removes PII.",
"enum": [
"full",
"anonymize"
],
"default": "full"
}
}
}
PUT /api/session-config¶
Update session storage configuration
Description
Updates the session storage configuration for the current tenant.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Request body
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
Schema of the request body
{
"type": "object",
"properties": {
"ttlSeconds": {
"type": "number",
"nullable": true,
"description": "Time-to-live for sessions in seconds. Set to null to use global default.",
"minimum": 60,
"example": 86400
},
"cleanupMode": {
"description": "Cleanup mode: 'full' deletes everything, 'anonymize' keeps metadata but removes PII.",
"enum": [
"full",
"anonymize"
],
"type": "string",
"default": "full"
}
}
}
Responses
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
Schema of the response body
{
"type": "object",
"properties": {
"ttlSeconds": {
"type": "number",
"description": "Time-to-live for sessions in seconds. If not set, uses global SESSION_TTL.",
"example": 86400,
"minimum": 60
},
"cleanupMode": {
"type": "string",
"description": "Cleanup mode: 'full' deletes everything, 'anonymize' keeps metadata but removes PII.",
"enum": [
"full",
"anonymize"
],
"default": "full"
}
}
}
DELETE /api/session-config¶
Reset session storage configuration
Description
Resets the session storage configuration to use global defaults.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Responses
Session Events¶
GET /api/session/{id}/events¶
Subscribe to session status updates
Description
Server-Sent Events endpoint for real-time session status updates. Requires JWT authentication via query parameter.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
id |
path | string | No | Session ID to subscribe to | |
token |
query | string | No | JWT access token for authentication |
Responses
Issuer¶
GET /api/issuer/config¶
Returns the issuance configurations for this tenant. Creates a default one if it does not exist.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Responses
{
"signingKeyId": "string",
"chainedAs": {},
"refreshTokenEnabled": true,
"credentialResponseEncryption": true,
"refreshTokenExpiresInSeconds": 10.12,
"tenant": null,
"authServers": [
"string"
],
"batchSize": 10.12,
"dPopRequired": true,
"walletAttestationRequired": true,
"walletProviderTrustLists": [
"string"
],
"preferredAuthServer": "string",
"display": [
{
"name": "string",
"locale": "string",
"logo": {
"uri": "string",
"alt_text": "string"
}
}
],
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
}
Schema of the response body
{
"type": "object",
"properties": {
"signingKeyId": {
"type": "string",
"description": "Key ID for signing access tokens. If unset, the default signing key is used."
},
"chainedAs": {
"nullable": true,
"description": "Configuration for Chained Authorization Server mode.\nWhen enabled, EUDIPLO acts as an OAuth AS facade, delegating user authentication\nto an upstream OIDC provider while issuing its own tokens with issuer_state.",
"type": "object",
"allOf": [
{
"$ref": "#/components/schemas/ChainedAsConfig"
}
]
},
"refreshTokenEnabled": {
"type": "boolean",
"description": "Whether refresh tokens should be issued for OID4VCI token responses.",
"default": true
},
"credentialResponseEncryption": {
"type": "boolean",
"description": "Whether `credential_response_encryption` should be advertised in the credential issuer metadata.",
"default": false
},
"refreshTokenExpiresInSeconds": {
"type": "number",
"description": "Refresh token lifetime in seconds. Defaults to 2592000 (30 days).",
"default": 2592000,
"nullable": true
},
"tenant": {
"description": "The tenant that owns this object.",
"allOf": [
{
"$ref": "#/components/schemas/TenantEntity"
}
]
},
"authServers": {
"description": "Authentication server URL for the issuance process.",
"type": "array",
"items": {
"type": "string"
}
},
"batchSize": {
"type": "number",
"description": "Value to determine the amount of credentials that are issued in a batch.\nDefault is 1."
},
"dPopRequired": {
"type": "boolean",
"description": "Indicates whether DPoP is required for the issuance process. Default value is true."
},
"walletAttestationRequired": {
"type": "boolean",
"description": "Indicates whether wallet attestation is required for the token endpoint.\nWhen enabled, wallets must provide OAuth-Client-Attestation headers.\nDefault value is false."
},
"walletProviderTrustLists": {
"description": "URLs of trust lists containing trusted wallet providers.\nThe wallet attestation's X.509 certificate will be validated against these trust lists.\nIf empty and walletAttestationRequired is true, all wallet providers are rejected.",
"type": "array",
"items": {
"type": "string"
}
},
"preferredAuthServer": {
"type": "string",
"description": "The URL of the preferred authorization server for wallet-initiated flows.\nWhen set, this AS is placed first in the `authorization_servers` array\nof the credential issuer metadata, signaling wallets to use it by default.\nMust match one of the configured auth servers, the chained AS URL, or \"built-in\"."
},
"display": {
"type": "array",
"items": {
"$ref": "#/components/schemas/DisplayInfo"
}
},
"createdAt": {
"format": "date-time",
"type": "string",
"description": "The timestamp when the VP request was created."
},
"updatedAt": {
"format": "date-time",
"type": "string",
"description": "The timestamp when the VP request was last updated."
}
},
"required": [
"tenant",
"display",
"createdAt",
"updatedAt"
]
}
POST /api/issuer/config¶
Stores the issuance configuration for this tenant.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Request body
{
"signingKeyId": "string",
"chainedAs": {},
"refreshTokenEnabled": true,
"credentialResponseEncryption": true,
"refreshTokenExpiresInSeconds": 10.12,
"authServers": [
"string"
],
"batchSize": 10.12,
"dPopRequired": true,
"walletAttestationRequired": true,
"walletProviderTrustLists": [
"string"
],
"preferredAuthServer": "string",
"display": [
{
"name": "string",
"locale": "string",
"logo": {
"uri": "string",
"alt_text": "string"
}
}
]
}
Schema of the request body
{
"type": "object",
"properties": {
"signingKeyId": {
"type": "string",
"description": "Key ID for signing access tokens. If unset, the default signing key is used."
},
"chainedAs": {
"nullable": true,
"description": "Configuration for Chained Authorization Server mode.\nWhen enabled, EUDIPLO acts as an OAuth AS facade, delegating user authentication\nto an upstream OIDC provider while issuing its own tokens with issuer_state.",
"type": "object",
"allOf": [
{
"$ref": "#/components/schemas/ChainedAsConfig"
}
]
},
"refreshTokenEnabled": {
"type": "boolean",
"description": "Whether refresh tokens should be issued for OID4VCI token responses.",
"default": true
},
"credentialResponseEncryption": {
"type": "boolean",
"description": "Whether `credential_response_encryption` should be advertised in the credential issuer metadata.",
"default": false
},
"refreshTokenExpiresInSeconds": {
"type": "number",
"description": "Refresh token lifetime in seconds. Defaults to 2592000 (30 days).",
"default": 2592000,
"nullable": true
},
"authServers": {
"description": "Authentication server URL for the issuance process.",
"type": "array",
"items": {
"type": "string"
}
},
"batchSize": {
"type": "number",
"description": "Value to determine the amount of credentials that are issued in a batch.\nDefault is 1."
},
"dPopRequired": {
"type": "boolean",
"description": "Indicates whether DPoP is required for the issuance process. Default value is true."
},
"walletAttestationRequired": {
"type": "boolean",
"description": "Indicates whether wallet attestation is required for the token endpoint.\nWhen enabled, wallets must provide OAuth-Client-Attestation headers.\nDefault value is false."
},
"walletProviderTrustLists": {
"description": "URLs of trust lists containing trusted wallet providers.\nThe wallet attestation's X.509 certificate will be validated against these trust lists.\nIf empty and walletAttestationRequired is true, all wallet providers are rejected.",
"type": "array",
"items": {
"type": "string"
}
},
"preferredAuthServer": {
"type": "string",
"description": "The URL of the preferred authorization server for wallet-initiated flows.\nWhen set, this AS is placed first in the `authorization_servers` array\nof the credential issuer metadata, signaling wallets to use it by default.\nMust match one of the configured auth servers, the chained AS URL, or \"built-in\"."
},
"display": {
"type": "array",
"items": {
"$ref": "#/components/schemas/DisplayInfo"
}
}
},
"required": [
"display"
]
}
Responses
GET /api/issuer/credentials¶
Returns the credential configurations for this tenant.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Responses
[
{
"vct": {},
"iaeActions": "",
"embeddedDisclosurePolicy": {},
"id": "string",
"description": "string",
"tenant": null,
"config": {
"keyAttestationsRequired": null,
"format": "mso_mdoc",
"display": [
{
"name": "string",
"description": "string",
"locale": "string",
"background_color": "string",
"text_color": "string",
"background_image": {
"uri": "string"
},
"logo": null
}
],
"scope": "string",
"docType": "string",
"namespace": "string",
"claimsByNamespace": {},
"claimsMetadata": [
{
"path": [
"given_name"
],
"mandatory": true,
"display": [
{
"name": "Given Name",
"locale": "en-US"
}
]
}
]
},
"claims": {},
"attributeProviderId": "string",
"attributeProvider": {
"auth": null,
"id": "string",
"tenantId": "string",
"tenant": {
"sessionConfig": {},
"statusListConfig": {},
"id": "string",
"name": "string",
"description": "string",
"status": "string",
"clients": [
{
"allowedPresentationConfigs": [
"age-verification",
"kyc-basic"
],
"allowedIssuanceConfigs": [
"pid",
"mdl"
],
"clientId": "string",
"secret": "string",
"tenantId": "string",
"description": "string",
"roles": [
"presentation:manage"
],
"tenant": null
}
]
},
"name": "string",
"description": "string",
"url": "string"
},
"webhookEndpointId": "string",
"webhookEndpoint": {
"auth": null,
"id": "string",
"tenantId": "string",
"tenant": null,
"name": "string",
"description": "string",
"url": "string"
},
"disclosureFrame": {},
"keyBinding": true,
"keyChainId": "string",
"keyChain": {
"id": "string",
"tenantId": "string",
"tenant": null,
"description": "string",
"usageType": "access",
"usage": "sign",
"kmsProvider": "string",
"externalKeyId": "string",
"rootKey": {},
"rootCertificate": "string",
"activeKey": {},
"activeCertificate": "string",
"rotationEnabled": true,
"rotationIntervalDays": 10.12,
"certValidityDays": 10.12,
"lastRotatedAt": "2022-04-13T15:42:05.901Z",
"previousKey": {},
"previousCertificate": "string",
"previousKeyExpiry": "2022-04-13T15:42:05.901Z",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
},
"statusManagement": true,
"lifeTime": 10.12,
"schema": {}
}
]
POST /api/issuer/credentials¶
Stores the credential configuration for this tenant.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Request body
{
"vct": {},
"iaeActions": "",
"embeddedDisclosurePolicy": {},
"id": "string",
"description": "string",
"config": {
"keyAttestationsRequired": null,
"format": "mso_mdoc",
"display": [
{
"name": "string",
"description": "string",
"locale": "string",
"background_color": "string",
"text_color": "string",
"background_image": {
"uri": "string"
},
"logo": null
}
],
"scope": "string",
"docType": "string",
"namespace": "string",
"claimsByNamespace": {},
"claimsMetadata": [
{
"path": [
"given_name"
],
"mandatory": true,
"display": [
{
"name": "Given Name",
"locale": "en-US"
}
]
}
]
},
"claims": {},
"attributeProviderId": "string",
"webhookEndpointId": "string",
"disclosureFrame": {},
"keyBinding": true,
"keyChainId": "string",
"statusManagement": true,
"lifeTime": 10.12,
"schema": {}
}
Schema of the request body
{
"type": "object",
"properties": {
"vct": {
"type": "object",
"description": "VCT as a URI string (e.g., urn:eudi:pid:de:1) or as an object for EUDIPLO-hosted VCT",
"nullable": true,
"oneOf": [
{
"type": "string",
"description": "VCT URI string"
},
{
"$ref": "#/components/schemas/VCT"
}
]
},
"iaeActions": {
"type": "array",
"nullable": true,
"description": "List of IAE actions to execute before credential issuance",
"example": "",
"items": {
"oneOf": [
{
"$ref": "#/components/schemas/IaeActionOpenid4vpPresentation"
},
{
"$ref": "#/components/schemas/IaeActionRedirectToWeb"
}
]
}
},
"embeddedDisclosurePolicy": {
"nullable": true,
"description": "Embedded disclosure policy (discriminated union by `policy`).\nThe discriminator makes class-transformer instantiate the right subclass,\nand then class-validator runs that subclass’s rules.",
"oneOf": [
{
"$ref": "#/components/schemas/AttestationBasedPolicy"
},
{
"$ref": "#/components/schemas/NoneTrustPolicy"
},
{
"$ref": "#/components/schemas/AllowListPolicy"
},
{
"$ref": "#/components/schemas/RootOfTrustPolicy"
}
],
"type": "object",
"allOf": [
{
"$ref": "#/components/schemas/EmbeddedDisclosurePolicy"
}
]
},
"id": {
"type": "string"
},
"description": {
"type": "string",
"nullable": true
},
"config": {
"$ref": "#/components/schemas/IssuerMetadataCredentialConfig"
},
"claims": {
"type": "object",
"nullable": true
},
"attributeProviderId": {
"type": "string",
"nullable": true,
"description": "Reference to the attribute provider used for fetching claims.\nOptional: if set, claims will be fetched from this provider during issuance."
},
"webhookEndpointId": {
"type": "string",
"nullable": true,
"description": "Reference to the webhook endpoint used for notifications.\nOptional: if set, notifications will be sent to this endpoint."
},
"disclosureFrame": {
"type": "object",
"nullable": true
},
"keyBinding": {
"type": "boolean"
},
"keyChainId": {
"type": "string",
"description": "Reference to the key chain used for signing.\nOptional: if not specified, the default attestation key chain will be used."
},
"statusManagement": {
"type": "boolean"
},
"lifeTime": {
"type": "number"
},
"schema": {
"nullable": true,
"type": "object",
"allOf": [
{
"$ref": "#/components/schemas/SchemaResponse"
}
]
}
},
"required": [
"id",
"config"
]
}
Responses
GET /api/issuer/credentials/{id}¶
Returns a specific credential configuration by ID.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Responses
{
"vct": {},
"iaeActions": "",
"embeddedDisclosurePolicy": {},
"id": "string",
"description": "string",
"tenant": null,
"config": {
"keyAttestationsRequired": null,
"format": "mso_mdoc",
"display": [
{
"name": "string",
"description": "string",
"locale": "string",
"background_color": "string",
"text_color": "string",
"background_image": {
"uri": "string"
},
"logo": null
}
],
"scope": "string",
"docType": "string",
"namespace": "string",
"claimsByNamespace": {},
"claimsMetadata": [
{
"path": [
"given_name"
],
"mandatory": true,
"display": [
{
"name": "Given Name",
"locale": "en-US"
}
]
}
]
},
"claims": {},
"attributeProviderId": "string",
"attributeProvider": {
"auth": null,
"id": "string",
"tenantId": "string",
"tenant": {
"sessionConfig": {},
"statusListConfig": {},
"id": "string",
"name": "string",
"description": "string",
"status": "string",
"clients": [
{
"allowedPresentationConfigs": [
"age-verification",
"kyc-basic"
],
"allowedIssuanceConfigs": [
"pid",
"mdl"
],
"clientId": "string",
"secret": "string",
"tenantId": "string",
"description": "string",
"roles": [
"presentation:manage"
],
"tenant": null
}
]
},
"name": "string",
"description": "string",
"url": "string"
},
"webhookEndpointId": "string",
"webhookEndpoint": {
"auth": null,
"id": "string",
"tenantId": "string",
"tenant": null,
"name": "string",
"description": "string",
"url": "string"
},
"disclosureFrame": {},
"keyBinding": true,
"keyChainId": "string",
"keyChain": {
"id": "string",
"tenantId": "string",
"tenant": null,
"description": "string",
"usageType": "access",
"usage": "sign",
"kmsProvider": "string",
"externalKeyId": "string",
"rootKey": {},
"rootCertificate": "string",
"activeKey": {},
"activeCertificate": "string",
"rotationEnabled": true,
"rotationIntervalDays": 10.12,
"certValidityDays": 10.12,
"lastRotatedAt": "2022-04-13T15:42:05.901Z",
"previousKey": {},
"previousCertificate": "string",
"previousKeyExpiry": "2022-04-13T15:42:05.901Z",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
},
"statusManagement": true,
"lifeTime": 10.12,
"schema": {}
}
Schema of the response body
{
"type": "object",
"properties": {
"vct": {
"type": "object",
"description": "VCT as a URI string (e.g., urn:eudi:pid:de:1) or as an object for EUDIPLO-hosted VCT",
"nullable": true,
"oneOf": [
{
"type": "string",
"description": "VCT URI string"
},
{
"$ref": "#/components/schemas/VCT"
}
]
},
"iaeActions": {
"type": "array",
"nullable": true,
"description": "List of IAE actions to execute before credential issuance",
"example": "",
"items": {
"oneOf": [
{
"$ref": "#/components/schemas/IaeActionOpenid4vpPresentation"
},
{
"$ref": "#/components/schemas/IaeActionRedirectToWeb"
}
]
}
},
"embeddedDisclosurePolicy": {
"nullable": true,
"description": "Embedded disclosure policy (discriminated union by `policy`).\nThe discriminator makes class-transformer instantiate the right subclass,\nand then class-validator runs that subclass’s rules.",
"oneOf": [
{
"$ref": "#/components/schemas/AttestationBasedPolicy"
},
{
"$ref": "#/components/schemas/NoneTrustPolicy"
},
{
"$ref": "#/components/schemas/AllowListPolicy"
},
{
"$ref": "#/components/schemas/RootOfTrustPolicy"
}
],
"type": "object",
"allOf": [
{
"$ref": "#/components/schemas/EmbeddedDisclosurePolicy"
}
]
},
"id": {
"type": "string"
},
"description": {
"type": "string",
"nullable": true
},
"tenant": {
"description": "The tenant that owns this object.",
"allOf": [
{
"$ref": "#/components/schemas/TenantEntity"
}
]
},
"config": {
"$ref": "#/components/schemas/IssuerMetadataCredentialConfig"
},
"claims": {
"type": "object",
"nullable": true
},
"attributeProviderId": {
"type": "string",
"nullable": true,
"description": "Reference to the attribute provider used for fetching claims.\nOptional: if set, claims will be fetched from this provider during issuance."
},
"attributeProvider": {
"$ref": "#/components/schemas/AttributeProviderEntity"
},
"webhookEndpointId": {
"type": "string",
"nullable": true,
"description": "Reference to the webhook endpoint used for notifications.\nOptional: if set, notifications will be sent to this endpoint."
},
"webhookEndpoint": {
"$ref": "#/components/schemas/WebhookEndpointEntity"
},
"disclosureFrame": {
"type": "object",
"nullable": true
},
"keyBinding": {
"type": "boolean"
},
"keyChainId": {
"type": "string",
"description": "Reference to the key chain used for signing.\nOptional: if not specified, the default attestation key chain will be used."
},
"keyChain": {
"$ref": "#/components/schemas/KeyChainEntity"
},
"statusManagement": {
"type": "boolean"
},
"lifeTime": {
"type": "number"
},
"schema": {
"nullable": true,
"type": "object",
"allOf": [
{
"$ref": "#/components/schemas/SchemaResponse"
}
]
}
},
"required": [
"id",
"tenant",
"config"
]
}
PATCH /api/issuer/credentials/{id}¶
Updates a credential configuration by ID.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Request body
{
"vct": {},
"iaeActions": "",
"embeddedDisclosurePolicy": {},
"id": "string",
"description": "string",
"config": {
"keyAttestationsRequired": null,
"format": "mso_mdoc",
"display": [
{
"name": "string",
"description": "string",
"locale": "string",
"background_color": "string",
"text_color": "string",
"background_image": {
"uri": "string"
},
"logo": null
}
],
"scope": "string",
"docType": "string",
"namespace": "string",
"claimsByNamespace": {},
"claimsMetadata": [
{
"path": [
"given_name"
],
"mandatory": true,
"display": [
{
"name": "Given Name",
"locale": "en-US"
}
]
}
]
},
"claims": {},
"attributeProviderId": "string",
"webhookEndpointId": "string",
"disclosureFrame": {},
"keyBinding": true,
"keyChainId": "string",
"statusManagement": true,
"lifeTime": 10.12,
"schema": {}
}
Schema of the request body
{
"type": "object",
"properties": {
"vct": {
"type": "object",
"description": "VCT as a URI string (e.g., urn:eudi:pid:de:1) or as an object for EUDIPLO-hosted VCT",
"nullable": true,
"oneOf": [
{
"type": "string",
"description": "VCT URI string"
},
{
"$ref": "#/components/schemas/VCT"
}
]
},
"iaeActions": {
"type": "array",
"nullable": true,
"description": "List of IAE actions to execute before credential issuance",
"example": "",
"items": {
"oneOf": [
{
"$ref": "#/components/schemas/IaeActionOpenid4vpPresentation"
},
{
"$ref": "#/components/schemas/IaeActionRedirectToWeb"
}
]
}
},
"embeddedDisclosurePolicy": {
"nullable": true,
"description": "Embedded disclosure policy (discriminated union by `policy`).\nThe discriminator makes class-transformer instantiate the right subclass,\nand then class-validator runs that subclass’s rules.",
"oneOf": [
{
"$ref": "#/components/schemas/AttestationBasedPolicy"
},
{
"$ref": "#/components/schemas/NoneTrustPolicy"
},
{
"$ref": "#/components/schemas/AllowListPolicy"
},
{
"$ref": "#/components/schemas/RootOfTrustPolicy"
}
],
"type": "object",
"allOf": [
{
"$ref": "#/components/schemas/EmbeddedDisclosurePolicy"
}
]
},
"id": {
"type": "string"
},
"description": {
"type": "string",
"nullable": true
},
"config": {
"$ref": "#/components/schemas/IssuerMetadataCredentialConfig"
},
"claims": {
"type": "object",
"nullable": true
},
"attributeProviderId": {
"type": "string",
"nullable": true,
"description": "Reference to the attribute provider used for fetching claims.\nOptional: if set, claims will be fetched from this provider during issuance."
},
"webhookEndpointId": {
"type": "string",
"nullable": true,
"description": "Reference to the webhook endpoint used for notifications.\nOptional: if set, notifications will be sent to this endpoint."
},
"disclosureFrame": {
"type": "object",
"nullable": true
},
"keyBinding": {
"type": "boolean"
},
"keyChainId": {
"type": "string",
"description": "Reference to the key chain used for signing.\nOptional: if not specified, the default attestation key chain will be used."
},
"statusManagement": {
"type": "boolean"
},
"lifeTime": {
"type": "number"
},
"schema": {
"nullable": true,
"type": "object",
"allOf": [
{
"$ref": "#/components/schemas/SchemaResponse"
}
]
}
}
}
Responses
DELETE /api/issuer/credentials/{id}¶
Deletes an credential configuration.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Responses
GET /api/issuer/attribute-providers¶
List all attribute providers
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Responses
POST /api/issuer/attribute-providers¶
Create a new attribute provider
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Request body
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
Schema of the request body
{
"type": "object",
"properties": {
"auth": {
"oneOf": [
{
"$ref": "#/components/schemas/WebHookAuthConfigNone"
},
{
"$ref": "#/components/schemas/WebHookAuthConfigHeader"
}
]
},
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"description": {
"type": "string",
"nullable": true
},
"url": {
"type": "string"
}
},
"required": [
"auth",
"id",
"name",
"url"
]
}
Responses
GET /api/issuer/attribute-providers/{id}¶
Get an attribute provider by ID
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Responses
PATCH /api/issuer/attribute-providers/{id}¶
Update an attribute provider
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Request body
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
Schema of the request body
{
"type": "object",
"properties": {
"auth": {
"oneOf": [
{
"$ref": "#/components/schemas/WebHookAuthConfigNone"
},
{
"$ref": "#/components/schemas/WebHookAuthConfigHeader"
}
]
},
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"description": {
"type": "string",
"nullable": true
},
"url": {
"type": "string"
}
}
}
Responses
DELETE /api/issuer/attribute-providers/{id}¶
Delete an attribute provider
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Responses
GET /api/issuer/webhook-endpoints¶
List all webhook endpoints
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Responses
POST /api/issuer/webhook-endpoints¶
Create a new webhook endpoint
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Request body
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
Schema of the request body
{
"type": "object",
"properties": {
"auth": {
"oneOf": [
{
"$ref": "#/components/schemas/WebHookAuthConfigNone"
},
{
"$ref": "#/components/schemas/WebHookAuthConfigHeader"
}
]
},
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"description": {
"type": "string",
"nullable": true
},
"url": {
"type": "string"
}
},
"required": [
"auth",
"id",
"name",
"url"
]
}
Responses
GET /api/issuer/webhook-endpoints/{id}¶
Get a webhook endpoint by ID
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Responses
PATCH /api/issuer/webhook-endpoints/{id}¶
Update a webhook endpoint
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Request body
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
Schema of the request body
{
"type": "object",
"properties": {
"auth": {
"oneOf": [
{
"$ref": "#/components/schemas/WebHookAuthConfigNone"
},
{
"$ref": "#/components/schemas/WebHookAuthConfigHeader"
}
]
},
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"description": {
"type": "string",
"nullable": true
},
"url": {
"type": "string"
}
}
}
Responses
DELETE /api/issuer/webhook-endpoints/{id}¶
Delete a webhook endpoint
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Responses
POST /api/issuer/offer¶
Create an offer for a credential.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Request body
Schema of the request body
{
"type": "object",
"properties": {
"response_type": {
"enum": [
"uri",
"dc-api"
],
"type": "string",
"examples": [
{
"value": "qrcode"
}
],
"description": "The type of response expected for the offer request."
},
"credentialClaims": {
"type": "object",
"description": "Credential claims configuration per credential. Keys must match credentialConfigurationIds.",
"properties": {
"additionalProperties": {
"oneOf": [
{
"type": "object",
"properties": {
"type": {
"type": "string",
"enum": [
"inline"
]
},
"claims": {
"type": "object",
"additionalProperties": true
}
},
"required": [
"type",
"claims"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"enum": [
"attributeProvider"
]
},
"attributeProviderId": {
"type": "string"
}
},
"required": [
"type",
"attributeProviderId"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"enum": [
"webhook"
]
},
"webhook": {
"type": "object",
"properties": {
"url": {
"type": "string"
},
"auth": {
"type": "object"
}
},
"required": [
"url"
]
}
},
"required": [
"type",
"webhook"
]
}
]
}
},
"example": {
"citizen": {
"type": "inline",
"claims": {
"given_name": "John",
"family_name": "Doe"
}
}
}
},
"flow": {
"description": "The flow type for the offer request.",
"enum": [
"authorization_code",
"pre_authorized_code"
],
"type": "string"
},
"tx_code": {
"type": "string",
"description": "Transaction code for pre-authorized code flow."
},
"tx_code_description": {
"type": "string",
"description": "Description for the transaction code (e.g., \"Please enter the PIN sent to your email\")."
},
"credentialConfigurationIds": {
"description": "List of credential configuration ids to be included in the offer.",
"type": "array",
"items": {
"type": "string"
}
},
"authorization_server": {
"type": "string",
"description": "Optional authorization server to be used for this issuance flow."
},
"webhookEndpointId": {
"type": "string",
"description": "ID of the webhook endpoint to notify about the status of the issuance process."
}
},
"required": [
"response_type",
"flow",
"credentialConfigurationIds"
]
}
Responses
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
POST /api/issuer/deferred/{transactionId}/complete¶
Complete a deferred credential transaction
Description
Completes a pending deferred credential transaction by providing the claims. The credential will be generated and marked as ready for wallet retrieval.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
transactionId |
path | string | No |
Request body
Schema of the request body
{
"type": "object",
"properties": {
"claims": {
"type": "object",
"description": "Claims to include in the credential. The structure should match the credential configuration's expected claims.",
"example": {
"given_name": "John",
"family_name": "Doe",
"birthdate": "1990-01-15"
}
}
},
"required": [
"claims"
]
}
Responses
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
Schema of the response body
{
"type": "object",
"properties": {
"transactionId": {
"type": "string",
"description": "The transaction ID"
},
"status": {
"description": "The new status of the transaction",
"enum": [
"pending",
"ready",
"retrieved",
"expired",
"failed"
],
"type": "string"
},
"message": {
"type": "string",
"description": "Optional message"
}
},
"required": [
"transactionId",
"status"
]
}
POST /api/issuer/deferred/{transactionId}/fail¶
Fail a deferred credential transaction
Description
Marks a deferred credential transaction as failed. The wallet will receive an invalid_transaction_id error when attempting retrieval.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
transactionId |
path | string | No |
Request body
Responses
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
Schema of the response body
{
"type": "object",
"properties": {
"transactionId": {
"type": "string",
"description": "The transaction ID"
},
"status": {
"description": "The new status of the transaction",
"enum": [
"pending",
"ready",
"retrieved",
"expired",
"failed"
],
"type": "string"
},
"message": {
"type": "string",
"description": "Optional message"
}
},
"required": [
"transactionId",
"status"
]
}
POST /api/trust-list¶
Creates a new trust list for the tenant
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Request body
{
"description": "string",
"data": {},
"entities": [
null
],
"id": "string",
"keyChainId": "string"
}
Schema of the request body
{
"type": "object",
"properties": {
"description": {
"type": "string"
},
"data": {
"type": "object",
"description": "The full trust list JSON (generated LoTE structure)"
},
"entities": {
"type": "array",
"items": {
"oneOf": [
{
"$ref": "#/components/schemas/InternalTrustListEntity"
},
{
"$ref": "#/components/schemas/ExternalTrustListEntity"
}
],
"discriminator": {
"propertyName": "type",
"mapping": {
"internal": "#/components/schemas/InternalTrustListEntity",
"external": "#/components/schemas/ExternalTrustListEntity"
}
}
}
},
"id": {
"type": "string"
},
"keyChainId": {
"type": "string"
}
},
"required": [
"entities"
]
}
Responses
{
"id": "string",
"description": "string",
"tenantId": "string",
"tenant": null,
"keyChainId": "string",
"keyChain": {
"id": "string",
"tenantId": "string",
"tenant": null,
"description": "string",
"usageType": "access",
"usage": "sign",
"kmsProvider": "string",
"externalKeyId": "string",
"rootKey": {},
"rootCertificate": "string",
"activeKey": {},
"activeCertificate": "string",
"rotationEnabled": true,
"rotationIntervalDays": 10.12,
"certValidityDays": 10.12,
"lastRotatedAt": "2022-04-13T15:42:05.901Z",
"previousKey": {},
"previousCertificate": "string",
"previousKeyExpiry": "2022-04-13T15:42:05.901Z",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
},
"data": {},
"entityConfig": [
{}
],
"sequenceNumber": 10.12,
"jwt": "string",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
}
Schema of the response body
{
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Unique identifier for the trust list"
},
"description": {
"type": "string"
},
"tenantId": {
"type": "string",
"description": "The tenant ID for which the VP request is made."
},
"tenant": {
"description": "The tenant that owns this object.",
"allOf": [
{
"$ref": "#/components/schemas/TenantEntity"
}
]
},
"keyChainId": {
"type": "string"
},
"keyChain": {
"$ref": "#/components/schemas/KeyChainEntity"
},
"data": {
"type": "object",
"description": "The full trust list JSON (generated LoTE structure)"
},
"entityConfig": {
"description": "The original entity configuration used to create this trust list.\nStored for round-tripping when editing.",
"type": "array",
"items": {
"type": "object"
}
},
"sequenceNumber": {
"type": "number",
"description": "The sequence number for versioning (incremented on updates)"
},
"jwt": {
"type": "string",
"description": "The signed JWT representation of this trust list"
},
"createdAt": {
"format": "date-time",
"type": "string"
},
"updatedAt": {
"format": "date-time",
"type": "string"
}
},
"required": [
"id",
"tenantId",
"tenant",
"keyChainId",
"keyChain",
"sequenceNumber",
"jwt",
"createdAt",
"updatedAt"
]
}
GET /api/trust-list¶
Returns all trust lists for the tenant
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Responses
[
{
"id": "string",
"description": "string",
"tenantId": "string",
"tenant": null,
"keyChainId": "string",
"keyChain": {
"id": "string",
"tenantId": "string",
"tenant": null,
"description": "string",
"usageType": "access",
"usage": "sign",
"kmsProvider": "string",
"externalKeyId": "string",
"rootKey": {},
"rootCertificate": "string",
"activeKey": {},
"activeCertificate": "string",
"rotationEnabled": true,
"rotationIntervalDays": 10.12,
"certValidityDays": 10.12,
"lastRotatedAt": "2022-04-13T15:42:05.901Z",
"previousKey": {},
"previousCertificate": "string",
"previousKeyExpiry": "2022-04-13T15:42:05.901Z",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
},
"data": {},
"entityConfig": [
{}
],
"sequenceNumber": 10.12,
"jwt": "string",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
}
]
GET /api/trust-list/{id}¶
Returns the trust list by id for the tenant
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Responses
{
"id": "string",
"description": "string",
"tenantId": "string",
"tenant": null,
"keyChainId": "string",
"keyChain": {
"id": "string",
"tenantId": "string",
"tenant": null,
"description": "string",
"usageType": "access",
"usage": "sign",
"kmsProvider": "string",
"externalKeyId": "string",
"rootKey": {},
"rootCertificate": "string",
"activeKey": {},
"activeCertificate": "string",
"rotationEnabled": true,
"rotationIntervalDays": 10.12,
"certValidityDays": 10.12,
"lastRotatedAt": "2022-04-13T15:42:05.901Z",
"previousKey": {},
"previousCertificate": "string",
"previousKeyExpiry": "2022-04-13T15:42:05.901Z",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
},
"data": {},
"entityConfig": [
{}
],
"sequenceNumber": 10.12,
"jwt": "string",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
}
Schema of the response body
{
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Unique identifier for the trust list"
},
"description": {
"type": "string"
},
"tenantId": {
"type": "string",
"description": "The tenant ID for which the VP request is made."
},
"tenant": {
"description": "The tenant that owns this object.",
"allOf": [
{
"$ref": "#/components/schemas/TenantEntity"
}
]
},
"keyChainId": {
"type": "string"
},
"keyChain": {
"$ref": "#/components/schemas/KeyChainEntity"
},
"data": {
"type": "object",
"description": "The full trust list JSON (generated LoTE structure)"
},
"entityConfig": {
"description": "The original entity configuration used to create this trust list.\nStored for round-tripping when editing.",
"type": "array",
"items": {
"type": "object"
}
},
"sequenceNumber": {
"type": "number",
"description": "The sequence number for versioning (incremented on updates)"
},
"jwt": {
"type": "string",
"description": "The signed JWT representation of this trust list"
},
"createdAt": {
"format": "date-time",
"type": "string"
},
"updatedAt": {
"format": "date-time",
"type": "string"
}
},
"required": [
"id",
"tenantId",
"tenant",
"keyChainId",
"keyChain",
"sequenceNumber",
"jwt",
"createdAt",
"updatedAt"
]
}
PUT /api/trust-list/{id}¶
Updates a trust list with new entities Creates a new version for audit and regenerates the JWT
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Request body
{
"description": "string",
"data": {},
"entities": [
null
],
"id": "string",
"keyChainId": "string"
}
Schema of the request body
{
"type": "object",
"properties": {
"description": {
"type": "string"
},
"data": {
"type": "object",
"description": "The full trust list JSON (generated LoTE structure)"
},
"entities": {
"type": "array",
"items": {
"oneOf": [
{
"$ref": "#/components/schemas/InternalTrustListEntity"
},
{
"$ref": "#/components/schemas/ExternalTrustListEntity"
}
],
"discriminator": {
"propertyName": "type",
"mapping": {
"internal": "#/components/schemas/InternalTrustListEntity",
"external": "#/components/schemas/ExternalTrustListEntity"
}
}
}
},
"id": {
"type": "string"
},
"keyChainId": {
"type": "string"
}
},
"required": [
"entities"
]
}
Responses
{
"id": "string",
"description": "string",
"tenantId": "string",
"tenant": null,
"keyChainId": "string",
"keyChain": {
"id": "string",
"tenantId": "string",
"tenant": null,
"description": "string",
"usageType": "access",
"usage": "sign",
"kmsProvider": "string",
"externalKeyId": "string",
"rootKey": {},
"rootCertificate": "string",
"activeKey": {},
"activeCertificate": "string",
"rotationEnabled": true,
"rotationIntervalDays": 10.12,
"certValidityDays": 10.12,
"lastRotatedAt": "2022-04-13T15:42:05.901Z",
"previousKey": {},
"previousCertificate": "string",
"previousKeyExpiry": "2022-04-13T15:42:05.901Z",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
},
"data": {},
"entityConfig": [
{}
],
"sequenceNumber": 10.12,
"jwt": "string",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
}
Schema of the response body
{
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Unique identifier for the trust list"
},
"description": {
"type": "string"
},
"tenantId": {
"type": "string",
"description": "The tenant ID for which the VP request is made."
},
"tenant": {
"description": "The tenant that owns this object.",
"allOf": [
{
"$ref": "#/components/schemas/TenantEntity"
}
]
},
"keyChainId": {
"type": "string"
},
"keyChain": {
"$ref": "#/components/schemas/KeyChainEntity"
},
"data": {
"type": "object",
"description": "The full trust list JSON (generated LoTE structure)"
},
"entityConfig": {
"description": "The original entity configuration used to create this trust list.\nStored for round-tripping when editing.",
"type": "array",
"items": {
"type": "object"
}
},
"sequenceNumber": {
"type": "number",
"description": "The sequence number for versioning (incremented on updates)"
},
"jwt": {
"type": "string",
"description": "The signed JWT representation of this trust list"
},
"createdAt": {
"format": "date-time",
"type": "string"
},
"updatedAt": {
"format": "date-time",
"type": "string"
}
},
"required": [
"id",
"tenantId",
"tenant",
"keyChainId",
"keyChain",
"sequenceNumber",
"jwt",
"createdAt",
"updatedAt"
]
}
DELETE /api/trust-list/{id}¶
Deletes a trust list
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Responses
GET /api/trust-list/{id}/export¶
Exports the trust list in LoTE format
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Responses
{
"description": "string",
"data": {},
"entities": [
null
],
"id": "string",
"keyChainId": "string"
}
Schema of the response body
{
"type": "object",
"properties": {
"description": {
"type": "string"
},
"data": {
"type": "object",
"description": "The full trust list JSON (generated LoTE structure)"
},
"entities": {
"type": "array",
"items": {
"oneOf": [
{
"$ref": "#/components/schemas/InternalTrustListEntity"
},
{
"$ref": "#/components/schemas/ExternalTrustListEntity"
}
],
"discriminator": {
"propertyName": "type",
"mapping": {
"internal": "#/components/schemas/InternalTrustListEntity",
"external": "#/components/schemas/ExternalTrustListEntity"
}
}
}
},
"id": {
"type": "string"
},
"keyChainId": {
"type": "string"
}
},
"required": [
"entities"
]
}
GET /api/trust-list/{id}/versions¶
Returns the version history for a trust list
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Responses
[
{
"id": "string",
"trustListId": "string",
"trustList": {
"id": "string",
"description": "string",
"tenantId": "string",
"tenant": null,
"keyChainId": "string",
"keyChain": {
"id": "string",
"tenantId": "string",
"tenant": null,
"description": "string",
"usageType": "access",
"usage": "sign",
"kmsProvider": "string",
"externalKeyId": "string",
"rootKey": {},
"rootCertificate": "string",
"activeKey": {},
"activeCertificate": "string",
"rotationEnabled": true,
"rotationIntervalDays": 10.12,
"certValidityDays": 10.12,
"lastRotatedAt": "2022-04-13T15:42:05.901Z",
"previousKey": {},
"previousCertificate": "string",
"previousKeyExpiry": "2022-04-13T15:42:05.901Z",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
},
"data": {},
"entityConfig": [
{}
],
"sequenceNumber": 10.12,
"jwt": "string",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
},
"tenantId": "string",
"sequenceNumber": 10.12,
"data": {},
"entityConfig": {},
"jwt": "string",
"createdAt": "2022-04-13T15:42:05.901Z"
}
]
GET /api/trust-list/{id}/versions/{versionId}¶
Returns a specific version of a trust list
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No | ||
versionId |
path | string | No |
Responses
{
"id": "string",
"trustListId": "string",
"trustList": {
"id": "string",
"description": "string",
"tenantId": "string",
"tenant": null,
"keyChainId": "string",
"keyChain": {
"id": "string",
"tenantId": "string",
"tenant": null,
"description": "string",
"usageType": "access",
"usage": "sign",
"kmsProvider": "string",
"externalKeyId": "string",
"rootKey": {},
"rootCertificate": "string",
"activeKey": {},
"activeCertificate": "string",
"rotationEnabled": true,
"rotationIntervalDays": 10.12,
"certValidityDays": 10.12,
"lastRotatedAt": "2022-04-13T15:42:05.901Z",
"previousKey": {},
"previousCertificate": "string",
"previousKeyExpiry": "2022-04-13T15:42:05.901Z",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
},
"data": {},
"entityConfig": [
{}
],
"sequenceNumber": 10.12,
"jwt": "string",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
},
"tenantId": "string",
"sequenceNumber": 10.12,
"data": {},
"entityConfig": {},
"jwt": "string",
"createdAt": "2022-04-13T15:42:05.901Z"
}
Schema of the response body
{
"type": "object",
"properties": {
"id": {
"type": "string"
},
"trustListId": {
"type": "string"
},
"trustList": {
"$ref": "#/components/schemas/TrustList"
},
"tenantId": {
"type": "string"
},
"sequenceNumber": {
"type": "number",
"description": "The sequence number at the time this version was created"
},
"data": {
"type": "object",
"description": "The full trust list JSON at this version"
},
"entityConfig": {
"type": "object",
"description": "The entity configuration at this version"
},
"jwt": {
"type": "string",
"description": "The signed JWT at this version"
},
"createdAt": {
"format": "date-time",
"type": "string"
}
},
"required": [
"id",
"trustListId",
"trustList",
"tenantId",
"sequenceNumber",
"data",
"jwt",
"createdAt"
]
}
Verifier¶
GET /api/verifier/config¶
Returns the presentation request configurations.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Responses
[
{
"registrationCertCache": "",
"id": "string",
"tenant": null,
"description": "string",
"lifeTime": 10.12,
"dcql_query": null,
"transaction_data": [
{
"type": "string",
"credential_ids": [
"string"
]
}
],
"registrationCert": {},
"webhook": {},
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z",
"attached": [
{
"format": "string",
"data": {},
"credential_ids": [
"string"
]
}
],
"redirectUri": "https://example.com/callback?session={sessionId}",
"accessKeyChainId": "string"
}
]
POST /api/verifier/config¶
Store a presentation request configuration. If it already exists, it will be updated.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Request body
{
"id": "string",
"description": "string",
"lifeTime": 10.12,
"dcql_query": null,
"transaction_data": [
{
"type": "string",
"credential_ids": [
"string"
]
}
],
"registrationCert": {},
"webhook": {},
"attached": [
{
"format": "string",
"data": {},
"credential_ids": [
"string"
]
}
],
"redirectUri": "https://example.com/callback?session={sessionId}",
"accessKeyChainId": "string"
}
Schema of the request body
{
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Unique identifier for the VP request."
},
"description": {
"type": "string",
"nullable": true,
"description": "Description of the presentation configuration."
},
"lifeTime": {
"type": "number",
"description": "Lifetime how long the presentation request is valid after creation, in seconds."
},
"dcql_query": {
"description": "The DCQL query to be used for the VP request.",
"allOf": [
{
"$ref": "#/components/schemas/DCQL"
}
]
},
"transaction_data": {
"type": "array",
"items": {
"$ref": "#/components/schemas/TransactionData"
}
},
"registrationCert": {
"nullable": true,
"description": "The registration certificate request containing the necessary details.",
"type": "object",
"allOf": [
{
"$ref": "#/components/schemas/RegistrationCertificateRequest"
}
]
},
"webhook": {
"nullable": true,
"description": "Optional webhook URL to receive the response.",
"type": "object",
"allOf": [
{
"$ref": "#/components/schemas/WebhookConfig"
}
]
},
"attached": {
"nullable": true,
"description": "Attestation that should be attached",
"type": "array",
"items": {
"$ref": "#/components/schemas/PresentationAttachment"
}
},
"redirectUri": {
"type": "string",
"nullable": true,
"description": "Redirect URI to which the user-agent should be redirected after the presentation is completed.\nYou can use the `{sessionId}` placeholder in the URI, which will be replaced with the actual session ID.",
"example": "https://example.com/callback?session={sessionId}"
},
"accessKeyChainId": {
"type": "string",
"nullable": true,
"description": "Optional ID of the access certificate to use for signing the presentation request.\nIf not provided, the default access certificate for the tenant will be used.\n\nNote: This is intentionally NOT a TypeORM relationship because CertEntity uses\na composite primary key (id + tenantId), and SQLite cannot create foreign keys\nthat reference only part of a composite primary key. The relationship is handled\nat the application level in the service layer."
}
},
"required": [
"id",
"dcql_query"
]
}
Responses
{
"registrationCertCache": "",
"id": "string",
"tenant": null,
"description": "string",
"lifeTime": 10.12,
"dcql_query": null,
"transaction_data": [
{
"type": "string",
"credential_ids": [
"string"
]
}
],
"registrationCert": {},
"webhook": {},
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z",
"attached": [
{
"format": "string",
"data": {},
"credential_ids": [
"string"
]
}
],
"redirectUri": "https://example.com/callback?session={sessionId}",
"accessKeyChainId": "string"
}
Schema of the response body
{
"type": "object",
"properties": {
"registrationCertCache": {
"type": "object",
"nullable": true,
"description": "Server-managed cache of the materialized registration certificate. Read-only; values supplied by clients are ignored.",
"example": "",
"readOnly": true,
"additionalProperties": true
},
"id": {
"type": "string",
"description": "Unique identifier for the VP request."
},
"tenant": {
"description": "The tenant that owns this object.",
"allOf": [
{
"$ref": "#/components/schemas/TenantEntity"
}
]
},
"description": {
"type": "string",
"nullable": true,
"description": "Description of the presentation configuration."
},
"lifeTime": {
"type": "number",
"description": "Lifetime how long the presentation request is valid after creation, in seconds."
},
"dcql_query": {
"description": "The DCQL query to be used for the VP request.",
"allOf": [
{
"$ref": "#/components/schemas/DCQL"
}
]
},
"transaction_data": {
"type": "array",
"items": {
"$ref": "#/components/schemas/TransactionData"
}
},
"registrationCert": {
"nullable": true,
"description": "The registration certificate request containing the necessary details.",
"type": "object",
"allOf": [
{
"$ref": "#/components/schemas/RegistrationCertificateRequest"
}
]
},
"webhook": {
"nullable": true,
"description": "Optional webhook URL to receive the response.",
"type": "object",
"allOf": [
{
"$ref": "#/components/schemas/WebhookConfig"
}
]
},
"createdAt": {
"format": "date-time",
"type": "string",
"description": "The timestamp when the VP request was created."
},
"updatedAt": {
"format": "date-time",
"type": "string",
"description": "The timestamp when the VP request was last updated."
},
"attached": {
"nullable": true,
"description": "Attestation that should be attached",
"type": "array",
"items": {
"$ref": "#/components/schemas/PresentationAttachment"
}
},
"redirectUri": {
"type": "string",
"nullable": true,
"description": "Redirect URI to which the user-agent should be redirected after the presentation is completed.\nYou can use the `{sessionId}` placeholder in the URI, which will be replaced with the actual session ID.",
"example": "https://example.com/callback?session={sessionId}"
},
"accessKeyChainId": {
"type": "string",
"nullable": true,
"description": "Optional ID of the access certificate to use for signing the presentation request.\nIf not provided, the default access certificate for the tenant will be used.\n\nNote: This is intentionally NOT a TypeORM relationship because CertEntity uses\na composite primary key (id + tenantId), and SQLite cannot create foreign keys\nthat reference only part of a composite primary key. The relationship is handled\nat the application level in the service layer."
}
},
"required": [
"id",
"tenant",
"dcql_query",
"createdAt",
"updatedAt"
]
}
POST /api/verifier/config/issuer-metadata/resolve¶
Resolve external issuer metadata
Description
Fetches OpenID4VCI credential issuer metadata from an external issuer URL on the server side.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Request body
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
Responses
GET /api/verifier/config/{id}¶
Get a presentation request configuration by its ID.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Responses
{
"registrationCertCache": "",
"id": "string",
"tenant": null,
"description": "string",
"lifeTime": 10.12,
"dcql_query": null,
"transaction_data": [
{
"type": "string",
"credential_ids": [
"string"
]
}
],
"registrationCert": {},
"webhook": {},
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z",
"attached": [
{
"format": "string",
"data": {},
"credential_ids": [
"string"
]
}
],
"redirectUri": "https://example.com/callback?session={sessionId}",
"accessKeyChainId": "string"
}
Schema of the response body
{
"type": "object",
"properties": {
"registrationCertCache": {
"type": "object",
"nullable": true,
"description": "Server-managed cache of the materialized registration certificate. Read-only; values supplied by clients are ignored.",
"example": "",
"readOnly": true,
"additionalProperties": true
},
"id": {
"type": "string",
"description": "Unique identifier for the VP request."
},
"tenant": {
"description": "The tenant that owns this object.",
"allOf": [
{
"$ref": "#/components/schemas/TenantEntity"
}
]
},
"description": {
"type": "string",
"nullable": true,
"description": "Description of the presentation configuration."
},
"lifeTime": {
"type": "number",
"description": "Lifetime how long the presentation request is valid after creation, in seconds."
},
"dcql_query": {
"description": "The DCQL query to be used for the VP request.",
"allOf": [
{
"$ref": "#/components/schemas/DCQL"
}
]
},
"transaction_data": {
"type": "array",
"items": {
"$ref": "#/components/schemas/TransactionData"
}
},
"registrationCert": {
"nullable": true,
"description": "The registration certificate request containing the necessary details.",
"type": "object",
"allOf": [
{
"$ref": "#/components/schemas/RegistrationCertificateRequest"
}
]
},
"webhook": {
"nullable": true,
"description": "Optional webhook URL to receive the response.",
"type": "object",
"allOf": [
{
"$ref": "#/components/schemas/WebhookConfig"
}
]
},
"createdAt": {
"format": "date-time",
"type": "string",
"description": "The timestamp when the VP request was created."
},
"updatedAt": {
"format": "date-time",
"type": "string",
"description": "The timestamp when the VP request was last updated."
},
"attached": {
"nullable": true,
"description": "Attestation that should be attached",
"type": "array",
"items": {
"$ref": "#/components/schemas/PresentationAttachment"
}
},
"redirectUri": {
"type": "string",
"nullable": true,
"description": "Redirect URI to which the user-agent should be redirected after the presentation is completed.\nYou can use the `{sessionId}` placeholder in the URI, which will be replaced with the actual session ID.",
"example": "https://example.com/callback?session={sessionId}"
},
"accessKeyChainId": {
"type": "string",
"nullable": true,
"description": "Optional ID of the access certificate to use for signing the presentation request.\nIf not provided, the default access certificate for the tenant will be used.\n\nNote: This is intentionally NOT a TypeORM relationship because CertEntity uses\na composite primary key (id + tenantId), and SQLite cannot create foreign keys\nthat reference only part of a composite primary key. The relationship is handled\nat the application level in the service layer."
}
},
"required": [
"id",
"tenant",
"dcql_query",
"createdAt",
"updatedAt"
]
}
PATCH /api/verifier/config/{id}¶
Update a presentation request configuration by its ID.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Request body
{
"id": "string",
"description": "string",
"lifeTime": 10.12,
"dcql_query": null,
"transaction_data": [
{
"type": "string",
"credential_ids": [
"string"
]
}
],
"registrationCert": {},
"webhook": {},
"attached": [
{
"format": "string",
"data": {},
"credential_ids": [
"string"
]
}
],
"redirectUri": "https://example.com/callback?session={sessionId}",
"accessKeyChainId": "string"
}
Schema of the request body
{
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Unique identifier for the VP request."
},
"description": {
"type": "string",
"nullable": true,
"description": "Description of the presentation configuration."
},
"lifeTime": {
"type": "number",
"description": "Lifetime how long the presentation request is valid after creation, in seconds."
},
"dcql_query": {
"description": "The DCQL query to be used for the VP request.",
"allOf": [
{
"$ref": "#/components/schemas/DCQL"
}
]
},
"transaction_data": {
"type": "array",
"items": {
"$ref": "#/components/schemas/TransactionData"
}
},
"registrationCert": {
"nullable": true,
"description": "The registration certificate request containing the necessary details.",
"type": "object",
"allOf": [
{
"$ref": "#/components/schemas/RegistrationCertificateRequest"
}
]
},
"webhook": {
"nullable": true,
"description": "Optional webhook URL to receive the response.",
"type": "object",
"allOf": [
{
"$ref": "#/components/schemas/WebhookConfig"
}
]
},
"attached": {
"nullable": true,
"description": "Attestation that should be attached",
"type": "array",
"items": {
"$ref": "#/components/schemas/PresentationAttachment"
}
},
"redirectUri": {
"type": "string",
"nullable": true,
"description": "Redirect URI to which the user-agent should be redirected after the presentation is completed.\nYou can use the `{sessionId}` placeholder in the URI, which will be replaced with the actual session ID.",
"example": "https://example.com/callback?session={sessionId}"
},
"accessKeyChainId": {
"type": "string",
"nullable": true,
"description": "Optional ID of the access certificate to use for signing the presentation request.\nIf not provided, the default access certificate for the tenant will be used.\n\nNote: This is intentionally NOT a TypeORM relationship because CertEntity uses\na composite primary key (id + tenantId), and SQLite cannot create foreign keys\nthat reference only part of a composite primary key. The relationship is handled\nat the application level in the service layer."
}
}
}
Responses
{
"registrationCertCache": "",
"id": "string",
"tenant": null,
"description": "string",
"lifeTime": 10.12,
"dcql_query": null,
"transaction_data": [
{
"type": "string",
"credential_ids": [
"string"
]
}
],
"registrationCert": {},
"webhook": {},
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z",
"attached": [
{
"format": "string",
"data": {},
"credential_ids": [
"string"
]
}
],
"redirectUri": "https://example.com/callback?session={sessionId}",
"accessKeyChainId": "string"
}
Schema of the response body
{
"type": "object",
"properties": {
"registrationCertCache": {
"type": "object",
"nullable": true,
"description": "Server-managed cache of the materialized registration certificate. Read-only; values supplied by clients are ignored.",
"example": "",
"readOnly": true,
"additionalProperties": true
},
"id": {
"type": "string",
"description": "Unique identifier for the VP request."
},
"tenant": {
"description": "The tenant that owns this object.",
"allOf": [
{
"$ref": "#/components/schemas/TenantEntity"
}
]
},
"description": {
"type": "string",
"nullable": true,
"description": "Description of the presentation configuration."
},
"lifeTime": {
"type": "number",
"description": "Lifetime how long the presentation request is valid after creation, in seconds."
},
"dcql_query": {
"description": "The DCQL query to be used for the VP request.",
"allOf": [
{
"$ref": "#/components/schemas/DCQL"
}
]
},
"transaction_data": {
"type": "array",
"items": {
"$ref": "#/components/schemas/TransactionData"
}
},
"registrationCert": {
"nullable": true,
"description": "The registration certificate request containing the necessary details.",
"type": "object",
"allOf": [
{
"$ref": "#/components/schemas/RegistrationCertificateRequest"
}
]
},
"webhook": {
"nullable": true,
"description": "Optional webhook URL to receive the response.",
"type": "object",
"allOf": [
{
"$ref": "#/components/schemas/WebhookConfig"
}
]
},
"createdAt": {
"format": "date-time",
"type": "string",
"description": "The timestamp when the VP request was created."
},
"updatedAt": {
"format": "date-time",
"type": "string",
"description": "The timestamp when the VP request was last updated."
},
"attached": {
"nullable": true,
"description": "Attestation that should be attached",
"type": "array",
"items": {
"$ref": "#/components/schemas/PresentationAttachment"
}
},
"redirectUri": {
"type": "string",
"nullable": true,
"description": "Redirect URI to which the user-agent should be redirected after the presentation is completed.\nYou can use the `{sessionId}` placeholder in the URI, which will be replaced with the actual session ID.",
"example": "https://example.com/callback?session={sessionId}"
},
"accessKeyChainId": {
"type": "string",
"nullable": true,
"description": "Optional ID of the access certificate to use for signing the presentation request.\nIf not provided, the default access certificate for the tenant will be used.\n\nNote: This is intentionally NOT a TypeORM relationship because CertEntity uses\na composite primary key (id + tenantId), and SQLite cannot create foreign keys\nthat reference only part of a composite primary key. The relationship is handled\nat the application level in the service layer."
}
},
"required": [
"id",
"tenant",
"dcql_query",
"createdAt",
"updatedAt"
]
}
DELETE /api/verifier/config/{id}¶
Deletes a presentation request configuration by its ID.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Responses
POST /api/verifier/config/{id}/registration-cert/reissue¶
Reissue the registration certificate cache
Description
Bypasses the embedded registration-certificate cache and re-resolves it from the configured registrar.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Responses
POST /api/verifier/offer¶
Create an presentation request that can be sent to the user
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Request body
Schema of the request body
{
"type": "object",
"properties": {
"response_type": {
"type": "string",
"description": "The type of response expected from the presentation request.",
"enum": [
"uri",
"dc-api"
]
},
"requestId": {
"type": "string",
"description": "Identifier of the presentation configuration"
},
"webhook": {
"description": "Webhook configuration to receive the response.\nIf not provided, the configured webhook from the configuration will be used.",
"allOf": [
{
"$ref": "#/components/schemas/WebhookConfig"
}
]
},
"redirectUri": {
"type": "string",
"description": "Optional redirect URI to which the user-agent should be redirected after the presentation is completed.\nYou can use the `{sessionId}` placeholder in the URI, which will be replaced with the actual session ID.",
"example": "https://example.com/callback?session={sessionId}"
},
"transaction_data": {
"description": "Optional transaction data to include in the OID4VP request.\nIf provided, this will override the transaction_data from the presentation configuration.",
"type": "array",
"items": {
"$ref": "#/components/schemas/TransactionData"
}
}
},
"required": [
"response_type",
"requestId"
]
}
Responses
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
Cache Management¶
GET /api/cache/stats¶
Get cache statistics
Description
Returns statistics about the trust list and status list caches.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Responses
DELETE /api/cache¶
Clear all caches
Description
Clears both trust list and status list caches. Next verification will fetch fresh data.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Responses
DELETE /api/cache/trust-list¶
Clear trust list cache
Description
Clears the trust list cache. Next verification will fetch fresh trust lists.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Responses
DELETE /api/cache/status-list¶
Clear status list cache
Description
Clears the status list (revocation) cache. Next status check will fetch fresh status lists.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Responses
Registrar¶
GET /api/registrar/config¶
Get registrar configuration
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Responses
{
"registrarUrl": "https://sandbox.eudi-wallet.org/api",
"oidcUrl": "https://auth.example.com/realms/my-realm",
"clientId": "registrar-client",
"clientSecret": "string",
"username": "admin@example.com",
"registrationCertificateDefaults": {},
"hasPassword": true
}
Schema of the response body
{
"type": "object",
"properties": {
"registrarUrl": {
"type": "string",
"description": "The base URL of the registrar API",
"format": "uri",
"example": "https://sandbox.eudi-wallet.org/api"
},
"oidcUrl": {
"type": "string",
"description": "The OIDC issuer URL for authentication (e.g., Keycloak realm URL)",
"format": "uri",
"example": "https://auth.example.com/realms/my-realm"
},
"clientId": {
"type": "string",
"description": "The OIDC client ID for the registrar",
"example": "registrar-client"
},
"clientSecret": {
"type": "string",
"description": "The OIDC client secret (optional, for confidential clients)"
},
"username": {
"type": "string",
"description": "The username for OIDC login",
"example": "admin@example.com"
},
"registrationCertificateDefaults": {
"type": "object",
"nullable": true,
"description": "Optional default values merged into registration certificate creation requests (for example privacy_policy, support_uri, provided_attestations)",
"additionalProperties": true
},
"hasPassword": {
"type": "boolean",
"description": "Indicates whether a password is configured (actual password is never returned)",
"example": true
}
},
"required": [
"registrarUrl",
"oidcUrl",
"clientId",
"username",
"hasPassword"
]
}
POST /api/registrar/config¶
Create or replace registrar configuration
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Request body
{
"registrarUrl": "https://sandbox.eudi-wallet.org/api",
"oidcUrl": "https://auth.example.com/realms/my-realm",
"clientId": "registrar-client",
"clientSecret": "string",
"username": "admin@example.com",
"password": "string",
"registrationCertificateDefaults": {}
}
Schema of the request body
{
"type": "object",
"properties": {
"registrarUrl": {
"type": "string",
"description": "The base URL of the registrar API",
"format": "uri",
"example": "https://sandbox.eudi-wallet.org/api"
},
"oidcUrl": {
"type": "string",
"description": "The OIDC issuer URL for authentication (e.g., Keycloak realm URL)",
"format": "uri",
"example": "https://auth.example.com/realms/my-realm"
},
"clientId": {
"type": "string",
"description": "The OIDC client ID for the registrar",
"example": "registrar-client"
},
"clientSecret": {
"type": "string",
"description": "The OIDC client secret (optional, for confidential clients)"
},
"username": {
"type": "string",
"description": "The username for OIDC login",
"example": "admin@example.com"
},
"password": {
"type": "string",
"description": "The password for OIDC login (stored in plaintext)"
},
"registrationCertificateDefaults": {
"type": "object",
"nullable": true,
"description": "Optional default values merged into registration certificate creation requests (for example privacy_policy, support_uri, provided_attestations)",
"additionalProperties": true
}
},
"required": [
"registrarUrl",
"oidcUrl",
"clientId",
"username",
"password"
]
}
Responses
{
"registrarUrl": "https://sandbox.eudi-wallet.org/api",
"oidcUrl": "https://auth.example.com/realms/my-realm",
"clientId": "registrar-client",
"clientSecret": "string",
"username": "admin@example.com",
"registrationCertificateDefaults": {},
"hasPassword": true
}
Schema of the response body
{
"type": "object",
"properties": {
"registrarUrl": {
"type": "string",
"description": "The base URL of the registrar API",
"format": "uri",
"example": "https://sandbox.eudi-wallet.org/api"
},
"oidcUrl": {
"type": "string",
"description": "The OIDC issuer URL for authentication (e.g., Keycloak realm URL)",
"format": "uri",
"example": "https://auth.example.com/realms/my-realm"
},
"clientId": {
"type": "string",
"description": "The OIDC client ID for the registrar",
"example": "registrar-client"
},
"clientSecret": {
"type": "string",
"description": "The OIDC client secret (optional, for confidential clients)"
},
"username": {
"type": "string",
"description": "The username for OIDC login",
"example": "admin@example.com"
},
"registrationCertificateDefaults": {
"type": "object",
"nullable": true,
"description": "Optional default values merged into registration certificate creation requests (for example privacy_policy, support_uri, provided_attestations)",
"additionalProperties": true
},
"hasPassword": {
"type": "boolean",
"description": "Indicates whether a password is configured (actual password is never returned)",
"example": true
}
},
"required": [
"registrarUrl",
"oidcUrl",
"clientId",
"username",
"hasPassword"
]
}
PATCH /api/registrar/config¶
Update registrar configuration
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Request body
{
"registrarUrl": "https://sandbox.eudi-wallet.org/api",
"oidcUrl": "https://auth.example.com/realms/my-realm",
"clientId": "registrar-client",
"clientSecret": "string",
"username": "admin@example.com",
"password": "string",
"registrationCertificateDefaults": {}
}
Schema of the request body
{
"type": "object",
"properties": {
"registrarUrl": {
"type": "string",
"description": "The base URL of the registrar API",
"format": "uri",
"example": "https://sandbox.eudi-wallet.org/api"
},
"oidcUrl": {
"type": "string",
"description": "The OIDC issuer URL for authentication (e.g., Keycloak realm URL)",
"format": "uri",
"example": "https://auth.example.com/realms/my-realm"
},
"clientId": {
"type": "string",
"description": "The OIDC client ID for the registrar",
"example": "registrar-client"
},
"clientSecret": {
"type": "string",
"description": "The OIDC client secret (optional, for confidential clients)"
},
"username": {
"type": "string",
"description": "The username for OIDC login",
"example": "admin@example.com"
},
"password": {
"type": "string",
"description": "The password for OIDC login (stored in plaintext)"
},
"registrationCertificateDefaults": {
"type": "object",
"nullable": true,
"description": "Optional default values merged into registration certificate creation requests (for example privacy_policy, support_uri, provided_attestations)",
"additionalProperties": true
}
}
}
Responses
{
"registrarUrl": "https://sandbox.eudi-wallet.org/api",
"oidcUrl": "https://auth.example.com/realms/my-realm",
"clientId": "registrar-client",
"clientSecret": "string",
"username": "admin@example.com",
"registrationCertificateDefaults": {},
"hasPassword": true
}
Schema of the response body
{
"type": "object",
"properties": {
"registrarUrl": {
"type": "string",
"description": "The base URL of the registrar API",
"format": "uri",
"example": "https://sandbox.eudi-wallet.org/api"
},
"oidcUrl": {
"type": "string",
"description": "The OIDC issuer URL for authentication (e.g., Keycloak realm URL)",
"format": "uri",
"example": "https://auth.example.com/realms/my-realm"
},
"clientId": {
"type": "string",
"description": "The OIDC client ID for the registrar",
"example": "registrar-client"
},
"clientSecret": {
"type": "string",
"description": "The OIDC client secret (optional, for confidential clients)"
},
"username": {
"type": "string",
"description": "The username for OIDC login",
"example": "admin@example.com"
},
"registrationCertificateDefaults": {
"type": "object",
"nullable": true,
"description": "Optional default values merged into registration certificate creation requests (for example privacy_policy, support_uri, provided_attestations)",
"additionalProperties": true
},
"hasPassword": {
"type": "boolean",
"description": "Indicates whether a password is configured (actual password is never returned)",
"example": true
}
},
"required": [
"registrarUrl",
"oidcUrl",
"clientId",
"username",
"hasPassword"
]
}
DELETE /api/registrar/config¶
Delete registrar configuration
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Responses
POST /api/registrar/access-certificate¶
Create an access certificate for a key
Description
Creates an access certificate at the registrar for the specified key. Requires a relying party to be already registered at the registrar. The certificate is automatically stored in EUDIPLO.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Request body
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
Responses
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
Key Chain¶
GET /api/key-chain/providers¶
Get available KMS providers
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Responses
{
"providers": [
{
"name": "main-vault",
"type": "vault",
"description": "Production HashiCorp Vault",
"capabilities": null
}
],
"default": "db"
}
Schema of the response body
{
"type": "object",
"properties": {
"providers": {
"description": "Detailed info for each registered KMS provider.",
"type": "array",
"items": {
"$ref": "#/components/schemas/KmsProviderInfoDto"
}
},
"default": {
"type": "string",
"description": "The default KMS provider name.",
"example": "db"
}
},
"required": [
"providers",
"default"
]
}
GET /api/key-chain¶
List all key chains for the tenant
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Responses
[
{
"id": "string",
"usageType": "access",
"type": "standalone",
"description": "string",
"kmsProvider": "string",
"rootCertificate": null,
"activePublicKey": null,
"activeCertificate": null,
"previousPublicKey": null,
"previousCertificate": null,
"previousKeyExpiry": "2022-04-13T15:42:05.901Z",
"rotationPolicy": null,
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
}
]
POST /api/key-chain¶
Create a new key chain
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Request body
{
"usageType": "attestation",
"type": "internalChain",
"description": "Production credential signing key",
"kmsProvider": "vault",
"rotationPolicy": null
}
Schema of the request body
{
"type": "object",
"properties": {
"usageType": {
"enum": [
"access",
"attestation",
"trustList",
"statusList",
"encrypt"
],
"type": "string",
"description": "Usage type determines the purpose of this key chain (access, attestation, etc.).",
"example": "attestation"
},
"type": {
"enum": [
"standalone",
"internalChain"
],
"type": "string",
"description": "Type of key chain to create.",
"example": "internalChain"
},
"description": {
"type": "string",
"description": "Human-readable description for the key chain.",
"example": "Production credential signing key"
},
"kmsProvider": {
"type": "string",
"description": "KMS provider to use (defaults to the configured default provider).",
"example": "vault"
},
"rotationPolicy": {
"description": "Rotation policy configuration. Only applicable for the signing key (root CA never rotates).",
"allOf": [
{
"$ref": "#/components/schemas/RotationPolicyCreateDto"
}
]
}
},
"required": [
"usageType",
"type"
]
}
Responses
GET /api/key-chain/{id}¶
Get a key chain by ID
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Responses
{
"id": "string",
"usageType": "access",
"type": "standalone",
"description": "string",
"kmsProvider": "string",
"rootCertificate": null,
"activePublicKey": null,
"activeCertificate": null,
"previousPublicKey": null,
"previousCertificate": null,
"previousKeyExpiry": "2022-04-13T15:42:05.901Z",
"rotationPolicy": null,
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
}
Schema of the response body
{
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Unique identifier for the key chain."
},
"usageType": {
"enum": [
"access",
"attestation",
"trustList",
"statusList",
"encrypt"
],
"type": "string",
"description": "Usage type of the key chain."
},
"type": {
"enum": [
"standalone",
"internalChain"
],
"type": "string",
"description": "Type of key chain (standalone or internalChain)."
},
"description": {
"type": "string",
"description": "Human-readable description."
},
"kmsProvider": {
"type": "string",
"description": "KMS provider used for this key chain."
},
"rootCertificate": {
"description": "Root CA certificate (only for internalChain type).",
"allOf": [
{
"$ref": "#/components/schemas/CertificateInfoDto"
}
]
},
"activePublicKey": {
"description": "Active signing key's public key info.",
"allOf": [
{
"$ref": "#/components/schemas/PublicKeyInfoDto"
}
]
},
"activeCertificate": {
"description": "Active signing key's certificate. Not present for encryption keys.",
"allOf": [
{
"$ref": "#/components/schemas/CertificateInfoDto"
}
]
},
"previousPublicKey": {
"description": "Previous signing key's public key info (if in grace period).",
"allOf": [
{
"$ref": "#/components/schemas/PublicKeyInfoDto"
}
]
},
"previousCertificate": {
"description": "Previous signing key's certificate (if in grace period).",
"allOf": [
{
"$ref": "#/components/schemas/CertificateInfoDto"
}
]
},
"previousKeyExpiry": {
"format": "date-time",
"type": "string",
"description": "Previous key expiry date."
},
"rotationPolicy": {
"description": "Rotation policy configuration.",
"allOf": [
{
"$ref": "#/components/schemas/RotationPolicyResponseDto"
}
]
},
"createdAt": {
"format": "date-time",
"type": "string",
"description": "Timestamp when the key chain was created."
},
"updatedAt": {
"format": "date-time",
"type": "string",
"description": "Timestamp when the key chain was last updated."
}
},
"required": [
"id",
"usageType",
"type",
"kmsProvider",
"activePublicKey",
"rotationPolicy",
"createdAt",
"updatedAt"
]
}
PUT /api/key-chain/{id}¶
Update key chain metadata and rotation policy
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Request body
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
Schema of the request body
{
"type": "object",
"properties": {
"description": {
"type": "string",
"description": "Human-readable description for the key chain."
},
"rotationPolicy": {
"description": "Rotation policy configuration.",
"allOf": [
{
"$ref": "#/components/schemas/RotationPolicyUpdateDto"
}
]
},
"activeCertificate": {
"type": "string",
"description": "Active certificate chain in PEM format. Used for external certificate updates."
}
}
}
Responses
DELETE /api/key-chain/{id}¶
Delete a key chain
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Responses
GET /api/key-chain/{id}/export¶
Export a key chain in config-import format
Description
Returns the key chain including private key material in the same format used by config import JSON files.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Responses
{
"id": "string",
"description": "string",
"usageType": "access",
"key": null,
"crt": [
"string"
],
"kmsProvider": "string",
"rotationPolicy": null
}
Schema of the response body
{
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Key chain ID."
},
"description": {
"type": "string",
"description": "Human-readable description."
},
"usageType": {
"enum": [
"access",
"attestation",
"trustList",
"statusList",
"encrypt"
],
"type": "string",
"description": "Usage type for this key chain."
},
"key": {
"description": "The private key in JWK format (EC).",
"allOf": [
{
"$ref": "#/components/schemas/ExportEcJwk"
}
]
},
"crt": {
"description": "Certificate chain in PEM format (leaf first, then intermediates/CA).",
"type": "array",
"items": {
"type": "string"
}
},
"kmsProvider": {
"type": "string",
"description": "KMS provider name."
},
"rotationPolicy": {
"description": "Rotation policy.",
"allOf": [
{
"$ref": "#/components/schemas/ExportRotationPolicyDto"
}
]
}
},
"required": [
"id",
"usageType",
"key"
]
}
POST /api/key-chain/import¶
Import an existing key chain
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Request body
{
"id": "string",
"key": null,
"description": "string",
"usageType": "access",
"crt": [
"string"
],
"kmsProvider": "string",
"rotationPolicy": null
}
Schema of the request body
{
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "ID for the key chain. If not provided, a new UUID will be generated."
},
"key": {
"description": "The private key in JWK format.",
"allOf": [
{
"$ref": "#/components/schemas/EcJwk"
}
]
},
"description": {
"type": "string",
"description": "Human-readable description."
},
"usageType": {
"enum": [
"access",
"attestation",
"trustList",
"statusList",
"encrypt"
],
"type": "string",
"description": "Usage type for this key chain."
},
"crt": {
"description": "Certificate chain in PEM format (leaf first, then intermediates/CA).",
"type": "array",
"items": {
"type": "string"
}
},
"kmsProvider": {
"type": "string",
"description": "KMS provider to use. Defaults to 'db'."
},
"rotationPolicy": {
"description": "Rotation policy. When enabled, the imported key becomes a root CA and a new leaf key is generated.",
"allOf": [
{
"$ref": "#/components/schemas/RotationPolicyImportDto"
}
]
}
},
"required": [
"key",
"usageType"
]
}
Responses
POST /api/key-chain/{id}/rotate¶
Rotate the signing key in a key chain
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No | |
id |
path | string | No |
Responses
Storage¶
POST /api/storage¶
Upload files that belong to a tenant like images
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth2 |
header | string | N/A | No |
Request body
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
Responses
Schemas¶
AllowListPolicy¶
| Name | Type | Description |
|---|---|---|
policy |
string | |
values |
Array<string> |
ApiKeyConfig¶
| Name | Type | Description |
|---|---|---|
headerName |
string | The name of the header where the API key will be sent. |
value |
string | The value of the API key to be sent in the header. |
AttestationBasedPolicy¶
| Name | Type | Description |
|---|---|---|
policy |
string | |
values |
Array<PolicyCredential> |
AttributeProviderEntity¶
| Name | Type | Description |
|---|---|---|
auth |
||
description |
string | null | |
id |
string | |
name |
string | |
tenant |
TenantEntity | |
tenantId |
string | |
url |
string |
AuthenticationMethodAuth¶
| Name | Type | Description |
|---|---|---|
config |
AuthenticationUrlConfig | |
method |
string |
AuthenticationMethodNone¶
| Name | Type | Description |
|---|---|---|
method |
string |
AuthenticationMethodPresentation¶
| Name | Type | Description |
|---|---|---|
config |
PresentationDuringIssuanceConfig | |
method |
string |
AuthenticationUrlConfig¶
| Name | Type | Description |
|---|---|---|
url |
string | The URL used in the OID4VCI authorized code flow. This URL is where users will be redirected for authentication. |
webhook |
Optional webhook configuration for authentication callbacks |
AuthorizationResponse¶
| Name | Type | Description |
|---|---|---|
error |
string | |
error_description |
string | Human-readable description of the error. |
error_uri |
string | URI with additional information about the error. |
response |
string | The response string containing the authorization details (JWE-encrypted VP token). Required for success responses, absent for error responses. |
sendResponse |
boolean | When set to true, the authorization response will be sent to the client. |
state |
string | State value from the authorization request (for correlation). |
AuthorizeQueries¶
| Name | Type | Description |
|---|---|---|
auth_session |
string | |
authorization_details |
RFC 9396 authorization details. When passed via application/x-www-form-urlencoded (PAR) the value is a JSON string; when passed inside a signed request object it can already be an array. | |
client_id |
string | |
code_challenge |
string | |
code_challenge_method |
string | |
dpop_jkt |
string | |
issuer_state |
string | |
redirect_uri |
string | |
request_uri |
string | |
resource |
string | |
response_type |
string | |
scope |
string | |
state |
string |
CertificateInfoDto¶
| Name | Type | Description |
|---|---|---|
issuer |
string | Certificate issuer (CN). |
notAfter |
string(date-time) | Certificate not after date. |
notBefore |
string(date-time) | Certificate not before date. |
pem |
string | Certificate in PEM format. |
serialNumber |
string | Serial number. |
subject |
string | Certificate subject (CN). |
ChainedAsConfig¶
| Name | Type | Description |
|---|---|---|
enabled |
boolean | Enable chained AS mode |
requireDPoP |
boolean | Require DPoP binding for tokens |
token |
Token configuration | |
upstream |
Upstream OIDC provider configuration |
ChainedAsErrorResponseDto¶
| Name | Type | Description |
|---|---|---|
error |
string | Error code |
error_description |
string | Human-readable error description |
ChainedAsParResponseDto¶
| Name | Type | Description |
|---|---|---|
expires_in |
number | The lifetime of the request URI in seconds |
request_uri |
string | The request URI to use at the authorization endpoint |
ChainedAsTokenConfig¶
| Name | Type | Description |
|---|---|---|
lifetimeSeconds |
number | Access token lifetime in seconds |
signingKeyId |
string | Key ID for token signing |
ChainedAsTokenRequestDto¶
| Name | Type | Description |
|---|---|---|
client_id |
string | Client identifier |
code |
string | Authorization code received in the callback (authorization_code grant) |
code_verifier |
string | PKCE code verifier |
grant_type |
string | Grant type ('authorization_code' or 'refresh_token') |
redirect_uri |
string | Redirect URI (must match the one used in PAR) |
refresh_token |
string | Refresh token (refresh_token grant) |
ChainedAsTokenResponseDto¶
| Name | Type | Description |
|---|---|---|
access_token |
string | The access token |
authorization_details |
Array<> | Authorized credential configurations |
c_nonce |
string | C_NONCE for credential request |
c_nonce_expires_in |
number | C_NONCE lifetime in seconds |
expires_in |
number | Token lifetime in seconds |
refresh_token |
string | Refresh token (issued when refresh tokens are enabled) |
scope |
string | Scope granted |
token_type |
string | Token type (Bearer or DPoP) |
ClaimDisplayInfo¶
| Name | Type | Description |
|---|---|---|
locale |
string | Locale identifier (e.g., en-US, de-DE) |
name |
string | Human-readable name for the claim |
ClaimMetadata¶
| Name | Type | Description |
|---|---|---|
display |
Array<ClaimDisplayInfo> | Display information for the claim in different locales |
mandatory |
boolean | Whether this claim must be disclosed |
path |
Array<string> | Path to the claim. For SD-JWT: JSONPath-like array. For mDOC: [namespace, claim_name] |
ClaimsQuery¶
| Name | Type | Description |
|---|---|---|
id |
string | |
path |
Array<string> | |
values |
Array<string> |
ClientCredentialsDto¶
| Name | Type | Description |
|---|---|---|
client_id |
string | |
client_secret |
string | |
grant_type |
string |
ClientEntity¶
| Name | Type | Description |
|---|---|---|
allowedIssuanceConfigs |
Array<string> | List of issuance config IDs this client can use. If empty/null, all configs are allowed. |
allowedPresentationConfigs |
Array<string> | List of presentation config IDs this client can use. If empty/null, all configs are allowed. |
clientId |
string | The unique identifier for the client. |
description |
string | The description of the client. |
roles |
Array<string> | The roles assigned to the client. |
secret |
string | The secret key for the client. |
tenant |
The tenant that the client belongs to. | |
tenantId |
string | The unique identifier for the tenant that the client belongs to. Only null for accounts that manage tenants, that do not belong to a client |
ClientSecretResponseDto¶
| Name | Type | Description |
|---|---|---|
secret |
string |
CompleteDeferredDto¶
| Name | Type | Description |
|---|---|---|
claims |
Example: {'given_name': 'John', 'family_name': 'Doe', 'birthdate': '1990-01-15'} |
Claims to include in the credential. The structure should match the credential configuration's expected claims. |
CreateAccessCertificateDto¶
| Name | Type | Description |
|---|---|---|
keyId |
string | The ID of the key to create an access certificate for |
CreateAttributeProviderDto¶
| Name | Type | Description |
|---|---|---|
auth |
||
description |
string | null | |
id |
string | |
name |
string | |
url |
string |
CreateClientDto¶
| Name | Type | Description |
|---|---|---|
allowedIssuanceConfigs |
Array<string> | List of issuance config IDs this client can use. If empty/null, all configs are allowed. |
allowedPresentationConfigs |
Array<string> | List of presentation config IDs this client can use. If empty/null, all configs are allowed. |
clientId |
string | The unique identifier for the client. |
description |
string | The description of the client. |
roles |
Array<string> | The roles assigned to the client. |
secret |
string | The secret key for the client. |
CreateRegistrarConfigDto¶
| Name | Type | Description |
|---|---|---|
clientId |
string | The OIDC client ID for the registrar |
clientSecret |
string | The OIDC client secret (optional, for confidential clients) |
oidcUrl |
string(uri) | The OIDC issuer URL for authentication (e.g., Keycloak realm URL) |
password |
string | The password for OIDC login (stored in plaintext) |
registrarUrl |
string(uri) | The base URL of the registrar API |
registrationCertificateDefaults |
Optional default values merged into registration certificate creation requests (for example privacy_policy, support_uri, provided_attestations) | |
username |
string | The username for OIDC login |
CreateStatusListDto¶
| Name | Type | Description |
|---|---|---|
bits |
number | Bits per status value. More bits allow more status states. Defaults to tenant configuration. |
capacity |
number | Maximum number of credential status entries. Defaults to tenant configuration. |
credentialConfigurationId |
string | Credential configuration ID to bind this list exclusively to. Leave empty for a shared list. |
keyChainId |
string | Key chain ID to use for signing. Leave empty to use the tenant's default StatusList key chain. |
CreateTenantDto¶
| Name | Type | Description |
|---|---|---|
description |
string | The description of the tenant. |
id |
string | The unique identifier for the tenant. |
name |
string | The name of the tenant. |
roles |
Array<string> | |
sessionConfig |
Session storage configuration. Controls TTL and cleanup behavior. | |
statusListConfig |
Status list configuration for this tenant. Only affects newly created status lists. |
CreateWebhookEndpointDto¶
| Name | Type | Description |
|---|---|---|
auth |
||
description |
string | null | |
id |
string | |
name |
string | |
url |
string |
CredentialConfig¶
| Name | Type | Description |
|---|---|---|
attributeProvider |
AttributeProviderEntity | |
attributeProviderId |
string | null | Reference to the attribute provider used for fetching claims. Optional: if set, claims will be fetched from this provider during issuance. |
claims |
||
config |
IssuerMetadataCredentialConfig | |
description |
string | null | |
disclosureFrame |
||
embeddedDisclosurePolicy |
Embedded disclosure policy (discriminated union by `policy`). The discriminator makes class-transformer instantiate the right subclass, and then class-validator runs that subclass’s rules. | |
iaeActions |
Array<> | List of IAE actions to execute before credential issuance |
id |
string | |
keyBinding |
boolean | |
keyChain |
KeyChainEntity | |
keyChainId |
string | Reference to the key chain used for signing. Optional: if not specified, the default attestation key chain will be used. |
lifeTime |
number | |
schema |
||
statusManagement |
boolean | |
tenant |
The tenant that owns this object. | |
vct |
VCT as a URI string (e.g., urn:eudi:pid:de:1) or as an object for EUDIPLO-hosted VCT | |
webhookEndpoint |
WebhookEndpointEntity | |
webhookEndpointId |
string | null | Reference to the webhook endpoint used for notifications. Optional: if set, notifications will be sent to this endpoint. |
CredentialConfigCreate¶
| Name | Type | Description |
|---|---|---|
attributeProviderId |
string | null | Reference to the attribute provider used for fetching claims. Optional: if set, claims will be fetched from this provider during issuance. |
claims |
||
config |
IssuerMetadataCredentialConfig | |
description |
string | null | |
disclosureFrame |
||
embeddedDisclosurePolicy |
Embedded disclosure policy (discriminated union by `policy`). The discriminator makes class-transformer instantiate the right subclass, and then class-validator runs that subclass’s rules. | |
iaeActions |
Array<> | List of IAE actions to execute before credential issuance |
id |
string | |
keyBinding |
boolean | |
keyChainId |
string | Reference to the key chain used for signing. Optional: if not specified, the default attestation key chain will be used. |
lifeTime |
number | |
schema |
||
statusManagement |
boolean | |
vct |
VCT as a URI string (e.g., urn:eudi:pid:de:1) or as an object for EUDIPLO-hosted VCT | |
webhookEndpointId |
string | null | Reference to the webhook endpoint used for notifications. Optional: if set, notifications will be sent to this endpoint. |
CredentialConfigUpdate¶
| Name | Type | Description |
|---|---|---|
attributeProviderId |
string | null | Reference to the attribute provider used for fetching claims. Optional: if set, claims will be fetched from this provider during issuance. |
claims |
||
config |
IssuerMetadataCredentialConfig | |
description |
string | null | |
disclosureFrame |
||
embeddedDisclosurePolicy |
Embedded disclosure policy (discriminated union by `policy`). The discriminator makes class-transformer instantiate the right subclass, and then class-validator runs that subclass’s rules. | |
iaeActions |
Array<> | List of IAE actions to execute before credential issuance |
id |
string | |
keyBinding |
boolean | |
keyChainId |
string | Reference to the key chain used for signing. Optional: if not specified, the default attestation key chain will be used. |
lifeTime |
number | |
schema |
||
statusManagement |
boolean | |
vct |
VCT as a URI string (e.g., urn:eudi:pid:de:1) or as an object for EUDIPLO-hosted VCT | |
webhookEndpointId |
string | null | Reference to the webhook endpoint used for notifications. Optional: if set, notifications will be sent to this endpoint. |
CredentialQuery¶
| Name | Type | Description |
|---|---|---|
claims |
Array<ClaimsQuery> | |
format |
string | |
id |
string | |
meta |
||
multiple |
boolean | |
trusted_authorities |
Array<TrustedAuthorityQuery> |
CredentialSetQuery¶
| Name | Type | Description |
|---|---|---|
options |
Array<Array<string>> | |
required |
boolean |
DCQL¶
| Name | Type | Description |
|---|---|---|
credential_sets |
Array<CredentialSetQuery> | |
credentials |
Array<CredentialQuery> |
DeferredCredentialRequestDto¶
| Name | Type | Description |
|---|---|---|
transaction_id |
string | The transaction identifier previously returned by the Credential Endpoint |
DeferredOperationResponse¶
| Name | Type | Description |
|---|---|---|
message |
string | Optional message |
status |
string | The new status of the transaction |
transactionId |
string | The transaction ID |
Display¶
| Name | Type | Description |
|---|---|---|
background_color |
string | |
background_image |
DisplayImage | |
description |
string | |
locale |
string | |
logo |
DisplayImage | |
name |
string | |
text_color |
string |
DisplayImage¶
| Name | Type | Description |
|---|---|---|
uri |
string |
DisplayInfo¶
| Name | Type | Description |
|---|---|---|
locale |
string | |
logo |
DisplayLogo | |
name |
string |
DisplayLogo¶
| Name | Type | Description |
|---|---|---|
alt_text |
string | |
uri |
string |
EC_Public¶
| Name | Type | Description |
|---|---|---|
crv |
string | The algorithm intended for use with the key, such as 'ES256'. |
kty |
string | The key type, which is always 'EC' for Elliptic Curve keys. |
x |
string | The x coordinate of the EC public key. |
y |
string | The y coordinate of the EC public key. |
EcJwk¶
| Name | Type | Description |
|---|---|---|
alg |
string | |
crv |
string | |
d |
string | |
kid |
string | |
kty |
string | |
x |
string | |
y |
string |
EmbeddedDisclosurePolicy¶
| Name | Type | Description |
|---|---|---|
policy |
string |
ExportEcJwk¶
| Name | Type | Description |
|---|---|---|
alg |
string | Algorithm |
crv |
string | Curve |
d |
string | Private key (base64url) |
kid |
string | Key ID |
kty |
string | Key type |
x |
string | X coordinate (base64url) |
y |
string | Y coordinate (base64url) |
ExportRotationPolicyDto¶
| Name | Type | Description |
|---|---|---|
certValidityDays |
number | Certificate validity in days. |
enabled |
boolean | Whether rotation is enabled. |
intervalDays |
number | Rotation interval in days. |
ExternalTrustListEntity¶
| Name | Type | Description |
|---|---|---|
info |
TrustListEntityInfo | |
issuerCertPem |
string | |
revocationCertPem |
string | |
type |
string |
FailDeferredDto¶
| Name | Type | Description |
|---|---|---|
error |
string | Optional error message explaining why the issuance failed |
FileUploadDto¶
| Name | Type | Description |
|---|---|---|
file |
string(binary) |
FrontendConfigResponseDto¶
| Name | Type | Description |
|---|---|---|
grafana |
Grafana observability configuration |
GrafanaConfigDto¶
| Name | Type | Description |
|---|---|---|
lokiUid |
string | UID of the Loki data source in Grafana |
tempoUid |
string | UID of the Tempo data source in Grafana |
url |
string | Base URL of the Grafana instance |
IaeActionOpenid4vpPresentation¶
| Name | Type | Description |
|---|---|---|
label |
string | Optional label for this step (for display purposes) |
presentationConfigId |
string | ID of the presentation configuration to use for this step |
type |
string | Action type discriminator |
IaeActionRedirectToWeb¶
| Name | Type | Description |
|---|---|---|
callbackUrl |
string(uri) | URL where the external service should redirect back after completion. If not provided, the service must call back to the IAE endpoint. |
description |
string | Description of what the user should do on the web page (for wallet display) |
label |
string | Optional label for this step (for display purposes) |
type |
string | Action type discriminator |
url |
string(uri) | URL to redirect the user to for web-based interaction |
ImportTenantDto¶
| Name | Type | Description |
|---|---|---|
description |
string | The description of the tenant. |
name |
string | The name of the tenant. |
InteractiveAuthorizationCodeResponseDto¶
| Name | Type | Description |
|---|---|---|
code |
string | Authorization code |
status |
string | Response status |
InteractiveAuthorizationErrorResponseDto¶
| Name | Type | Description |
|---|---|---|
error |
string | OAuth error code |
error_description |
string | Human-readable error description |
InteractiveAuthorizationRequestDto¶
| Name | Type | Description |
|---|---|---|
auth_session |
string | Auth session identifier (for follow-up request) |
authorization_details |
Authorization details | |
client_id |
string | Client identifier (for initial request) |
code_challenge |
string | PKCE code challenge |
code_challenge_method |
string | PKCE code challenge method |
code_verifier |
string | PKCE code verifier (for follow-up request) |
interaction_types_supported |
string | Comma-separated list of supported interaction types (for initial request) |
issuer_state |
string | Issuer state from credential offer |
openid4vp_response |
string | OpenID4VP response (for follow-up request) |
redirect_uri |
string | Redirect URI (for initial request) |
request |
string | JAR request JWT (by value) |
request_uri |
string | JAR request URI (by reference) |
response_type |
string | Response type (for initial request) |
scope |
string | OAuth scope |
state |
string | State parameter |
InternalTrustListEntity¶
| Name | Type | Description |
|---|---|---|
info |
TrustListEntityInfo | |
issuerKeyChainId |
string | |
revocationKeyChainId |
string | |
type |
string |
IssuanceConfig¶
| Name | Type | Description |
|---|---|---|
authServers |
Array<string> | Authentication server URL for the issuance process. |
batchSize |
number | Value to determine the amount of credentials that are issued in a batch. Default is 1. |
chainedAs |
Configuration for Chained Authorization Server mode. When enabled, EUDIPLO acts as an OAuth AS facade, delegating user authentication to an upstream OIDC provider while issuing its own tokens with issuer_state. | |
createdAt |
string(date-time) | The timestamp when the VP request was created. |
credentialResponseEncryption |
boolean | Whether `credential_response_encryption` should be advertised in the credential issuer metadata. |
display |
Array<DisplayInfo> | |
dPopRequired |
boolean | Indicates whether DPoP is required for the issuance process. Default value is true. |
preferredAuthServer |
string | The URL of the preferred authorization server for wallet-initiated flows. When set, this AS is placed first in the `authorization_servers` array of the credential issuer metadata, signaling wallets to use it by default. Must match one of the configured auth servers, the chained AS URL, or "built-in". |
refreshTokenEnabled |
boolean | Whether refresh tokens should be issued for OID4VCI token responses. |
refreshTokenExpiresInSeconds |
number | null | Refresh token lifetime in seconds. Defaults to 2592000 (30 days). |
signingKeyId |
string | Key ID for signing access tokens. If unset, the default signing key is used. |
tenant |
The tenant that owns this object. | |
updatedAt |
string(date-time) | The timestamp when the VP request was last updated. |
walletAttestationRequired |
boolean | Indicates whether wallet attestation is required for the token endpoint. When enabled, wallets must provide OAuth-Client-Attestation headers. Default value is false. |
walletProviderTrustLists |
Array<string> | URLs of trust lists containing trusted wallet providers. The wallet attestation's X.509 certificate will be validated against these trust lists. If empty and walletAttestationRequired is true, all wallet providers are rejected. |
IssuanceDto¶
| Name | Type | Description |
|---|---|---|
authServers |
Array<string> | Authentication server URL for the issuance process. |
batchSize |
number | Value to determine the amount of credentials that are issued in a batch. Default is 1. |
chainedAs |
Configuration for Chained Authorization Server mode. When enabled, EUDIPLO acts as an OAuth AS facade, delegating user authentication to an upstream OIDC provider while issuing its own tokens with issuer_state. | |
credentialResponseEncryption |
boolean | Whether `credential_response_encryption` should be advertised in the credential issuer metadata. |
display |
Array<DisplayInfo> | |
dPopRequired |
boolean | Indicates whether DPoP is required for the issuance process. Default value is true. |
preferredAuthServer |
string | The URL of the preferred authorization server for wallet-initiated flows. When set, this AS is placed first in the `authorization_servers` array of the credential issuer metadata, signaling wallets to use it by default. Must match one of the configured auth servers, the chained AS URL, or "built-in". |
refreshTokenEnabled |
boolean | Whether refresh tokens should be issued for OID4VCI token responses. |
refreshTokenExpiresInSeconds |
number | null | Refresh token lifetime in seconds. Defaults to 2592000 (30 days). |
signingKeyId |
string | Key ID for signing access tokens. If unset, the default signing key is used. |
walletAttestationRequired |
boolean | Indicates whether wallet attestation is required for the token endpoint. When enabled, wallets must provide OAuth-Client-Attestation headers. Default value is false. |
walletProviderTrustLists |
Array<string> | URLs of trust lists containing trusted wallet providers. The wallet attestation's X.509 certificate will be validated against these trust lists. If empty and walletAttestationRequired is true, all wallet providers are rejected. |
IssuerMetadataCredentialConfig¶
| Name | Type | Description |
|---|---|---|
claimsByNamespace |
Claims organized by namespace for mDOC credentials. Allows specifying claims across multiple namespaces. Only applicable when format is "mso_mdoc". Example: { "org.iso.18013.5.1": { "given_name": "John", "family_name": "Doe" }, "org.iso.18013.5.1.aamva": { "DHS_compliance": "F" } } | |
claimsMetadata |
Array<ClaimMetadata> | Claims metadata for wallet rendering. Follows the OID4VCI credential_metadata.claims specification. Each claim includes a path (JSONPath-like array), optional mandatory flag, and display information with multi-language support. Example: [ { "path": ["given_name"], "mandatory": false, "display": [{ "name": "Given Name", "locale": "en-US" }] }, { "path": ["address", "street_address"], "display": [{ "name": "Street Address", "locale": "en-US" }] } ] |
display |
Array<Display> | |
docType |
string | Document type for mDOC credentials (e.g., "org.iso.18013.5.1.mDL"). Only applicable when format is "mso_mdoc". |
format |
string | |
keyAttestationsRequired |
Key attestation requirements for JWT proofs for this credential. When set, this is published in proof_types_supported.jwt.key_attestations_required for this specific credential configuration. | |
namespace |
string | Namespace for mDOC credentials (e.g., "org.iso.18013.5.1"). Only applicable when format is "mso_mdoc". Used when claims are provided as a flat object. |
scope |
string |
JwksResponseDto¶
| Name | Type | Description |
|---|---|---|
keys |
Array<EC_Public> | An array of EC public keys in JWK format. |
KeyAttestationsRequired¶
| Name | Type | Description |
|---|---|---|
key_storage |
Array<string> | List of required key storage types (e.g., iso_18045_high, iso_18045_moderate) |
user_authentication |
Array<string> | List of required user authentication types (e.g., iso_18045_high, iso_18045_moderate) |
KeyChainCreateDto¶
| Name | Type | Description |
|---|---|---|
description |
string | Human-readable description for the key chain. |
kmsProvider |
string | KMS provider to use (defaults to the configured default provider). |
rotationPolicy |
Rotation policy configuration. Only applicable for the signing key (root CA never rotates). | |
type |
string | Type of key chain to create. |
usageType |
string | Usage type determines the purpose of this key chain (access, attestation, etc.). |
KeyChainEntity¶
| Name | Type | Description |
|---|---|---|
activeCertificate |
string | Certificate for the active signing key in PEM format. Either CA-signed (if rootKey exists) or self-signed. |
activeKey |
||
certValidityDays |
number | Certificate validity in days when generating new certificates. |
createdAt |
string(date-time) | |
description |
string | Human-readable description of the key chain. |
externalKeyId |
string | External key identifier for cloud KMS providers. This field stores the provider-specific key reference for the active signing key. |
id |
string | Unique identifier for the key chain. This is the ID referenced by other entities (e.g., issuance config's signingKeyId). |
kmsProvider |
string | The KMS provider used for this key chain. References a configured KMS provider name. |
lastRotatedAt |
string(date-time) | Timestamp of when the key was last rotated. |
previousCertificate |
string | Certificate for the previous signing key in PEM format. |
previousKey |
||
previousKeyExpiry |
string(date-time) | Expiry date for the previous key. After this date, the previous key should be deleted. |
rootCertificate |
string | Root CA certificate in PEM format. Self-signed certificate for the root CA key. |
rootKey |
||
rotationEnabled |
boolean | |
rotationIntervalDays |
number | Rotation interval in days. Key material will be rotated after this many days. |
tenant |
The tenant that owns this key chain. | |
tenantId |
string | Tenant ID for the key chain. |
updatedAt |
string(date-time) | The timestamp when the key chain was last updated. |
usage |
string | The usage type of the keys (sign or encrypt). |
usageType |
string | The purpose/role of this key chain in the system. |
KeyChainExportDto¶
| Name | Type | Description |
|---|---|---|
crt |
Array<string> | Certificate chain in PEM format (leaf first, then intermediates/CA). |
description |
string | Human-readable description. |
id |
string | Key chain ID. |
key |
The private key in JWK format (EC). | |
kmsProvider |
string | KMS provider name. |
rotationPolicy |
Rotation policy. | |
usageType |
string | Usage type for this key chain. |
KeyChainImportDto¶
| Name | Type | Description |
|---|---|---|
crt |
Array<string> | Certificate chain in PEM format (leaf first, then intermediates/CA). |
description |
string | Human-readable description. |
id |
string | ID for the key chain. If not provided, a new UUID will be generated. |
key |
The private key in JWK format. | |
kmsProvider |
string | KMS provider to use. Defaults to 'db'. |
rotationPolicy |
Rotation policy. When enabled, the imported key becomes a root CA and a new leaf key is generated. | |
usageType |
string | Usage type for this key chain. |
KeyChainResponseDto¶
| Name | Type | Description |
|---|---|---|
activeCertificate |
Active signing key's certificate. Not present for encryption keys. | |
activePublicKey |
Active signing key's public key info. | |
createdAt |
string(date-time) | Timestamp when the key chain was created. |
description |
string | Human-readable description. |
id |
string | Unique identifier for the key chain. |
kmsProvider |
string | KMS provider used for this key chain. |
previousCertificate |
Previous signing key's certificate (if in grace period). | |
previousKeyExpiry |
string(date-time) | Previous key expiry date. |
previousPublicKey |
Previous signing key's public key info (if in grace period). | |
rootCertificate |
Root CA certificate (only for internalChain type). | |
rotationPolicy |
Rotation policy configuration. | |
type |
string | Type of key chain (standalone or internalChain). |
updatedAt |
string(date-time) | Timestamp when the key chain was last updated. |
usageType |
string | Usage type of the key chain. |
KeyChainUpdateDto¶
| Name | Type | Description |
|---|---|---|
activeCertificate |
string | Active certificate chain in PEM format. Used for external certificate updates. |
description |
string | Human-readable description for the key chain. |
rotationPolicy |
Rotation policy configuration. |
KmsProviderCapabilitiesDto¶
| Name | Type | Description |
|---|---|---|
canCreate |
boolean | Whether the provider supports generating new keys. |
canDelete |
boolean | Whether the provider supports deleting keys. |
canImport |
boolean | Whether the provider supports importing existing keys. |
KmsProviderInfoDto¶
| Name | Type | Description |
|---|---|---|
capabilities |
Capabilities of this provider. | |
description |
string | Human-readable description of this provider instance. |
name |
string | Unique provider ID (matches the id in kms.json). |
type |
string | Type of the KMS provider (db, vault, aws-kms). |
KmsProvidersResponseDto¶
| Name | Type | Description |
|---|---|---|
default |
string | The default KMS provider name. |
providers |
Array<KmsProviderInfoDto> | Detailed info for each registered KMS provider. |
NoneTrustPolicy¶
| Name | Type | Description |
|---|---|---|
policy |
string |
NotificationRequestDto¶
| Name | Type | Description |
|---|---|---|
event |
||
notification_id |
string |
Object¶
OfferRequestDto¶
| Name | Type | Description |
|---|---|---|
authorization_server |
string | Optional authorization server to be used for this issuance flow. |
credentialClaims |
Example: {'citizen': {'type': 'inline', 'claims': {'given_name': 'John', 'family_name': 'Doe'}}} |
Credential claims configuration per credential. Keys must match credentialConfigurationIds. |
credentialConfigurationIds |
Array<string> | List of credential configuration ids to be included in the offer. |
flow |
string | The flow type for the offer request. |
response_type |
string | The type of response expected for the offer request. |
tx_code |
string | Transaction code for pre-authorized code flow. |
tx_code_description |
string | Description for the transaction code (e.g., "Please enter the PIN sent to your email"). |
webhookEndpointId |
string | ID of the webhook endpoint to notify about the status of the issuance process. |
OfferResponse¶
| Name | Type | Description |
|---|---|---|
crossDeviceUri |
string | URI for cross-device flows (no redirect after completion) |
session |
string | |
uri |
string |
ParResponseDto¶
| Name | Type | Description |
|---|---|---|
expires_in |
number | The expiration time for the request URI in seconds. |
request_uri |
string | The request URI for the Pushed Authorization Request. |
PolicyCredential¶
| Name | Type | Description |
|---|---|---|
claims |
Array<ClaimsQuery> | |
credential_sets |
Array<CredentialSetQuery> | |
credentials |
Array<CredentialQuery> |
PresentationAttachment¶
| Name | Type | Description |
|---|---|---|
credential_ids |
Array<string> | |
data |
||
format |
string |
PresentationConfig¶
| Name | Type | Description |
|---|---|---|
accessKeyChainId |
string | null | Optional ID of the access certificate to use for signing the presentation request. If not provided, the default access certificate for the tenant will be used. Note: This is intentionally NOT a TypeORM relationship because CertEntity uses a composite primary key (id + tenantId), and SQLite cannot create foreign keys that reference only part of a composite primary key. The relationship is handled at the application level in the service layer. |
attached |
Array<PresentationAttachment> | Attestation that should be attached |
createdAt |
string(date-time) | The timestamp when the VP request was created. |
dcql_query |
The DCQL query to be used for the VP request. | |
description |
string | null | Description of the presentation configuration. |
id |
string | Unique identifier for the VP request. |
lifeTime |
number | Lifetime how long the presentation request is valid after creation, in seconds. |
redirectUri |
string | null | Redirect URI to which the user-agent should be redirected after the presentation is completed. You can use the `{sessionId}` placeholder in the URI, which will be replaced with the actual session ID. |
registrationCert |
The registration certificate request containing the necessary details. | |
registrationCertCache |
Server-managed cache of the materialized registration certificate. Read-only; values supplied by clients are ignored. | |
tenant |
The tenant that owns this object. | |
transaction_data |
Array<TransactionData> | |
updatedAt |
string(date-time) | The timestamp when the VP request was last updated. |
webhook |
Optional webhook URL to receive the response. |
PresentationConfigCreateDto¶
| Name | Type | Description |
|---|---|---|
accessKeyChainId |
string | null | Optional ID of the access certificate to use for signing the presentation request. If not provided, the default access certificate for the tenant will be used. Note: This is intentionally NOT a TypeORM relationship because CertEntity uses a composite primary key (id + tenantId), and SQLite cannot create foreign keys that reference only part of a composite primary key. The relationship is handled at the application level in the service layer. |
attached |
Array<PresentationAttachment> | Attestation that should be attached |
dcql_query |
The DCQL query to be used for the VP request. | |
description |
string | null | Description of the presentation configuration. |
id |
string | Unique identifier for the VP request. |
lifeTime |
number | Lifetime how long the presentation request is valid after creation, in seconds. |
redirectUri |
string | null | Redirect URI to which the user-agent should be redirected after the presentation is completed. You can use the `{sessionId}` placeholder in the URI, which will be replaced with the actual session ID. |
registrationCert |
The registration certificate request containing the necessary details. | |
transaction_data |
Array<TransactionData> | |
webhook |
Optional webhook URL to receive the response. |
PresentationConfigUpdateDto¶
| Name | Type | Description |
|---|---|---|
accessKeyChainId |
string | null | Optional ID of the access certificate to use for signing the presentation request. If not provided, the default access certificate for the tenant will be used. Note: This is intentionally NOT a TypeORM relationship because CertEntity uses a composite primary key (id + tenantId), and SQLite cannot create foreign keys that reference only part of a composite primary key. The relationship is handled at the application level in the service layer. |
attached |
Array<PresentationAttachment> | Attestation that should be attached |
dcql_query |
The DCQL query to be used for the VP request. | |
description |
string | null | Description of the presentation configuration. |
id |
string | Unique identifier for the VP request. |
lifeTime |
number | Lifetime how long the presentation request is valid after creation, in seconds. |
redirectUri |
string | null | Redirect URI to which the user-agent should be redirected after the presentation is completed. You can use the `{sessionId}` placeholder in the URI, which will be replaced with the actual session ID. |
registrationCert |
The registration certificate request containing the necessary details. | |
transaction_data |
Array<TransactionData> | |
webhook |
Optional webhook URL to receive the response. |
PresentationDuringIssuanceConfig¶
| Name | Type | Description |
|---|---|---|
type |
string | Link to the presentation configuration that is relevant for the issuance process |
PresentationRequest¶
| Name | Type | Description |
|---|---|---|
redirectUri |
string | Optional redirect URI to which the user-agent should be redirected after the presentation is completed. You can use the `{sessionId}` placeholder in the URI, which will be replaced with the actual session ID. |
requestId |
string | Identifier of the presentation configuration |
response_type |
string | The type of response expected from the presentation request. |
transaction_data |
Array<TransactionData> | Optional transaction data to include in the OID4VP request. If provided, this will override the transaction_data from the presentation configuration. |
webhook |
Webhook configuration to receive the response. If not provided, the configured webhook from the configuration will be used. |
PublicKeyInfoDto¶
| Name | Type | Description |
|---|---|---|
alg |
string | Key algorithm (e.g., ES256). |
crv |
string | Curve (for EC keys). |
kid |
string | Key ID. |
kty |
string | Key type (e.g., EC). |
RegistrarConfigResponseDto¶
| Name | Type | Description |
|---|---|---|
clientId |
string | The OIDC client ID for the registrar |
clientSecret |
string | The OIDC client secret (optional, for confidential clients) |
hasPassword |
boolean | Indicates whether a password is configured (actual password is never returned) |
oidcUrl |
string(uri) | The OIDC issuer URL for authentication (e.g., Keycloak realm URL) |
registrarUrl |
string(uri) | The base URL of the registrar API |
registrationCertificateDefaults |
Optional default values merged into registration certificate creation requests (for example privacy_policy, support_uri, provided_attestations) | |
username |
string | The username for OIDC login |
RegistrationCertificateBody¶
| Name | Type | Description |
|---|---|---|
credentials |
Array<> | |
intermediary |
string | |
privacy_policy |
string | |
provided_attestations |
Array<> | |
purpose |
Array<RegistrationCertificatePurpose> | |
support_uri |
string |
RegistrationCertificatePurpose¶
| Name | Type | Description |
|---|---|---|
lang |
string | |
value |
string |
RegistrationCertificateRequest¶
| Name | Type | Description |
|---|---|---|
body |
Registration certificate creation payload. This is merged with tenant-level registrar defaults when a certificate is created. | |
id |
string | Optional registrar-side certificate identifier. If provided and still valid, EUDIPLO reuses it instead of creating a new certificate. |
jwt |
string | Optional pre-existing registration certificate JWT. If provided, EUDIPLO forwards it as-is and does not create a new one. |
ResolveIssuerMetadataDto¶
| Name | Type | Description |
|---|---|---|
issuerUrl |
string(uri) | Issuer URL or full OpenID4VCI metadata URL to resolve server-side. |
RoleDto¶
| Name | Type | Description |
|---|---|---|
role |
string | OAuth2 roles |
RootOfTrustPolicy¶
| Name | Type | Description |
|---|---|---|
policy |
string | |
values |
string |
RotationPolicyCreateDto¶
| Name | Type | Description |
|---|---|---|
certValidityDays |
number | Certificate validity in days. Defaults to rotation interval + 30 days grace period. |
enabled |
boolean | Whether automatic key rotation is enabled. |
intervalDays |
number | Rotation interval in days. Required when enabled is true. |
RotationPolicyImportDto¶
| Name | Type | Description |
|---|---|---|
certValidityDays |
number | Certificate validity in days. |
enabled |
boolean | Whether rotation is enabled. When true, the imported key becomes a root CA. |
intervalDays |
number | Rotation interval in days. |
RotationPolicyResponseDto¶
| Name | Type | Description |
|---|---|---|
certValidityDays |
number | Certificate validity in days. |
enabled |
boolean | Whether automatic key rotation is enabled. |
intervalDays |
number | Rotation interval in days. |
nextRotationAt |
string(date-time) | Next scheduled rotation date. |
RotationPolicyUpdateDto¶
| Name | Type | Description |
|---|---|---|
certValidityDays |
number | Certificate validity in days. |
enabled |
boolean | Whether automatic key rotation is enabled. |
intervalDays |
number | Rotation interval in days. |
SchemaResponse¶
| Name | Type | Description |
|---|---|---|
$schema |
string | |
description |
string | |
properties |
||
required |
Array<string> | |
title |
string | |
type |
string |
Session¶
| Name | Type | Description |
|---|---|---|
auth_queries |
Authorization queries associated with the session. Encrypted at rest. | |
authorization_code |
string | |
clientId |
string | Client ID used in the OID4VP authorization request. |
createdAt |
string(date-time) | The timestamp when the request was created. |
credentialPayload |
Credential payload containing the offer request details. Encrypted at rest - may contain sensitive claim data. | |
credentials |
Array<> | Verified credentials from the presentation process. Encrypted at rest - contains personal information. |
errorReason |
string | Error reason if the session failed. Stores the error message when status is 'failed'. |
expiresAt |
string(date-time) | The timestamp when the request is set to expire. |
externalIssuer |
string | |
externalSubject |
string | The subject (sub) from the external authorization server token. Used to identify the user at the external AS. |
id |
string | Unique identifier for the session. |
notifications |
Array<> | Notifications associated with the session. |
offer |
Credential offer object containing details about the credential offer or presentation request. Encrypted at rest. | |
offerUrl |
string | Offer URL for the credential offer. |
parsedWebhook |
Where to send the claims webhook response. | |
redirectUri |
string | null | Redirect URI to which the user-agent should be redirected after the presentation is completed. |
refresh_token |
string | Refresh token for the session - used to obtain a new access token. |
refresh_token_expires_at |
string(date-time) | Expiration timestamp for the refresh token. Used to validate refresh_token grant requests. |
request_uri |
string | Request URI from the authorization request. |
requestId |
string | |
requestObject |
string | Signed presentation auth request. |
requestUrl |
string | The URL of the presentation auth request. |
responseCode |
string | Cryptographic random code generated after successful VP Token processing. Per OID4VP spec Section 13.3, included in redirect_uri so only the legitimate frontend (which receives the redirect) can confirm the session completed. |
responseUri |
string | Response URI used in the OID4VP authorization request. |
status |
string | Status of the session. |
tenant |
The tenant that owns this object. | |
tenantId |
string | Tenant ID for multi-tenancy support. |
transaction_data |
Array<TransactionData> | Transaction data to include in the OID4VP authorization request. Can be overridden per-request from the presentation configuration. |
updatedAt |
string(date-time) | The timestamp when the request was last updated. |
useDcApi |
boolean | Flag indicating whether to use the DC API for the presentation request. |
vp_nonce |
string | Noncce from the Verifiable Presentation request. |
walletNonce |
string | Cryptographic random nonce used in wallet-facing URLs (response_uri, request_uri, state). Per OID4VP spec Section 13.3, this separates the wallet-facing identifier (request-id) from the frontend-facing session ID (transaction-id) to prevent session fixation. |
webhookEndpointId |
string | ID of the webhook endpoint to notify about issuance status. |
SessionLogEntryResponseDto¶
| Name | Type | Description |
|---|---|---|
detail |
Additional structured detail | |
id |
string | Log entry ID |
level |
string | Log level |
message |
string | Log message |
sessionId |
string | Session ID |
stage |
string | Flow stage |
timestamp |
string(date-time) | Timestamp of the log entry |
SessionStorageConfig¶
| Name | Type | Description |
|---|---|---|
cleanupMode |
string | Cleanup mode: 'full' deletes everything, 'anonymize' keeps metadata but removes PII. |
ttlSeconds |
number | Time-to-live for sessions in seconds. If not set, uses global SESSION_TTL. |
StatusListAggregationDto¶
| Name | Type | Description |
|---|---|---|
status_lists |
Array<string> | Array of status list token URIs |
StatusListConfig¶
| Name | Type | Description |
|---|---|---|
bits |
number | Bits per status entry: 1 (valid/revoked), 2 (with suspended), 4/8 (extended). If not set, uses global STATUS_BITS. |
capacity |
number | The capacity of the status list. If not set, uses global STATUS_CAPACITY. |
enableAggregation |
boolean | If true, include aggregation_uri in status list JWTs for pre-fetching support (default: true). |
immediateUpdate |
boolean | If true, regenerate JWT immediately on status changes. If false (default), use lazy regeneration on TTL expiry. |
ttl |
number | TTL in seconds for the status list JWT. If not set, uses global STATUS_TTL. |
StatusListImportDto¶
| Name | Type | Description |
|---|---|---|
bits |
number | Bits per status value. If not provided, uses tenant or global defaults. |
capacity |
number | Capacity of the status list. If not provided, uses tenant or global defaults. |
credentialConfigurationId |
string | null | Credential configuration ID to bind this list exclusively to. Leave empty for a shared list. |
id |
string | Unique identifier for the status list |
keyChainId |
string | Key chain ID to use for signing. Leave empty to use the tenant's default StatusList key chain. |
StatusListResponseDto¶
| Name | Type | Description |
|---|---|---|
availableEntries |
number | Number of available entries |
bits |
number | Bits per status value |
capacity |
number | Total capacity of the status list |
createdAt |
string(date-time) | Creation timestamp |
credentialConfigurationId |
string | null | Credential configuration ID this list is bound to. Null means shared. |
expiresAt |
string(date-time) | null | JWT expiration timestamp. Null if JWT has not been generated yet. |
id |
string | Unique identifier for the status list |
keyChainId |
string | null | Key chain ID used for signing. Null means using the tenant's default. |
tenantId |
string | The tenant ID |
uri |
string | The public URI for this status list |
usedEntries |
number | Number of entries in use |
StatusUpdateDto¶
| Name | Type | Description |
|---|---|---|
credentialConfigurationId |
string | The ID of the credential configuration This is optional, if not provided, all credentials will be revoked of the session. |
sessionId |
string | The session ID of the user |
status |
number | The status of the credential 0 = valid, 1 = revoked, 2 = suspended |
TenantEntity¶
| Name | Type | Description |
|---|---|---|
clients |
Array<ClientEntity> | The clients associated with the tenant. |
description |
string | The description of the tenant. |
id |
string | The unique identifier for the tenant. |
name |
string | The name of the tenant. |
sessionConfig |
Session storage configuration for this tenant. Controls TTL and cleanup behavior. | |
status |
string | The current status of the tenant. |
statusListConfig |
Status list configuration for this tenant. Only affects newly created status lists. |
TokenResponse¶
| Name | Type | Description |
|---|---|---|
access_token |
string | |
expires_in |
number | |
refresh_token |
string | |
token_type |
string |
TransactionData¶
| Name | Type | Description |
|---|---|---|
credential_ids |
Array<string> | |
type |
string |
TrustedAuthorityQuery¶
| Name | Type | Description |
|---|---|---|
type |
string | |
values |
Array<string> |
TrustList¶
| Name | Type | Description |
|---|---|---|
createdAt |
string(date-time) | |
data |
The full trust list JSON (generated LoTE structure) | |
description |
string | |
entityConfig |
Array<> | The original entity configuration used to create this trust list. Stored for round-tripping when editing. |
id |
string | Unique identifier for the trust list |
jwt |
string | The signed JWT representation of this trust list |
keyChain |
KeyChainEntity | |
keyChainId |
string | |
sequenceNumber |
number | The sequence number for versioning (incremented on updates) |
tenant |
The tenant that owns this object. | |
tenantId |
string | The tenant ID for which the VP request is made. |
updatedAt |
string(date-time) |
TrustListCreateDto¶
| Name | Type | Description |
|---|---|---|
data |
The full trust list JSON (generated LoTE structure) | |
description |
string | |
entities |
Array<> | |
id |
string | |
keyChainId |
string |
TrustListEntityInfo¶
| Name | Type | Description |
|---|---|---|
contactUri |
string | |
country |
string | |
lang |
string | |
locality |
string | |
name |
string | |
postalCode |
string | |
streetAddress |
string | |
uri |
string |
TrustListVersion¶
| Name | Type | Description |
|---|---|---|
createdAt |
string(date-time) | |
data |
The full trust list JSON at this version | |
entityConfig |
The entity configuration at this version | |
id |
string | |
jwt |
string | The signed JWT at this version |
sequenceNumber |
number | The sequence number at the time this version was created |
tenantId |
string | |
trustList |
TrustList | |
trustListId |
string |
UpdateAttributeProviderDto¶
| Name | Type | Description |
|---|---|---|
auth |
||
description |
string | null | |
id |
string | |
name |
string | |
url |
string |
UpdateClientDto¶
| Name | Type | Description |
|---|---|---|
allowedIssuanceConfigs |
Array<string> | List of issuance config IDs this client can use. If empty/null, all configs are allowed. |
allowedPresentationConfigs |
Array<string> | List of presentation config IDs this client can use. If empty/null, all configs are allowed. |
description |
string | The description of the client. |
roles |
Array<string> | The roles assigned to the client. |
UpdateRegistrarConfigDto¶
| Name | Type | Description |
|---|---|---|
clientId |
string | The OIDC client ID for the registrar |
clientSecret |
string | The OIDC client secret (optional, for confidential clients) |
oidcUrl |
string(uri) | The OIDC issuer URL for authentication (e.g., Keycloak realm URL) |
password |
string | The password for OIDC login (stored in plaintext) |
registrarUrl |
string(uri) | The base URL of the registrar API |
registrationCertificateDefaults |
Optional default values merged into registration certificate creation requests (for example privacy_policy, support_uri, provided_attestations) | |
username |
string | The username for OIDC login |
UpdateSessionConfigDto¶
| Name | Type | Description |
|---|---|---|
cleanupMode |
string | Cleanup mode: 'full' deletes everything, 'anonymize' keeps metadata but removes PII. |
ttlSeconds |
number | null | Time-to-live for sessions in seconds. Set to null to use global default. |
UpdateStatusListConfigDto¶
| Name | Type | Description |
|---|---|---|
bits |
number | null | Bits per status entry. Set to null to reset to global default. |
capacity |
number | null | The capacity of the status list. Set to null to reset to global default. |
enableAggregation |
boolean | null | If true, include aggregation_uri in status list JWTs for pre-fetching support. Set to null to reset to default (true). |
immediateUpdate |
boolean | null | If true, regenerate JWT on every status change. Set to null to reset to default (false). |
ttl |
number | null | TTL in seconds for the status list JWT. Set to null to reset to global default. |
UpdateStatusListDto¶
| Name | Type | Description |
|---|---|---|
credentialConfigurationId |
string | null | Credential configuration ID to bind this list exclusively to. Set to null to make this a shared list. |
keyChainId |
string | null | Key chain ID to use for signing. Set to null to use the tenant's default StatusList key chain. |
UpdateTenantDto¶
| Name | Type | Description |
|---|---|---|
description |
string | The description of the tenant. |
name |
string | The name of the tenant. |
roles |
Array<string> | |
sessionConfig |
Session storage configuration. Controls TTL and cleanup behavior. | |
statusListConfig |
Status list configuration for this tenant. Only affects newly created status lists. |
UpdateWebhookEndpointDto¶
| Name | Type | Description |
|---|---|---|
auth |
||
description |
string | null | |
id |
string | |
name |
string | |
url |
string |
UpstreamOidcConfig¶
| Name | Type | Description |
|---|---|---|
clientId |
string | The client ID registered with the upstream provider |
clientSecret |
string | The client secret for confidential clients |
issuer |
string(uri) | The OIDC issuer URL of the upstream provider |
scopes |
Array<string> | Scopes to request from the upstream provider |
VCT¶
| Name | Type | Description |
|---|---|---|
description |
string | |
extends |
string | |
extends#integrity |
string | |
name |
string | |
schema_uri |
string | |
schema_uri#integrity |
string | |
vct |
string |
WebHookAuthConfigHeader¶
| Name | Type | Description |
|---|---|---|
config |
Configuration for API key authentication. This is required if the type is 'apiKey'. | |
type |
string | The type of authentication used for the webhook. |
WebHookAuthConfigNone¶
| Name | Type | Description |
|---|---|---|
type |
string | The type of authentication used for the webhook. |
WebhookConfig¶
| Name | Type | Description |
|---|---|---|
auth |
Optional authentication configuration for the webhook. If not provided, no authentication will be used. | |
includeRawTokensFor |
Array<string> | List of credential IDs to include raw tokens for (e.g., ['sca_credential']) |
url |
string | The URL to which the webhook will send notifications. |
WebhookEndpointEntity¶
| Name | Type | Description |
|---|---|---|
auth |
||
description |
string | null | |
id |
string | |
name |
string | |
tenant |
TenantEntity | |
tenantId |
string | |
url |
string |
Security schemes¶
| Name | Type | Scheme | Description |
|---|---|---|---|
| oauth2 | oauth2 |
More documentation¶
Documentation
For more information: https://openwallet-foundation-labs.github.io/eudiplo/latest/
Protocol API¶
EUDIPLO Protocol API main¶
Wallet-facing protocol endpoints for OID4VCI, OID4VP, and related standards. These endpoints are public and secured at the protocol level (DPoP, Wallet Attestation, etc.).
App¶
GET /¶
Main endpoint providing service info
Responses
GET /health¶
Endpoint to check the health of the service.
Responses
{
"status": "ok",
"info": {
"database": {
"status": "up"
}
},
"error": {},
"details": {
"database": {
"status": "up"
}
}
}
Schema of the response body
{
"type": "object",
"properties": {
"status": {
"type": "string",
"example": "ok"
},
"info": {
"type": "object",
"example": {
"database": {
"status": "up"
}
},
"additionalProperties": {
"type": "object",
"required": [
"status"
],
"properties": {
"status": {
"type": "string"
}
},
"additionalProperties": true
},
"nullable": true
},
"error": {
"type": "object",
"example": {},
"additionalProperties": {
"type": "object",
"required": [
"status"
],
"properties": {
"status": {
"type": "string"
}
},
"additionalProperties": true
},
"nullable": true
},
"details": {
"type": "object",
"example": {
"database": {
"status": "up"
}
},
"additionalProperties": {
"type": "object",
"required": [
"status"
],
"properties": {
"status": {
"type": "string"
}
},
"additionalProperties": true
}
}
}
}
{
"status": "error",
"info": {
"database": {
"status": "up"
}
},
"error": {
"redis": {
"status": "down",
"message": "Could not connect"
}
},
"details": {
"database": {
"status": "up"
},
"redis": {
"status": "down",
"message": "Could not connect"
}
}
}
Schema of the response body
{
"type": "object",
"properties": {
"status": {
"type": "string",
"example": "error"
},
"info": {
"type": "object",
"example": {
"database": {
"status": "up"
}
},
"additionalProperties": {
"type": "object",
"required": [
"status"
],
"properties": {
"status": {
"type": "string"
}
},
"additionalProperties": true
},
"nullable": true
},
"error": {
"type": "object",
"example": {
"redis": {
"status": "down",
"message": "Could not connect"
}
},
"additionalProperties": {
"type": "object",
"required": [
"status"
],
"properties": {
"status": {
"type": "string"
}
},
"additionalProperties": true
},
"nullable": true
},
"details": {
"type": "object",
"example": {
"database": {
"status": "up"
},
"redis": {
"status": "down",
"message": "Could not connect"
}
},
"additionalProperties": {
"type": "object",
"required": [
"status"
],
"properties": {
"status": {
"type": "string"
}
},
"additionalProperties": true
}
}
}
}
Authentication¶
POST /oauth2/token¶
OAuth2 Token endpoint - supports client credentials flow only Accepts client credentials either in Authorization header (Basic auth) or request body
Request body
Responses
GET /.well-known/oauth-authorization-server¶
OIDC Discovery Configuration
Description
Returns the OpenID Connect discovery configuration for client credentials authentication.
Responses
GET /.well-known/jwks.json¶
JSON Web Key Set
Description
Returns the JSON Web Key Set for token verification.
Responses
Issuer¶
GET /issuers/{tenantId}/status-management/status-list/{listId}¶
Get the JWT for a specific status list.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
listId |
path | string | No | ||
tenantId |
path | string | No |
Responses
GET /issuers/{tenantId}/status-management/status-list-aggregation¶
Get all status list URIs
Description
Returns a list of all status list token URIs for the tenant. This allows relying parties to pre-fetch all status lists for offline validation. See RFC draft-ietf-oauth-status-list Section 9.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
tenantId |
path | string | No |
Responses
{
"status_lists": [
"https://example.com/tenant-123/status-management/status-list/list-1",
"https://example.com/tenant-123/status-management/status-list/list-2"
]
}
Schema of the response body
{
"type": "object",
"properties": {
"status_lists": {
"description": "Array of status list token URIs",
"example": [
"https://example.com/tenant-123/status-management/status-list/list-1",
"https://example.com/tenant-123/status-management/status-list/list-2"
],
"type": "array",
"items": {
"type": "string"
}
}
},
"required": [
"status_lists"
]
}
GET /issuers/{tenantId}/trust-list/{id}¶
Returns the JWT of the trust list
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
id |
path | string | No | ||
tenantId |
path | string | No |
Responses
OID4VCI¶
POST /issuers/{tenantId}/vci/credential¶
Endpoint to issue credentials
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
tenantId |
path | string | No |
Responses
POST /issuers/{tenantId}/vci/deferred_credential¶
Deferred Credential Endpoint
According to OID4VCI Section 9, this endpoint is used by the wallet to poll for credentials that were not immediately available.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
tenantId |
path | string | No |
Request body
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
Responses
POST /issuers/{tenantId}/vci/notification¶
Notification endpoint
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
tenantId |
path | string | No |
Request body
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
Responses
POST /issuers/{tenantId}/vci/nonce¶
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
tenantId |
path | string | No |
Responses
GET /issuers/{tenantId}/authorize¶
Endpoint to handle the Authorization Request.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
auth_session |
query | string | No | ||
authorization_details |
query | No | RFC 9396 authorization details. When passed via application/x-www-form-urlencoded (PAR) the value is a JSON string; when passed inside a signed request object it can already be an array. | ||
client_id |
query | string | No | ||
code_challenge |
query | string | No | ||
code_challenge_method |
query | string | No | ||
dpop_jkt |
query | string | No | ||
issuer_state |
query | string | No | ||
redirect_uri |
query | string | No | ||
request_uri |
query | string | No | ||
resource |
query | string | No | ||
response_type |
query | string | No | ||
scope |
query | string | No | ||
state |
query | string | No | ||
tenantId |
path | string | No |
Responses
POST /issuers/{tenantId}/authorize/par¶
Endpoint to handle the Pushed Authorization Request (PAR).
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
oauth-client-attestation |
header | string | No | ||
oauth-client-attestation-pop |
header | string | No | ||
tenantId |
path | string | No |
Request body
{
"issuer_state": "string",
"response_type": "string",
"client_id": "string",
"redirect_uri": "string",
"resource": "string",
"scope": "string",
"code_challenge": "string",
"code_challenge_method": "string",
"dpop_jkt": "string",
"request_uri": "string",
"auth_session": "string",
"state": "string",
"authorization_details": {}
}
Schema of the request body
{
"type": "object",
"properties": {
"issuer_state": {
"type": "string"
},
"response_type": {
"type": "string"
},
"client_id": {
"type": "string"
},
"redirect_uri": {
"type": "string"
},
"resource": {
"type": "string"
},
"scope": {
"type": "string"
},
"code_challenge": {
"type": "string"
},
"code_challenge_method": {
"type": "string"
},
"dpop_jkt": {
"type": "string"
},
"request_uri": {
"type": "string"
},
"auth_session": {
"type": "string"
},
"state": {
"type": "string"
},
"authorization_details": {
"type": "object",
"description": "RFC 9396 authorization details. When passed via\napplication/x-www-form-urlencoded (PAR) the value is a JSON string; when\npassed inside a signed request object it can already be an array."
}
}
}
Responses
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
Schema of the response body
POST /issuers/{tenantId}/authorize/token¶
Endpoint to validate the token request. This endpoint is used to exchange the authorization code for an access token.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
tenantId |
path | string | No |
Responses
POST /issuers/{tenantId}/authorize/challenge¶
Client Attestation Challenge Endpoint. Returns a nonce for inclusion in the Client Attestation PoP JWT.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
tenantId |
path | string | No |
Responses
POST /issuers/{tenantId}/authorize/interactive¶
Interactive Authorization Endpoint
Description
Handles interactive authorization requests during credential issuance.
Initial Request:
- Contains interaction_types_supported (e.g., "openid4vp_presentation,redirect_to_web")
- Response will indicate required interaction (OpenID4VP presentation or web redirect)
Follow-up Request:
- Contains auth_session from previous response
- Contains openid4vp_response (for presentation flow) or code_verifier (for web flow)
- Response will contain authorization code on success
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
origin |
header | string | No | ||
tenantId |
path | string | No |
Request body
{
"response_type": "string",
"client_id": "string",
"interaction_types_supported": "string",
"redirect_uri": "string",
"scope": "string",
"code_challenge": "string",
"code_challenge_method": "string",
"authorization_details": {},
"state": "string",
"issuer_state": "string",
"auth_session": "string",
"openid4vp_response": "string",
"code_verifier": "string",
"request": "string",
"request_uri": "string"
}
Schema of the request body
{
"type": "object",
"properties": {
"response_type": {
"type": "string",
"description": "Response type (for initial request)"
},
"client_id": {
"type": "string",
"description": "Client identifier (for initial request)"
},
"interaction_types_supported": {
"type": "string",
"description": "Comma-separated list of supported interaction types (for initial request)"
},
"redirect_uri": {
"type": "string",
"description": "Redirect URI (for initial request)"
},
"scope": {
"type": "string",
"description": "OAuth scope"
},
"code_challenge": {
"type": "string",
"description": "PKCE code challenge"
},
"code_challenge_method": {
"type": "string",
"description": "PKCE code challenge method"
},
"authorization_details": {
"type": "object",
"description": "Authorization details"
},
"state": {
"type": "string",
"description": "State parameter"
},
"issuer_state": {
"type": "string",
"description": "Issuer state from credential offer"
},
"auth_session": {
"type": "string",
"description": "Auth session identifier (for follow-up request)"
},
"openid4vp_response": {
"type": "string",
"description": "OpenID4VP response (for follow-up request)"
},
"code_verifier": {
"type": "string",
"description": "PKCE code verifier (for follow-up request)"
},
"request": {
"type": "string",
"description": "JAR request JWT (by value)"
},
"request_uri": {
"type": "string",
"description": "JAR request URI (by reference)"
}
}
}
Responses
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
{
"error": "invalid_request",
"error_description": "Missing required parameter: interaction_types_supported"
}
Schema of the response body
{
"type": "object",
"properties": {
"error": {
"type": "string",
"description": "OAuth error code",
"example": "invalid_request"
},
"error_description": {
"type": "string",
"description": "Human-readable error description",
"example": "Missing required parameter: interaction_types_supported"
}
},
"required": [
"error"
]
}
POST /issuers/{tenantId}/authorize/interactive/complete-web-auth/{authSession}¶
Complete web authorization
Description
Mark a web authorization session as completed after user interaction
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
authSession |
path | string | No | ||
tenantId |
path | string | No |
Responses
GET /issuers/{tenantId}/credentials-metadata/vct/{id}¶
Retrieves the VCT (Verifiable Credential Type) from the credentials service.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
id |
path | string | No | ||
tenantId |
path | string | No |
Responses
{
"vct": "string",
"name": "string",
"description": "string",
"extends": "string",
"extends#integrity": "string",
"schema_uri": "string",
"schema_uri#integrity": "string"
}
Schema of the response body
GET /.well-known/openid-credential-issuer/issuers/{tenantId}¶
Get OpenID4VCI issuer metadata
Description
Returns the OpenID4VCI issuer metadata.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
tenantId |
path | string | No |
Responses
GET /.well-known/oauth-authorization-server/issuers/{tenantId}¶
Authorization Server Metadata
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
tenantId |
path | string | No |
Responses
GET /.well-known/oauth-authorization-server/issuers/{tenantId}/chained-as¶
Chained Authorization Server Metadata (RFC 8414 alternative path format).
Supports discovery via /.well-known/oauth-authorization-server/:tenantId/chained-as
for wallets that construct the discovery URL per RFC 8414.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
tenantId |
path | string | No |
Responses
GET /.well-known/jwks.json/issuers/{tenantId}¶
Returns the JSON Web Key Set (JWKS) for the authorization server.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
tenantId |
path | string | No |
Responses
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
GET /.well-known/jwks.json/issuers/{tenantId}/chained-as¶
Returns the JSON Web Key Set (JWKS) for the Chained Authorization Server.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
tenantId |
path | string | No |
Responses
Chained AS¶
POST /issuers/{tenantId}/chained-as/par¶
Pushed Authorization Request
Description
Submit authorization request parameters. Returns a request_uri for use at the authorization endpoint.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
dpop |
header | string | No | ||
DPoP |
header | string | No | DPoP proof JWT | |
oauth-client-attestation |
header | string | No | ||
OAuth-Client-Attestation |
header | string | No | Wallet attestation JWT | |
oauth-client-attestation-pop |
header | string | No | ||
OAuth-Client-Attestation-PoP |
header | string | No | Wallet attestation proof-of-possession JWT | |
tenantId |
path | string | No | Tenant identifier |
Responses
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
Schema of the response body
{
"type": "object",
"properties": {
"request_uri": {
"type": "string",
"description": "The request URI to use at the authorization endpoint",
"example": "urn:ietf:params:oauth:request_uri:abc123"
},
"expires_in": {
"type": "number",
"description": "The lifetime of the request URI in seconds",
"example": 600
}
},
"required": [
"request_uri",
"expires_in"
]
}
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
GET /issuers/{tenantId}/chained-as/authorize¶
Authorization endpoint
Description
Validates the request_uri from PAR and redirects to the upstream OIDC provider for authentication.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
client_id |
query | string | No | Client identifier | |
request_uri |
query | string | No | Request URI from PAR response | |
tenantId |
path | string | No | Tenant identifier |
Responses
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
GET /issuers/{tenantId}/chained-as/callback¶
Upstream OIDC callback
Description
Receives the authorization response from the upstream OIDC provider, exchanges the code, and redirects back to the wallet.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
code |
query | string | No | ||
error |
query | string | No | ||
error_description |
query | string | No | ||
state |
query | string | No | ||
tenantId |
path | string | No | Tenant identifier |
Responses
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
POST /issuers/{tenantId}/chained-as/token¶
Token endpoint
Description
Exchanges the authorization code for an access token containing issuer_state.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
dpop |
header | string | No | ||
DPoP |
header | string | No | DPoP proof JWT | |
tenantId |
path | string | No | Tenant identifier |
Request body
{
"grant_type": "authorization_code",
"code": "string",
"refresh_token": "string",
"client_id": "string",
"redirect_uri": "string",
"code_verifier": "string"
}
Schema of the request body
{
"type": "object",
"properties": {
"grant_type": {
"type": "string",
"description": "Grant type ('authorization_code' or 'refresh_token')",
"example": "authorization_code"
},
"code": {
"type": "string",
"description": "Authorization code received in the callback (authorization_code grant)"
},
"refresh_token": {
"type": "string",
"description": "Refresh token (refresh_token grant)"
},
"client_id": {
"type": "string",
"description": "Client identifier"
},
"redirect_uri": {
"type": "string",
"description": "Redirect URI (must match the one used in PAR)"
},
"code_verifier": {
"type": "string",
"description": "PKCE code verifier"
}
},
"required": [
"grant_type"
]
}
Responses
{
"access_token": "string",
"token_type": "DPoP",
"expires_in": 3600,
"scope": "string",
"authorization_details": [
{}
],
"c_nonce": "string",
"c_nonce_expires_in": 10.12,
"refresh_token": "string"
}
Schema of the response body
{
"type": "object",
"properties": {
"access_token": {
"type": "string",
"description": "The access token"
},
"token_type": {
"type": "string",
"description": "Token type (Bearer or DPoP)",
"example": "DPoP"
},
"expires_in": {
"type": "number",
"description": "Token lifetime in seconds",
"example": 3600
},
"scope": {
"type": "string",
"description": "Scope granted"
},
"authorization_details": {
"description": "Authorized credential configurations",
"type": "array",
"items": {
"type": "object"
}
},
"c_nonce": {
"type": "string",
"description": "C_NONCE for credential request"
},
"c_nonce_expires_in": {
"type": "number",
"description": "C_NONCE lifetime in seconds"
},
"refresh_token": {
"type": "string",
"description": "Refresh token (issued when refresh tokens are enabled)"
}
},
"required": [
"access_token",
"token_type",
"expires_in"
]
}
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
⚠️ This example has been generated automatically from the schema and it is not accurate. Refer to the schema for more information.
OID4VP¶
GET /presentations/{sessionId}/oid4vp/request¶
Returns the authorization request for a given requestId and session. Returns the cached request JWT if available, otherwise generates a new one. Per OID4VP spec section 5.10.1: Response MUST use Content-Type: application/oauth-authz-req+jwt
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
sessionId |
path | string | No |
Responses
POST /presentations/{sessionId}/oid4vp/request¶
Returns the authorization request for a given requestId and session. Returns the cached request JWT if available, otherwise generates a new one. Per OID4VP spec section 5.10.1: Response MUST use Content-Type: application/oauth-authz-req+jwt
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
sessionId |
path | string | No |
Responses
GET /presentations/{sessionId}/oid4vp/request/no-redirect¶
Returns the authorization request for a given requestId and session, but does not redirect in the end. Returns the cached request JWT if available, otherwise generates a new one. Per OID4VP spec section 5.10.1: Response MUST use Content-Type: application/oauth-authz-req+jwt
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
sessionId |
path | string | No |
Responses
POST /presentations/{sessionId}/oid4vp¶
Endpoint to receive the response from the wallet.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
sessionId |
path | string | No |
Request body
{
"response": "string",
"sendResponse": true,
"error": "string",
"error_description": "string",
"error_uri": "string",
"state": "string"
}
Schema of the request body
{
"type": "object",
"properties": {
"response": {
"type": "string",
"description": "The response string containing the authorization details (JWE-encrypted VP token).\nRequired for success responses, absent for error responses."
},
"sendResponse": {
"type": "boolean",
"description": "When set to true, the authorization response will be sent to the client."
},
"error": {
"type": "string"
},
"error_description": {
"type": "string",
"description": "Human-readable description of the error."
},
"error_uri": {
"type": "string",
"description": "URI with additional information about the error."
},
"state": {
"type": "string",
"description": "State value from the authorization request (for correlation)."
}
}
}
Responses
Storage¶
GET /storage/{key}¶
Get a file and stream it
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
key |
path | string | No |
Responses
Schemas¶
AllowListPolicy¶
| Name | Type | Description |
|---|---|---|
policy |
string | |
values |
Array<string> |
ApiKeyConfig¶
| Name | Type | Description |
|---|---|---|
headerName |
string | The name of the header where the API key will be sent. |
value |
string | The value of the API key to be sent in the header. |
AttestationBasedPolicy¶
| Name | Type | Description |
|---|---|---|
policy |
string | |
values |
Array<PolicyCredential> |
AttributeProviderEntity¶
| Name | Type | Description |
|---|---|---|
auth |
||
description |
string | null | |
id |
string | |
name |
string | |
tenant |
TenantEntity | |
tenantId |
string | |
url |
string |
AuthenticationMethodAuth¶
| Name | Type | Description |
|---|---|---|
config |
AuthenticationUrlConfig | |
method |
string |
AuthenticationMethodNone¶
| Name | Type | Description |
|---|---|---|
method |
string |
AuthenticationMethodPresentation¶
| Name | Type | Description |
|---|---|---|
config |
PresentationDuringIssuanceConfig | |
method |
string |
AuthenticationUrlConfig¶
| Name | Type | Description |
|---|---|---|
url |
string | The URL used in the OID4VCI authorized code flow. This URL is where users will be redirected for authentication. |
webhook |
Optional webhook configuration for authentication callbacks |
AuthorizationResponse¶
| Name | Type | Description |
|---|---|---|
error |
string | |
error_description |
string | Human-readable description of the error. |
error_uri |
string | URI with additional information about the error. |
response |
string | The response string containing the authorization details (JWE-encrypted VP token). Required for success responses, absent for error responses. |
sendResponse |
boolean | When set to true, the authorization response will be sent to the client. |
state |
string | State value from the authorization request (for correlation). |
AuthorizeQueries¶
| Name | Type | Description |
|---|---|---|
auth_session |
string | |
authorization_details |
RFC 9396 authorization details. When passed via application/x-www-form-urlencoded (PAR) the value is a JSON string; when passed inside a signed request object it can already be an array. | |
client_id |
string | |
code_challenge |
string | |
code_challenge_method |
string | |
dpop_jkt |
string | |
issuer_state |
string | |
redirect_uri |
string | |
request_uri |
string | |
resource |
string | |
response_type |
string | |
scope |
string | |
state |
string |
CertificateInfoDto¶
| Name | Type | Description |
|---|---|---|
issuer |
string | Certificate issuer (CN). |
notAfter |
string(date-time) | Certificate not after date. |
notBefore |
string(date-time) | Certificate not before date. |
pem |
string | Certificate in PEM format. |
serialNumber |
string | Serial number. |
subject |
string | Certificate subject (CN). |
ChainedAsConfig¶
| Name | Type | Description |
|---|---|---|
enabled |
boolean | Enable chained AS mode |
requireDPoP |
boolean | Require DPoP binding for tokens |
token |
Token configuration | |
upstream |
Upstream OIDC provider configuration |
ChainedAsErrorResponseDto¶
| Name | Type | Description |
|---|---|---|
error |
string | Error code |
error_description |
string | Human-readable error description |
ChainedAsParResponseDto¶
| Name | Type | Description |
|---|---|---|
expires_in |
number | The lifetime of the request URI in seconds |
request_uri |
string | The request URI to use at the authorization endpoint |
ChainedAsTokenConfig¶
| Name | Type | Description |
|---|---|---|
lifetimeSeconds |
number | Access token lifetime in seconds |
signingKeyId |
string | Key ID for token signing |
ChainedAsTokenRequestDto¶
| Name | Type | Description |
|---|---|---|
client_id |
string | Client identifier |
code |
string | Authorization code received in the callback (authorization_code grant) |
code_verifier |
string | PKCE code verifier |
grant_type |
string | Grant type ('authorization_code' or 'refresh_token') |
redirect_uri |
string | Redirect URI (must match the one used in PAR) |
refresh_token |
string | Refresh token (refresh_token grant) |
ChainedAsTokenResponseDto¶
| Name | Type | Description |
|---|---|---|
access_token |
string | The access token |
authorization_details |
Array<> | Authorized credential configurations |
c_nonce |
string | C_NONCE for credential request |
c_nonce_expires_in |
number | C_NONCE lifetime in seconds |
expires_in |
number | Token lifetime in seconds |
refresh_token |
string | Refresh token (issued when refresh tokens are enabled) |
scope |
string | Scope granted |
token_type |
string | Token type (Bearer or DPoP) |
ClaimDisplayInfo¶
| Name | Type | Description |
|---|---|---|
locale |
string | Locale identifier (e.g., en-US, de-DE) |
name |
string | Human-readable name for the claim |
ClaimMetadata¶
| Name | Type | Description |
|---|---|---|
display |
Array<ClaimDisplayInfo> | Display information for the claim in different locales |
mandatory |
boolean | Whether this claim must be disclosed |
path |
Array<string> | Path to the claim. For SD-JWT: JSONPath-like array. For mDOC: [namespace, claim_name] |
ClaimsQuery¶
| Name | Type | Description |
|---|---|---|
id |
string | |
path |
Array<string> | |
values |
Array<string> |
ClientCredentialsDto¶
| Name | Type | Description |
|---|---|---|
client_id |
string | |
client_secret |
string | |
grant_type |
string |
ClientEntity¶
| Name | Type | Description |
|---|---|---|
allowedIssuanceConfigs |
Array<string> | List of issuance config IDs this client can use. If empty/null, all configs are allowed. |
allowedPresentationConfigs |
Array<string> | List of presentation config IDs this client can use. If empty/null, all configs are allowed. |
clientId |
string | The unique identifier for the client. |
description |
string | The description of the client. |
roles |
Array<string> | The roles assigned to the client. |
secret |
string | The secret key for the client. |
tenant |
The tenant that the client belongs to. | |
tenantId |
string | The unique identifier for the tenant that the client belongs to. Only null for accounts that manage tenants, that do not belong to a client |
ClientSecretResponseDto¶
| Name | Type | Description |
|---|---|---|
secret |
string |
CompleteDeferredDto¶
| Name | Type | Description |
|---|---|---|
claims |
Example: {'given_name': 'John', 'family_name': 'Doe', 'birthdate': '1990-01-15'} |
Claims to include in the credential. The structure should match the credential configuration's expected claims. |
CreateAccessCertificateDto¶
| Name | Type | Description |
|---|---|---|
keyId |
string | The ID of the key to create an access certificate for |
CreateAttributeProviderDto¶
| Name | Type | Description |
|---|---|---|
auth |
||
description |
string | null | |
id |
string | |
name |
string | |
url |
string |
CreateClientDto¶
| Name | Type | Description |
|---|---|---|
allowedIssuanceConfigs |
Array<string> | List of issuance config IDs this client can use. If empty/null, all configs are allowed. |
allowedPresentationConfigs |
Array<string> | List of presentation config IDs this client can use. If empty/null, all configs are allowed. |
clientId |
string | The unique identifier for the client. |
description |
string | The description of the client. |
roles |
Array<string> | The roles assigned to the client. |
secret |
string | The secret key for the client. |
CreateRegistrarConfigDto¶
| Name | Type | Description |
|---|---|---|
clientId |
string | The OIDC client ID for the registrar |
clientSecret |
string | The OIDC client secret (optional, for confidential clients) |
oidcUrl |
string(uri) | The OIDC issuer URL for authentication (e.g., Keycloak realm URL) |
password |
string | The password for OIDC login (stored in plaintext) |
registrarUrl |
string(uri) | The base URL of the registrar API |
registrationCertificateDefaults |
Optional default values merged into registration certificate creation requests (for example privacy_policy, support_uri, provided_attestations) | |
username |
string | The username for OIDC login |
CreateStatusListDto¶
| Name | Type | Description |
|---|---|---|
bits |
number | Bits per status value. More bits allow more status states. Defaults to tenant configuration. |
capacity |
number | Maximum number of credential status entries. Defaults to tenant configuration. |
credentialConfigurationId |
string | Credential configuration ID to bind this list exclusively to. Leave empty for a shared list. |
keyChainId |
string | Key chain ID to use for signing. Leave empty to use the tenant's default StatusList key chain. |
CreateTenantDto¶
| Name | Type | Description |
|---|---|---|
description |
string | The description of the tenant. |
id |
string | The unique identifier for the tenant. |
name |
string | The name of the tenant. |
roles |
Array<string> | |
sessionConfig |
Session storage configuration. Controls TTL and cleanup behavior. | |
statusListConfig |
Status list configuration for this tenant. Only affects newly created status lists. |
CreateWebhookEndpointDto¶
| Name | Type | Description |
|---|---|---|
auth |
||
description |
string | null | |
id |
string | |
name |
string | |
url |
string |
CredentialConfig¶
| Name | Type | Description |
|---|---|---|
attributeProvider |
AttributeProviderEntity | |
attributeProviderId |
string | null | Reference to the attribute provider used for fetching claims. Optional: if set, claims will be fetched from this provider during issuance. |
claims |
||
config |
IssuerMetadataCredentialConfig | |
description |
string | null | |
disclosureFrame |
||
embeddedDisclosurePolicy |
Embedded disclosure policy (discriminated union by `policy`). The discriminator makes class-transformer instantiate the right subclass, and then class-validator runs that subclass’s rules. | |
iaeActions |
Array<> | List of IAE actions to execute before credential issuance |
id |
string | |
keyBinding |
boolean | |
keyChain |
KeyChainEntity | |
keyChainId |
string | Reference to the key chain used for signing. Optional: if not specified, the default attestation key chain will be used. |
lifeTime |
number | |
schema |
||
statusManagement |
boolean | |
tenant |
The tenant that owns this object. | |
vct |
VCT as a URI string (e.g., urn:eudi:pid:de:1) or as an object for EUDIPLO-hosted VCT | |
webhookEndpoint |
WebhookEndpointEntity | |
webhookEndpointId |
string | null | Reference to the webhook endpoint used for notifications. Optional: if set, notifications will be sent to this endpoint. |
CredentialConfigCreate¶
| Name | Type | Description |
|---|---|---|
attributeProviderId |
string | null | Reference to the attribute provider used for fetching claims. Optional: if set, claims will be fetched from this provider during issuance. |
claims |
||
config |
IssuerMetadataCredentialConfig | |
description |
string | null | |
disclosureFrame |
||
embeddedDisclosurePolicy |
Embedded disclosure policy (discriminated union by `policy`). The discriminator makes class-transformer instantiate the right subclass, and then class-validator runs that subclass’s rules. | |
iaeActions |
Array<> | List of IAE actions to execute before credential issuance |
id |
string | |
keyBinding |
boolean | |
keyChainId |
string | Reference to the key chain used for signing. Optional: if not specified, the default attestation key chain will be used. |
lifeTime |
number | |
schema |
||
statusManagement |
boolean | |
vct |
VCT as a URI string (e.g., urn:eudi:pid:de:1) or as an object for EUDIPLO-hosted VCT | |
webhookEndpointId |
string | null | Reference to the webhook endpoint used for notifications. Optional: if set, notifications will be sent to this endpoint. |
CredentialConfigUpdate¶
| Name | Type | Description |
|---|---|---|
attributeProviderId |
string | null | Reference to the attribute provider used for fetching claims. Optional: if set, claims will be fetched from this provider during issuance. |
claims |
||
config |
IssuerMetadataCredentialConfig | |
description |
string | null | |
disclosureFrame |
||
embeddedDisclosurePolicy |
Embedded disclosure policy (discriminated union by `policy`). The discriminator makes class-transformer instantiate the right subclass, and then class-validator runs that subclass’s rules. | |
iaeActions |
Array<> | List of IAE actions to execute before credential issuance |
id |
string | |
keyBinding |
boolean | |
keyChainId |
string | Reference to the key chain used for signing. Optional: if not specified, the default attestation key chain will be used. |
lifeTime |
number | |
schema |
||
statusManagement |
boolean | |
vct |
VCT as a URI string (e.g., urn:eudi:pid:de:1) or as an object for EUDIPLO-hosted VCT | |
webhookEndpointId |
string | null | Reference to the webhook endpoint used for notifications. Optional: if set, notifications will be sent to this endpoint. |
CredentialQuery¶
| Name | Type | Description |
|---|---|---|
claims |
Array<ClaimsQuery> | |
format |
string | |
id |
string | |
meta |
||
multiple |
boolean | |
trusted_authorities |
Array<TrustedAuthorityQuery> |
CredentialSetQuery¶
| Name | Type | Description |
|---|---|---|
options |
Array<Array<string>> | |
required |
boolean |
DCQL¶
| Name | Type | Description |
|---|---|---|
credential_sets |
Array<CredentialSetQuery> | |
credentials |
Array<CredentialQuery> |
DeferredCredentialRequestDto¶
| Name | Type | Description |
|---|---|---|
transaction_id |
string | The transaction identifier previously returned by the Credential Endpoint |
DeferredOperationResponse¶
| Name | Type | Description |
|---|---|---|
message |
string | Optional message |
status |
string | The new status of the transaction |
transactionId |
string | The transaction ID |
Display¶
| Name | Type | Description |
|---|---|---|
background_color |
string | |
background_image |
DisplayImage | |
description |
string | |
locale |
string | |
logo |
DisplayImage | |
name |
string | |
text_color |
string |
DisplayImage¶
| Name | Type | Description |
|---|---|---|
uri |
string |
DisplayInfo¶
| Name | Type | Description |
|---|---|---|
locale |
string | |
logo |
DisplayLogo | |
name |
string |
DisplayLogo¶
| Name | Type | Description |
|---|---|---|
alt_text |
string | |
uri |
string |
EC_Public¶
| Name | Type | Description |
|---|---|---|
crv |
string | The algorithm intended for use with the key, such as 'ES256'. |
kty |
string | The key type, which is always 'EC' for Elliptic Curve keys. |
x |
string | The x coordinate of the EC public key. |
y |
string | The y coordinate of the EC public key. |
EcJwk¶
| Name | Type | Description |
|---|---|---|
alg |
string | |
crv |
string | |
d |
string | |
kid |
string | |
kty |
string | |
x |
string | |
y |
string |
EmbeddedDisclosurePolicy¶
| Name | Type | Description |
|---|---|---|
policy |
string |
ExportEcJwk¶
| Name | Type | Description |
|---|---|---|
alg |
string | Algorithm |
crv |
string | Curve |
d |
string | Private key (base64url) |
kid |
string | Key ID |
kty |
string | Key type |
x |
string | X coordinate (base64url) |
y |
string | Y coordinate (base64url) |
ExportRotationPolicyDto¶
| Name | Type | Description |
|---|---|---|
certValidityDays |
number | Certificate validity in days. |
enabled |
boolean | Whether rotation is enabled. |
intervalDays |
number | Rotation interval in days. |
ExternalTrustListEntity¶
| Name | Type | Description |
|---|---|---|
info |
TrustListEntityInfo | |
issuerCertPem |
string | |
revocationCertPem |
string | |
type |
string |
FailDeferredDto¶
| Name | Type | Description |
|---|---|---|
error |
string | Optional error message explaining why the issuance failed |
FileUploadDto¶
| Name | Type | Description |
|---|---|---|
file |
string(binary) |
FrontendConfigResponseDto¶
| Name | Type | Description |
|---|---|---|
grafana |
Grafana observability configuration |
GrafanaConfigDto¶
| Name | Type | Description |
|---|---|---|
lokiUid |
string | UID of the Loki data source in Grafana |
tempoUid |
string | UID of the Tempo data source in Grafana |
url |
string | Base URL of the Grafana instance |
IaeActionOpenid4vpPresentation¶
| Name | Type | Description |
|---|---|---|
label |
string | Optional label for this step (for display purposes) |
presentationConfigId |
string | ID of the presentation configuration to use for this step |
type |
string | Action type discriminator |
IaeActionRedirectToWeb¶
| Name | Type | Description |
|---|---|---|
callbackUrl |
string(uri) | URL where the external service should redirect back after completion. If not provided, the service must call back to the IAE endpoint. |
description |
string | Description of what the user should do on the web page (for wallet display) |
label |
string | Optional label for this step (for display purposes) |
type |
string | Action type discriminator |
url |
string(uri) | URL to redirect the user to for web-based interaction |
ImportTenantDto¶
| Name | Type | Description |
|---|---|---|
description |
string | The description of the tenant. |
name |
string | The name of the tenant. |
InteractiveAuthorizationCodeResponseDto¶
| Name | Type | Description |
|---|---|---|
code |
string | Authorization code |
status |
string | Response status |
InteractiveAuthorizationErrorResponseDto¶
| Name | Type | Description |
|---|---|---|
error |
string | OAuth error code |
error_description |
string | Human-readable error description |
InteractiveAuthorizationRequestDto¶
| Name | Type | Description |
|---|---|---|
auth_session |
string | Auth session identifier (for follow-up request) |
authorization_details |
Authorization details | |
client_id |
string | Client identifier (for initial request) |
code_challenge |
string | PKCE code challenge |
code_challenge_method |
string | PKCE code challenge method |
code_verifier |
string | PKCE code verifier (for follow-up request) |
interaction_types_supported |
string | Comma-separated list of supported interaction types (for initial request) |
issuer_state |
string | Issuer state from credential offer |
openid4vp_response |
string | OpenID4VP response (for follow-up request) |
redirect_uri |
string | Redirect URI (for initial request) |
request |
string | JAR request JWT (by value) |
request_uri |
string | JAR request URI (by reference) |
response_type |
string | Response type (for initial request) |
scope |
string | OAuth scope |
state |
string | State parameter |
InternalTrustListEntity¶
| Name | Type | Description |
|---|---|---|
info |
TrustListEntityInfo | |
issuerKeyChainId |
string | |
revocationKeyChainId |
string | |
type |
string |
IssuanceConfig¶
| Name | Type | Description |
|---|---|---|
authServers |
Array<string> | Authentication server URL for the issuance process. |
batchSize |
number | Value to determine the amount of credentials that are issued in a batch. Default is 1. |
chainedAs |
Configuration for Chained Authorization Server mode. When enabled, EUDIPLO acts as an OAuth AS facade, delegating user authentication to an upstream OIDC provider while issuing its own tokens with issuer_state. | |
createdAt |
string(date-time) | The timestamp when the VP request was created. |
credentialResponseEncryption |
boolean | Whether `credential_response_encryption` should be advertised in the credential issuer metadata. |
display |
Array<DisplayInfo> | |
dPopRequired |
boolean | Indicates whether DPoP is required for the issuance process. Default value is true. |
preferredAuthServer |
string | The URL of the preferred authorization server for wallet-initiated flows. When set, this AS is placed first in the `authorization_servers` array of the credential issuer metadata, signaling wallets to use it by default. Must match one of the configured auth servers, the chained AS URL, or "built-in". |
refreshTokenEnabled |
boolean | Whether refresh tokens should be issued for OID4VCI token responses. |
refreshTokenExpiresInSeconds |
number | null | Refresh token lifetime in seconds. Defaults to 2592000 (30 days). |
signingKeyId |
string | Key ID for signing access tokens. If unset, the default signing key is used. |
tenant |
The tenant that owns this object. | |
updatedAt |
string(date-time) | The timestamp when the VP request was last updated. |
walletAttestationRequired |
boolean | Indicates whether wallet attestation is required for the token endpoint. When enabled, wallets must provide OAuth-Client-Attestation headers. Default value is false. |
walletProviderTrustLists |
Array<string> | URLs of trust lists containing trusted wallet providers. The wallet attestation's X.509 certificate will be validated against these trust lists. If empty and walletAttestationRequired is true, all wallet providers are rejected. |
IssuanceDto¶
| Name | Type | Description |
|---|---|---|
authServers |
Array<string> | Authentication server URL for the issuance process. |
batchSize |
number | Value to determine the amount of credentials that are issued in a batch. Default is 1. |
chainedAs |
Configuration for Chained Authorization Server mode. When enabled, EUDIPLO acts as an OAuth AS facade, delegating user authentication to an upstream OIDC provider while issuing its own tokens with issuer_state. | |
credentialResponseEncryption |
boolean | Whether `credential_response_encryption` should be advertised in the credential issuer metadata. |
display |
Array<DisplayInfo> | |
dPopRequired |
boolean | Indicates whether DPoP is required for the issuance process. Default value is true. |
preferredAuthServer |
string | The URL of the preferred authorization server for wallet-initiated flows. When set, this AS is placed first in the `authorization_servers` array of the credential issuer metadata, signaling wallets to use it by default. Must match one of the configured auth servers, the chained AS URL, or "built-in". |
refreshTokenEnabled |
boolean | Whether refresh tokens should be issued for OID4VCI token responses. |
refreshTokenExpiresInSeconds |
number | null | Refresh token lifetime in seconds. Defaults to 2592000 (30 days). |
signingKeyId |
string | Key ID for signing access tokens. If unset, the default signing key is used. |
walletAttestationRequired |
boolean | Indicates whether wallet attestation is required for the token endpoint. When enabled, wallets must provide OAuth-Client-Attestation headers. Default value is false. |
walletProviderTrustLists |
Array<string> | URLs of trust lists containing trusted wallet providers. The wallet attestation's X.509 certificate will be validated against these trust lists. If empty and walletAttestationRequired is true, all wallet providers are rejected. |
IssuerMetadataCredentialConfig¶
| Name | Type | Description |
|---|---|---|
claimsByNamespace |
Claims organized by namespace for mDOC credentials. Allows specifying claims across multiple namespaces. Only applicable when format is "mso_mdoc". Example: { "org.iso.18013.5.1": { "given_name": "John", "family_name": "Doe" }, "org.iso.18013.5.1.aamva": { "DHS_compliance": "F" } } | |
claimsMetadata |
Array<ClaimMetadata> | Claims metadata for wallet rendering. Follows the OID4VCI credential_metadata.claims specification. Each claim includes a path (JSONPath-like array), optional mandatory flag, and display information with multi-language support. Example: [ { "path": ["given_name"], "mandatory": false, "display": [{ "name": "Given Name", "locale": "en-US" }] }, { "path": ["address", "street_address"], "display": [{ "name": "Street Address", "locale": "en-US" }] } ] |
display |
Array<Display> | |
docType |
string | Document type for mDOC credentials (e.g., "org.iso.18013.5.1.mDL"). Only applicable when format is "mso_mdoc". |
format |
string | |
keyAttestationsRequired |
Key attestation requirements for JWT proofs for this credential. When set, this is published in proof_types_supported.jwt.key_attestations_required for this specific credential configuration. | |
namespace |
string | Namespace for mDOC credentials (e.g., "org.iso.18013.5.1"). Only applicable when format is "mso_mdoc". Used when claims are provided as a flat object. |
scope |
string |
JwksResponseDto¶
| Name | Type | Description |
|---|---|---|
keys |
Array<EC_Public> | An array of EC public keys in JWK format. |
KeyAttestationsRequired¶
| Name | Type | Description |
|---|---|---|
key_storage |
Array<string> | List of required key storage types (e.g., iso_18045_high, iso_18045_moderate) |
user_authentication |
Array<string> | List of required user authentication types (e.g., iso_18045_high, iso_18045_moderate) |
KeyChainCreateDto¶
| Name | Type | Description |
|---|---|---|
description |
string | Human-readable description for the key chain. |
kmsProvider |
string | KMS provider to use (defaults to the configured default provider). |
rotationPolicy |
Rotation policy configuration. Only applicable for the signing key (root CA never rotates). | |
type |
string | Type of key chain to create. |
usageType |
string | Usage type determines the purpose of this key chain (access, attestation, etc.). |
KeyChainEntity¶
| Name | Type | Description |
|---|---|---|
activeCertificate |
string | Certificate for the active signing key in PEM format. Either CA-signed (if rootKey exists) or self-signed. |
activeKey |
||
certValidityDays |
number | Certificate validity in days when generating new certificates. |
createdAt |
string(date-time) | |
description |
string | Human-readable description of the key chain. |
externalKeyId |
string | External key identifier for cloud KMS providers. This field stores the provider-specific key reference for the active signing key. |
id |
string | Unique identifier for the key chain. This is the ID referenced by other entities (e.g., issuance config's signingKeyId). |
kmsProvider |
string | The KMS provider used for this key chain. References a configured KMS provider name. |
lastRotatedAt |
string(date-time) | Timestamp of when the key was last rotated. |
previousCertificate |
string | Certificate for the previous signing key in PEM format. |
previousKey |
||
previousKeyExpiry |
string(date-time) | Expiry date for the previous key. After this date, the previous key should be deleted. |
rootCertificate |
string | Root CA certificate in PEM format. Self-signed certificate for the root CA key. |
rootKey |
||
rotationEnabled |
boolean | |
rotationIntervalDays |
number | Rotation interval in days. Key material will be rotated after this many days. |
tenant |
The tenant that owns this key chain. | |
tenantId |
string | Tenant ID for the key chain. |
updatedAt |
string(date-time) | The timestamp when the key chain was last updated. |
usage |
string | The usage type of the keys (sign or encrypt). |
usageType |
string | The purpose/role of this key chain in the system. |
KeyChainExportDto¶
| Name | Type | Description |
|---|---|---|
crt |
Array<string> | Certificate chain in PEM format (leaf first, then intermediates/CA). |
description |
string | Human-readable description. |
id |
string | Key chain ID. |
key |
The private key in JWK format (EC). | |
kmsProvider |
string | KMS provider name. |
rotationPolicy |
Rotation policy. | |
usageType |
string | Usage type for this key chain. |
KeyChainImportDto¶
| Name | Type | Description |
|---|---|---|
crt |
Array<string> | Certificate chain in PEM format (leaf first, then intermediates/CA). |
description |
string | Human-readable description. |
id |
string | ID for the key chain. If not provided, a new UUID will be generated. |
key |
The private key in JWK format. | |
kmsProvider |
string | KMS provider to use. Defaults to 'db'. |
rotationPolicy |
Rotation policy. When enabled, the imported key becomes a root CA and a new leaf key is generated. | |
usageType |
string | Usage type for this key chain. |
KeyChainResponseDto¶
| Name | Type | Description |
|---|---|---|
activeCertificate |
Active signing key's certificate. Not present for encryption keys. | |
activePublicKey |
Active signing key's public key info. | |
createdAt |
string(date-time) | Timestamp when the key chain was created. |
description |
string | Human-readable description. |
id |
string | Unique identifier for the key chain. |
kmsProvider |
string | KMS provider used for this key chain. |
previousCertificate |
Previous signing key's certificate (if in grace period). | |
previousKeyExpiry |
string(date-time) | Previous key expiry date. |
previousPublicKey |
Previous signing key's public key info (if in grace period). | |
rootCertificate |
Root CA certificate (only for internalChain type). | |
rotationPolicy |
Rotation policy configuration. | |
type |
string | Type of key chain (standalone or internalChain). |
updatedAt |
string(date-time) | Timestamp when the key chain was last updated. |
usageType |
string | Usage type of the key chain. |
KeyChainUpdateDto¶
| Name | Type | Description |
|---|---|---|
activeCertificate |
string | Active certificate chain in PEM format. Used for external certificate updates. |
description |
string | Human-readable description for the key chain. |
rotationPolicy |
Rotation policy configuration. |
KmsProviderCapabilitiesDto¶
| Name | Type | Description |
|---|---|---|
canCreate |
boolean | Whether the provider supports generating new keys. |
canDelete |
boolean | Whether the provider supports deleting keys. |
canImport |
boolean | Whether the provider supports importing existing keys. |
KmsProviderInfoDto¶
| Name | Type | Description |
|---|---|---|
capabilities |
Capabilities of this provider. | |
description |
string | Human-readable description of this provider instance. |
name |
string | Unique provider ID (matches the id in kms.json). |
type |
string | Type of the KMS provider (db, vault, aws-kms). |
KmsProvidersResponseDto¶
| Name | Type | Description |
|---|---|---|
default |
string | The default KMS provider name. |
providers |
Array<KmsProviderInfoDto> | Detailed info for each registered KMS provider. |
NoneTrustPolicy¶
| Name | Type | Description |
|---|---|---|
policy |
string |
NotificationRequestDto¶
| Name | Type | Description |
|---|---|---|
event |
||
notification_id |
string |
Object¶
OfferRequestDto¶
| Name | Type | Description |
|---|---|---|
authorization_server |
string | Optional authorization server to be used for this issuance flow. |
credentialClaims |
Example: {'citizen': {'type': 'inline', 'claims': {'given_name': 'John', 'family_name': 'Doe'}}} |
Credential claims configuration per credential. Keys must match credentialConfigurationIds. |
credentialConfigurationIds |
Array<string> | List of credential configuration ids to be included in the offer. |
flow |
string | The flow type for the offer request. |
response_type |
string | The type of response expected for the offer request. |
tx_code |
string | Transaction code for pre-authorized code flow. |
tx_code_description |
string | Description for the transaction code (e.g., "Please enter the PIN sent to your email"). |
webhookEndpointId |
string | ID of the webhook endpoint to notify about the status of the issuance process. |
OfferResponse¶
| Name | Type | Description |
|---|---|---|
crossDeviceUri |
string | URI for cross-device flows (no redirect after completion) |
session |
string | |
uri |
string |
ParResponseDto¶
| Name | Type | Description |
|---|---|---|
expires_in |
number | The expiration time for the request URI in seconds. |
request_uri |
string | The request URI for the Pushed Authorization Request. |
PolicyCredential¶
| Name | Type | Description |
|---|---|---|
claims |
Array<ClaimsQuery> | |
credential_sets |
Array<CredentialSetQuery> | |
credentials |
Array<CredentialQuery> |
PresentationAttachment¶
| Name | Type | Description |
|---|---|---|
credential_ids |
Array<string> | |
data |
||
format |
string |
PresentationConfig¶
| Name | Type | Description |
|---|---|---|
accessKeyChainId |
string | null | Optional ID of the access certificate to use for signing the presentation request. If not provided, the default access certificate for the tenant will be used. Note: This is intentionally NOT a TypeORM relationship because CertEntity uses a composite primary key (id + tenantId), and SQLite cannot create foreign keys that reference only part of a composite primary key. The relationship is handled at the application level in the service layer. |
attached |
Array<PresentationAttachment> | Attestation that should be attached |
createdAt |
string(date-time) | The timestamp when the VP request was created. |
dcql_query |
The DCQL query to be used for the VP request. | |
description |
string | null | Description of the presentation configuration. |
id |
string | Unique identifier for the VP request. |
lifeTime |
number | Lifetime how long the presentation request is valid after creation, in seconds. |
redirectUri |
string | null | Redirect URI to which the user-agent should be redirected after the presentation is completed. You can use the `{sessionId}` placeholder in the URI, which will be replaced with the actual session ID. |
registrationCert |
The registration certificate request containing the necessary details. | |
registrationCertCache |
Server-managed cache of the materialized registration certificate. Read-only; values supplied by clients are ignored. | |
tenant |
The tenant that owns this object. | |
transaction_data |
Array<TransactionData> | |
updatedAt |
string(date-time) | The timestamp when the VP request was last updated. |
webhook |
Optional webhook URL to receive the response. |
PresentationConfigCreateDto¶
| Name | Type | Description |
|---|---|---|
accessKeyChainId |
string | null | Optional ID of the access certificate to use for signing the presentation request. If not provided, the default access certificate for the tenant will be used. Note: This is intentionally NOT a TypeORM relationship because CertEntity uses a composite primary key (id + tenantId), and SQLite cannot create foreign keys that reference only part of a composite primary key. The relationship is handled at the application level in the service layer. |
attached |
Array<PresentationAttachment> | Attestation that should be attached |
dcql_query |
The DCQL query to be used for the VP request. | |
description |
string | null | Description of the presentation configuration. |
id |
string | Unique identifier for the VP request. |
lifeTime |
number | Lifetime how long the presentation request is valid after creation, in seconds. |
redirectUri |
string | null | Redirect URI to which the user-agent should be redirected after the presentation is completed. You can use the `{sessionId}` placeholder in the URI, which will be replaced with the actual session ID. |
registrationCert |
The registration certificate request containing the necessary details. | |
transaction_data |
Array<TransactionData> | |
webhook |
Optional webhook URL to receive the response. |
PresentationConfigUpdateDto¶
| Name | Type | Description |
|---|---|---|
accessKeyChainId |
string | null | Optional ID of the access certificate to use for signing the presentation request. If not provided, the default access certificate for the tenant will be used. Note: This is intentionally NOT a TypeORM relationship because CertEntity uses a composite primary key (id + tenantId), and SQLite cannot create foreign keys that reference only part of a composite primary key. The relationship is handled at the application level in the service layer. |
attached |
Array<PresentationAttachment> | Attestation that should be attached |
dcql_query |
The DCQL query to be used for the VP request. | |
description |
string | null | Description of the presentation configuration. |
id |
string | Unique identifier for the VP request. |
lifeTime |
number | Lifetime how long the presentation request is valid after creation, in seconds. |
redirectUri |
string | null | Redirect URI to which the user-agent should be redirected after the presentation is completed. You can use the `{sessionId}` placeholder in the URI, which will be replaced with the actual session ID. |
registrationCert |
The registration certificate request containing the necessary details. | |
transaction_data |
Array<TransactionData> | |
webhook |
Optional webhook URL to receive the response. |
PresentationDuringIssuanceConfig¶
| Name | Type | Description |
|---|---|---|
type |
string | Link to the presentation configuration that is relevant for the issuance process |
PresentationRequest¶
| Name | Type | Description |
|---|---|---|
redirectUri |
string | Optional redirect URI to which the user-agent should be redirected after the presentation is completed. You can use the `{sessionId}` placeholder in the URI, which will be replaced with the actual session ID. |
requestId |
string | Identifier of the presentation configuration |
response_type |
string | The type of response expected from the presentation request. |
transaction_data |
Array<TransactionData> | Optional transaction data to include in the OID4VP request. If provided, this will override the transaction_data from the presentation configuration. |
webhook |
Webhook configuration to receive the response. If not provided, the configured webhook from the configuration will be used. |
PublicKeyInfoDto¶
| Name | Type | Description |
|---|---|---|
alg |
string | Key algorithm (e.g., ES256). |
crv |
string | Curve (for EC keys). |
kid |
string | Key ID. |
kty |
string | Key type (e.g., EC). |
RegistrarConfigResponseDto¶
| Name | Type | Description |
|---|---|---|
clientId |
string | The OIDC client ID for the registrar |
clientSecret |
string | The OIDC client secret (optional, for confidential clients) |
hasPassword |
boolean | Indicates whether a password is configured (actual password is never returned) |
oidcUrl |
string(uri) | The OIDC issuer URL for authentication (e.g., Keycloak realm URL) |
registrarUrl |
string(uri) | The base URL of the registrar API |
registrationCertificateDefaults |
Optional default values merged into registration certificate creation requests (for example privacy_policy, support_uri, provided_attestations) | |
username |
string | The username for OIDC login |
RegistrationCertificateBody¶
| Name | Type | Description |
|---|---|---|
credentials |
Array<> | |
intermediary |
string | |
privacy_policy |
string | |
provided_attestations |
Array<> | |
purpose |
Array<RegistrationCertificatePurpose> | |
support_uri |
string |
RegistrationCertificatePurpose¶
| Name | Type | Description |
|---|---|---|
lang |
string | |
value |
string |
RegistrationCertificateRequest¶
| Name | Type | Description |
|---|---|---|
body |
Registration certificate creation payload. This is merged with tenant-level registrar defaults when a certificate is created. | |
id |
string | Optional registrar-side certificate identifier. If provided and still valid, EUDIPLO reuses it instead of creating a new certificate. |
jwt |
string | Optional pre-existing registration certificate JWT. If provided, EUDIPLO forwards it as-is and does not create a new one. |
ResolveIssuerMetadataDto¶
| Name | Type | Description |
|---|---|---|
issuerUrl |
string(uri) | Issuer URL or full OpenID4VCI metadata URL to resolve server-side. |
RoleDto¶
| Name | Type | Description |
|---|---|---|
role |
string | OAuth2 roles |
RootOfTrustPolicy¶
| Name | Type | Description |
|---|---|---|
policy |
string | |
values |
string |
RotationPolicyCreateDto¶
| Name | Type | Description |
|---|---|---|
certValidityDays |
number | Certificate validity in days. Defaults to rotation interval + 30 days grace period. |
enabled |
boolean | Whether automatic key rotation is enabled. |
intervalDays |
number | Rotation interval in days. Required when enabled is true. |
RotationPolicyImportDto¶
| Name | Type | Description |
|---|---|---|
certValidityDays |
number | Certificate validity in days. |
enabled |
boolean | Whether rotation is enabled. When true, the imported key becomes a root CA. |
intervalDays |
number | Rotation interval in days. |
RotationPolicyResponseDto¶
| Name | Type | Description |
|---|---|---|
certValidityDays |
number | Certificate validity in days. |
enabled |
boolean | Whether automatic key rotation is enabled. |
intervalDays |
number | Rotation interval in days. |
nextRotationAt |
string(date-time) | Next scheduled rotation date. |
RotationPolicyUpdateDto¶
| Name | Type | Description |
|---|---|---|
certValidityDays |
number | Certificate validity in days. |
enabled |
boolean | Whether automatic key rotation is enabled. |
intervalDays |
number | Rotation interval in days. |
SchemaResponse¶
| Name | Type | Description |
|---|---|---|
$schema |
string | |
description |
string | |
properties |
||
required |
Array<string> | |
title |
string | |
type |
string |
Session¶
| Name | Type | Description |
|---|---|---|
auth_queries |
Authorization queries associated with the session. Encrypted at rest. | |
authorization_code |
string | |
clientId |
string | Client ID used in the OID4VP authorization request. |
createdAt |
string(date-time) | The timestamp when the request was created. |
credentialPayload |
Credential payload containing the offer request details. Encrypted at rest - may contain sensitive claim data. | |
credentials |
Array<> | Verified credentials from the presentation process. Encrypted at rest - contains personal information. |
errorReason |
string | Error reason if the session failed. Stores the error message when status is 'failed'. |
expiresAt |
string(date-time) | The timestamp when the request is set to expire. |
externalIssuer |
string | |
externalSubject |
string | The subject (sub) from the external authorization server token. Used to identify the user at the external AS. |
id |
string | Unique identifier for the session. |
notifications |
Array<> | Notifications associated with the session. |
offer |
Credential offer object containing details about the credential offer or presentation request. Encrypted at rest. | |
offerUrl |
string | Offer URL for the credential offer. |
parsedWebhook |
Where to send the claims webhook response. | |
redirectUri |
string | null | Redirect URI to which the user-agent should be redirected after the presentation is completed. |
refresh_token |
string | Refresh token for the session - used to obtain a new access token. |
refresh_token_expires_at |
string(date-time) | Expiration timestamp for the refresh token. Used to validate refresh_token grant requests. |
request_uri |
string | Request URI from the authorization request. |
requestId |
string | |
requestObject |
string | Signed presentation auth request. |
requestUrl |
string | The URL of the presentation auth request. |
responseCode |
string | Cryptographic random code generated after successful VP Token processing. Per OID4VP spec Section 13.3, included in redirect_uri so only the legitimate frontend (which receives the redirect) can confirm the session completed. |
responseUri |
string | Response URI used in the OID4VP authorization request. |
status |
string | Status of the session. |
tenant |
The tenant that owns this object. | |
tenantId |
string | Tenant ID for multi-tenancy support. |
transaction_data |
Array<TransactionData> | Transaction data to include in the OID4VP authorization request. Can be overridden per-request from the presentation configuration. |
updatedAt |
string(date-time) | The timestamp when the request was last updated. |
useDcApi |
boolean | Flag indicating whether to use the DC API for the presentation request. |
vp_nonce |
string | Noncce from the Verifiable Presentation request. |
walletNonce |
string | Cryptographic random nonce used in wallet-facing URLs (response_uri, request_uri, state). Per OID4VP spec Section 13.3, this separates the wallet-facing identifier (request-id) from the frontend-facing session ID (transaction-id) to prevent session fixation. |
webhookEndpointId |
string | ID of the webhook endpoint to notify about issuance status. |
SessionLogEntryResponseDto¶
| Name | Type | Description |
|---|---|---|
detail |
Additional structured detail | |
id |
string | Log entry ID |
level |
string | Log level |
message |
string | Log message |
sessionId |
string | Session ID |
stage |
string | Flow stage |
timestamp |
string(date-time) | Timestamp of the log entry |
SessionStorageConfig¶
| Name | Type | Description |
|---|---|---|
cleanupMode |
string | Cleanup mode: 'full' deletes everything, 'anonymize' keeps metadata but removes PII. |
ttlSeconds |
number | Time-to-live for sessions in seconds. If not set, uses global SESSION_TTL. |
StatusListAggregationDto¶
| Name | Type | Description |
|---|---|---|
status_lists |
Array<string> | Array of status list token URIs |
StatusListConfig¶
| Name | Type | Description |
|---|---|---|
bits |
number | Bits per status entry: 1 (valid/revoked), 2 (with suspended), 4/8 (extended). If not set, uses global STATUS_BITS. |
capacity |
number | The capacity of the status list. If not set, uses global STATUS_CAPACITY. |
enableAggregation |
boolean | If true, include aggregation_uri in status list JWTs for pre-fetching support (default: true). |
immediateUpdate |
boolean | If true, regenerate JWT immediately on status changes. If false (default), use lazy regeneration on TTL expiry. |
ttl |
number | TTL in seconds for the status list JWT. If not set, uses global STATUS_TTL. |
StatusListImportDto¶
| Name | Type | Description |
|---|---|---|
bits |
number | Bits per status value. If not provided, uses tenant or global defaults. |
capacity |
number | Capacity of the status list. If not provided, uses tenant or global defaults. |
credentialConfigurationId |
string | null | Credential configuration ID to bind this list exclusively to. Leave empty for a shared list. |
id |
string | Unique identifier for the status list |
keyChainId |
string | Key chain ID to use for signing. Leave empty to use the tenant's default StatusList key chain. |
StatusListResponseDto¶
| Name | Type | Description |
|---|---|---|
availableEntries |
number | Number of available entries |
bits |
number | Bits per status value |
capacity |
number | Total capacity of the status list |
createdAt |
string(date-time) | Creation timestamp |
credentialConfigurationId |
string | null | Credential configuration ID this list is bound to. Null means shared. |
expiresAt |
string(date-time) | null | JWT expiration timestamp. Null if JWT has not been generated yet. |
id |
string | Unique identifier for the status list |
keyChainId |
string | null | Key chain ID used for signing. Null means using the tenant's default. |
tenantId |
string | The tenant ID |
uri |
string | The public URI for this status list |
usedEntries |
number | Number of entries in use |
StatusUpdateDto¶
| Name | Type | Description |
|---|---|---|
credentialConfigurationId |
string | The ID of the credential configuration This is optional, if not provided, all credentials will be revoked of the session. |
sessionId |
string | The session ID of the user |
status |
number | The status of the credential 0 = valid, 1 = revoked, 2 = suspended |
TenantEntity¶
| Name | Type | Description |
|---|---|---|
clients |
Array<ClientEntity> | The clients associated with the tenant. |
description |
string | The description of the tenant. |
id |
string | The unique identifier for the tenant. |
name |
string | The name of the tenant. |
sessionConfig |
Session storage configuration for this tenant. Controls TTL and cleanup behavior. | |
status |
string | The current status of the tenant. |
statusListConfig |
Status list configuration for this tenant. Only affects newly created status lists. |
TokenResponse¶
| Name | Type | Description |
|---|---|---|
access_token |
string | |
expires_in |
number | |
refresh_token |
string | |
token_type |
string |
TransactionData¶
| Name | Type | Description |
|---|---|---|
credential_ids |
Array<string> | |
type |
string |
TrustedAuthorityQuery¶
| Name | Type | Description |
|---|---|---|
type |
string | |
values |
Array<string> |
TrustList¶
| Name | Type | Description |
|---|---|---|
createdAt |
string(date-time) | |
data |
The full trust list JSON (generated LoTE structure) | |
description |
string | |
entityConfig |
Array<> | The original entity configuration used to create this trust list. Stored for round-tripping when editing. |
id |
string | Unique identifier for the trust list |
jwt |
string | The signed JWT representation of this trust list |
keyChain |
KeyChainEntity | |
keyChainId |
string | |
sequenceNumber |
number | The sequence number for versioning (incremented on updates) |
tenant |
The tenant that owns this object. | |
tenantId |
string | The tenant ID for which the VP request is made. |
updatedAt |
string(date-time) |
TrustListCreateDto¶
| Name | Type | Description |
|---|---|---|
data |
The full trust list JSON (generated LoTE structure) | |
description |
string | |
entities |
Array<> | |
id |
string | |
keyChainId |
string |
TrustListEntityInfo¶
| Name | Type | Description |
|---|---|---|
contactUri |
string | |
country |
string | |
lang |
string | |
locality |
string | |
name |
string | |
postalCode |
string | |
streetAddress |
string | |
uri |
string |
TrustListVersion¶
| Name | Type | Description |
|---|---|---|
createdAt |
string(date-time) | |
data |
The full trust list JSON at this version | |
entityConfig |
The entity configuration at this version | |
id |
string | |
jwt |
string | The signed JWT at this version |
sequenceNumber |
number | The sequence number at the time this version was created |
tenantId |
string | |
trustList |
TrustList | |
trustListId |
string |
UpdateAttributeProviderDto¶
| Name | Type | Description |
|---|---|---|
auth |
||
description |
string | null | |
id |
string | |
name |
string | |
url |
string |
UpdateClientDto¶
| Name | Type | Description |
|---|---|---|
allowedIssuanceConfigs |
Array<string> | List of issuance config IDs this client can use. If empty/null, all configs are allowed. |
allowedPresentationConfigs |
Array<string> | List of presentation config IDs this client can use. If empty/null, all configs are allowed. |
description |
string | The description of the client. |
roles |
Array<string> | The roles assigned to the client. |
UpdateRegistrarConfigDto¶
| Name | Type | Description |
|---|---|---|
clientId |
string | The OIDC client ID for the registrar |
clientSecret |
string | The OIDC client secret (optional, for confidential clients) |
oidcUrl |
string(uri) | The OIDC issuer URL for authentication (e.g., Keycloak realm URL) |
password |
string | The password for OIDC login (stored in plaintext) |
registrarUrl |
string(uri) | The base URL of the registrar API |
registrationCertificateDefaults |
Optional default values merged into registration certificate creation requests (for example privacy_policy, support_uri, provided_attestations) | |
username |
string | The username for OIDC login |
UpdateSessionConfigDto¶
| Name | Type | Description |
|---|---|---|
cleanupMode |
string | Cleanup mode: 'full' deletes everything, 'anonymize' keeps metadata but removes PII. |
ttlSeconds |
number | null | Time-to-live for sessions in seconds. Set to null to use global default. |
UpdateStatusListConfigDto¶
| Name | Type | Description |
|---|---|---|
bits |
number | null | Bits per status entry. Set to null to reset to global default. |
capacity |
number | null | The capacity of the status list. Set to null to reset to global default. |
enableAggregation |
boolean | null | If true, include aggregation_uri in status list JWTs for pre-fetching support. Set to null to reset to default (true). |
immediateUpdate |
boolean | null | If true, regenerate JWT on every status change. Set to null to reset to default (false). |
ttl |
number | null | TTL in seconds for the status list JWT. Set to null to reset to global default. |
UpdateStatusListDto¶
| Name | Type | Description |
|---|---|---|
credentialConfigurationId |
string | null | Credential configuration ID to bind this list exclusively to. Set to null to make this a shared list. |
keyChainId |
string | null | Key chain ID to use for signing. Set to null to use the tenant's default StatusList key chain. |
UpdateTenantDto¶
| Name | Type | Description |
|---|---|---|
description |
string | The description of the tenant. |
name |
string | The name of the tenant. |
roles |
Array<string> | |
sessionConfig |
Session storage configuration. Controls TTL and cleanup behavior. | |
statusListConfig |
Status list configuration for this tenant. Only affects newly created status lists. |
UpdateWebhookEndpointDto¶
| Name | Type | Description |
|---|---|---|
auth |
||
description |
string | null | |
id |
string | |
name |
string | |
url |
string |
UpstreamOidcConfig¶
| Name | Type | Description |
|---|---|---|
clientId |
string | The client ID registered with the upstream provider |
clientSecret |
string | The client secret for confidential clients |
issuer |
string(uri) | The OIDC issuer URL of the upstream provider |
scopes |
Array<string> | Scopes to request from the upstream provider |
VCT¶
| Name | Type | Description |
|---|---|---|
description |
string | |
extends |
string | |
extends#integrity |
string | |
name |
string | |
schema_uri |
string | |
schema_uri#integrity |
string | |
vct |
string |
WebHookAuthConfigHeader¶
| Name | Type | Description |
|---|---|---|
config |
Configuration for API key authentication. This is required if the type is 'apiKey'. | |
type |
string | The type of authentication used for the webhook. |
WebHookAuthConfigNone¶
| Name | Type | Description |
|---|---|---|
type |
string | The type of authentication used for the webhook. |
WebhookConfig¶
| Name | Type | Description |
|---|---|---|
auth |
Optional authentication configuration for the webhook. If not provided, no authentication will be used. | |
includeRawTokensFor |
Array<string> | List of credential IDs to include raw tokens for (e.g., ['sca_credential']) |
url |
string | The URL to which the webhook will send notifications. |
WebhookEndpointEntity¶
| Name | Type | Description |
|---|---|---|
auth |
||
description |
string | null | |
id |
string | |
name |
string | |
tenant |
TenantEntity | |
tenantId |
string | |
url |
string |
More documentation¶
Documentation
For more information: https://openwallet-foundation-labs.github.io/eudiplo/latest/