EUDIPLO Service API main
This is the API documentation for the EUDIPLO Service, which provides credential issuance and verification services.
App
GET /
Main endpoint providing service info
Responses
GET /health
Endpoint to check the health of the service.
Responses
{
"status": "ok",
"info": {
"database": {
"status": "up"
}
},
"error": {},
"details": {
"database": {
"status": "up"
}
}
}
Schema of the response body
{
"type": "object",
"properties": {
"status": {
"type": "string",
"example": "ok"
},
"info": {
"type": "object",
"example": {
"database": {
"status": "up"
}
},
"additionalProperties": {
"type": "object",
"required": [
"status"
],
"properties": {
"status": {
"type": "string"
}
},
"additionalProperties": true
},
"nullable": true
},
"error": {
"type": "object",
"example": {},
"additionalProperties": {
"type": "object",
"required": [
"status"
],
"properties": {
"status": {
"type": "string"
}
},
"additionalProperties": true
},
"nullable": true
},
"details": {
"type": "object",
"example": {
"database": {
"status": "up"
}
},
"additionalProperties": {
"type": "object",
"required": [
"status"
],
"properties": {
"status": {
"type": "string"
}
},
"additionalProperties": true
}
}
}
}
{
"status": "error",
"info": {
"database": {
"status": "up"
}
},
"error": {
"redis": {
"status": "down",
"message": "Could not connect"
}
},
"details": {
"database": {
"status": "up"
},
"redis": {
"status": "down",
"message": "Could not connect"
}
}
}
Schema of the response body
{
"type": "object",
"properties": {
"status": {
"type": "string",
"example": "error"
},
"info": {
"type": "object",
"example": {
"database": {
"status": "up"
}
},
"additionalProperties": {
"type": "object",
"required": [
"status"
],
"properties": {
"status": {
"type": "string"
}
},
"additionalProperties": true
},
"nullable": true
},
"error": {
"type": "object",
"example": {
"redis": {
"status": "down",
"message": "Could not connect"
}
},
"additionalProperties": {
"type": "object",
"required": [
"status"
],
"properties": {
"status": {
"type": "string"
}
},
"additionalProperties": true
},
"nullable": true
},
"details": {
"type": "object",
"example": {
"database": {
"status": "up"
},
"redis": {
"status": "down",
"message": "Could not connect"
}
},
"additionalProperties": {
"type": "object",
"required": [
"status"
],
"properties": {
"status": {
"type": "string"
}
},
"additionalProperties": true
}
}
}
}
Tenant
GET /tenant
Get all tenants
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Responses
[
{
"sessionConfig": null,
"statusListConfig": null,
"id": "string",
"name": "string",
"description": "string",
"status": "string",
"clients": [
{
"allowedPresentationConfigs": [
"age-verification",
"kyc-basic"
],
"allowedIssuanceConfigs": [
"pid",
"mdl"
],
"clientId": "string",
"secret": "string",
"tenantId": "string",
"description": "string",
"roles": [
"presentation:manage"
],
"tenant": null
}
]
}
]
POST /tenant
Initialize a tenant
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Request body
{
"statusListConfig": null,
"sessionConfig": null,
"roles": [
"presentation:manage"
],
"id": "string",
"name": "string",
"description": "string"
}
Schema of the request body
{
"type": "object",
"properties": {
"statusListConfig": {
"nullable": true,
"description": "Status list configuration for this tenant. Only affects newly created status lists.",
"allOf": [
{
"$ref": "#/components/schemas/StatusListConfig"
}
]
},
"sessionConfig": {
"description": "Session storage configuration. Controls TTL and cleanup behavior.",
"allOf": [
{
"$ref": "#/components/schemas/SessionStorageConfig"
}
]
},
"roles": {
"type": "array",
"items": {
"type": "string",
"enum": [
"presentation:manage",
"presentation:request",
"issuance:manage",
"issuance:offer",
"clients:manage",
"tenants:manage",
"registrar:manage"
]
}
},
"id": {
"type": "string",
"description": "The unique identifier for the tenant."
},
"name": {
"type": "string",
"description": "The name of the tenant."
},
"description": {
"type": "string",
"description": "The description of the tenant."
}
},
"required": [
"id",
"name"
]
}
Responses
GET /tenant/{id}
Get a tenant by ID
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| id | path | string | | No | |
Responses
{
"sessionConfig": null,
"statusListConfig": null,
"id": "string",
"name": "string",
"description": "string",
"status": "string",
"clients": [
{
"allowedPresentationConfigs": [
"age-verification",
"kyc-basic"
],
"allowedIssuanceConfigs": [
"pid",
"mdl"
],
"clientId": "string",
"secret": "string",
"tenantId": "string",
"description": "string",
"roles": [
"presentation:manage"
],
"tenant": null
}
]
}
Schema of the response body
{
"type": "object",
"properties": {
"sessionConfig": {
"nullable": true,
"description": "Session storage configuration for this tenant. Controls TTL and cleanup behavior.",
"allOf": [
{
"$ref": "#/components/schemas/SessionStorageConfig"
}
]
},
"statusListConfig": {
"nullable": true,
"description": "Status list configuration for this tenant. Only affects newly created status lists.",
"allOf": [
{
"$ref": "#/components/schemas/StatusListConfig"
}
]
},
"id": {
"type": "string",
"description": "The unique identifier for the tenant."
},
"name": {
"type": "string",
"description": "The name of the tenant."
},
"description": {
"type": "string",
"description": "The description of the tenant."
},
"status": {
"type": "string",
"description": "The current status of the tenant."
},
"clients": {
"description": "The clients associated with the tenant.",
"type": "array",
"items": {
"$ref": "#/components/schemas/ClientEntity"
}
}
},
"required": [
"id",
"name",
"status",
"clients"
]
}
PATCH /tenant/{id}
Update a tenant by ID
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| id | path | string | | No | |
Request body
{
"statusListConfig": null,
"sessionConfig": null,
"name": "string",
"description": "string",
"roles": [
"presentation:manage"
]
}
Schema of the request body
{
"type": "object",
"properties": {
"statusListConfig": {
"nullable": true,
"description": "Status list configuration for this tenant. Only affects newly created status lists.",
"allOf": [
{
"$ref": "#/components/schemas/StatusListConfig"
}
]
},
"sessionConfig": {
"description": "Session storage configuration. Controls TTL and cleanup behavior.",
"allOf": [
{
"$ref": "#/components/schemas/SessionStorageConfig"
}
]
},
"name": {
"type": "string",
"description": "The name of the tenant."
},
"description": {
"type": "string",
"description": "The description of the tenant."
},
"roles": {
"type": "array",
"items": {
"type": "string",
"enum": [
"presentation:manage",
"presentation:request",
"issuance:manage",
"issuance:offer",
"clients:manage",
"tenants:manage",
"registrar:manage"
]
}
}
}
}
Responses
{
"sessionConfig": null,
"statusListConfig": null,
"id": "string",
"name": "string",
"description": "string",
"status": "string",
"clients": [
{
"allowedPresentationConfigs": [
"age-verification",
"kyc-basic"
],
"allowedIssuanceConfigs": [
"pid",
"mdl"
],
"clientId": "string",
"secret": "string",
"tenantId": "string",
"description": "string",
"roles": [
"presentation:manage"
],
"tenant": null
}
]
}
Schema of the response body
{
"type": "object",
"properties": {
"sessionConfig": {
"nullable": true,
"description": "Session storage configuration for this tenant. Controls TTL and cleanup behavior.",
"allOf": [
{
"$ref": "#/components/schemas/SessionStorageConfig"
}
]
},
"statusListConfig": {
"nullable": true,
"description": "Status list configuration for this tenant. Only affects newly created status lists.",
"allOf": [
{
"$ref": "#/components/schemas/StatusListConfig"
}
]
},
"id": {
"type": "string",
"description": "The unique identifier for the tenant."
},
"name": {
"type": "string",
"description": "The name of the tenant."
},
"description": {
"type": "string",
"description": "The description of the tenant."
},
"status": {
"type": "string",
"description": "The current status of the tenant."
},
"clients": {
"description": "The clients associated with the tenant.",
"type": "array",
"items": {
"$ref": "#/components/schemas/ClientEntity"
}
}
},
"required": [
"id",
"name",
"status",
"clients"
]
}
DELETE /tenant/{id}
Deletes a tenant by ID
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| id | path | string | | No | |
Responses
Client
GET /client
Get all clients for a user
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Responses
[
{
"allowedPresentationConfigs": [
"age-verification",
"kyc-basic"
],
"allowedIssuanceConfigs": [
"pid",
"mdl"
],
"clientId": "string",
"secret": "string",
"tenantId": "string",
"description": "string",
"roles": [
"presentation:manage"
],
"tenant": null
}
]
POST /client
Create a new client
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Request body
{
"allowedPresentationConfigs": [
"age-verification",
"kyc-basic"
],
"allowedIssuanceConfigs": [
"pid",
"mdl"
],
"clientId": "string",
"secret": "string",
"description": "string",
"roles": [
"presentation:manage"
]
}
Schema of the request body
{
"type": "object",
"properties": {
"allowedPresentationConfigs": {
"nullable": true,
"description": "List of presentation config IDs this client can use. If empty/null, all configs are allowed.",
"example": [
"age-verification",
"kyc-basic"
],
"type": "array",
"items": {
"type": "string"
}
},
"allowedIssuanceConfigs": {
"nullable": true,
"description": "List of issuance config IDs this client can use. If empty/null, all configs are allowed.",
"example": [
"pid",
"mdl"
],
"type": "array",
"items": {
"type": "string"
}
},
"clientId": {
"type": "string",
"description": "The unique identifier for the client."
},
"secret": {
"type": "string",
"description": "The secret key for the client."
},
"description": {
"type": "string",
"description": "The description of the client."
},
"roles": {
"type": "array",
"description": "The roles assigned to the client.",
"items": {
"type": "string",
"enum": [
"presentation:manage",
"presentation:request",
"issuance:manage",
"issuance:offer",
"clients:manage",
"tenants:manage",
"registrar:manage"
]
}
}
},
"required": [
"clientId",
"roles"
]
}
Responses
{
"allowedPresentationConfigs": [
"age-verification",
"kyc-basic"
],
"allowedIssuanceConfigs": [
"pid",
"mdl"
],
"clientId": "string",
"secret": "string",
"tenantId": "string",
"description": "string",
"roles": [
"presentation:manage"
],
"tenant": null
}
Schema of the response body
{
"type": "object",
"properties": {
"allowedPresentationConfigs": {
"nullable": true,
"description": "List of presentation config IDs this client can use. If empty/null, all configs are allowed.",
"example": [
"age-verification",
"kyc-basic"
],
"type": "array",
"items": {
"type": "string"
}
},
"allowedIssuanceConfigs": {
"nullable": true,
"description": "List of issuance config IDs this client can use. If empty/null, all configs are allowed.",
"example": [
"pid",
"mdl"
],
"type": "array",
"items": {
"type": "string"
}
},
"clientId": {
"type": "string",
"description": "The unique identifier for the client."
},
"secret": {
"type": "string",
"description": "The secret key for the client."
},
"tenantId": {
"type": "string",
"description": "The unique identifier for the tenant that the client belongs to. Only null for accounts that manage tenants, that do not belong to a client"
},
"description": {
"type": "string",
"description": "The description of the client."
},
"roles": {
"description": "The roles assigned to the client.",
"type": "array",
"items": {
"type": "string",
"enum": [
"presentation:manage",
"presentation:request",
"issuance:manage",
"issuance:offer",
"clients:manage",
"tenants:manage",
"registrar:manage"
]
}
},
"tenant": {
"description": "The tenant that the client belongs to.",
"allOf": [
{
"$ref": "#/components/schemas/TenantEntity"
}
]
}
},
"required": [
"clientId",
"roles"
]
}
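The allow-list fields in the client schema are fail-open ("If empty/null, all configs are allowed"), and client objects carry a `secret` field. The following added example (not EUDIPLO code) audits a `GET /client` response for both; the sample clients are constructed, the function names are hypothetical, and flagging an open list only when the client holds a role of the same family is an assumption of this example.

```javascript
// Added example, not EUDIPLO code. Function names and sample data are hypothetical.

// Role enum copied from the client schema on this page.
const KNOWN_ROLES = new Set([
  'presentation:manage', 'presentation:request',
  'issuance:manage', 'issuance:offer',
  'clients:manage', 'tenants:manage', 'registrar:manage',
]);

// Per the schema, null, a missing field and [] all mean "every config is allowed".
function isUnrestricted(list) {
  return list == null || (Array.isArray(list) && list.length === 0);
}

// Return the list of findings for one client object.
function auditClient(client) {
  const findings = [];
  const roles = Array.isArray(client.roles) ? client.roles : [];
  // Assumption: an open allow-list only matters if the client holds a role
  // of the matching family (presentation:* or issuance:*).
  const holds = (family) =>
    roles.some((r) => typeof r === 'string' && r.startsWith(`${family}:`));

  if (holds('presentation') && isUnrestricted(client.allowedPresentationConfigs)) {
    findings.push('presentation-configs-unrestricted');
  }
  if (holds('issuance') && isUnrestricted(client.allowedIssuanceConfigs)) {
    findings.push('issuance-configs-unrestricted');
  }
  for (const role of roles) {
    if (!KNOWN_ROLES.has(role)) findings.push(`unknown-role:${role}`);
  }
  // The response schema includes "secret"; treat a populated value as
  // something that must not reach logs or tickets.
  if (typeof client.secret === 'string' && client.secret.length > 0) {
    findings.push('secret-in-response');
  }
  return findings;
}

// Audit a whole GET /client response; only clients with findings are returned.
function auditClients(clients) {
  return clients
    .map((c) => ({ clientId: c.clientId, findings: auditClient(c) }))
    .filter((entry) => entry.findings.length > 0);
}

// Copy of a client object that is safe to log.
function redactForLog(client) {
  return client.secret ? { ...client, secret: '[REDACTED]' } : { ...client };
}

// Constructed sample response (not real data).
const SAMPLE_CLIENTS = [
  { clientId: 'kiosk-verifier', tenantId: 'demo', roles: ['presentation:request'],
    allowedPresentationConfigs: ['age-verification'], allowedIssuanceConfigs: null },
  { clientId: 'backoffice', tenantId: 'demo', roles: ['issuance:offer', 'presentation:manage'],
    allowedPresentationConfigs: [], allowedIssuanceConfigs: ['pid', 'mdl'],
    secret: 'constructed-placeholder-secret' },
  { clientId: 'legacy-import', tenantId: 'demo', roles: ['issuance:admin'] },
];

for (const entry of auditClients(SAMPLE_CLIENTS)) {
  console.log(entry.clientId, entry.findings.join(', '));
}
```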
GET /client/{id}
Get a client by its id
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| id | path | string | | No | |
Responses
{
"allowedPresentationConfigs": [
"age-verification",
"kyc-basic"
],
"allowedIssuanceConfigs": [
"pid",
"mdl"
],
"clientId": "string",
"secret": "string",
"tenantId": "string",
"description": "string",
"roles": [
"presentation:manage"
],
"tenant": null
}
Schema of the response body
{
"type": "object",
"properties": {
"allowedPresentationConfigs": {
"nullable": true,
"description": "List of presentation config IDs this client can use. If empty/null, all configs are allowed.",
"example": [
"age-verification",
"kyc-basic"
],
"type": "array",
"items": {
"type": "string"
}
},
"allowedIssuanceConfigs": {
"nullable": true,
"description": "List of issuance config IDs this client can use. If empty/null, all configs are allowed.",
"example": [
"pid",
"mdl"
],
"type": "array",
"items": {
"type": "string"
}
},
"clientId": {
"type": "string",
"description": "The unique identifier for the client."
},
"secret": {
"type": "string",
"description": "The secret key for the client."
},
"tenantId": {
"type": "string",
"description": "The unique identifier for the tenant that the client belongs to. Only null for accounts that manage tenants, that do not belong to a client"
},
"description": {
"type": "string",
"description": "The description of the client."
},
"roles": {
"description": "The roles assigned to the client.",
"type": "array",
"items": {
"type": "string",
"enum": [
"presentation:manage",
"presentation:request",
"issuance:manage",
"issuance:offer",
"clients:manage",
"tenants:manage",
"registrar:manage"
]
}
},
"tenant": {
"description": "The tenant that the client belongs to.",
"allOf": [
{
"$ref": "#/components/schemas/TenantEntity"
}
]
}
},
"required": [
"clientId",
"roles"
]
}
PATCH /client/{id}
Update a client by its id
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| id | path | string | | No | |
Request body
{
"allowedPresentationConfigs": [
"age-verification",
"kyc-basic"
],
"allowedIssuanceConfigs": [
"pid",
"mdl"
],
"description": "string",
"roles": [
"presentation:manage"
]
}
Schema of the request body
{
"type": "object",
"properties": {
"allowedPresentationConfigs": {
"nullable": true,
"description": "List of presentation config IDs this client can use. If empty/null, all configs are allowed.",
"example": [
"age-verification",
"kyc-basic"
],
"type": "array",
"items": {
"type": "string"
}
},
"allowedIssuanceConfigs": {
"nullable": true,
"description": "List of issuance config IDs this client can use. If empty/null, all configs are allowed.",
"example": [
"pid",
"mdl"
],
"type": "array",
"items": {
"type": "string"
}
},
"description": {
"type": "string",
"description": "The description of the client."
},
"roles": {
"type": "array",
"description": "The roles assigned to the client.",
"items": {
"type": "string",
"enum": [
"presentation:manage",
"presentation:request",
"issuance:manage",
"issuance:offer",
"clients:manage",
"tenants:manage",
"registrar:manage"
]
}
}
},
"required": [
"roles"
]
}
Responses
DELETE /client/{id}
Get a client by its id
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| id | path | string | | No | |
Responses
GET /client/{id}/secret
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| id | path | string | | No | |
Responses
POST /client/{id}/rotate-secret
Rotate (regenerate) a client's secret. Returns the new secret for one-time display - save it immediately!
Users with tenants:manage role can rotate secrets for any client.
Users with clients:manage role can only rotate secrets for clients in their tenant.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| id | path | string | | No | |
Responses
status-list-config
GET /status-list-config
Get status list configuration
Description
Returns the current status list configuration for the tenant. Fields not set use global defaults.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Responses
Schema of the response body
{
"type": "object",
"properties": {
"capacity": {
"type": "number",
"description": "The capacity of the status list. If not set, uses global STATUS_CAPACITY.",
"example": 10000,
"minimum": 100
},
"bits": {
"type": "number",
"description": "Bits per status entry: 1 (valid/revoked), 2 (with suspended), 4/8 (extended). If not set, uses global STATUS_BITS.",
"enum": [
1,
2,
4,
8
],
"default": 1
},
"ttl": {
"type": "number",
"description": "TTL in seconds for the status list JWT. If not set, uses global STATUS_TTL.",
"example": 3600,
"minimum": 60
},
"immediateUpdate": {
"type": "boolean",
"description": "If true, regenerate JWT immediately on status changes. If false (default), use lazy regeneration on TTL expiry.",
"default": false
},
"enableAggregation": {
"type": "boolean",
"description": "If true, include aggregation_uri in status list JWTs for pre-fetching support (default: true).",
"default": true
}
}
}
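How the `bits` and `capacity` settings translate into the bytes a verifier reads, as an added example that is not EUDIPLO code. It assumes the status list JWT follows the IETF Token Status List encoding (entries packed least-significant-bit first, zlib-compressed, base64url-encoded); `packStatuses`, `encodeStatusList`, `readStatus` and the 1 MiB size ceiling are hypothetical choices of this example.

```javascript
// Added example, not EUDIPLO code. Assumes the IETF Token Status List layout.
const zlib = require('node:zlib');

const ALLOWED_BITS = [1, 2, 4, 8]; // enum from the status list config schema
const STATUS_NAMES = { 0: 'VALID', 1: 'INVALID', 2: 'SUSPENDED' };
const MAX_LIST_BYTES = 1 << 20; // assumed ceiling for the inflated list (1 MiB)

function checkBits(bits) {
  if (!ALLOWED_BITS.includes(bits)) {
    throw new RangeError(`bits must be one of ${ALLOWED_BITS.join(', ')}`);
  }
}

// Pack { index: value } into the raw byte array. Because bits is 1, 2, 4 or 8,
// an entry never straddles a byte boundary. Unset entries stay 0 (VALID).
function packStatuses(bits, capacity, statuses) {
  checkBits(bits);
  const raw = Buffer.alloc(Math.ceil((capacity * bits) / 8));
  const maxValue = (1 << bits) - 1;
  for (const [key, value] of Object.entries(statuses)) {
    const index = Number(key);
    if (!Number.isInteger(index) || index < 0 || index >= capacity) {
      throw new RangeError(`index ${key} is outside the list`);
    }
    if (!Number.isInteger(value) || value < 0 || value > maxValue) {
      throw new RangeError(`status ${value} does not fit in ${bits} bit(s)`);
    }
    const bitOffset = index * bits;
    raw[Math.floor(bitOffset / 8)] |= value << (bitOffset % 8);
  }
  return raw;
}

// Compress and encode the packed list the way it travels inside the JWT.
function encodeStatusList(bits, capacity, statuses) {
  return zlib.deflateSync(packStatuses(bits, capacity, statuses)).toString('base64url');
}

// Read one entry from an encoded list. Fails closed: an index past the end of
// the decoded list is an error, never "VALID", and the inflated size is capped
// so an oversized or malicious list cannot exhaust memory.
function readStatus(lst, bits, index) {
  checkBits(bits);
  if (!Number.isInteger(index) || index < 0) {
    throw new RangeError('index must be a non-negative integer');
  }
  const raw = zlib.inflateSync(Buffer.from(lst, 'base64url'), {
    maxOutputLength: MAX_LIST_BYTES,
  });
  const bitOffset = index * bits;
  const byteIndex = Math.floor(bitOffset / 8);
  if (byteIndex >= raw.length) {
    throw new RangeError(`index ${index} is beyond the end of the list`);
  }
  const value = (raw[byteIndex] >> (bitOffset % 8)) & ((1 << bits) - 1);
  // Values above 2 are application-specific or reserved.
  return { value, name: STATUS_NAMES[value] ?? 'OTHER' };
}

// Constructed demo: 2 bits per entry, capacity 10000 (2500 bytes uncompressed).
const demoList = encodeStatusList(2, 10000, { 0: 1, 5: 2 });
console.log(readStatus(demoList, 2, 0), readStatus(demoList, 2, 5));
```

With `bits` set to 1 only VALID and INVALID can be expressed, so a tenant that needs suspension has to create its lists with at least 2 bits; the page notes that configuration changes affect only newly created lists.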
PUT /status-list-config
Update status list configuration
Description
Update the status list configuration. Changes only affect newly created status lists. Set a field to null to reset to global default.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Request body
Schema of the request body
{
"type": "object",
"properties": {
"capacity": {
"type": "number",
"nullable": true,
"description": "The capacity of the status list. Set to null to reset to global default.",
"minimum": 100,
"example": 10000
},
"bits": {
"type": "number",
"nullable": true,
"description": "Bits per status entry. Set to null to reset to global default.",
"enum": [
1,
2,
4,
8
]
},
"ttl": {
"type": "number",
"nullable": true,
"description": "TTL in seconds for the status list JWT. Set to null to reset to global default.",
"minimum": 60,
"example": 3600
},
"immediateUpdate": {
"type": "boolean",
"nullable": true,
"description": "If true, regenerate JWT on every status change. Set to null to reset to default (false)."
},
"enableAggregation": {
"type": "boolean",
"nullable": true,
"description": "If true, include aggregation_uri in status list JWTs for pre-fetching support. Set to null to reset to default (true)."
}
}
}
Responses
Schema of the response body
{
"type": "object",
"properties": {
"capacity": {
"type": "number",
"description": "The capacity of the status list. If not set, uses global STATUS_CAPACITY.",
"example": 10000,
"minimum": 100
},
"bits": {
"type": "number",
"description": "Bits per status entry: 1 (valid/revoked), 2 (with suspended), 4/8 (extended). If not set, uses global STATUS_BITS.",
"enum": [
1,
2,
4,
8
],
"default": 1
},
"ttl": {
"type": "number",
"description": "TTL in seconds for the status list JWT. If not set, uses global STATUS_TTL.",
"example": 3600,
"minimum": 60
},
"immediateUpdate": {
"type": "boolean",
"description": "If true, regenerate JWT immediately on status changes. If false (default), use lazy regeneration on TTL expiry.",
"default": false
},
"enableAggregation": {
"type": "boolean",
"description": "If true, include aggregation_uri in status list JWTs for pre-fetching support (default: true).",
"default": true
}
}
}
DELETE /status-list-config
Reset status list configuration
Description
Reset the status list configuration to global defaults. Only affects newly created status lists.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Responses
status-lists
GET /status-lists
List all status lists
Description
Returns all status lists for the tenant, including their capacity and usage.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Responses
[
{
"id": "550e8400-e29b-41d4-a716-446655440000",
"tenantId": "root",
"credentialConfigurationId": "org.iso.18013.5.1.mDL",
"keyChainId": "my-status-list-keychain",
"bits": 1,
"capacity": 10000,
"usedEntries": 150,
"availableEntries": 9850,
"uri": "https://example.com/demo/status-management/status-list/550e8400-e29b-41d4-a716-446655440000",
"createdAt": "2024-01-15T10:30:00.000Z",
"expiresAt": "2024-01-15T11:30:00.000Z"
}
]
POST /status-lists
Create a status list
Description
Creates a new status list. Optionally bind it to a specific credential configuration and/or certificate.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Request body
{
"credentialConfigurationId": "org.iso.18013.5.1.mDL",
"keyChainId": "my-status-list-keychain",
"bits": 1,
"capacity": 100000
}
Schema of the request body
{
"type": "object",
"properties": {
"credentialConfigurationId": {
"type": "string",
"description": "Credential configuration ID to bind this list exclusively to. Leave empty for a shared list.",
"example": "org.iso.18013.5.1.mDL"
},
"keyChainId": {
"type": "string",
"description": "Key chain ID to use for signing. Leave empty to use the tenant's default StatusList key chain.",
"example": "my-status-list-keychain"
},
"bits": {
"type": "number",
"description": "Bits per status value. More bits allow more status states. Defaults to tenant configuration.",
"enum": [
1,
2,
4,
8
],
"example": 1
},
"capacity": {
"type": "number",
"description": "Maximum number of credential status entries. Defaults to tenant configuration.",
"minimum": 1000,
"example": 100000
}
}
}
Responses
{
"id": "550e8400-e29b-41d4-a716-446655440000",
"tenantId": "root",
"credentialConfigurationId": "org.iso.18013.5.1.mDL",
"keyChainId": "my-status-list-keychain",
"bits": 1,
"capacity": 10000,
"usedEntries": 150,
"availableEntries": 9850,
"uri": "https://example.com/demo/status-management/status-list/550e8400-e29b-41d4-a716-446655440000",
"createdAt": "2024-01-15T10:30:00.000Z",
"expiresAt": "2024-01-15T11:30:00.000Z"
}
Schema of the response body
{
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Unique identifier for the status list",
"example": "550e8400-e29b-41d4-a716-446655440000"
},
"tenantId": {
"type": "string",
"description": "The tenant ID",
"example": "root"
},
"credentialConfigurationId": {
"type": "string",
"nullable": true,
"description": "Credential configuration ID this list is bound to. Null means shared.",
"example": "org.iso.18013.5.1.mDL"
},
"keyChainId": {
"type": "string",
"nullable": true,
"description": "Key chain ID used for signing. Null means using the tenant's default.",
"example": "my-status-list-keychain"
},
"bits": {
"type": "number",
"description": "Bits per status value",
"enum": [
1,
2,
4,
8
],
"example": 1
},
"capacity": {
"type": "number",
"description": "Total capacity of the status list",
"example": 10000
},
"usedEntries": {
"type": "number",
"description": "Number of entries in use",
"example": 150
},
"availableEntries": {
"type": "number",
"description": "Number of available entries",
"example": 9850
},
"uri": {
"type": "string",
"description": "The public URI for this status list",
"example": "https://example.com/demo/status-management/status-list/550e8400-e29b-41d4-a716-446655440000"
},
"createdAt": {
"format": "date-time",
"type": "string",
"description": "Creation timestamp",
"example": "2024-01-15T10:30:00.000Z"
},
"expiresAt": {
"format": "date-time",
"type": "string",
"nullable": true,
"description": "JWT expiration timestamp. Null if JWT has not been generated yet.",
"example": "2024-01-15T11:30:00.000Z"
}
},
"required": [
"id",
"tenantId",
"bits",
"capacity",
"usedEntries",
"availableEntries",
"uri",
"createdAt"
]
}
GET /status-lists/{listId}
Get a status list
Description
Returns details for a specific status list.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| listId | path | string | | No | The status list ID |
Responses
{
"id": "550e8400-e29b-41d4-a716-446655440000",
"tenantId": "root",
"credentialConfigurationId": "org.iso.18013.5.1.mDL",
"keyChainId": "my-status-list-keychain",
"bits": 1,
"capacity": 10000,
"usedEntries": 150,
"availableEntries": 9850,
"uri": "https://example.com/demo/status-management/status-list/550e8400-e29b-41d4-a716-446655440000",
"createdAt": "2024-01-15T10:30:00.000Z",
"expiresAt": "2024-01-15T11:30:00.000Z"
}
Schema of the response body
{
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Unique identifier for the status list",
"example": "550e8400-e29b-41d4-a716-446655440000"
},
"tenantId": {
"type": "string",
"description": "The tenant ID",
"example": "root"
},
"credentialConfigurationId": {
"type": "string",
"nullable": true,
"description": "Credential configuration ID this list is bound to. Null means shared.",
"example": "org.iso.18013.5.1.mDL"
},
"keyChainId": {
"type": "string",
"nullable": true,
"description": "Key chain ID used for signing. Null means using the tenant's default.",
"example": "my-status-list-keychain"
},
"bits": {
"type": "number",
"description": "Bits per status value",
"enum": [
1,
2,
4,
8
],
"example": 1
},
"capacity": {
"type": "number",
"description": "Total capacity of the status list",
"example": 10000
},
"usedEntries": {
"type": "number",
"description": "Number of entries in use",
"example": 150
},
"availableEntries": {
"type": "number",
"description": "Number of available entries",
"example": 9850
},
"uri": {
"type": "string",
"description": "The public URI for this status list",
"example": "https://example.com/demo/status-management/status-list/550e8400-e29b-41d4-a716-446655440000"
},
"createdAt": {
"format": "date-time",
"type": "string",
"description": "Creation timestamp",
"example": "2024-01-15T10:30:00.000Z"
},
"expiresAt": {
"format": "date-time",
"type": "string",
"nullable": true,
"description": "JWT expiration timestamp. Null if JWT has not been generated yet.",
"example": "2024-01-15T11:30:00.000Z"
}
},
"required": [
"id",
"tenantId",
"bits",
"capacity",
"usedEntries",
"availableEntries",
"uri",
"createdAt"
]
}
PATCH /status-lists/{listId}
Update a status list
Description
Update a status list's credential configuration binding and/or certificate.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| listId | path | string | | No | The status list ID |
Request body
Schema of the request body
{
"type": "object",
"properties": {
"credentialConfigurationId": {
"type": "string",
"nullable": true,
"description": "Credential configuration ID to bind this list exclusively to. Set to null to make this a shared list.",
"example": "org.iso.18013.5.1.mDL"
},
"keyChainId": {
"type": "string",
"nullable": true,
"description": "Key chain ID to use for signing. Set to null to use the tenant's default StatusList key chain.",
"example": "my-status-list-keychain"
}
}
}
Responses
{
"id": "550e8400-e29b-41d4-a716-446655440000",
"tenantId": "root",
"credentialConfigurationId": "org.iso.18013.5.1.mDL",
"keyChainId": "my-status-list-keychain",
"bits": 1,
"capacity": 10000,
"usedEntries": 150,
"availableEntries": 9850,
"uri": "https://example.com/demo/status-management/status-list/550e8400-e29b-41d4-a716-446655440000",
"createdAt": "2024-01-15T10:30:00.000Z",
"expiresAt": "2024-01-15T11:30:00.000Z"
}
Schema of the response body
{
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Unique identifier for the status list",
"example": "550e8400-e29b-41d4-a716-446655440000"
},
"tenantId": {
"type": "string",
"description": "The tenant ID",
"example": "root"
},
"credentialConfigurationId": {
"type": "string",
"nullable": true,
"description": "Credential configuration ID this list is bound to. Null means shared.",
"example": "org.iso.18013.5.1.mDL"
},
"keyChainId": {
"type": "string",
"nullable": true,
"description": "Key chain ID used for signing. Null means using the tenant's default.",
"example": "my-status-list-keychain"
},
"bits": {
"type": "number",
"description": "Bits per status value",
"enum": [
1,
2,
4,
8
],
"example": 1
},
"capacity": {
"type": "number",
"description": "Total capacity of the status list",
"example": 10000
},
"usedEntries": {
"type": "number",
"description": "Number of entries in use",
"example": 150
},
"availableEntries": {
"type": "number",
"description": "Number of available entries",
"example": 9850
},
"uri": {
"type": "string",
"description": "The public URI for this status list",
"example": "https://example.com/demo/status-management/status-list/550e8400-e29b-41d4-a716-446655440000"
},
"createdAt": {
"format": "date-time",
"type": "string",
"description": "Creation timestamp",
"example": "2024-01-15T10:30:00.000Z"
},
"expiresAt": {
"format": "date-time",
"type": "string",
"nullable": true,
"description": "JWT expiration timestamp. Null if JWT has not been generated yet.",
"example": "2024-01-15T11:30:00.000Z"
}
},
"required": [
"id",
"tenantId",
"bits",
"capacity",
"usedEntries",
"availableEntries",
"uri",
"createdAt"
]
}
DELETE /status-lists/{listId}
Delete a status list
Description
Delete a status list. Only allowed if no credentials are using it.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| listId | path | string | | No | The status list ID |
Responses
Session
GET /session
Retrieves all sessions.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Responses
[
{
"status": "active",
"id": "string",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z",
"expiresAt": "2022-04-13T15:42:05.901Z",
"useDcApi": true,
"tenantId": "string",
"tenant": null,
"authorization_code": "string",
"request_uri": "string",
"auth_queries": null,
"offer": {},
"offerUrl": "string",
"credentialPayload": null,
"notifyWebhook": null,
"notifications": [
{}
],
"requestId": "string",
"requestUrl": "string",
"requestObject": "string",
"credentials": [
{}
],
"vp_nonce": "string",
"clientId": "string",
"responseUri": "string",
"redirectUri": "string",
"parsedWebhook": null,
"transaction_data": [
{
"type": "string",
"credential_ids": [
"string"
]
}
],
"externalIssuer": "string",
"externalSubject": "string"
}
]
GET /session/{id}
Retrieves the session information for a given session ID.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| id | path | string | | No | The session ID |
Responses
{
"status": "active",
"id": "string",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z",
"expiresAt": "2022-04-13T15:42:05.901Z",
"useDcApi": true,
"tenantId": "string",
"tenant": null,
"authorization_code": "string",
"request_uri": "string",
"auth_queries": null,
"offer": {},
"offerUrl": "string",
"credentialPayload": null,
"notifyWebhook": null,
"notifications": [
{}
],
"requestId": "string",
"requestUrl": "string",
"requestObject": "string",
"credentials": [
{}
],
"vp_nonce": "string",
"clientId": "string",
"responseUri": "string",
"redirectUri": "string",
"parsedWebhook": null,
"transaction_data": [
{
"type": "string",
"credential_ids": [
"string"
]
}
],
"externalIssuer": "string",
"externalSubject": "string"
}
Schema of the response body
{
"type": "object",
"properties": {
"status": {
"description": "Status of the session.",
"enum": [
"active",
"fetched",
"completed",
"expired",
"failed"
],
"type": "string"
},
"id": {
"type": "string",
"description": "Unique identifier for the session."
},
"createdAt": {
"format": "date-time",
"type": "string",
"description": "The timestamp when the request was created."
},
"updatedAt": {
"format": "date-time",
"type": "string",
"description": "The timestamp when the request was last updated."
},
"expiresAt": {
"format": "date-time",
"type": "string",
"description": "The timestamp when the request is set to expire."
},
"useDcApi": {
"type": "boolean",
"description": "Flag indicating whether to use the DC API for the presentation request."
},
"tenantId": {
"type": "string",
"description": "Tenant ID for multi-tenancy support."
},
"tenant": {
"description": "The tenant that owns this object.",
"allOf": [
{
"$ref": "#/components/schemas/TenantEntity"
}
]
},
"authorization_code": {
"type": "string"
},
"request_uri": {
"type": "string",
"description": "Request URI from the authorization request."
},
"auth_queries": {
"description": "Authorization queries associated with the session.\nEncrypted at rest.",
"allOf": [
{
"$ref": "#/components/schemas/AuthorizeQueries"
}
]
},
"offer": {
"description": "Credential offer object containing details about the credential offer or presentation request.\nEncrypted at rest.",
"type": "object"
},
"offerUrl": {
"type": "string",
"description": "Offer URL for the credential offer."
},
"credentialPayload": {
"description": "Credential payload containing the offer request details.\nEncrypted at rest - may contain sensitive claim data.",
"allOf": [
{
"$ref": "#/components/schemas/OfferRequestDto"
}
]
},
"notifyWebhook": {
"description": "Webhook configuration to send the result of the notification response.",
"allOf": [
{
"$ref": "#/components/schemas/WebhookConfig"
}
]
},
"notifications": {
"description": "Notifications associated with the session.",
"type": "array",
"items": {
"type": "object"
}
},
"requestId": {
"type": "string"
},
"requestUrl": {
"type": "string",
"description": "The URL of the presentation auth request."
},
"requestObject": {
"type": "string",
"description": "Signed presentation auth request."
},
"credentials": {
"description": "Verified credentials from the presentation process.\nEncrypted at rest - contains personal information.",
"type": "array",
"items": {
"type": "object"
}
},
"vp_nonce": {
"type": "string",
"description": "Nonce from the Verifiable Presentation request."
},
"clientId": {
"type": "string",
"description": "Client ID used in the OID4VP authorization request."
},
"responseUri": {
"type": "string",
"description": "Response URI used in the OID4VP authorization request."
},
"redirectUri": {
"type": "string",
"nullable": true,
"description": "Redirect URI to which the user-agent should be redirected after the presentation is completed."
},
"parsedWebhook": {
"description": "Where to send the claims webhook response.",
"allOf": [
{
"$ref": "#/components/schemas/WebhookConfig"
}
]
},
"transaction_data": {
"description": "Transaction data to include in the OID4VP authorization request.\nCan be overridden per-request from the presentation configuration.",
"type": "array",
"items": {
"$ref": "#/components/schemas/TransactionData"
}
},
"externalIssuer": {
"type": "string"
},
"externalSubject": {
"type": "string",
"description": "The subject (sub) from the external authorization server token.\nUsed to identify the user at the external AS."
}
},
"required": [
"status",
"id",
"createdAt",
"updatedAt",
"useDcApi",
"tenantId",
"tenant",
"notifications"
]
}
DELETE /session/{id}
Deletes a session by its ID
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| id | path | string | | No | |
Responses
POST /session/revoke
Update the status of the credentials of a specific session.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Request body
Schema of the request body
{
"type": "object",
"properties": {
"sessionId": {
"type": "string",
"description": "The session ID of the user"
},
"credentialConfigurationId": {
"type": "string",
"description": "The ID of the credential configuration.\nOptional: if not provided, all credentials of the session will be revoked."
},
"status": {
"type": "number",
"description": "The status of the credential\n0 = valid, 1 = revoked, 2 = suspended"
}
},
"required": [
"sessionId",
"status"
]
}
Responses
GET /session-config
Get session storage configuration
Description
Returns the session storage configuration for the current tenant.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Responses
Schema of the response body
{
"type": "object",
"properties": {
"ttlSeconds": {
"type": "number",
"description": "Time-to-live for sessions in seconds. If not set, uses global SESSION_TTL.",
"example": 86400,
"minimum": 60
},
"cleanupMode": {
"type": "string",
"description": "Cleanup mode: 'full' deletes everything, 'anonymize' keeps metadata but removes PII.",
"enum": [
"full",
"anonymize"
],
"default": "full"
}
}
}
PUT /session-config
Update session storage configuration
Description
Updates the session storage configuration for the current tenant.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Request body
Schema of the request body
{
"type": "object",
"properties": {
"ttlSeconds": {
"type": "number",
"nullable": true,
"description": "Time-to-live for sessions in seconds. Set to null to use global default.",
"minimum": 60,
"example": 86400
},
"cleanupMode": {
"description": "Cleanup mode: 'full' deletes everything, 'anonymize' keeps metadata but removes PII.",
"enum": [
"full",
"anonymize"
],
"type": "string",
"default": "full"
}
}
}
Responses
Schema of the response body
{
"type": "object",
"properties": {
"ttlSeconds": {
"type": "number",
"description": "Time-to-live for sessions in seconds. If not set, uses global SESSION_TTL.",
"example": 86400,
"minimum": 60
},
"cleanupMode": {
"type": "string",
"description": "Cleanup mode: 'full' deletes everything, 'anonymize' keeps metadata but removes PII.",
"enum": [
"full",
"anonymize"
],
"default": "full"
}
}
}
DELETE /session-config
Reset session storage configuration
Description
Resets the session storage configuration to use global defaults.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Responses
Session Events
GET /session/{id}/events
Subscribe to session status updates
Description
Server-Sent Events endpoint for real-time session status updates. Requires JWT authentication via query parameter.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| id | path | string | | No | Session ID to subscribe to |
| token | query | string | | No | JWT access token for authentication |
Responses
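Because this endpoint carries the JWT in the `token` query parameter, the token is part of the request target and will appear wherever request targets are recorded. The following is an added example (not EUDIPLO code) that redacts it from access-log lines; the log format, the `debug` parameter and the token values are constructed assumptions.

```javascript
// Added example, not EUDIPLO code. Log lines and token values below are constructed.

// Only request targets for GET /session/{id}/events are rewritten.
const SSE_PATH = /^\/session\/[^/?#]+\/events$/;

// Decode a query key for comparison; fall back to the raw text on bad escapes.
function decodeKey(rawKey) {
  try {
    return decodeURIComponent(rawKey.replace(/\+/g, " "));
  } catch {
    return rawKey;
  }
}

// Redact the `token` value in a request target (path plus query string).
// Targets for other paths are returned unchanged.
function redactRequestTarget(target) {
  const q = target.indexOf("?");
  if (q === -1 || !SSE_PATH.test(target.slice(0, q))) return target;
  const pairs = target.slice(q + 1).split("&").map((pair) => {
    const eq = pair.indexOf("=");
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    // Compare the decoded key so that an escaped spelling such as %74oken is caught too.
    return decodeKey(rawKey) === "token" ? `${rawKey}=REDACTED` : pair;
  });
  return target.slice(0, q + 1) + pairs.join("&");
}

// Apply the redaction to the request line of an access-log entry
// (assumed format: "METHOD target HTTP/x.y" inside double quotes).
function redactLogLine(line) {
  return line.replace(
    /"([A-Z]+) (\S+) (HTTP\/[\d.]+)"/,
    (_match, method, target, proto) =>
      `"${method} ${redactRequestTarget(target)} ${proto}"`
  );
}

function redactAll(lines) {
  return lines.map(redactLogLine);
}

// Constructed sample input.
const SAMPLE_LOG = [
  '203.0.113.7 - - [13/Apr/2022:15:42:05 +0000] "GET /session/5f1c/events?token=aaa.bbb.ccc HTTP/1.1" 200 512',
  '203.0.113.7 - - [13/Apr/2022:15:42:09 +0000] "GET /session/5f1c/events?debug=1&%74oken=aaa.bbb.ccc HTTP/1.1" 200 128',
  '203.0.113.7 - - [13/Apr/2022:15:42:11 +0000] "GET /session/5f1c HTTP/1.1" 200 901',
];

console.log(redactAll(SAMPLE_LOG).join("\n"));
```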
Issuer
GET /issuer/config
Returns the issuance configurations for this tenant. Creates a default one if it does not exist.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Responses
{
"signingKeyId": "string",
"chainedAs": null,
"tenant": null,
"authServers": [
"string"
],
"batchSize": 10.12,
"dPopRequired": true,
"walletAttestationRequired": true,
"walletProviderTrustLists": [
"string"
],
"preferredAuthServer": "string",
"display": [
{
"name": "string",
"locale": "string",
"logo": {
"uri": "string",
"alt_text": "string"
}
}
],
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
}
Schema of the response body
{
"type": "object",
"properties": {
"signingKeyId": {
"type": "string",
"description": "Key ID for signing access tokens. If unset, the default signing key is used."
},
"chainedAs": {
"description": "Configuration for Chained Authorization Server mode.\nWhen enabled, EUDIPLO acts as an OAuth AS facade, delegating user authentication\nto an upstream OIDC provider while issuing its own tokens with issuer_state.",
"allOf": [
{
"$ref": "#/components/schemas/ChainedAsConfig"
}
]
},
"tenant": {
"description": "The tenant that owns this object.",
"allOf": [
{
"$ref": "#/components/schemas/TenantEntity"
}
]
},
"authServers": {
"description": "Authentication server URL for the issuance process.",
"type": "array",
"items": {
"type": "string"
}
},
"batchSize": {
"type": "number",
"description": "Value to determine the amount of credentials that are issued in a batch.\nDefault is 1."
},
"dPopRequired": {
"type": "boolean",
"description": "Indicates whether DPoP is required for the issuance process. Default value is true."
},
"walletAttestationRequired": {
"type": "boolean",
"description": "Indicates whether wallet attestation is required for the token endpoint.\nWhen enabled, wallets must provide OAuth-Client-Attestation headers.\nDefault value is false."
},
"walletProviderTrustLists": {
"description": "URLs of trust lists containing trusted wallet providers.\nThe wallet attestation's X.509 certificate will be validated against these trust lists.\nIf empty and walletAttestationRequired is true, all wallet providers are rejected.",
"type": "array",
"items": {
"type": "string"
}
},
"preferredAuthServer": {
"type": "string",
"description": "The URL of the preferred authorization server for wallet-initiated flows.\nWhen set, this AS is placed first in the `authorization_servers` array\nof the credential issuer metadata, signaling wallets to use it by default.\nMust match one of the configured auth servers, the chained AS URL, or \"built-in\"."
},
"display": {
"type": "array",
"items": {
"$ref": "#/components/schemas/DisplayInfo"
}
},
"createdAt": {
"format": "date-time",
"type": "string",
"description": "The timestamp when the VP request was created."
},
"updatedAt": {
"format": "date-time",
"type": "string",
"description": "The timestamp when the VP request was last updated."
}
},
"required": [
"tenant",
"display",
"createdAt",
"updatedAt"
]
}
POST /issuer/config
Stores the issuance configuration for this tenant.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Request body
{
"signingKeyId": "string",
"chainedAs": null,
"authServers": [
"string"
],
"batchSize": 10.12,
"dPopRequired": true,
"walletAttestationRequired": true,
"walletProviderTrustLists": [
"string"
],
"preferredAuthServer": "string",
"display": [
{
"name": "string",
"locale": "string",
"logo": {
"uri": "string",
"alt_text": "string"
}
}
]
}
Schema of the request body
{
"type": "object",
"properties": {
"signingKeyId": {
"type": "string",
"description": "Key ID for signing access tokens. If unset, the default signing key is used."
},
"chainedAs": {
"description": "Configuration for Chained Authorization Server mode.\nWhen enabled, EUDIPLO acts as an OAuth AS facade, delegating user authentication\nto an upstream OIDC provider while issuing its own tokens with issuer_state.",
"allOf": [
{
"$ref": "#/components/schemas/ChainedAsConfig"
}
]
},
"authServers": {
"description": "Authentication server URL for the issuance process.",
"type": "array",
"items": {
"type": "string"
}
},
"batchSize": {
"type": "number",
"description": "Value to determine the amount of credentials that are issued in a batch.\nDefault is 1."
},
"dPopRequired": {
"type": "boolean",
"description": "Indicates whether DPoP is required for the issuance process. Default value is true."
},
"walletAttestationRequired": {
"type": "boolean",
"description": "Indicates whether wallet attestation is required for the token endpoint.\nWhen enabled, wallets must provide OAuth-Client-Attestation headers.\nDefault value is false."
},
"walletProviderTrustLists": {
"description": "URLs of trust lists containing trusted wallet providers.\nThe wallet attestation's X.509 certificate will be validated against these trust lists.\nIf empty and walletAttestationRequired is true, all wallet providers are rejected.",
"type": "array",
"items": {
"type": "string"
}
},
"preferredAuthServer": {
"type": "string",
"description": "The URL of the preferred authorization server for wallet-initiated flows.\nWhen set, this AS is placed first in the `authorization_servers` array\nof the credential issuer metadata, signaling wallets to use it by default.\nMust match one of the configured auth servers, the chained AS URL, or \"built-in\"."
},
"display": {
"type": "array",
"items": {
"$ref": "#/components/schemas/DisplayInfo"
}
}
},
"required": [
"display"
]
}
Responses
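The schema descriptions above state several defaults and constraints that interact (DPoP default, wallet attestation with an empty trust list, the allowed values of `preferredAuthServer`). The following added example (not EUDIPLO code) checks a request body against them before it is sent; `lintIssuerConfig`, its `chainedAsUrl` argument, the exact string comparison and the sample values are assumptions made for illustration.

```javascript
// Added example, not EUDIPLO code: checks a POST /issuer/config body against the
// rules stated in the schema descriptions above. Sample configs are constructed.

// chainedAsUrl is a hypothetical argument: ChainedAsConfig is not shown in this
// section, so the caller passes the chained AS URL when one is configured.
function lintIssuerConfig(body, chainedAsUrl) {
  const findings = [];
  const add = (level, field, message) => findings.push({ level, field, message });

  // Documented defaults: batchSize 1, dPopRequired true, walletAttestationRequired false.
  const effective = {
    batchSize: body.batchSize === undefined ? 1 : body.batchSize,
    dPopRequired: body.dPopRequired === undefined ? true : body.dPopRequired,
    walletAttestationRequired:
      body.walletAttestationRequired === undefined ? false : body.walletAttestationRequired,
  };
  const authServers = Array.isArray(body.authServers) ? body.authServers : [];
  const trustLists = Array.isArray(body.walletProviderTrustLists)
    ? body.walletProviderTrustLists
    : [];

  if (!Array.isArray(body.display)) {
    add("error", "display", "required property is missing or not an array");
  }
  if (effective.dPopRequired !== true) {
    add("warn", "dPopRequired", "DPoP is not required for the issuance process");
  }
  // Documented behaviour: attestation required plus an empty list rejects every wallet provider.
  if (effective.walletAttestationRequired === true && trustLists.length === 0) {
    add("error", "walletProviderTrustLists",
      "attestation is required but no trust list is set: all wallet providers are rejected");
  }
  if (effective.walletAttestationRequired !== true && trustLists.length > 0) {
    add("warn", "walletAttestationRequired",
      "trust lists are set but wallet attestation is not required");
  }
  // Exact string comparison is an assumption; the service may normalise URLs.
  if (body.preferredAuthServer !== undefined) {
    const allowed = new Set(["built-in", ...authServers]);
    if (chainedAsUrl) allowed.add(chainedAsUrl);
    if (!allowed.has(body.preferredAuthServer)) {
      add("error", "preferredAuthServer",
        'must match a configured auth server, the chained AS URL, or "built-in"');
    }
  }
  return { effective, findings };
}

// Constructed sample: three settings that conflict with the documented rules.
const WEAK_CONFIG = {
  display: [{ name: "Example Issuer", locale: "en" }],
  authServers: ["https://as-a.example.test"],
  dPopRequired: false,
  walletAttestationRequired: true,
  walletProviderTrustLists: [],
  preferredAuthServer: "https://as-b.example.test",
};

// Constructed sample: the same tenant with the three findings resolved.
const FIXED_CONFIG = {
  display: [{ name: "Example Issuer", locale: "en" }],
  authServers: ["https://as-a.example.test"],
  walletAttestationRequired: true,
  walletProviderTrustLists: ["https://trust.example.test/wallet-providers"],
  preferredAuthServer: "built-in",
};

console.log(JSON.stringify(lintIssuerConfig(WEAK_CONFIG).findings, null, 2));
console.log(JSON.stringify(lintIssuerConfig(FIXED_CONFIG), null, 2));
```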
GET /issuer/credentials
Returns the credential configurations for this tenant.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Responses
[
{
"vct": null,
"iaeActions": "",
"embeddedDisclosurePolicy": null,
"id": "string",
"description": "string",
"tenant": null,
"config": {
"format": "mso_mdoc",
"display": [
{
"name": "string",
"description": "string",
"locale": "string",
"background_color": "string",
"text_color": "string",
"background_image": {
"uri": "string"
},
"logo": null
}
],
"scope": "string",
"docType": "string",
"namespace": "string",
"claimsByNamespace": {}
},
"claims": {},
"claimsWebhook": null,
"notificationWebhook": null,
"disclosureFrame": {},
"keyBinding": true,
"keyChainId": "string",
"keyChain": {
"id": "string",
"tenantId": "string",
"tenant": null,
"description": "string",
"usageType": "access",
"usage": "sign",
"kmsProvider": "string",
"externalKeyId": "string",
"rootKey": {},
"rootCertificate": "string",
"activeKey": {},
"activeCertificate": "string",
"rotationEnabled": true,
"rotationIntervalDays": 10.12,
"certValidityDays": 10.12,
"lastRotatedAt": "2022-04-13T15:42:05.901Z",
"previousKey": {},
"previousCertificate": "string",
"previousKeyExpiry": "2022-04-13T15:42:05.901Z",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
},
"statusManagement": true,
"lifeTime": 10.12,
"schema": null
}
]
POST /issuer/credentials
Stores the credential configuration for this tenant.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Request body
{
"vct": null,
"iaeActions": "",
"embeddedDisclosurePolicy": null,
"id": "string",
"description": "string",
"config": {
"format": "mso_mdoc",
"display": [
{
"name": "string",
"description": "string",
"locale": "string",
"background_color": "string",
"text_color": "string",
"background_image": {
"uri": "string"
},
"logo": null
}
],
"scope": "string",
"docType": "string",
"namespace": "string",
"claimsByNamespace": {}
},
"claims": {},
"claimsWebhook": null,
"notificationWebhook": null,
"disclosureFrame": {},
"keyBinding": true,
"keyChainId": "string",
"statusManagement": true,
"lifeTime": 10.12,
"schema": null
}
Schema of the request body
{
"type": "object",
"properties": {
"vct": {
"description": "VCT as a URI string (e.g., urn:eudi:pid:de:1) or as an object for EUDIPLO-hosted VCT",
"nullable": true,
"oneOf": [
{
"type": "string",
"description": "VCT URI string"
},
{
"$ref": "#/components/schemas/VCT"
}
]
},
"iaeActions": {
"type": "array",
"nullable": true,
"description": "List of IAE actions to execute before credential issuance",
"example": "",
"items": {
"oneOf": [
{
"$ref": "#/components/schemas/IaeActionOpenid4vpPresentation"
},
{
"$ref": "#/components/schemas/IaeActionRedirectToWeb"
}
]
}
},
"embeddedDisclosurePolicy": {
"nullable": true,
"description": "Embedded disclosure policy (discriminated union by `policy`).\nThe discriminator makes class-transformer instantiate the right subclass,\nand then class-validator runs that subclass’s rules.",
"oneOf": [
{
"$ref": "#/components/schemas/AttestationBasedPolicy"
},
{
"$ref": "#/components/schemas/NoneTrustPolicy"
},
{
"$ref": "#/components/schemas/AllowListPolicy"
},
{
"$ref": "#/components/schemas/RootOfTrustPolicy"
}
],
"allOf": [
{
"$ref": "#/components/schemas/EmbeddedDisclosurePolicy"
}
]
},
"id": {
"type": "string"
},
"description": {
"type": "string",
"nullable": true
},
"config": {
"$ref": "#/components/schemas/IssuerMetadataCredentialConfig"
},
"claims": {
"type": "object",
"nullable": true
},
"claimsWebhook": {
"nullable": true,
"description": "Webhook to receive claims for the issuance process.",
"allOf": [
{
"$ref": "#/components/schemas/WebhookConfig"
}
]
},
"notificationWebhook": {
"nullable": true,
"description": "Webhook to receive claims for the issuance process.",
"allOf": [
{
"$ref": "#/components/schemas/WebhookConfig"
}
]
},
"disclosureFrame": {
"type": "object",
"nullable": true
},
"keyBinding": {
"type": "boolean"
},
"keyChainId": {
"type": "string",
"description": "Reference to the key chain used for signing.\nOptional: if not specified, the default attestation key chain will be used."
},
"statusManagement": {
"type": "boolean"
},
"lifeTime": {
"type": "number"
},
"schema": {
"nullable": true,
"allOf": [
{
"$ref": "#/components/schemas/SchemaResponse"
}
]
}
},
"required": [
"id",
"config"
]
}
Responses
GET /issuer/credentials/{id}
Returns a specific credential configuration by ID.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| id | path | string | | No | |
Responses
{
"vct": null,
"iaeActions": "",
"embeddedDisclosurePolicy": null,
"id": "string",
"description": "string",
"tenant": null,
"config": {
"format": "mso_mdoc",
"display": [
{
"name": "string",
"description": "string",
"locale": "string",
"background_color": "string",
"text_color": "string",
"background_image": {
"uri": "string"
},
"logo": null
}
],
"scope": "string",
"docType": "string",
"namespace": "string",
"claimsByNamespace": {}
},
"claims": {},
"claimsWebhook": null,
"notificationWebhook": null,
"disclosureFrame": {},
"keyBinding": true,
"keyChainId": "string",
"keyChain": {
"id": "string",
"tenantId": "string",
"tenant": null,
"description": "string",
"usageType": "access",
"usage": "sign",
"kmsProvider": "string",
"externalKeyId": "string",
"rootKey": {},
"rootCertificate": "string",
"activeKey": {},
"activeCertificate": "string",
"rotationEnabled": true,
"rotationIntervalDays": 10.12,
"certValidityDays": 10.12,
"lastRotatedAt": "2022-04-13T15:42:05.901Z",
"previousKey": {},
"previousCertificate": "string",
"previousKeyExpiry": "2022-04-13T15:42:05.901Z",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
},
"statusManagement": true,
"lifeTime": 10.12,
"schema": null
}
Schema of the response body
{
"type": "object",
"properties": {
"vct": {
"description": "VCT as a URI string (e.g., urn:eudi:pid:de:1) or as an object for EUDIPLO-hosted VCT",
"nullable": true,
"oneOf": [
{
"type": "string",
"description": "VCT URI string"
},
{
"$ref": "#/components/schemas/VCT"
}
]
},
"iaeActions": {
"type": "array",
"nullable": true,
"description": "List of IAE actions to execute before credential issuance",
"example": "",
"items": {
"oneOf": [
{
"$ref": "#/components/schemas/IaeActionOpenid4vpPresentation"
},
{
"$ref": "#/components/schemas/IaeActionRedirectToWeb"
}
]
}
},
"embeddedDisclosurePolicy": {
"nullable": true,
"description": "Embedded disclosure policy (discriminated union by `policy`).\nThe discriminator makes class-transformer instantiate the right subclass,\nand then class-validator runs that subclass’s rules.",
"oneOf": [
{
"$ref": "#/components/schemas/AttestationBasedPolicy"
},
{
"$ref": "#/components/schemas/NoneTrustPolicy"
},
{
"$ref": "#/components/schemas/AllowListPolicy"
},
{
"$ref": "#/components/schemas/RootOfTrustPolicy"
}
],
"allOf": [
{
"$ref": "#/components/schemas/EmbeddedDisclosurePolicy"
}
]
},
"id": {
"type": "string"
},
"description": {
"type": "string",
"nullable": true
},
"tenant": {
"description": "The tenant that owns this object.",
"allOf": [
{
"$ref": "#/components/schemas/TenantEntity"
}
]
},
"config": {
"$ref": "#/components/schemas/IssuerMetadataCredentialConfig"
},
"claims": {
"type": "object",
"nullable": true
},
"claimsWebhook": {
"nullable": true,
"description": "Webhook to receive claims for the issuance process.",
"allOf": [
{
"$ref": "#/components/schemas/WebhookConfig"
}
]
},
"notificationWebhook": {
"nullable": true,
"description": "Webhook to receive claims for the issuance process.",
"allOf": [
{
"$ref": "#/components/schemas/WebhookConfig"
}
]
},
"disclosureFrame": {
"type": "object",
"nullable": true
},
"keyBinding": {
"type": "boolean"
},
"keyChainId": {
"type": "string",
"description": "Reference to the key chain used for signing.\nOptional: if not specified, the default attestation key chain will be used."
},
"keyChain": {
"$ref": "#/components/schemas/KeyChainEntity"
},
"statusManagement": {
"type": "boolean"
},
"lifeTime": {
"type": "number"
},
"schema": {
"nullable": true,
"allOf": [
{
"$ref": "#/components/schemas/SchemaResponse"
}
]
}
},
"required": [
"id",
"tenant",
"config"
]
}
PATCH /issuer/credentials/{id}
Updates a credential configuration by ID.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| id | path | string | | No | |
Request body
{
"vct": null,
"iaeActions": "",
"embeddedDisclosurePolicy": null,
"id": "string",
"description": "string",
"config": {
"format": "mso_mdoc",
"display": [
{
"name": "string",
"description": "string",
"locale": "string",
"background_color": "string",
"text_color": "string",
"background_image": {
"uri": "string"
},
"logo": null
}
],
"scope": "string",
"docType": "string",
"namespace": "string",
"claimsByNamespace": {}
},
"claims": {},
"claimsWebhook": null,
"notificationWebhook": null,
"disclosureFrame": {},
"keyBinding": true,
"keyChainId": "string",
"statusManagement": true,
"lifeTime": 10.12,
"schema": null
}
Schema of the request body
{
"type": "object",
"properties": {
"vct": {
"description": "VCT as a URI string (e.g., urn:eudi:pid:de:1) or as an object for EUDIPLO-hosted VCT",
"nullable": true,
"oneOf": [
{
"type": "string",
"description": "VCT URI string"
},
{
"$ref": "#/components/schemas/VCT"
}
]
},
"iaeActions": {
"type": "array",
"nullable": true,
"description": "List of IAE actions to execute before credential issuance",
"example": "",
"items": {
"oneOf": [
{
"$ref": "#/components/schemas/IaeActionOpenid4vpPresentation"
},
{
"$ref": "#/components/schemas/IaeActionRedirectToWeb"
}
]
}
},
"embeddedDisclosurePolicy": {
"nullable": true,
"description": "Embedded disclosure policy (discriminated union by `policy`).\nThe discriminator makes class-transformer instantiate the right subclass,\nand then class-validator runs that subclass’s rules.",
"oneOf": [
{
"$ref": "#/components/schemas/AttestationBasedPolicy"
},
{
"$ref": "#/components/schemas/NoneTrustPolicy"
},
{
"$ref": "#/components/schemas/AllowListPolicy"
},
{
"$ref": "#/components/schemas/RootOfTrustPolicy"
}
],
"allOf": [
{
"$ref": "#/components/schemas/EmbeddedDisclosurePolicy"
}
]
},
"id": {
"type": "string"
},
"description": {
"type": "string",
"nullable": true
},
"config": {
"$ref": "#/components/schemas/IssuerMetadataCredentialConfig"
},
"claims": {
"type": "object",
"nullable": true
},
"claimsWebhook": {
"nullable": true,
"description": "Webhook to receive claims for the issuance process.",
"allOf": [
{
"$ref": "#/components/schemas/WebhookConfig"
}
]
},
"notificationWebhook": {
"nullable": true,
"description": "Webhook to receive claims for the issuance process.",
"allOf": [
{
"$ref": "#/components/schemas/WebhookConfig"
}
]
},
"disclosureFrame": {
"type": "object",
"nullable": true
},
"keyBinding": {
"type": "boolean"
},
"keyChainId": {
"type": "string",
"description": "Reference to the key chain used for signing.\nOptional: if not specified, the default attestation key chain will be used."
},
"statusManagement": {
"type": "boolean"
},
"lifeTime": {
"type": "number"
},
"schema": {
"nullable": true,
"allOf": [
{
"$ref": "#/components/schemas/SchemaResponse"
}
]
}
}
}
Responses
DELETE /issuer/credentials/{id}
Deletes a credential configuration.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| id | path | string | | No | |
Responses
POST /issuer/offer
Create an offer for a credential.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Request body
Schema of the request body
{
"type": "object",
"properties": {
"response_type": {
"enum": [
"uri",
"dc-api"
],
"type": "string",
"examples": [
{
"value": "qrcode"
}
],
"description": "The type of response expected for the offer request."
},
"credentialClaims": {
"type": "object",
"description": "Credential claims configuration per credential. Keys must match credentialConfigurationIds.",
"properties": {
"additionalProperties": {
"oneOf": [
{
"type": "object",
"properties": {
"type": {
"type": "string",
"enum": [
"inline"
]
},
"claims": {
"type": "object",
"additionalProperties": true
}
},
"required": [
"type",
"claims"
]
},
{
"type": "object",
"properties": {
"type": {
"type": "string",
"enum": [
"webhook"
]
},
"webhook": {
"type": "object"
}
},
"required": [
"type",
"webhook"
]
}
]
}
},
"example": {
"citizen": {
"type": "inline",
"claims": {
"given_name": "John",
"family_name": "Doe"
}
}
}
},
"flow": {
"description": "The flow type for the offer request.",
"enum": [
"authorization_code",
"pre_authorized_code"
],
"type": "string"
},
"tx_code": {
"type": "string",
"description": "Transaction code for pre-authorized code flow."
},
"tx_code_description": {
"type": "string",
"description": "Description for the transaction code (e.g., \"Please enter the PIN sent to your email\")."
},
"credentialConfigurationIds": {
"description": "List of credential configuration ids to be included in the offer.",
"type": "array",
"items": {
"type": "string"
}
},
"authorization_server": {
"type": "string",
"description": "Optional authorization server to be used for this issuance flow."
},
"notifyWebhook": {
"description": "Webhook to notify about the status of the issuance process.",
"allOf": [
{
"$ref": "#/components/schemas/WebhookConfig"
}
]
}
},
"required": [
"response_type",
"flow",
"credentialConfigurationIds"
]
}
Responses
POST /issuer/deferred/{transactionId}/complete
Complete a deferred credential transaction
Description
Completes a pending deferred credential transaction by providing the claims. The credential will be generated and marked as ready for wallet retrieval.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| transactionId | path | string | | No | |
Request body
Schema of the request body
{
"type": "object",
"properties": {
"claims": {
"type": "object",
"description": "Claims to include in the credential. The structure should match the credential configuration's expected claims.",
"example": {
"given_name": "John",
"family_name": "Doe",
"birthdate": "1990-01-15"
}
}
},
"required": [
"claims"
]
}
Responses
Schema of the response body
{
"type": "object",
"properties": {
"transactionId": {
"type": "string",
"description": "The transaction ID"
},
"status": {
"description": "The new status of the transaction",
"enum": [
"pending",
"ready",
"retrieved",
"expired",
"failed"
],
"type": "string"
},
"message": {
"type": "string",
"description": "Optional message"
}
},
"required": [
"transactionId",
"status"
]
}
POST /issuer/deferred/{transactionId}/fail
Fail a deferred credential transaction
Description
Marks a deferred credential transaction as failed. The wallet will receive an invalid_transaction_id error when attempting retrieval.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| transactionId | path | string | | No | |
Request body
Responses
Schema of the response body
{
"type": "object",
"properties": {
"transactionId": {
"type": "string",
"description": "The transaction ID"
},
"status": {
"description": "The new status of the transaction",
"enum": [
"pending",
"ready",
"retrieved",
"expired",
"failed"
],
"type": "string"
},
"message": {
"type": "string",
"description": "Optional message"
}
},
"required": [
"transactionId",
"status"
]
}
POST /trust-list
Creates a new trust list for the tenant
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Request body
Schema of the request body
{
"type": "object",
"properties": {
"id": {
"type": "string"
},
"description": {
"type": "string"
},
"keyChainId": {
"type": "string"
},
"entities": {
"type": "array",
"items": {
"type": "object"
}
},
"data": {
"type": "object",
"description": "The full trust list JSON (generated LoTE structure)"
}
},
"required": [
"entities"
]
}
Responses
{
"id": "string",
"description": "string",
"tenantId": "string",
"tenant": null,
"keyChainId": "string",
"keyChain": {
"id": "string",
"tenantId": "string",
"tenant": null,
"description": "string",
"usageType": "access",
"usage": "sign",
"kmsProvider": "string",
"externalKeyId": "string",
"rootKey": {},
"rootCertificate": "string",
"activeKey": {},
"activeCertificate": "string",
"rotationEnabled": true,
"rotationIntervalDays": 10.12,
"certValidityDays": 10.12,
"lastRotatedAt": "2022-04-13T15:42:05.901Z",
"previousKey": {},
"previousCertificate": "string",
"previousKeyExpiry": "2022-04-13T15:42:05.901Z",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
},
"data": {},
"entityConfig": [
{}
],
"sequenceNumber": 10.12,
"jwt": "string",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
}
Schema of the response body
{
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Unique identifier for the trust list"
},
"description": {
"type": "string"
},
"tenantId": {
"type": "string",
"description": "The tenant ID for which the VP request is made."
},
"tenant": {
"description": "The tenant that owns this object.",
"allOf": [
{
"$ref": "#/components/schemas/TenantEntity"
}
]
},
"keyChainId": {
"type": "string"
},
"keyChain": {
"$ref": "#/components/schemas/KeyChainEntity"
},
"data": {
"type": "object",
"description": "The full trust list JSON (generated LoTE structure)"
},
"entityConfig": {
"description": "The original entity configuration used to create this trust list.\nStored for round-tripping when editing.",
"type": "array",
"items": {
"type": "object"
}
},
"sequenceNumber": {
"type": "number",
"description": "The sequence number for versioning (incremented on updates)"
},
"jwt": {
"type": "string",
"description": "The signed JWT representation of this trust list"
},
"createdAt": {
"format": "date-time",
"type": "string"
},
"updatedAt": {
"format": "date-time",
"type": "string"
}
},
"required": [
"id",
"tenantId",
"tenant",
"keyChainId",
"keyChain",
"sequenceNumber",
"jwt",
"createdAt",
"updatedAt"
]
}
GET /trust-list
Returns all trust lists for the tenant
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Responses
[
{
"id": "string",
"description": "string",
"tenantId": "string",
"tenant": null,
"keyChainId": "string",
"keyChain": {
"id": "string",
"tenantId": "string",
"tenant": null,
"description": "string",
"usageType": "access",
"usage": "sign",
"kmsProvider": "string",
"externalKeyId": "string",
"rootKey": {},
"rootCertificate": "string",
"activeKey": {},
"activeCertificate": "string",
"rotationEnabled": true,
"rotationIntervalDays": 10.12,
"certValidityDays": 10.12,
"lastRotatedAt": "2022-04-13T15:42:05.901Z",
"previousKey": {},
"previousCertificate": "string",
"previousKeyExpiry": "2022-04-13T15:42:05.901Z",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
},
"data": {},
"entityConfig": [
{}
],
"sequenceNumber": 10.12,
"jwt": "string",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
}
]
GET /trust-list/{id}
Returns the trust list by id for the tenant
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| id | path | string | | No | |
Responses
{
"id": "string",
"description": "string",
"tenantId": "string",
"tenant": null,
"keyChainId": "string",
"keyChain": {
"id": "string",
"tenantId": "string",
"tenant": null,
"description": "string",
"usageType": "access",
"usage": "sign",
"kmsProvider": "string",
"externalKeyId": "string",
"rootKey": {},
"rootCertificate": "string",
"activeKey": {},
"activeCertificate": "string",
"rotationEnabled": true,
"rotationIntervalDays": 10.12,
"certValidityDays": 10.12,
"lastRotatedAt": "2022-04-13T15:42:05.901Z",
"previousKey": {},
"previousCertificate": "string",
"previousKeyExpiry": "2022-04-13T15:42:05.901Z",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
},
"data": {},
"entityConfig": [
{}
],
"sequenceNumber": 10.12,
"jwt": "string",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
}
Schema of the response body
{
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Unique identifier for the trust list"
},
"description": {
"type": "string"
},
"tenantId": {
"type": "string",
"description": "The tenant ID for which the VP request is made."
},
"tenant": {
"description": "The tenant that owns this object.",
"allOf": [
{
"$ref": "#/components/schemas/TenantEntity"
}
]
},
"keyChainId": {
"type": "string"
},
"keyChain": {
"$ref": "#/components/schemas/KeyChainEntity"
},
"data": {
"type": "object",
"description": "The full trust list JSON (generated LoTE structure)"
},
"entityConfig": {
"description": "The original entity configuration used to create this trust list.\nStored for round-tripping when editing.",
"type": "array",
"items": {
"type": "object"
}
},
"sequenceNumber": {
"type": "number",
"description": "The sequence number for versioning (incremented on updates)"
},
"jwt": {
"type": "string",
"description": "The signed JWT representation of this trust list"
},
"createdAt": {
"format": "date-time",
"type": "string"
},
"updatedAt": {
"format": "date-time",
"type": "string"
}
},
"required": [
"id",
"tenantId",
"tenant",
"keyChainId",
"keyChain",
"sequenceNumber",
"jwt",
"createdAt",
"updatedAt"
]
}
PUT /trust-list/{id}
Updates a trust list with new entities. Creates a new version for audit and regenerates the JWT.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| id | path | string | | No | |
Request body
Schema of the request body
{
"type": "object",
"properties": {
"id": {
"type": "string"
},
"description": {
"type": "string"
},
"keyChainId": {
"type": "string"
},
"entities": {
"type": "array",
"items": {
"type": "object"
}
},
"data": {
"type": "object",
"description": "The full trust list JSON (generated LoTE structure)"
}
},
"required": [
"entities"
]
}
Responses
{
"id": "string",
"description": "string",
"tenantId": "string",
"tenant": null,
"keyChainId": "string",
"keyChain": {
"id": "string",
"tenantId": "string",
"tenant": null,
"description": "string",
"usageType": "access",
"usage": "sign",
"kmsProvider": "string",
"externalKeyId": "string",
"rootKey": {},
"rootCertificate": "string",
"activeKey": {},
"activeCertificate": "string",
"rotationEnabled": true,
"rotationIntervalDays": 10.12,
"certValidityDays": 10.12,
"lastRotatedAt": "2022-04-13T15:42:05.901Z",
"previousKey": {},
"previousCertificate": "string",
"previousKeyExpiry": "2022-04-13T15:42:05.901Z",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
},
"data": {},
"entityConfig": [
{}
],
"sequenceNumber": 10.12,
"jwt": "string",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
}
Schema of the response body
{
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Unique identifier for the trust list"
},
"description": {
"type": "string"
},
"tenantId": {
"type": "string",
"description": "The tenant ID for which the VP request is made."
},
"tenant": {
"description": "The tenant that owns this object.",
"allOf": [
{
"$ref": "#/components/schemas/TenantEntity"
}
]
},
"keyChainId": {
"type": "string"
},
"keyChain": {
"$ref": "#/components/schemas/KeyChainEntity"
},
"data": {
"type": "object",
"description": "The full trust list JSON (generated LoTE structure)"
},
"entityConfig": {
"description": "The original entity configuration used to create this trust list.\nStored for round-tripping when editing.",
"type": "array",
"items": {
"type": "object"
}
},
"sequenceNumber": {
"type": "number",
"description": "The sequence number for versioning (incremented on updates)"
},
"jwt": {
"type": "string",
"description": "The signed JWT representation of this trust list"
},
"createdAt": {
"format": "date-time",
"type": "string"
},
"updatedAt": {
"format": "date-time",
"type": "string"
}
},
"required": [
"id",
"tenantId",
"tenant",
"keyChainId",
"keyChain",
"sequenceNumber",
"jwt",
"createdAt",
"updatedAt"
]
}
DELETE /trust-list/{id}
Deletes a trust list
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| id | path | string | | No | |
Responses
GET /trust-list/{id}/export
Exports the trust list in LoTE format
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| id | path | string | | No | |
Responses
Schema of the response body
{
"type": "object",
"properties": {
"id": {
"type": "string"
},
"description": {
"type": "string"
},
"keyChainId": {
"type": "string"
},
"entities": {
"type": "array",
"items": {
"type": "object"
}
},
"data": {
"type": "object",
"description": "The full trust list JSON (generated LoTE structure)"
}
},
"required": [
"entities"
]
}
GET /trust-list/{id}/versions
Returns the version history for a trust list
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| id | path | string | | No | |
Responses
[
{
"id": "string",
"trustListId": "string",
"trustList": {
"id": "string",
"description": "string",
"tenantId": "string",
"tenant": null,
"keyChainId": "string",
"keyChain": {
"id": "string",
"tenantId": "string",
"tenant": null,
"description": "string",
"usageType": "access",
"usage": "sign",
"kmsProvider": "string",
"externalKeyId": "string",
"rootKey": {},
"rootCertificate": "string",
"activeKey": {},
"activeCertificate": "string",
"rotationEnabled": true,
"rotationIntervalDays": 10.12,
"certValidityDays": 10.12,
"lastRotatedAt": "2022-04-13T15:42:05.901Z",
"previousKey": {},
"previousCertificate": "string",
"previousKeyExpiry": "2022-04-13T15:42:05.901Z",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
},
"data": {},
"entityConfig": [
{}
],
"sequenceNumber": 10.12,
"jwt": "string",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
},
"tenantId": "string",
"sequenceNumber": 10.12,
"data": {},
"entityConfig": {},
"jwt": "string",
"createdAt": "2022-04-13T15:42:05.901Z"
}
]
GET /trust-list/{id}/versions/{versionId}
Returns a specific version of a trust list
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| id | path | string | | No | |
| versionId | path | string | | No | |
Responses
{
"id": "string",
"trustListId": "string",
"trustList": {
"id": "string",
"description": "string",
"tenantId": "string",
"tenant": null,
"keyChainId": "string",
"keyChain": {
"id": "string",
"tenantId": "string",
"tenant": null,
"description": "string",
"usageType": "access",
"usage": "sign",
"kmsProvider": "string",
"externalKeyId": "string",
"rootKey": {},
"rootCertificate": "string",
"activeKey": {},
"activeCertificate": "string",
"rotationEnabled": true,
"rotationIntervalDays": 10.12,
"certValidityDays": 10.12,
"lastRotatedAt": "2022-04-13T15:42:05.901Z",
"previousKey": {},
"previousCertificate": "string",
"previousKeyExpiry": "2022-04-13T15:42:05.901Z",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
},
"data": {},
"entityConfig": [
{}
],
"sequenceNumber": 10.12,
"jwt": "string",
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
},
"tenantId": "string",
"sequenceNumber": 10.12,
"data": {},
"entityConfig": {},
"jwt": "string",
"createdAt": "2022-04-13T15:42:05.901Z"
}
Schema of the response body
{
"type": "object",
"properties": {
"id": {
"type": "string"
},
"trustListId": {
"type": "string"
},
"trustList": {
"$ref": "#/components/schemas/TrustList"
},
"tenantId": {
"type": "string"
},
"sequenceNumber": {
"type": "number",
"description": "The sequence number at the time this version was created"
},
"data": {
"type": "object",
"description": "The full trust list JSON at this version"
},
"entityConfig": {
"type": "object",
"description": "The entity configuration at this version"
},
"jwt": {
"type": "string",
"description": "The signed JWT at this version"
},
"createdAt": {
"format": "date-time",
"type": "string"
}
},
"required": [
"id",
"trustListId",
"trustList",
"tenantId",
"sequenceNumber",
"data",
"jwt",
"createdAt"
]
}
GET /{tenantId}/trust-list/{id}
Returns the JWT of the trust list
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| id | path | string | | No | |
| tenantId | path | string | | No | |
Responses
Verifier
GET /verifier/config
Returns the presentation request configurations.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Responses
[
{
"id": "string",
"tenant": null,
"description": "string",
"lifeTime": 10.12,
"dcql_query": null,
"transaction_data": [
{
"type": "string",
"credential_ids": [
"string"
]
}
],
"registrationCert": null,
"webhook": null,
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z",
"attached": [
{
"format": "string",
"data": {},
"credential_ids": [
"string"
]
}
],
"redirectUri": "https://example.com/callback?session={sessionId}",
"accessKeyChainId": "string"
}
]
POST /verifier/config
Store a presentation request configuration. If it already exists, it will be updated.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Request body
{
"id": "string",
"description": "string",
"lifeTime": 10.12,
"dcql_query": null,
"transaction_data": [
{
"type": "string",
"credential_ids": [
"string"
]
}
],
"registrationCert": null,
"webhook": null,
"attached": [
{
"format": "string",
"data": {},
"credential_ids": [
"string"
]
}
],
"redirectUri": "https://example.com/callback?session={sessionId}",
"accessKeyChainId": "string"
}
Schema of the request body
{
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Unique identifier for the VP request."
},
"description": {
"type": "string",
"nullable": true,
"description": "Description of the presentation configuration."
},
"lifeTime": {
"type": "number",
"description": "Lifetime how long the presentation request is valid after creation, in seconds."
},
"dcql_query": {
"description": "The DCQL query to be used for the VP request.",
"allOf": [
{
"$ref": "#/components/schemas/DCQL"
}
]
},
"transaction_data": {
"type": "array",
"items": {
"$ref": "#/components/schemas/TransactionData"
}
},
"registrationCert": {
"nullable": true,
"description": "The registration certificate request containing the necessary details.",
"allOf": [
{
"$ref": "#/components/schemas/RegistrationCertificateRequest"
}
]
},
"webhook": {
"nullable": true,
"description": "Optional webhook URL to receive the response.",
"allOf": [
{
"$ref": "#/components/schemas/WebhookConfig"
}
]
},
"attached": {
"nullable": true,
"description": "Attestation that should be attached",
"type": "array",
"items": {
"$ref": "#/components/schemas/PresentationAttachment"
}
},
"redirectUri": {
"type": "string",
"nullable": true,
"description": "Redirect URI to which the user-agent should be redirected after the presentation is completed.\nYou can use the `{sessionId}` placeholder in the URI, which will be replaced with the actual session ID.",
"example": "https://example.com/callback?session={sessionId}"
},
"accessKeyChainId": {
"type": "string",
"nullable": true,
"description": "Optional ID of the access certificate to use for signing the presentation request.\nIf not provided, the default access certificate for the tenant will be used.\n\nNote: This is intentionally NOT a TypeORM relationship because CertEntity uses\na composite primary key (id + tenantId), and SQLite cannot create foreign keys\nthat reference only part of a composite primary key. The relationship is handled\nat the application level in the service layer."
}
},
"required": [
"id",
"dcql_query"
]
}
Responses
GET /verifier/config/{id}
Get a presentation request configuration by its ID.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| id | path | string | | No | |
Responses
{
"id": "string",
"tenant": null,
"description": "string",
"lifeTime": 10.12,
"dcql_query": null,
"transaction_data": [
{
"type": "string",
"credential_ids": [
"string"
]
}
],
"registrationCert": null,
"webhook": null,
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z",
"attached": [
{
"format": "string",
"data": {},
"credential_ids": [
"string"
]
}
],
"redirectUri": "https://example.com/callback?session={sessionId}",
"accessKeyChainId": "string"
}
Schema of the response body
{
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Unique identifier for the VP request."
},
"tenant": {
"description": "The tenant that owns this object.",
"allOf": [
{
"$ref": "#/components/schemas/TenantEntity"
}
]
},
"description": {
"type": "string",
"nullable": true,
"description": "Description of the presentation configuration."
},
"lifeTime": {
"type": "number",
"description": "Lifetime how long the presentation request is valid after creation, in seconds."
},
"dcql_query": {
"description": "The DCQL query to be used for the VP request.",
"allOf": [
{
"$ref": "#/components/schemas/DCQL"
}
]
},
"transaction_data": {
"type": "array",
"items": {
"$ref": "#/components/schemas/TransactionData"
}
},
"registrationCert": {
"nullable": true,
"description": "The registration certificate request containing the necessary details.",
"allOf": [
{
"$ref": "#/components/schemas/RegistrationCertificateRequest"
}
]
},
"webhook": {
"nullable": true,
"description": "Optional webhook URL to receive the response.",
"allOf": [
{
"$ref": "#/components/schemas/WebhookConfig"
}
]
},
"createdAt": {
"format": "date-time",
"type": "string",
"description": "The timestamp when the VP request was created."
},
"updatedAt": {
"format": "date-time",
"type": "string",
"description": "The timestamp when the VP request was last updated."
},
"attached": {
"nullable": true,
"description": "Attestation that should be attached",
"type": "array",
"items": {
"$ref": "#/components/schemas/PresentationAttachment"
}
},
"redirectUri": {
"type": "string",
"nullable": true,
"description": "Redirect URI to which the user-agent should be redirected after the presentation is completed.\nYou can use the `{sessionId}` placeholder in the URI, which will be replaced with the actual session ID.",
"example": "https://example.com/callback?session={sessionId}"
},
"accessKeyChainId": {
"type": "string",
"nullable": true,
"description": "Optional ID of the access certificate to use for signing the presentation request.\nIf not provided, the default access certificate for the tenant will be used.\n\nNote: This is intentionally NOT a TypeORM relationship because CertEntity uses\na composite primary key (id + tenantId), and SQLite cannot create foreign keys\nthat reference only part of a composite primary key. The relationship is handled\nat the application level in the service layer."
}
},
"required": [
"id",
"tenant",
"dcql_query",
"createdAt",
"updatedAt"
]
}
PATCH /verifier/config/{id}
Update a presentation request configuration by its ID.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| id | path | string | | No | |
Request body
{
"id": "string",
"description": "string",
"lifeTime": 10.12,
"dcql_query": null,
"transaction_data": [
{
"type": "string",
"credential_ids": [
"string"
]
}
],
"registrationCert": null,
"webhook": null,
"attached": [
{
"format": "string",
"data": {},
"credential_ids": [
"string"
]
}
],
"redirectUri": "https://example.com/callback?session={sessionId}",
"accessKeyChainId": "string"
}
Schema of the request body
{
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Unique identifier for the VP request."
},
"description": {
"type": "string",
"nullable": true,
"description": "Description of the presentation configuration."
},
"lifeTime": {
"type": "number",
"description": "Lifetime how long the presentation request is valid after creation, in seconds."
},
"dcql_query": {
"description": "The DCQL query to be used for the VP request.",
"allOf": [
{
"$ref": "#/components/schemas/DCQL"
}
]
},
"transaction_data": {
"type": "array",
"items": {
"$ref": "#/components/schemas/TransactionData"
}
},
"registrationCert": {
"nullable": true,
"description": "The registration certificate request containing the necessary details.",
"allOf": [
{
"$ref": "#/components/schemas/RegistrationCertificateRequest"
}
]
},
"webhook": {
"nullable": true,
"description": "Optional webhook URL to receive the response.",
"allOf": [
{
"$ref": "#/components/schemas/WebhookConfig"
}
]
},
"attached": {
"nullable": true,
"description": "Attestation that should be attached",
"type": "array",
"items": {
"$ref": "#/components/schemas/PresentationAttachment"
}
},
"redirectUri": {
"type": "string",
"nullable": true,
"description": "Redirect URI to which the user-agent should be redirected after the presentation is completed.\nYou can use the `{sessionId}` placeholder in the URI, which will be replaced with the actual session ID.",
"example": "https://example.com/callback?session={sessionId}"
},
"accessKeyChainId": {
"type": "string",
"nullable": true,
"description": "Optional ID of the access certificate to use for signing the presentation request.\nIf not provided, the default access certificate for the tenant will be used.\n\nNote: This is intentionally NOT a TypeORM relationship because CertEntity uses\na composite primary key (id + tenantId), and SQLite cannot create foreign keys\nthat reference only part of a composite primary key. The relationship is handled\nat the application level in the service layer."
}
}
}
Responses
DELETE /verifier/config/{id}
Deletes a presentation request configuration by its ID.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| id | path | string | | No | |
Responses
POST /verifier/offer
Create a presentation request that can be sent to the user.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Request body
Schema of the request body
{
"type": "object",
"properties": {
"response_type": {
"type": "string",
"description": "The type of response expected from the presentation request.",
"enum": [
"uri",
"dc-api"
]
},
"requestId": {
"type": "string",
"description": "Identifier of the presentation configuration"
},
"webhook": {
"description": "Webhook configuration to receive the response.\nIf not provided, the configured webhook from the configuration will be used.",
"allOf": [
{
"$ref": "#/components/schemas/WebhookConfig"
}
]
},
"redirectUri": {
"type": "string",
"description": "Optional redirect URI to which the user-agent should be redirected after the presentation is completed.\nYou can use the `{sessionId}` placeholder in the URI, which will be replaced with the actual session ID.",
"example": "https://example.com/callback?session={sessionId}"
},
"transaction_data": {
"description": "Optional transaction data to include in the OID4VP request.\nIf provided, this will override the transaction_data from the presentation configuration.",
"type": "array",
"items": {
"$ref": "#/components/schemas/TransactionData"
}
}
},
"required": [
"response_type",
"requestId"
]
}
Responses
Cache Management
GET /cache/stats
Get cache statistics
Description
Returns statistics about the trust list and status list caches.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Responses
DELETE /cache
Clear all caches
Description
Clears both trust list and status list caches. Next verification will fetch fresh data.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Responses
DELETE /cache/trust-list
Clear trust list cache
Description
Clears the trust list cache. Next verification will fetch fresh trust lists.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Responses
DELETE /cache/status-list
Clear status list cache
Description
Clears the status list (revocation) cache. Next status check will fetch fresh status lists.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Responses
Chained AS
POST /{tenant}/chained-as/par
Pushed Authorization Request
Description
Submit authorization request parameters. Returns a request_uri for use at the authorization endpoint.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| dpop | header | string | | No | |
| DPoP | header | string | | No | DPoP proof JWT |
| oauth-client-attestation | header | string | | No | |
| OAuth-Client-Attestation | header | string | | No | Wallet attestation JWT |
| oauth-client-attestation-pop | header | string | | No | |
| OAuth-Client-Attestation-PoP | header | string | | No | Wallet attestation proof-of-possession JWT |
| tenant | path | string | | No | Tenant identifier |
Request body
{
"response_type": "code",
"client_id": "https://wallet.example.com",
"redirect_uri": "https://wallet.example.com/callback",
"code_challenge": "string",
"code_challenge_method": "S256",
"state": "string",
"scope": "openid credential",
"issuer_state": "string",
"authorization_details": [
{}
]
}
Schema of the request body
{
"type": "object",
"properties": {
"response_type": {
"type": "string",
"description": "OAuth response type (must be 'code')",
"example": "code"
},
"client_id": {
"type": "string",
"description": "Client identifier (wallet identifier)",
"example": "https://wallet.example.com"
},
"redirect_uri": {
"type": "string",
"description": "URI to redirect the wallet after authorization",
"example": "https://wallet.example.com/callback"
},
"code_challenge": {
"type": "string",
"description": "PKCE code challenge"
},
"code_challenge_method": {
"type": "string",
"description": "PKCE code challenge method (e.g., S256)",
"example": "S256"
},
"state": {
"type": "string",
"description": "State parameter (returned in redirect)"
},
"scope": {
"type": "string",
"description": "Scope requested",
"example": "openid credential"
},
"issuer_state": {
"type": "string",
"description": "Issuer state from credential offer"
},
"authorization_details": {
"description": "Authorization details (JSON array)",
"type": "array",
"items": {
"type": "object"
}
}
},
"required": [
"response_type",
"client_id",
"redirect_uri"
]
}
Responses
Schema of the response body
{
"type": "object",
"properties": {
"request_uri": {
"type": "string",
"description": "The request URI to use at the authorization endpoint",
"example": "urn:ietf:params:oauth:request_uri:abc123"
},
"expires_in": {
"type": "number",
"description": "The lifetime of the request URI in seconds",
"example": 600
}
},
"required": [
"request_uri",
"expires_in"
]
}
GET /{tenant}/chained-as/authorize
Authorization endpoint
Description
Validates the request_uri from PAR and redirects to the upstream OIDC provider for authentication.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| client_id | query | string | | No | Client identifier |
| request_uri | query | string | | No | Request URI from PAR response |
| tenant | path | string | | No | Tenant identifier |
Responses
GET /{tenant}/chained-as/callback
Upstream OIDC callback
Description
Receives the authorization response from the upstream OIDC provider, exchanges the code, and redirects back to the wallet.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| code | query | string | | No | |
| error | query | string | | No | |
| error_description | query | string | | No | |
| state | query | string | | No | |
| tenant | path | string | | No | Tenant identifier |
Responses
POST /{tenant}/chained-as/token
Token endpoint
Description
Exchanges the authorization code for an access token containing issuer_state.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| dpop | header | string | | No | |
| DPoP | header | string | | No | DPoP proof JWT |
| tenant | path | string | | No | Tenant identifier |
Request body
{
"grant_type": "authorization_code",
"code": "string",
"client_id": "string",
"redirect_uri": "string",
"code_verifier": "string"
}
Schema of the request body
{
"type": "object",
"properties": {
"grant_type": {
"type": "string",
"description": "Grant type (must be 'authorization_code')",
"example": "authorization_code"
},
"code": {
"type": "string",
"description": "Authorization code received in the callback"
},
"client_id": {
"type": "string",
"description": "Client identifier"
},
"redirect_uri": {
"type": "string",
"description": "Redirect URI (must match the one used in PAR)"
},
"code_verifier": {
"type": "string",
"description": "PKCE code verifier"
}
},
"required": [
"grant_type",
"code"
]
}
Responses
{
"access_token": "string",
"token_type": "DPoP",
"expires_in": 3600,
"scope": "string",
"authorization_details": [
{}
],
"c_nonce": "string",
"c_nonce_expires_in": 10.12
}
Schema of the response body
{
"type": "object",
"properties": {
"access_token": {
"type": "string",
"description": "The access token"
},
"token_type": {
"type": "string",
"description": "Token type (Bearer or DPoP)",
"example": "DPoP"
},
"expires_in": {
"type": "number",
"description": "Token lifetime in seconds",
"example": 3600
},
"scope": {
"type": "string",
"description": "Scope granted"
},
"authorization_details": {
"description": "Authorized credential configurations",
"type": "array",
"items": {
"type": "object"
}
},
"c_nonce": {
"type": "string",
"description": "C_NONCE for credential request"
},
"c_nonce_expires_in": {
"type": "number",
"description": "C_NONCE lifetime in seconds"
}
},
"required": [
"access_token",
"token_type",
"expires_in"
]
}
GET /{tenant}/chained-as/.well-known/jwks.json
JSON Web Key Set
Description
Returns the public keys for verifying tokens issued by this Chained AS.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| tenant | path | string | | No | Tenant identifier |
Responses
GET /{tenant}/chained-as/.well-known/oauth-authorization-server
OAuth AS Metadata
Description
Returns the OAuth Authorization Server metadata for the Chained AS.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| tenant | path | string | | No | Tenant identifier |
Responses
Registrar
GET /registrar/config
Get registrar configuration
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Responses
{
"registrarUrl": "https://sandbox.eudi-wallet.org/api",
"oidcUrl": "https://auth.example.com/realms/my-realm",
"clientId": "registrar-client",
"clientSecret": "string",
"username": "admin@example.com",
"password": "string",
"tenantId": "string",
"tenant": null
}
Schema of the response body
{
"type": "object",
"properties": {
"registrarUrl": {
"type": "string",
"description": "The base URL of the registrar API",
"format": "uri",
"example": "https://sandbox.eudi-wallet.org/api"
},
"oidcUrl": {
"type": "string",
"description": "The OIDC issuer URL for authentication (e.g., Keycloak realm URL)",
"format": "uri",
"example": "https://auth.example.com/realms/my-realm"
},
"clientId": {
"type": "string",
"description": "The OIDC client ID for the registrar",
"example": "registrar-client"
},
"clientSecret": {
"type": "string",
"description": "The OIDC client secret (optional, for confidential clients)"
},
"username": {
"type": "string",
"description": "The username for OIDC login",
"example": "admin@example.com"
},
"password": {
"type": "string",
"description": "The password for OIDC login (stored in plaintext)"
},
"tenantId": {
"type": "string",
"description": "The tenant ID this configuration belongs to."
},
"tenant": {
"description": "The tenant that owns this configuration.",
"allOf": [
{
"$ref": "#/components/schemas/TenantEntity"
}
]
}
},
"required": [
"registrarUrl",
"oidcUrl",
"clientId",
"username",
"password",
"tenantId",
"tenant"
]
}
POST /registrar/config
Create or replace registrar configuration
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Request body
{
"registrarUrl": "https://sandbox.eudi-wallet.org/api",
"oidcUrl": "https://auth.example.com/realms/my-realm",
"clientId": "registrar-client",
"clientSecret": "string",
"username": "admin@example.com",
"password": "string"
}
Schema of the request body
{
"type": "object",
"properties": {
"registrarUrl": {
"type": "string",
"description": "The base URL of the registrar API",
"format": "uri",
"example": "https://sandbox.eudi-wallet.org/api"
},
"oidcUrl": {
"type": "string",
"description": "The OIDC issuer URL for authentication (e.g., Keycloak realm URL)",
"format": "uri",
"example": "https://auth.example.com/realms/my-realm"
},
"clientId": {
"type": "string",
"description": "The OIDC client ID for the registrar",
"example": "registrar-client"
},
"clientSecret": {
"type": "string",
"description": "The OIDC client secret (optional, for confidential clients)"
},
"username": {
"type": "string",
"description": "The username for OIDC login",
"example": "admin@example.com"
},
"password": {
"type": "string",
"description": "The password for OIDC login (stored in plaintext)"
}
},
"required": [
"registrarUrl",
"oidcUrl",
"clientId",
"username",
"password"
]
}
Responses
{
"registrarUrl": "https://sandbox.eudi-wallet.org/api",
"oidcUrl": "https://auth.example.com/realms/my-realm",
"clientId": "registrar-client",
"clientSecret": "string",
"username": "admin@example.com",
"password": "string",
"tenantId": "string",
"tenant": null
}
Schema of the response body
{
"type": "object",
"properties": {
"registrarUrl": {
"type": "string",
"description": "The base URL of the registrar API",
"format": "uri",
"example": "https://sandbox.eudi-wallet.org/api"
},
"oidcUrl": {
"type": "string",
"description": "The OIDC issuer URL for authentication (e.g., Keycloak realm URL)",
"format": "uri",
"example": "https://auth.example.com/realms/my-realm"
},
"clientId": {
"type": "string",
"description": "The OIDC client ID for the registrar",
"example": "registrar-client"
},
"clientSecret": {
"type": "string",
"description": "The OIDC client secret (optional, for confidential clients)"
},
"username": {
"type": "string",
"description": "The username for OIDC login",
"example": "admin@example.com"
},
"password": {
"type": "string",
"description": "The password for OIDC login (stored in plaintext)"
},
"tenantId": {
"type": "string",
"description": "The tenant ID this configuration belongs to."
},
"tenant": {
"description": "The tenant that owns this configuration.",
"allOf": [
{
"$ref": "#/components/schemas/TenantEntity"
}
]
}
},
"required": [
"registrarUrl",
"oidcUrl",
"clientId",
"username",
"password",
"tenantId",
"tenant"
]
}
PATCH /registrar/config¶
Update registrar configuration
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Request body
{
"registrarUrl": "https://sandbox.eudi-wallet.org/api",
"oidcUrl": "https://auth.example.com/realms/my-realm",
"clientId": "registrar-client",
"clientSecret": "string",
"username": "admin@example.com",
"password": "string"
}
Schema of the request body
{
"type": "object",
"properties": {
"registrarUrl": {
"type": "string",
"description": "The base URL of the registrar API",
"format": "uri",
"example": "https://sandbox.eudi-wallet.org/api"
},
"oidcUrl": {
"type": "string",
"description": "The OIDC issuer URL for authentication (e.g., Keycloak realm URL)",
"format": "uri",
"example": "https://auth.example.com/realms/my-realm"
},
"clientId": {
"type": "string",
"description": "The OIDC client ID for the registrar",
"example": "registrar-client"
},
"clientSecret": {
"type": "string",
"description": "The OIDC client secret (optional, for confidential clients)"
},
"username": {
"type": "string",
"description": "The username for OIDC login",
"example": "admin@example.com"
},
"password": {
"type": "string",
"description": "The password for OIDC login (stored in plaintext)"
}
}
}
Responses
{
"registrarUrl": "https://sandbox.eudi-wallet.org/api",
"oidcUrl": "https://auth.example.com/realms/my-realm",
"clientId": "registrar-client",
"clientSecret": "string",
"username": "admin@example.com",
"password": "string",
"tenantId": "string",
"tenant": null
}
Schema of the response body
{
"type": "object",
"properties": {
"registrarUrl": {
"type": "string",
"description": "The base URL of the registrar API",
"format": "uri",
"example": "https://sandbox.eudi-wallet.org/api"
},
"oidcUrl": {
"type": "string",
"description": "The OIDC issuer URL for authentication (e.g., Keycloak realm URL)",
"format": "uri",
"example": "https://auth.example.com/realms/my-realm"
},
"clientId": {
"type": "string",
"description": "The OIDC client ID for the registrar",
"example": "registrar-client"
},
"clientSecret": {
"type": "string",
"description": "The OIDC client secret (optional, for confidential clients)"
},
"username": {
"type": "string",
"description": "The username for OIDC login",
"example": "admin@example.com"
},
"password": {
"type": "string",
"description": "The password for OIDC login (stored in plaintext)"
},
"tenantId": {
"type": "string",
"description": "The tenant ID this configuration belongs to."
},
"tenant": {
"description": "The tenant that owns this configuration.",
"allOf": [
{
"$ref": "#/components/schemas/TenantEntity"
}
]
}
},
"required": [
"registrarUrl",
"oidcUrl",
"clientId",
"username",
"password",
"tenantId",
"tenant"
]
}
DELETE /registrar/config¶
Delete registrar configuration
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Responses
POST /registrar/access-certificate¶
Create an access certificate for a key
Description
Creates an access certificate at the registrar for the specified key. Requires a relying party to be already registered at the registrar. The certificate is automatically stored in EUDIPLO.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Request body
Responses
Key Chain¶
GET /key-chain/providers¶
Get available KMS providers
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Responses
{
"providers": [
{
"name": "main-vault",
"type": "vault",
"description": "Production HashiCorp Vault",
"capabilities": null
}
],
"default": "db"
}
Schema of the response body
{
"type": "object",
"properties": {
"providers": {
"description": "Detailed info for each registered KMS provider.",
"type": "array",
"items": {
"$ref": "#/components/schemas/KmsProviderInfoDto"
}
},
"default": {
"type": "string",
"description": "The default KMS provider name.",
"example": "db"
}
},
"required": [
"providers",
"default"
]
}
GET /key-chain¶
List all key chains for the tenant
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Responses
[
{
"id": "string",
"usageType": "access",
"type": "standalone",
"description": "string",
"kmsProvider": "string",
"rootCertificate": null,
"activePublicKey": null,
"activeCertificate": null,
"previousPublicKey": null,
"previousCertificate": null,
"previousKeyExpiry": "2022-04-13T15:42:05.901Z",
"rotationPolicy": null,
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
}
]
POST /key-chain¶
Create a new key chain
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Request body
{
"usageType": "attestation",
"type": "internalChain",
"description": "Production credential signing key",
"kmsProvider": "vault",
"rotationPolicy": null
}
Schema of the request body
{
"type": "object",
"properties": {
"usageType": {
"enum": [
"access",
"attestation",
"trustList",
"statusList",
"encrypt"
],
"type": "string",
"description": "Usage type determines the purpose of this key chain (access, attestation, etc.).",
"example": "attestation"
},
"type": {
"enum": [
"standalone",
"internalChain"
],
"type": "string",
"description": "Type of key chain to create.",
"example": "internalChain"
},
"description": {
"type": "string",
"description": "Human-readable description for the key chain.",
"example": "Production credential signing key"
},
"kmsProvider": {
"type": "string",
"description": "KMS provider to use (defaults to the configured default provider).",
"example": "vault"
},
"rotationPolicy": {
"description": "Rotation policy configuration. Only applicable for the signing key (root CA never rotates).",
"allOf": [
{
"$ref": "#/components/schemas/RotationPolicyCreateDto"
}
]
}
},
"required": [
"usageType",
"type"
]
}
Responses
GET /key-chain/{id}¶
Get a key chain by ID
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| id | path | string | | No | |
Responses
{
"id": "string",
"usageType": "access",
"type": "standalone",
"description": "string",
"kmsProvider": "string",
"rootCertificate": null,
"activePublicKey": null,
"activeCertificate": null,
"previousPublicKey": null,
"previousCertificate": null,
"previousKeyExpiry": "2022-04-13T15:42:05.901Z",
"rotationPolicy": null,
"createdAt": "2022-04-13T15:42:05.901Z",
"updatedAt": "2022-04-13T15:42:05.901Z"
}
Schema of the response body
{
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Unique identifier for the key chain."
},
"usageType": {
"enum": [
"access",
"attestation",
"trustList",
"statusList",
"encrypt"
],
"type": "string",
"description": "Usage type of the key chain."
},
"type": {
"enum": [
"standalone",
"internalChain"
],
"type": "string",
"description": "Type of key chain (standalone or internalChain)."
},
"description": {
"type": "string",
"description": "Human-readable description."
},
"kmsProvider": {
"type": "string",
"description": "KMS provider used for this key chain."
},
"rootCertificate": {
"description": "Root CA certificate (only for internalChain type).",
"allOf": [
{
"$ref": "#/components/schemas/CertificateInfoDto"
}
]
},
"activePublicKey": {
"description": "Active signing key's public key info.",
"allOf": [
{
"$ref": "#/components/schemas/PublicKeyInfoDto"
}
]
},
"activeCertificate": {
"description": "Active signing key's certificate. Not present for encryption keys.",
"allOf": [
{
"$ref": "#/components/schemas/CertificateInfoDto"
}
]
},
"previousPublicKey": {
"description": "Previous signing key's public key info (if in grace period).",
"allOf": [
{
"$ref": "#/components/schemas/PublicKeyInfoDto"
}
]
},
"previousCertificate": {
"description": "Previous signing key's certificate (if in grace period).",
"allOf": [
{
"$ref": "#/components/schemas/CertificateInfoDto"
}
]
},
"previousKeyExpiry": {
"format": "date-time",
"type": "string",
"description": "Previous key expiry date."
},
"rotationPolicy": {
"description": "Rotation policy configuration.",
"allOf": [
{
"$ref": "#/components/schemas/RotationPolicyResponseDto"
}
]
},
"createdAt": {
"format": "date-time",
"type": "string",
"description": "Timestamp when the key chain was created."
},
"updatedAt": {
"format": "date-time",
"type": "string",
"description": "Timestamp when the key chain was last updated."
}
},
"required": [
"id",
"usageType",
"type",
"kmsProvider",
"activePublicKey",
"rotationPolicy",
"createdAt",
"updatedAt"
]
}
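A monitoring check over the key chain response documented above, as an added example that is not part of the EUDIPLO code base: it flags certificates at or near expiry, previous keys left in place after `previousKeyExpiry`, and `internalChain` entries without a root certificate. Severities, the 30-day window and the sample data are assumptions of this example.

```javascript
// Added example: audit key chain objects shaped like the GET /key-chain response.
// Field names come from the response schema; severities and the warning window
// are assumptions of this example, not EUDIPLO behaviour.

const DAY_MS = 24 * 60 * 60 * 1000;

// Returns epoch milliseconds, or null when the value is absent or unparsable.
function parseTime(value) {
  if (typeof value !== "string") return null;
  const t = Date.parse(value);
  return Number.isNaN(t) ? null : t;
}

function auditKeyChain(chain, now, warnDays) {
  const findings = [];
  const add = (severity, code, detail) =>
    findings.push({ id: chain.id, severity, code, detail });

  // The schema documents rootCertificate as present "only for internalChain type".
  if (chain.type === "internalChain" && !chain.rootCertificate) {
    add("high", "missing-root-certificate", "internalChain has no rootCertificate");
  }

  const cert = chain.activeCertificate;
  if (cert) {
    const notBefore = parseTime(cert.notBefore);
    const notAfter = parseTime(cert.notAfter);
    if (notAfter === null) {
      add("medium", "unreadable-validity", "activeCertificate.notAfter is missing or malformed");
    } else if (notAfter <= now) {
      add("high", "active-certificate-expired", cert.notAfter);
    } else if (notAfter - now <= warnDays * DAY_MS) {
      add("medium", "active-certificate-expiring", cert.notAfter);
    }
    if (notBefore !== null && notBefore > now) {
      add("medium", "active-certificate-not-yet-valid", cert.notBefore);
    }
  } else if (chain.usageType !== "encrypt") {
    // activeCertificate is documented as "Not present for encryption keys".
    add("medium", "missing-active-certificate", "signing key chain has no certificate");
  }

  // The previous* fields are documented as present only during the grace period.
  const hasPrevious = Boolean(chain.previousPublicKey || chain.previousCertificate);
  const expiry = parseTime(chain.previousKeyExpiry);
  if (hasPrevious && expiry === null) {
    add("medium", "previous-key-without-expiry", "previous key has no usable previousKeyExpiry");
  } else if (hasPrevious && expiry <= now) {
    add("medium", "previous-key-past-expiry", chain.previousKeyExpiry);
  }
  return findings;
}

function auditKeyChains(chains, now, warnDays = 30) {
  return chains.flatMap((chain) => auditKeyChain(chain, now, warnDays));
}

// Constructed sample data (no real keys or certificates).
const SAMPLE_NOW = Date.parse("2025-06-01T00:00:00.000Z");
const validity = (notBefore, notAfter) => ({ notBefore, notAfter });
const SAMPLE_CHAINS = [
  {
    id: "kc-healthy", usageType: "attestation", type: "internalChain",
    rootCertificate: validity("2025-01-01T00:00:00.000Z", "2035-01-01T00:00:00.000Z"),
    activePublicKey: {},
    activeCertificate: validity("2025-01-01T00:00:00.000Z", "2026-01-01T00:00:00.000Z"),
    previousPublicKey: null, previousCertificate: null,
  },
  {
    id: "kc-stale-previous", usageType: "access", type: "standalone",
    rootCertificate: null, activePublicKey: {},
    activeCertificate: validity("2025-05-01T00:00:00.000Z", "2025-06-15T00:00:00.000Z"),
    previousPublicKey: {},
    previousCertificate: validity("2024-05-01T00:00:00.000Z", "2025-05-15T00:00:00.000Z"),
    previousKeyExpiry: "2025-05-15T00:00:00.000Z",
  },
  {
    id: "kc-no-root", usageType: "statusList", type: "internalChain",
    rootCertificate: null, activePublicKey: {},
    activeCertificate: validity("2024-03-01T00:00:00.000Z", "2025-03-01T00:00:00.000Z"),
  },
  {
    id: "kc-encrypt", usageType: "encrypt", type: "standalone",
    activePublicKey: {}, activeCertificate: null,
  },
];
```

Feed it the parsed array from `GET /key-chain` and the current time in epoch milliseconds; each finding carries the key chain `id` so it can be routed to the owning tenant.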
PUT /key-chain/{id}¶
Update key chain metadata and rotation policy
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| id | path | string | | No | |
Request body
Schema of the request body
{
"type": "object",
"properties": {
"description": {
"type": "string",
"description": "Human-readable description for the key chain."
},
"rotationPolicy": {
"description": "Rotation policy configuration.",
"allOf": [
{
"$ref": "#/components/schemas/RotationPolicyUpdateDto"
}
]
},
"activeCertificate": {
"type": "string",
"description": "Active certificate chain in PEM format. Used for external certificate updates."
}
}
}
Responses
DELETE /key-chain/{id}¶
Delete a key chain
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| id | path | string | | No | |
Responses
GET /key-chain/{id}/export¶
Export a key chain in config-import format
Description
Returns the key chain including private key material in the same format used by config import JSON files.
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| id | path | string | | No | |
Responses
{
"id": "string",
"description": "string",
"usageType": "access",
"key": null,
"crt": [
"string"
],
"kmsProvider": "string",
"rotationPolicy": null
}
Schema of the response body
{
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "Key chain ID."
},
"description": {
"type": "string",
"description": "Human-readable description."
},
"usageType": {
"enum": [
"access",
"attestation",
"trustList",
"statusList",
"encrypt"
],
"type": "string",
"description": "Usage type for this key chain."
},
"key": {
"description": "The private key in JWK format (EC).",
"allOf": [
{
"$ref": "#/components/schemas/ExportEcJwk"
}
]
},
"crt": {
"description": "Certificate chain in PEM format (leaf first, then intermediates/CA).",
"type": "array",
"items": {
"type": "string"
}
},
"kmsProvider": {
"type": "string",
"description": "KMS provider name."
},
"rotationPolicy": {
"description": "Rotation policy.",
"allOf": [
{
"$ref": "#/components/schemas/ExportRotationPolicyDto"
}
]
}
},
"required": [
"id",
"usageType",
"key"
]
}
POST /key-chain/import¶
Import an existing key chain
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Request body
{
"id": "string",
"key": null,
"description": "string",
"usageType": "access",
"crt": [
"string"
],
"kmsProvider": "string",
"rotationPolicy": null
}
Schema of the request body
{
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "ID for the key chain. If not provided, a new UUID will be generated."
},
"key": {
"description": "The private key in JWK format.",
"allOf": [
{
"$ref": "#/components/schemas/EcJwk"
}
]
},
"description": {
"type": "string",
"description": "Human-readable description."
},
"usageType": {
"enum": [
"access",
"attestation",
"trustList",
"statusList",
"encrypt"
],
"type": "string",
"description": "Usage type for this key chain."
},
"crt": {
"description": "Certificate chain in PEM format (leaf first, then intermediates/CA).",
"type": "array",
"items": {
"type": "string"
}
},
"kmsProvider": {
"type": "string",
"description": "KMS provider to use. Defaults to 'db'."
},
"rotationPolicy": {
"description": "Rotation policy. When enabled, the imported key becomes a root CA and a new leaf key is generated.",
"allOf": [
{
"$ref": "#/components/schemas/RotationPolicyImportDto"
}
]
}
},
"required": [
"key",
"usageType"
]
}
Responses
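A pre-flight check for the import body above, which is also the format the export endpoint returns, written as an added example (not EUDIPLO's own code): it validates the documented fields and builds a log-safe summary that leaves out the private scalar `d`. The curve sizes (RFC 7518) and the placeholder key are assumptions; the page only states that the key is an EC JWK.

```javascript
// Added example: checks for a POST /key-chain/import body before it is sent,
// plus a summary that is safe to write to logs. Not EUDIPLO code.

const USAGE_TYPES = ["access", "attestation", "trustList", "statusList", "encrypt"];

// Assumption: coordinate sizes per curve follow RFC 7518 section 6.2.
const CURVE_BYTES = new Map([["P-256", 32], ["P-384", 48], ["P-521", 66]]);

// Decoded length in bytes of an unpadded base64url string, or -1 if malformed.
function base64urlByteLength(value) {
  if (typeof value !== "string" || !/^[A-Za-z0-9_-]+$/.test(value)) return -1;
  if (value.length % 4 === 1) return -1;
  return Math.floor((value.length * 3) / 4);
}

// Checks the PEM armor only; it does not parse the certificate itself.
function looksLikePemCertificate(value) {
  return typeof value === "string" &&
    /^-----BEGIN CERTIFICATE-----\r?\n[A-Za-z0-9+/=\r\n]+-----END CERTIFICATE-----\s*$/.test(value);
}

// Returns a list of problems; an empty list means the body passed every check.
function validateKeyChainImport(body) {
  if (body === null || typeof body !== "object") return ["body must be a JSON object"];
  const problems = [];
  if (!USAGE_TYPES.includes(body.usageType)) {
    problems.push("usageType must be one of: " + USAGE_TYPES.join(", "));
  }
  const key = body.key;
  if (key === null || typeof key !== "object") {
    problems.push("key is required and must be a JWK object");
  } else {
    if (key.kty !== "EC") problems.push('key.kty must be "EC"');
    const size = CURVE_BYTES.get(key.crv);
    if (size === undefined) {
      problems.push("key.crv is not a curve this check knows");
    } else {
      for (const name of ["d", "x", "y"]) {
        if (base64urlByteLength(key[name]) !== size) {
          problems.push(`key.${name} must be ${size} bytes of unpadded base64url`);
        }
      }
    }
  }
  if (body.crt !== undefined && body.crt !== null) {
    if (!Array.isArray(body.crt)) {
      problems.push("crt must be an array of PEM certificates");
    } else {
      body.crt.forEach((pem, i) => {
        if (!looksLikePemCertificate(pem)) problems.push(`crt[${i}] is not a PEM certificate`);
      });
    }
  }
  return problems;
}

// Copy for audit logs: metadata and public coordinates only, never key.d.
function logSafeSummary(body) {
  const key = body.key || {};
  return {
    id: body.id,
    usageType: body.usageType,
    kmsProvider: body.kmsProvider || "db", // documented default for import
    key: { kty: key.kty, crv: key.crv, kid: key.kid, x: key.x, y: key.y },
    crtCount: Array.isArray(body.crt) ? body.crt.length : 0,
  };
}

// Constructed sample: placeholder strings of the right length, not a real key
// or certificate.
const SAMPLE_IMPORT = {
  id: "kc-import-demo",
  usageType: "attestation",
  key: {
    kty: "EC", crv: "P-256", kid: "demo",
    d: "d".repeat(43), x: "x".repeat(43), y: "y".repeat(43),
  },
  crt: ["-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"],
};
```

The same summary function applies to a body fetched from `GET /key-chain/{id}/export`, whose `key` object carries the private scalar as well.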
POST /key-chain/{id}/rotate¶
Rotate the signing key in a key chain
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
| id | path | string | | No | |
Responses
Storage¶
POST /storage¶
Upload files that belong to a tenant, such as images
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| oauth2 | header | string | N/A | No | |
Request body
Responses
GET /storage/{key}¶
Input parameters
| Parameter | In | Type | Default | Nullable | Description |
|---|---|---|---|---|---|
| key | path | string | | No | |
Responses
Schemas¶
AllowListPolicy¶
| Name | Type | Description |
|---|---|---|
| policy | string | |
| values | Array<string> | |
ApiKeyConfig¶
| Name | Type | Description |
|---|---|---|
| headerName | string | The name of the header where the API key will be sent. |
| value | string | The value of the API key to be sent in the header. |
AttestationBasedPolicy¶
| Name | Type | Description |
|---|---|---|
| policy | string | |
| values | Array<PolicyCredential> | |
AuthenticationMethodAuth¶
| Name | Type | Description |
|---|---|---|
| config | AuthenticationUrlConfig | |
| method | string | |
AuthenticationMethodNone¶
| Name | Type | Description |
|---|---|---|
| method | string | |
AuthenticationMethodPresentation¶
| Name | Type | Description |
|---|---|---|
| config | PresentationDuringIssuanceConfig | |
| method | string | |
AuthenticationUrlConfig¶
| Name | Type | Description |
|---|---|---|
| url | string | The URL used in the OID4VCI authorized code flow. This URL is where users will be redirected for authentication. |
| webhook | Optional webhook configuration for authentication callbacks | |
AuthorizeQueries¶
| Name | Type | Description |
|---|---|---|
| auth_session | string | |
| client_id | string | |
| code_challenge | string | |
| code_challenge_method | string | |
| dpop_jkt | string | |
| issuer_state | string | |
| redirect_uri | string | |
| request_uri | string | |
| resource | string | |
| response_type | string | |
| scope | string | |
| state | string | |
CertificateInfoDto¶
| Name | Type | Description |
|---|---|---|
| issuer | string | Certificate issuer (CN). |
| notAfter | string(date-time) | Certificate not after date. |
| notBefore | string(date-time) | Certificate not before date. |
| pem | string | Certificate in PEM format. |
| serialNumber | string | Serial number. |
| subject | string | Certificate subject (CN). |
ChainedAsConfig¶
| Name | Type | Description |
|---|---|---|
| enabled | boolean | Enable chained AS mode |
| requireDPoP | boolean | Require DPoP binding for tokens |
| token | Token configuration | |
| upstream | Upstream OIDC provider configuration | |
ChainedAsErrorResponseDto¶
| Name | Type | Description |
|---|---|---|
| error | string | Error code |
| error_description | string | Human-readable error description |
ChainedAsParRequestDto¶
| Name | Type | Description |
|---|---|---|
| authorization_details | Array<> | Authorization details (JSON array) |
| client_id | string | Client identifier (wallet identifier) |
| code_challenge | string | PKCE code challenge |
| code_challenge_method | string | PKCE code challenge method (e.g., S256) |
| issuer_state | string | Issuer state from credential offer |
| redirect_uri | string | URI to redirect the wallet after authorization |
| response_type | string | OAuth response type (must be 'code') |
| scope | string | Scope requested |
| state | string | State parameter (returned in redirect) |
ChainedAsParResponseDto¶
| Name | Type | Description |
|---|---|---|
| expires_in | number | The lifetime of the request URI in seconds |
| request_uri | string | The request URI to use at the authorization endpoint |
ChainedAsTokenConfig¶
| Name | Type | Description |
|---|---|---|
| lifetimeSeconds | number | Access token lifetime in seconds |
| signingKeyId | string | Key ID for token signing |
ChainedAsTokenRequestDto¶
| Name | Type | Description |
|---|---|---|
| client_id | string | Client identifier |
| code | string | Authorization code received in the callback |
| code_verifier | string | PKCE code verifier |
| grant_type | string | Grant type (must be 'authorization_code') |
| redirect_uri | string | Redirect URI (must match the one used in PAR) |
ChainedAsTokenResponseDto¶
| Name | Type | Description |
|---|---|---|
| access_token | string | The access token |
| authorization_details | Array<> | Authorized credential configurations |
| c_nonce | string | C_NONCE for credential request |
| c_nonce_expires_in | number | C_NONCE lifetime in seconds |
| expires_in | number | Token lifetime in seconds |
| scope | string | Scope granted |
| token_type | string | Token type (Bearer or DPoP) |
ClaimsQuery¶
| Name | Type | Description |
|---|---|---|
| id | string | |
| path | Array<string> | |
| values | Array<string> | |
ClientEntity¶
| Name | Type | Description |
|---|---|---|
| allowedIssuanceConfigs | Array<string> | List of issuance config IDs this client can use. If empty/null, all configs are allowed. |
| allowedPresentationConfigs | Array<string> | List of presentation config IDs this client can use. If empty/null, all configs are allowed. |
| clientId | string | The unique identifier for the client. |
| description | string | The description of the client. |
| roles | Array<string> | The roles assigned to the client. |
| secret | string | The secret key for the client. |
| tenant | The tenant that the client belongs to. | |
| tenantId | string | The unique identifier for the tenant that the client belongs to. Only null for accounts that manage tenants, that do not belong to a client |
ClientSecretResponseDto¶
| Name | Type | Description |
|---|---|---|
| secret | string | |
CompleteDeferredDto¶
| Name | Type | Description |
|---|---|---|
| claims | Example: {'given_name': 'John', 'family_name': 'Doe', 'birthdate': '1990-01-15'} | Claims to include in the credential. The structure should match the credential configuration's expected claims. |
CreateAccessCertificateDto¶
| Name | Type | Description |
|---|---|---|
| keyId | string | The ID of the key to create an access certificate for |
CreateClientDto¶
| Name | Type | Description |
|---|---|---|
| allowedIssuanceConfigs | Array<string> | List of issuance config IDs this client can use. If empty/null, all configs are allowed. |
| allowedPresentationConfigs | Array<string> | List of presentation config IDs this client can use. If empty/null, all configs are allowed. |
| clientId | string | The unique identifier for the client. |
| description | string | The description of the client. |
| roles | Array<string> | The roles assigned to the client. |
| secret | string | The secret key for the client. |
CreateRegistrarConfigDto¶
| Name | Type | Description |
|---|---|---|
| clientId | string | The OIDC client ID for the registrar |
| clientSecret | string | The OIDC client secret (optional, for confidential clients) |
| oidcUrl | string(uri) | The OIDC issuer URL for authentication (e.g., Keycloak realm URL) |
| password | string | The password for OIDC login (stored in plaintext) |
| registrarUrl | string(uri) | The base URL of the registrar API |
| username | string | The username for OIDC login |
CreateStatusListDto¶
| Name | Type | Description |
|---|---|---|
| bits | number | Bits per status value. More bits allow more status states. Defaults to tenant configuration. |
| capacity | number | Maximum number of credential status entries. Defaults to tenant configuration. |
| credentialConfigurationId | string | Credential configuration ID to bind this list exclusively to. Leave empty for a shared list. |
| keyChainId | string | Key chain ID to use for signing. Leave empty to use the tenant's default StatusList key chain. |
CreateTenantDto¶
| Name | Type | Description |
|---|---|---|
| description | string | The description of the tenant. |
| id | string | The unique identifier for the tenant. |
| name | string | The name of the tenant. |
| roles | Array<string> | |
| sessionConfig | Session storage configuration. Controls TTL and cleanup behavior. | |
| statusListConfig | Status list configuration for this tenant. Only affects newly created status lists. | |
CredentialConfig¶
| Name | Type | Description |
|---|---|---|
| claims | | |
| claimsWebhook | Webhook to receive claims for the issuance process. | |
| config | IssuerMetadataCredentialConfig | |
| description | string \| null | |
| disclosureFrame | | |
| embeddedDisclosurePolicy | Embedded disclosure policy (discriminated union by `policy`). The discriminator makes class-transformer instantiate the right subclass, and then class-validator runs that subclass’s rules. | |
| iaeActions | Array<> | List of IAE actions to execute before credential issuance |
| id | string | |
| keyBinding | boolean | |
| keyChain | KeyChainEntity | |
| keyChainId | string | Reference to the key chain used for signing. Optional: if not specified, the default attestation key chain will be used. |
| lifeTime | number | |
| notificationWebhook | Webhook to receive claims for the issuance process. | |
| schema | | |
| statusManagement | boolean | |
| tenant | The tenant that owns this object. | |
| vct | VCT as a URI string (e.g., urn:eudi:pid:de:1) or as an object for EUDIPLO-hosted VCT | |
CredentialConfigCreate¶
| Name | Type | Description |
|---|---|---|
| claims | | |
| claimsWebhook | Webhook to receive claims for the issuance process. | |
| config | IssuerMetadataCredentialConfig | |
| description | string \| null | |
| disclosureFrame | | |
| embeddedDisclosurePolicy | Embedded disclosure policy (discriminated union by `policy`). The discriminator makes class-transformer instantiate the right subclass, and then class-validator runs that subclass’s rules. | |
| iaeActions | Array<> | List of IAE actions to execute before credential issuance |
| id | string | |
| keyBinding | boolean | |
| keyChainId | string | Reference to the key chain used for signing. Optional: if not specified, the default attestation key chain will be used. |
| lifeTime | number | |
| notificationWebhook | Webhook to receive claims for the issuance process. | |
| schema | | |
| statusManagement | boolean | |
| vct | VCT as a URI string (e.g., urn:eudi:pid:de:1) or as an object for EUDIPLO-hosted VCT | |
CredentialConfigUpdate¶
| Name | Type | Description |
|---|---|---|
| claims | | |
| claimsWebhook | Webhook to receive claims for the issuance process. | |
| config | IssuerMetadataCredentialConfig | |
| description | string \| null | |
| disclosureFrame | | |
| embeddedDisclosurePolicy | Embedded disclosure policy (discriminated union by `policy`). The discriminator makes class-transformer instantiate the right subclass, and then class-validator runs that subclass’s rules. | |
| iaeActions | Array<> | List of IAE actions to execute before credential issuance |
| id | string | |
| keyBinding | boolean | |
| keyChainId | string | Reference to the key chain used for signing. Optional: if not specified, the default attestation key chain will be used. |
| lifeTime | number | |
| notificationWebhook | Webhook to receive claims for the issuance process. | |
| schema | | |
| statusManagement | boolean | |
| vct | VCT as a URI string (e.g., urn:eudi:pid:de:1) or as an object for EUDIPLO-hosted VCT | |
CredentialQuery¶
| Name | Type | Description |
|---|---|---|
| claims | Array<ClaimsQuery> | |
| format | string | |
| id | string | |
| meta | | |
| multiple | boolean | |
| trusted_authorities | Array<TrustedAuthorityQuery> | |
CredentialSetQuery¶
| Name | Type | Description |
|---|---|---|
| options | Array<Array<string>> | |
| required | boolean | |
DCQL¶
| Name | Type | Description |
|---|---|---|
| credential_sets | Array<CredentialSetQuery> | |
| credentials | Array<CredentialQuery> | |
DeferredOperationResponse¶
| Name | Type | Description |
|---|---|---|
| message | string | Optional message |
| status | string | The new status of the transaction |
| transactionId | string | The transaction ID |
Display¶
| Name | Type | Description |
|---|---|---|
| background_color | string | |
| background_image | DisplayImage | |
| description | string | |
| locale | string | |
| logo | DisplayImage | |
| name | string | |
| text_color | string | |
DisplayImage¶
| Name | Type | Description |
|---|---|---|
| uri | string | |
DisplayInfo¶
| Name | Type | Description |
|---|---|---|
| locale | string | |
| logo | DisplayLogo | |
| name | string | |
DisplayLogo¶
| Name | Type | Description |
|---|---|---|
| alt_text | string | |
| uri | string | |
EcJwk¶
| Name | Type | Description |
|---|---|---|
| alg | string | |
| crv | string | |
| d | string | |
| kid | string | |
| kty | string | |
| x | string | |
| y | string | |
EmbeddedDisclosurePolicy¶
| Name | Type | Description |
|---|---|---|
| policy | string | |
ExportEcJwk¶
| Name | Type | Description |
|---|---|---|
| alg | string | Algorithm |
| crv | string | Curve |
| d | string | Private key (base64url) |
| kid | string | Key ID |
| kty | string | Key type |
| x | string | X coordinate (base64url) |
| y | string | Y coordinate (base64url) |
ExportRotationPolicyDto¶
| Name | Type | Description |
|---|---|---|
| certValidityDays | number | Certificate validity in days. |
| enabled | boolean | Whether rotation is enabled. |
| intervalDays | number | Rotation interval in days. |
FailDeferredDto¶
| Name | Type | Description |
|---|---|---|
| error | string | Optional error message explaining why the issuance failed |
FileUploadDto¶
| Name | Type | Description |
|---|---|---|
| file | string(binary) | |
IaeActionOpenid4vpPresentation¶
| Name | Type | Description |
|---|---|---|
| label | string | Optional label for this step (for display purposes) |
| presentationConfigId | string | ID of the presentation configuration to use for this step |
| type | string | Action type discriminator |
IaeActionRedirectToWeb¶
| Name | Type | Description |
|---|---|---|
| callbackUrl | string(uri) | URL where the external service should redirect back after completion. If not provided, the service must call back to the IAE endpoint. |
| description | string | Description of what the user should do on the web page (for wallet display) |
| label | string | Optional label for this step (for display purposes) |
| type | string | Action type discriminator |
| url | string(uri) | URL to redirect the user to for web-based interaction |
ImportTenantDto¶
| Name | Type | Description |
|---|---|---|
| description | string | The description of the tenant. |
| name | string | The name of the tenant. |
IssuanceConfig¶
| Name | Type | Description |
|---|---|---|
| authServers | Array<string> | Authentication server URL for the issuance process. |
| batchSize | number | Value to determine the amount of credentials that are issued in a batch. Default is 1. |
| chainedAs | Configuration for Chained Authorization Server mode. When enabled, EUDIPLO acts as an OAuth AS facade, delegating user authentication to an upstream OIDC provider while issuing its own tokens with issuer_state. | |
| createdAt | string(date-time) | The timestamp when the VP request was created. |
| display | Array<DisplayInfo> | |
| dPopRequired | boolean | Indicates whether DPoP is required for the issuance process. Default value is true. |
| preferredAuthServer | string | The URL of the preferred authorization server for wallet-initiated flows. When set, this AS is placed first in the `authorization_servers` array of the credential issuer metadata, signaling wallets to use it by default. Must match one of the configured auth servers, the chained AS URL, or "built-in". |
| signingKeyId | string | Key ID for signing access tokens. If unset, the default signing key is used. |
| tenant | The tenant that owns this object. | |
| updatedAt | string(date-time) | The timestamp when the VP request was last updated. |
| walletAttestationRequired | boolean | Indicates whether wallet attestation is required for the token endpoint. When enabled, wallets must provide OAuth-Client-Attestation headers. Default value is false. |
| walletProviderTrustLists | Array<string> | URLs of trust lists containing trusted wallet providers. The wallet attestation's X.509 certificate will be validated against these trust lists. If empty and walletAttestationRequired is true, all wallet providers are rejected. |
IssuanceDto¶
| Name | Type | Description |
|---|---|---|
| authServers | Array<string> | Authentication server URL for the issuance process. |
| batchSize | number | Value to determine the amount of credentials that are issued in a batch. Default is 1. |
| chainedAs | Configuration for Chained Authorization Server mode. When enabled, EUDIPLO acts as an OAuth AS facade, delegating user authentication to an upstream OIDC provider while issuing its own tokens with issuer_state. | |
| display | Array<DisplayInfo> | |
| dPopRequired | boolean | Indicates whether DPoP is required for the issuance process. Default value is true. |
| preferredAuthServer | string | The URL of the preferred authorization server for wallet-initiated flows. When set, this AS is placed first in the `authorization_servers` array of the credential issuer metadata, signaling wallets to use it by default. Must match one of the configured auth servers, the chained AS URL, or "built-in". |
| signingKeyId | string | Key ID for signing access tokens. If unset, the default signing key is used. |
| walletAttestationRequired | boolean | Indicates whether wallet attestation is required for the token endpoint. When enabled, wallets must provide OAuth-Client-Attestation headers. Default value is false. |
| walletProviderTrustLists | Array<string> | URLs of trust lists containing trusted wallet providers. The wallet attestation's X.509 certificate will be validated against these trust lists. If empty and walletAttestationRequired is true, all wallet providers are rejected. |
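The constraints stated in the field descriptions above, turned into a configuration lint as an added example (not EUDIPLO's own validation). The `chainedAsUrl` parameter, the https rule, the severities and the sample configurations are assumptions of this example.

```javascript
// Added example: lint an IssuanceDto before sending it to the service.
// The first three rules restate the field descriptions; the rest are policy
// choices of this example.

function isHttpsUrl(value) {
  try {
    return new URL(value).protocol === "https:";
  } catch (err) {
    return false;
  }
}

// chainedAsUrl is a hypothetical parameter: the URL under which the deployment
// exposes its chained AS. The page does not say how that URL is derived.
function lintIssuanceConfig(cfg, chainedAsUrl) {
  const findings = [];
  const add = (level, field, message) => findings.push({ level, field, message });
  const authServers = Array.isArray(cfg.authServers) ? cfg.authServers : [];
  const trustLists = Array.isArray(cfg.walletProviderTrustLists)
    ? cfg.walletProviderTrustLists
    : [];

  // Must match a configured auth server, the chained AS URL, or "built-in".
  if (cfg.preferredAuthServer != null) {
    const allowed = new Set(authServers.concat(["built-in"]));
    if (chainedAsUrl) allowed.add(chainedAsUrl);
    if (!allowed.has(cfg.preferredAuthServer)) {
      add("error", "preferredAuthServer", "does not match any configured authorization server");
    }
  }

  // Required attestation with an empty trust list rejects every wallet provider.
  if (cfg.walletAttestationRequired === true && trustLists.length === 0) {
    add("error", "walletProviderTrustLists", "empty while walletAttestationRequired is true");
  }

  // dPopRequired defaults to true, so only an explicit false switches it off.
  if (cfg.dPopRequired === false) {
    add("warn", "dPopRequired", "DPoP is switched off for issuance");
  }
  if (cfg.chainedAs && cfg.chainedAs.enabled === true && cfg.chainedAs.requireDPoP === false) {
    add("warn", "chainedAs.requireDPoP", "chained AS tokens are not DPoP-bound");
  }

  // Policy choice of this example: every configured URL should be https.
  const urlFields = [["authServers", authServers], ["walletProviderTrustLists", trustLists]];
  for (const [field, urls] of urlFields) {
    for (const url of urls) {
      if (!isHttpsUrl(url)) add("warn", field, url + " is not an https URL");
    }
  }
  return findings;
}

// Constructed sample configurations.
const HARDENED_CONFIG = {
  authServers: ["https://auth.example.com/realms/my-realm"],
  preferredAuthServer: "built-in",
  dPopRequired: true,
  walletAttestationRequired: true,
  walletProviderTrustLists: ["https://trust.example.com/wallet-providers"],
};
const WEAK_CONFIG = {
  authServers: ["http://auth.example.com/realms/my-realm"],
  preferredAuthServer: "https://other.example.com",
  dPopRequired: false,
  walletAttestationRequired: true,
  walletProviderTrustLists: [],
  chainedAs: { enabled: true, requireDPoP: false },
};
```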
IssuerMetadataCredentialConfig¶
| Name | Type | Description |
|---|---|---|
| claimsByNamespace | Claims organized by namespace for mDOC credentials. Allows specifying claims across multiple namespaces. Only applicable when format is "mso_mdoc". Example: { "org.iso.18013.5.1": { "given_name": "John", "family_name": "Doe" }, "org.iso.18013.5.1.aamva": { "DHS_compliance": "F" } } | |
| display | Array<Display> | |
| docType | string | Document type for mDOC credentials (e.g., "org.iso.18013.5.1.mDL"). Only applicable when format is "mso_mdoc". |
| format | string | |
| namespace | string | Namespace for mDOC credentials (e.g., "org.iso.18013.5.1"). Only applicable when format is "mso_mdoc". Used when claims are provided as a flat object. |
| scope | string | |
KeyChainCreateDto
| Name | Type | Description |
|---|---|---|
| description | string | Human-readable description for the key chain. |
| kmsProvider | string | KMS provider to use (defaults to the configured default provider). |
| rotationPolicy | | Rotation policy configuration. Only applicable for the signing key (root CA never rotates). |
| type | string | Type of key chain to create. |
| usageType | string | Usage type determines the purpose of this key chain (access, attestation, etc.). |
KeyChainEntity
| Name | Type | Description |
|---|---|---|
| activeCertificate | string | Certificate for the active signing key in PEM format. Either CA-signed (if rootKey exists) or self-signed. |
| activeKey | | |
| certValidityDays | number | Certificate validity in days when generating new certificates. |
| createdAt | string(date-time) | |
| description | string | Human-readable description of the key chain. |
| externalKeyId | string | External key identifier for cloud KMS providers. This field stores the provider-specific key reference for the active signing key. |
| id | string | Unique identifier for the key chain. This is the ID referenced by other entities (e.g., issuance config's signingKeyId). |
| kmsProvider | string | The KMS provider used for this key chain. References a configured KMS provider name. |
| lastRotatedAt | string(date-time) | Timestamp of when the key was last rotated. |
| previousCertificate | string | Certificate for the previous signing key in PEM format. |
| previousKey | | |
| previousKeyExpiry | string(date-time) | Expiry date for the previous key. After this date, the previous key should be deleted. |
| rootCertificate | string | Root CA certificate in PEM format. Self-signed certificate for the root CA key. |
| rootKey | | |
| rotationEnabled | boolean | |
| rotationIntervalDays | number | Rotation interval in days. Key material will be rotated after this many days. |
| tenant | | The tenant that owns this key chain. |
| tenantId | string | Tenant ID for the key chain. |
| updatedAt | string(date-time) | The timestamp when the key chain was last updated. |
| usage | string | The usage type of the keys (sign or encrypt). |
| usageType | string | The purpose/role of this key chain in the system. |
KeyChainExportDto
| Name | Type | Description |
|---|---|---|
| crt | Array<string> | Certificate chain in PEM format (leaf first, then intermediates/CA). |
| description | string | Human-readable description. |
| id | string | Key chain ID. |
| key | | The private key in JWK format (EC). |
| kmsProvider | string | KMS provider name. |
| rotationPolicy | | Rotation policy. |
| usageType | string | Usage type for this key chain. |
KeyChainImportDto
| Name | Type | Description |
|---|---|---|
| crt | Array<string> | Certificate chain in PEM format (leaf first, then intermediates/CA). |
| description | string | Human-readable description. |
| id | string | ID for the key chain. If not provided, a new UUID will be generated. |
| key | | The private key in JWK format. |
| kmsProvider | string | KMS provider to use. Defaults to 'db'. |
| rotationPolicy | | Rotation policy. When enabled, the imported key becomes a root CA and a new leaf key is generated. |
| usageType | string | Usage type for this key chain. |
KeyChainResponseDto
| Name | Type | Description |
|---|---|---|
| activeCertificate | | Active signing key's certificate. Not present for encryption keys. |
| activePublicKey | | Active signing key's public key info. |
| createdAt | string(date-time) | Timestamp when the key chain was created. |
| description | string | Human-readable description. |
| id | string | Unique identifier for the key chain. |
| kmsProvider | string | KMS provider used for this key chain. |
| previousCertificate | | Previous signing key's certificate (if in grace period). |
| previousKeyExpiry | string(date-time) | Previous key expiry date. |
| previousPublicKey | | Previous signing key's public key info (if in grace period). |
| rootCertificate | | Root CA certificate (only for internalChain type). |
| rotationPolicy | | Rotation policy configuration. |
| type | string | Type of key chain (standalone or internalChain). |
| updatedAt | string(date-time) | Timestamp when the key chain was last updated. |
| usageType | string | Usage type of the key chain. |
KeyChainUpdateDto
| Name | Type | Description |
|---|---|---|
| activeCertificate | string | Active certificate chain in PEM format. Used for external certificate updates. |
| description | string | Human-readable description for the key chain. |
| rotationPolicy | | Rotation policy configuration. |
KmsProviderCapabilitiesDto
| Name | Type | Description |
|---|---|---|
| canCreate | boolean | Whether the provider supports generating new keys. |
| canDelete | boolean | Whether the provider supports deleting keys. |
| canImport | boolean | Whether the provider supports importing existing keys. |
KmsProviderInfoDto
| Name | Type | Description |
|---|---|---|
| capabilities | | Capabilities of this provider. |
| description | string | Human-readable description of this provider instance. |
| name | string | Unique provider ID (matches the id in kms.json). |
| type | string | Type of the KMS provider (db, vault, aws-kms). |
KmsProvidersResponseDto
| Name | Type | Description |
|---|---|---|
| default | string | The default KMS provider name. |
| providers | Array<KmsProviderInfoDto> | Detailed info for each registered KMS provider. |
NoneTrustPolicy
| Name | Type | Description |
|---|---|---|
| policy | string | |
OfferRequestDto
| Name | Type | Description |
|---|---|---|
| authorization_server | string | Optional authorization server to be used for this issuance flow. |
| credentialClaims | | Credential claims configuration per credential. Keys must match credentialConfigurationIds. Example: {'citizen': {'type': 'inline', 'claims': {'given_name': 'John', 'family_name': 'Doe'}}} |
| credentialConfigurationIds | Array<string> | List of credential configuration ids to be included in the offer. |
| flow | string | The flow type for the offer request. |
| notifyWebhook | | Webhook to notify about the status of the issuance process. |
| response_type | string | The type of response expected for the offer request. |
| tx_code | string | Transaction code for pre-authorized code flow. |
| tx_code_description | string | Description for the transaction code (e.g., "Please enter the PIN sent to your email"). |
OfferResponse
| Name | Type | Description |
|---|---|---|
| crossDeviceUri | string | URI for cross-device flows (no redirect after completion) |
| session | string | |
| uri | string | |
PolicyCredential
| Name | Type | Description |
|---|---|---|
| claims | Array<ClaimsQuery> | |
| credential_sets | Array<CredentialSetQuery> | |
| credentials | Array<CredentialQuery> | |
PresentationAttachment
| Name | Type | Description |
|---|---|---|
| credential_ids | Array<string> | |
| data | | |
| format | string | |
PresentationConfig
| Name | Type | Description |
|---|---|---|
| accessKeyChainId | string \| null | Optional ID of the access certificate to use for signing the presentation request. If not provided, the default access certificate for the tenant will be used. Note: This is intentionally NOT a TypeORM relationship because CertEntity uses a composite primary key (id + tenantId), and SQLite cannot create foreign keys that reference only part of a composite primary key. The relationship is handled at the application level in the service layer. |
| attached | Array<PresentationAttachment> | Attestation that should be attached |
| createdAt | string(date-time) | The timestamp when the VP request was created. |
| dcql_query | | The DCQL query to be used for the VP request. |
| description | string \| null | Description of the presentation configuration. |
| id | string | Unique identifier for the VP request. |
| lifeTime | number | How long the presentation request remains valid after creation, in seconds. |
| redirectUri | string \| null | Redirect URI to which the user-agent should be redirected after the presentation is completed. You can use the `{sessionId}` placeholder in the URI, which will be replaced with the actual session ID. |
| registrationCert | | The registration certificate request containing the necessary details. |
| tenant | | The tenant that owns this object. |
| transaction_data | Array<TransactionData> | |
| updatedAt | string(date-time) | The timestamp when the VP request was last updated. |
| webhook | | Optional webhook URL to receive the response. |
PresentationConfigCreateDto
| Name | Type | Description |
|---|---|---|
| accessKeyChainId | string \| null | Optional ID of the access certificate to use for signing the presentation request. If not provided, the default access certificate for the tenant will be used. Note: This is intentionally NOT a TypeORM relationship because CertEntity uses a composite primary key (id + tenantId), and SQLite cannot create foreign keys that reference only part of a composite primary key. The relationship is handled at the application level in the service layer. |
| attached | Array<PresentationAttachment> | Attestation that should be attached |
| dcql_query | | The DCQL query to be used for the VP request. |
| description | string \| null | Description of the presentation configuration. |
| id | string | Unique identifier for the VP request. |
| lifeTime | number | How long the presentation request remains valid after creation, in seconds. |
| redirectUri | string \| null | Redirect URI to which the user-agent should be redirected after the presentation is completed. You can use the `{sessionId}` placeholder in the URI, which will be replaced with the actual session ID. |
| registrationCert | | The registration certificate request containing the necessary details. |
| transaction_data | Array<TransactionData> | |
| webhook | | Optional webhook URL to receive the response. |
PresentationConfigUpdateDto
| Name | Type | Description |
|---|---|---|
| accessKeyChainId | string \| null | Optional ID of the access certificate to use for signing the presentation request. If not provided, the default access certificate for the tenant will be used. Note: This is intentionally NOT a TypeORM relationship because CertEntity uses a composite primary key (id + tenantId), and SQLite cannot create foreign keys that reference only part of a composite primary key. The relationship is handled at the application level in the service layer. |
| attached | Array<PresentationAttachment> | Attestation that should be attached |
| dcql_query | | The DCQL query to be used for the VP request. |
| description | string \| null | Description of the presentation configuration. |
| id | string | Unique identifier for the VP request. |
| lifeTime | number | How long the presentation request remains valid after creation, in seconds. |
| redirectUri | string \| null | Redirect URI to which the user-agent should be redirected after the presentation is completed. You can use the `{sessionId}` placeholder in the URI, which will be replaced with the actual session ID. |
| registrationCert | | The registration certificate request containing the necessary details. |
| transaction_data | Array<TransactionData> | |
| webhook | | Optional webhook URL to receive the response. |
PresentationDuringIssuanceConfig
| Name | Type | Description |
|---|---|---|
| type | string | Link to the presentation configuration that is relevant for the issuance process |
PresentationRequest
| Name | Type | Description |
|---|---|---|
| redirectUri | string | Optional redirect URI to which the user-agent should be redirected after the presentation is completed. You can use the `{sessionId}` placeholder in the URI, which will be replaced with the actual session ID. |
| requestId | string | Identifier of the presentation configuration |
| response_type | string | The type of response expected from the presentation request. |
| transaction_data | Array<TransactionData> | Optional transaction data to include in the OID4VP request. If provided, this will override the transaction_data from the presentation configuration. |
| webhook | | Webhook configuration to receive the response. If not provided, the configured webhook from the configuration will be used. |
PublicKeyInfoDto
| Name | Type | Description |
|---|---|---|
| alg | string | Key algorithm (e.g., ES256). |
| crv | string | Curve (for EC keys). |
| kid | string | Key ID. |
| kty | string | Key type (e.g., EC). |
RegistrarConfigEntity
| Name | Type | Description |
|---|---|---|
| clientId | string | The OIDC client ID for the registrar |
| clientSecret | string | The OIDC client secret (optional, for confidential clients) |
| oidcUrl | string(uri) | The OIDC issuer URL for authentication (e.g., Keycloak realm URL) |
| password | string | The password for OIDC login (stored in plaintext) |
| registrarUrl | string(uri) | The base URL of the registrar API |
| tenant | | The tenant that owns this configuration. |
| tenantId | string | The tenant ID this configuration belongs to. |
| username | string | The username for OIDC login |
RegistrationCertificateRequest
| Name | Type | Description |
|---|---|---|
| jwt | string | The body of the registration certificate request containing the necessary details. |
RootOfTrustPolicy
| Name | Type | Description |
|---|---|---|
| policy | string | |
| values | string | |
RotationPolicyCreateDto
| Name | Type | Description |
|---|---|---|
| certValidityDays | number | Certificate validity in days. Defaults to rotation interval + 30 days grace period. |
| enabled | boolean | Whether automatic key rotation is enabled. |
| intervalDays | number | Rotation interval in days. Required when enabled is true. |
RotationPolicyImportDto
| Name | Type | Description |
|---|---|---|
| certValidityDays | number | Certificate validity in days. |
| enabled | boolean | Whether rotation is enabled. When true, the imported key becomes a root CA. |
| intervalDays | number | Rotation interval in days. |
RotationPolicyResponseDto
| Name | Type | Description |
|---|---|---|
| certValidityDays | number | Certificate validity in days. |
| enabled | boolean | Whether automatic key rotation is enabled. |
| intervalDays | number | Rotation interval in days. |
| nextRotationAt | string(date-time) | Next scheduled rotation date. |
RotationPolicyUpdateDto
| Name | Type | Description |
|---|---|---|
| certValidityDays | number | Certificate validity in days. |
| enabled | boolean | Whether automatic key rotation is enabled. |
| intervalDays | number | Rotation interval in days. |
SchemaResponse
| Name | Type | Description |
|---|---|---|
| $schema | string | |
| description | string | |
| properties | | |
| required | Array<string> | |
| title | string | |
| type | string | |
Session
| Name | Type | Description |
|---|---|---|
| auth_queries | | Authorization queries associated with the session. Encrypted at rest. |
| authorization_code | string | |
| clientId | string | Client ID used in the OID4VP authorization request. |
| createdAt | string(date-time) | The timestamp when the request was created. |
| credentialPayload | | Credential payload containing the offer request details. Encrypted at rest - may contain sensitive claim data. |
| credentials | Array<> | Verified credentials from the presentation process. Encrypted at rest - contains personal information. |
| expiresAt | string(date-time) | The timestamp when the request is set to expire. |
| externalIssuer | string | |
| externalSubject | string | The subject (sub) from the external authorization server token. Used to identify the user at the external AS. |
| id | string | Unique identifier for the session. |
| notifications | Array<> | Notifications associated with the session. |
| notifyWebhook | | Webhook configuration to send the result of the notification response. |
| offer | | Credential offer object containing details about the credential offer or presentation request. Encrypted at rest. |
| offerUrl | string | Offer URL for the credential offer. |
| parsedWebhook | | Where to send the claims webhook response. |
| redirectUri | string \| null | Redirect URI to which the user-agent should be redirected after the presentation is completed. |
| request_uri | string | Request URI from the authorization request. |
| requestId | string | |
| requestObject | string | Signed presentation auth request. |
| requestUrl | string | The URL of the presentation auth request. |
| responseUri | string | Response URI used in the OID4VP authorization request. |
| status | string | Status of the session. |
| tenant | | The tenant that owns this object. |
| tenantId | string | Tenant ID for multi-tenancy support. |
| transaction_data | Array<TransactionData> | Transaction data to include in the OID4VP authorization request. Can be overridden per-request from the presentation configuration. |
| updatedAt | string(date-time) | The timestamp when the request was last updated. |
| useDcApi | boolean | Flag indicating whether to use the DC API for the presentation request. |
| vp_nonce | string | Nonce from the Verifiable Presentation request. |
SessionStorageConfig
| Name | Type | Description |
|---|---|---|
| cleanupMode | string | Cleanup mode: 'full' deletes everything, 'anonymize' keeps metadata but removes PII. |
| ttlSeconds | number | Time-to-live for sessions in seconds. If not set, uses global SESSION_TTL. |
StatusListConfig
| Name | Type | Description |
|---|---|---|
| bits | number | Bits per status entry: 1 (valid/revoked), 2 (with suspended), 4/8 (extended). If not set, uses global STATUS_BITS. |
| capacity | number | The capacity of the status list. If not set, uses global STATUS_CAPACITY. |
| enableAggregation | boolean | If true, include aggregation_uri in status list JWTs for pre-fetching support (default: true). |
| immediateUpdate | boolean | If true, regenerate JWT immediately on status changes. If false (default), use lazy regeneration on TTL expiry. |
| ttl | number | TTL in seconds for the status list JWT. If not set, uses global STATUS_TTL. |
StatusListResponseDto
| Name | Type | Description |
|---|---|---|
| availableEntries | number | Number of available entries |
| bits | number | Bits per status value |
| capacity | number | Total capacity of the status list |
| createdAt | string(date-time) | Creation timestamp |
| credentialConfigurationId | string \| null | Credential configuration ID this list is bound to. Null means shared. |
| expiresAt | string(date-time) \| null | JWT expiration timestamp. Null if JWT has not been generated yet. |
| id | string | Unique identifier for the status list |
| keyChainId | string \| null | Key chain ID used for signing. Null means using the tenant's default. |
| tenantId | string | The tenant ID |
| uri | string | The public URI for this status list |
| usedEntries | number | Number of entries in use |
StatusUpdateDto
| Name | Type | Description |
|---|---|---|
| credentialConfigurationId | string | The ID of the credential configuration. This is optional; if not provided, all credentials of the session will be revoked. |
| sessionId | string | The session ID of the user |
| status | number | The status of the credential: 0 = valid, 1 = revoked, 2 = suspended |
TenantEntity
| Name | Type | Description |
|---|---|---|
| clients | Array<ClientEntity> | The clients associated with the tenant. |
| description | string | The description of the tenant. |
| id | string | The unique identifier for the tenant. |
| name | string | The name of the tenant. |
| sessionConfig | | Session storage configuration for this tenant. Controls TTL and cleanup behavior. |
| status | string | The current status of the tenant. |
| statusListConfig | | Status list configuration for this tenant. Only affects newly created status lists. |
TransactionData
| Name | Type | Description |
|---|---|---|
| credential_ids | Array<string> | |
| type | string | |
TrustedAuthorityQuery
| Name | Type | Description |
|---|---|---|
| type | string | |
| values | Array<string> | |
TrustList
| Name | Type | Description |
|---|---|---|
| createdAt | string(date-time) | |
| data | | The full trust list JSON (generated LoTE structure) |
| description | string | |
| entityConfig | Array<> | The original entity configuration used to create this trust list. Stored for round-tripping when editing. |
| id | string | Unique identifier for the trust list |
| jwt | string | The signed JWT representation of this trust list |
| keyChain | KeyChainEntity | |
| keyChainId | string | |
| sequenceNumber | number | The sequence number for versioning (incremented on updates) |
| tenant | | The tenant that owns this object. |
| tenantId | string | The tenant ID for which the VP request is made. |
| updatedAt | string(date-time) | |
TrustListCreateDto
| Name | Type | Description |
|---|---|---|
| data | | The full trust list JSON (generated LoTE structure) |
| description | string | |
| entities | Array<> | |
| id | string | |
| keyChainId | string | |
TrustListVersion
| Name | Type | Description |
|---|---|---|
| createdAt | string(date-time) | |
| data | | The full trust list JSON at this version |
| entityConfig | | The entity configuration at this version |
| id | string | |
| jwt | string | The signed JWT at this version |
| sequenceNumber | number | The sequence number at the time this version was created |
| tenantId | string | |
| trustList | TrustList | |
| trustListId | string | |
UpdateClientDto
| Name | Type | Description |
|---|---|---|
| allowedIssuanceConfigs | Array<string> | List of issuance config IDs this client can use. If empty/null, all configs are allowed. |
| allowedPresentationConfigs | Array<string> | List of presentation config IDs this client can use. If empty/null, all configs are allowed. |
| description | string | The description of the client. |
| roles | Array<string> | The roles assigned to the client. |
UpdateRegistrarConfigDto
| Name | Type | Description |
|---|---|---|
| clientId | string | The OIDC client ID for the registrar |
| clientSecret | string | The OIDC client secret (optional, for confidential clients) |
| oidcUrl | string(uri) | The OIDC issuer URL for authentication (e.g., Keycloak realm URL) |
| password | string | The password for OIDC login (stored in plaintext) |
| registrarUrl | string(uri) | The base URL of the registrar API |
| username | string | The username for OIDC login |
UpdateSessionConfigDto
| Name | Type | Description |
|---|---|---|
| cleanupMode | string | Cleanup mode: 'full' deletes everything, 'anonymize' keeps metadata but removes PII. |
| ttlSeconds | number \| null | Time-to-live for sessions in seconds. Set to null to use global default. |
UpdateStatusListConfigDto
| Name | Type | Description |
|---|---|---|
| bits | number \| null | Bits per status entry. Set to null to reset to global default. |
| capacity | number \| null | The capacity of the status list. Set to null to reset to global default. |
| enableAggregation | boolean \| null | If true, include aggregation_uri in status list JWTs for pre-fetching support. Set to null to reset to default (true). |
| immediateUpdate | boolean \| null | If true, regenerate JWT on every status change. Set to null to reset to default (false). |
| ttl | number \| null | TTL in seconds for the status list JWT. Set to null to reset to global default. |
UpdateStatusListDto
| Name | Type | Description |
|---|---|---|
| credentialConfigurationId | string \| null | Credential configuration ID to bind this list exclusively to. Set to null to make this a shared list. |
| keyChainId | string \| null | Key chain ID to use for signing. Set to null to use the tenant's default StatusList key chain. |
UpdateTenantDto
| Name | Type | Description |
|---|---|---|
| description | string | The description of the tenant. |
| name | string | The name of the tenant. |
| roles | Array<string> | |
| sessionConfig | | Session storage configuration. Controls TTL and cleanup behavior. |
| statusListConfig | | Status list configuration for this tenant. Only affects newly created status lists. |
UpstreamOidcConfig
| Name | Type | Description |
|---|---|---|
| clientId | string | The client ID registered with the upstream provider |
| clientSecret | string | The client secret for confidential clients |
| issuer | string(uri) | The OIDC issuer URL of the upstream provider |
| scopes | Array<string> | Scopes to request from the upstream provider |
VCT
| Name | Type | Description |
|---|---|---|
| description | string | |
| extends | string | |
| extends#integrity | string | |
| name | string | |
| schema_uri | string | |
| schema_uri#integrity | string | |
| vct | string | |
WebHookAuthConfigHeader
| Name | Type | Description |
|---|---|---|
| config | | Configuration for API key authentication. This is required if the type is 'apiKey'. |
| type | string | The type of authentication used for the webhook. |
WebHookAuthConfigNone
| Name | Type | Description |
|---|---|---|
| type | string | The type of authentication used for the webhook. |
WebhookConfig
| Name | Type | Description |
|---|---|---|
| auth | | Optional authentication configuration for the webhook. If not provided, no authentication will be used. |
| url | string | The URL to which the webhook will send notifications. |
Security schemes
| Name | Type | Scheme | Description |
|---|---|---|---|
| oauth2 | oauth2 | | |
More documentation
Documentation