Truid - OAuth2 and OIDC API (1.0.0)

Download OpenAPI specification:Download

OAuth2 and OIDC API used to authorize access to clients.

Note: To be able to authorize access for a client, the End-User needs to be authenticated. How Truid authenticates End-User is out of scope for this specification, but could include redirects not included here.

Starting point for a Sign authorization flow.

This is the Authorization Request endpoint used to start a flow to sign a single data object or to continue a flow that was started against the PAR Sign Operation endpoint /oauth2/v1/par/sign.

The scope that is passed represents the information that a client needs access to to be able to complete the transaction.

Each scope is the key of a Data Point. See Data Points documentation for a full list of the supported Data Points.

Additional OIDC scopes that are supported are:

email
phone

Note: If using PAR only client_id and request_uri parameters should be used.

See:

query Parameters

response_type	string Value: "code" Must be set to `code`. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1 Required if not using PAR.
client_id required	string The `client_id` of the client that initiated the flow (not the app). See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
request_uri	string The `request_uri` obtained using PAR. See https://datatracker.ietf.org/doc/html/rfc9126#section-4
scope	string A set of requested scopes, as a space separated string. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
redirect_uri	string The URI used to redirect back to the client when the flow is complete. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1 Required if not using PAR.
state	string It is required that the client passes a state value. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1 Required if not using PAR.
nonce	string It is recommended that the client passes a nonce value. See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
code_challenge	string It is required that the client creates a code challenge according to PKCE. See https://www.rfc-editor.org/rfc/rfc7636#section-4.3 Required if not using PAR.
code_challenge_method	string Value: "S256" It is required that the client sends a code verifier transformation method according to PKCE. See https://www.rfc-editor.org/rfc/rfc7636#section-4.3 Required if not using PAR.
user_message	string <= 100 characters Human-readable message of what the End-User (signer) is about to sign and commit to. Will be displayed to the End-User and should be localized for the intended End-User. Personal and confidential data should be avoided, the End-User will be identified by other means in the signature. The `user_message` will be included in the returned signature as part of the protected header as `truid.app/user_message/v1` and will therefore contribute to the signature. The text should be plain text and not contain special characters or formatting. Required if not using PAR.
data_object_id	string Data object identifier. Should according to ETSI be a URI uniquely identifying the data that is signed. When using `detached` packaging with `digest` this id must identify the individual document and version in the client system. This value is included in the signature as a reference, but is not used in any other way by Truid. Required if not using PAR.
data_object_digest	string Base64Url encoded digest of the data object that should be signed. Will be added to the `hashV` property array in the protected `sigD` header in the JWS. The `data_object_b64` tells if the data object was Base64Url encoded prior to calculating the digest value. Example: With `data_object_b64: true`: `BASE64URL-ENCODE(SHA256( BASE64URL-ENCODE( data object ) ) )` With `data_object_b64: false`: `BASE64URL-ENCODE(SHA256( data object ) )` Can only be used with `detached` packaging. See: Mechanism ObjectIdByURIHash https://www.etsi.org/deliver/etsi_ts/119100_119199/11918201/01.01.01_60/ts_11918201v010101p.pdf
data_object_digest_algorithm	string (DigestAlgorithm) Value: "S256" Algorithm used to calculate the digest of the Data object. Will be set as the `hashM` property in the protected `sigD` header in the JWS. Can only be used with `detached` packaging. Required if the parameter `data_object_digest` is present. See: 5.2.8.3.3 https://www.etsi.org/deliver/etsi_ts/119100_119199/11918201/01.01.01_60/ts_11918201v010101p.pdf See: 5.1 https://www.etsi.org/deliver/etsi_ts/119300_119399/119312/01.02.01_60/ts_119312v010201p.pdf
data_object_b64	boolean Boolean if the data object was Base64Url encoded prior to calculating the digest. Required if `data_object_digest` is provided. See: See: 5.2.8.1 https://www.etsi.org/deliver/etsi_ts/119100_119199/11918201/01.01.01_60/ts_11918201v010101p.pdf See: https://datatracker.ietf.org/doc/html/rfc7797
data_object_content_type	string Optional content type of the data object according to RFC2045. Will be used as the `cty` JWS header or in the `ctys` array of the protected `sigD` JWS/JAdES header. See: 5.2.8.1 https://www.etsi.org/deliver/etsi_ts/119100_119199/11918201/01.01.01_60/ts_11918201v010101p.pdf See: https://www.rfc-editor.org/rfc/rfc2045
signature_profile	string (SignatureProfile) Value: "aes_jades_baseline_b-b" Signature profile. Required if not using PAR.
jws_packaging	string (JwsPackagingType) Value: "detached" How the payload will be packaged in the jws. Required if not using PAR.
jws_serialization	string (JwsSerializationType) Value: "compact" How the JWS should be serialized Required if not using PAR.

Responses

Response Schema: text/html

string

Starting point for Identity Verification authorization flow.

This is the Authorization Request endpoint used to start a flow to perform an instant Identity Verification of a user or to continue a flow that was started against the PAR Identity Verification endpoint /oauth2/v1/par/idv.

The scope that is passed represents the information that a client needs access to to be able to complete the identity verification process.

Each scope is the key of a Data Point. See Data Points documentation for a full list of the supported Data Points.

Additional OIDC scopes that are supported are:

email
phone

Note: If using PAR only client_id and request_uri parameters should be used.

See:

query Parameters

response_type	string Value: "code" Must be set to `code`. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1 Required if not using PAR.
client_id required	string The `client_id` of the client that initiated the flow (not the app). See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
request_uri	string The `request_uri` obtained using PAR. See https://datatracker.ietf.org/doc/html/rfc9126#section-4
scope	string A set of requested scopes, as a space separated string. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
redirect_uri	string The URI used to redirect back to the client when the flow is complete. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1 Required if not using PAR.
state	string It is required that the client passes a state value. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1 Required if not using PAR.
nonce	string It is recommended that the client passes a nonce value. See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
code_challenge	string It is required that the client creates a code challenge according to PKCE. See https://www.rfc-editor.org/rfc/rfc7636#section-4.3 Required if not using PAR.
code_challenge_method	string Value: "S256" It is required that the client sends a code verifier transformation method according to PKCE. See https://www.rfc-editor.org/rfc/rfc7636#section-4.3 Required if not using PAR.

Responses

Response Schema: text/html

string

Starting point for Confirm Signup authorization flow.

This is the Authorization Request endpoint used to start a flow to sign up a user or to continue a flow that was started against the PAR Onboarding Session endpoint /oauth2/v1/par/confirm-signup.

The scope that is passed represents the information that a client needs access to to be able to complete the sign up process.

Each scope is the key of a Data Point. See Data Points documentation for a full list of the supported Data Points.

Additional OIDC scopes that are supported are:

email
phone

Note: If using PAR only client_id and request_uri parameters should be used.

See:

query Parameters

response_type	string Value: "code" Must be set to `code`. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1 Required if not using PAR.
client_id required	string The `client_id` of the client that initiated the flow (not the app). See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
request_uri	string The `request_uri` obtained using PAR. See https://datatracker.ietf.org/doc/html/rfc9126#section-4
scope	string A set of requested scopes, as a space separated string. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
redirect_uri	string The URI used to redirect back to the client when the flow is complete. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1 Required if not using PAR.
state	string It is required that the client passes a state value. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1 Required if not using PAR.
nonce	string It is recommended that the client passes a nonce value. See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
code_challenge	string It is required that the client creates a code challenge according to PKCE. See https://www.rfc-editor.org/rfc/rfc7636#section-4.3 Required if not using PAR.
code_challenge_method	string Value: "S256" It is required that the client sends a code verifier transformation method according to PKCE. See https://www.rfc-editor.org/rfc/rfc7636#section-4.3 Required if not using PAR.

Responses

Response Schema: text/html

string

Starting point for Login authorization flow.

This is the Authorization Request endpoint used to start a flow to login or to continue a flow that was started against the PAR Login Session endpoint /oauth2/v1/par/login-session

The scope that is passed represents the information that a client needs access to during the login session.

Each scope is the key of a Data Point. See Data Points documentation for a full list of the supported Data Points.

Additional OIDC scopes that are supported are:

email
phone

Note: If using PAR only client_id and request_uri parameters should be used.

See:

query Parameters

response_type	string Value: "code" Must be set to `code`. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1 Required if not using PAR.
client_id required	string The `client_id` of the client that initiated the flow (not the app). See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
request_uri	string The `request_uri` obtained using PAR. See https://datatracker.ietf.org/doc/html/rfc9126#section-4
scope	string A set of requested scopes, as a space separated string. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
redirect_uri	string The URI used to redirect back to the client when the flow is complete. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1 Required if not using PAR.
state	string It is required that the client passes a state value. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1 Required if not using PAR.
nonce	string It is recommended that the client passes a nonce value. See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
code_challenge	string It is required that the client creates a code challenge according to PKCE. See https://www.rfc-editor.org/rfc/rfc7636#section-4.3 Required if not using PAR.
code_challenge_method	string Value: "S256" It is required that the client sends a code verifier transformation method according to PKCE. See https://www.rfc-editor.org/rfc/rfc7636#section-4.3 Required if not using PAR.

Responses

Response Schema: text/html

string

Pushed Authorization Request for Identity Verification

Pushed Authorization Request (PAR) endpoint for Identity Verification.

An OAuth2 authorization flow is started at this endpoint by a POST request from the client backend. The response contains a request_uri parameter that should be used when redirecting the End-User in the User-Agent to the OAuth2 authorization endpoint.

The PAR flow is recommended over standard OAuth2 authorization request since the authorization request params are uploaded out-of-bands of the End-User request, which is typically done in a browser.

See: https://datatracker.ietf.org/doc/html/rfc9126

Request Body schema:
application/json

response_type required	string Value: "code" Must be set to `code`. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
client_id required	string The `client_id` of the client that made the request. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
client_secret required	string The `client_secret` of the client that made the request. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
scope	string A set of requested scopes, as a space separated string. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
	object (Claims) Claims parameter according to https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter Note that this parameter has some Truid specific extensions, and that the `id-token` and `userinfo` properties are not supported.
redirect_uri required	string The URI used to redirect back to the client when the flow is complete. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
state required	string It is required that the client passes a state value. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
nonce	string It is recommended that the client passes a nonce value. See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
code_challenge required	string It is required that the client creates a code challenge according to PKCE. See https://www.rfc-editor.org/rfc/rfc7636#section-4.3
code_challenge_method required	string Value: "S256" It is required that the client sends a code verifier transformation method according to PKCE. See https://www.rfc-editor.org/rfc/rfc7636#section-4.3

Responses

Response Schema: application/json

request_uri required	string A unique reference (ticket) to this request which is used in the End-User request to the OAuth2 authorization endpoint.
expires_in required	integer <int64> Time to live in seconds for the `request_uri`.

Request samples

Payload

Content type

application/json

{"response_type": "code",
"client_id": "string",
"client_secret": "string",
"scope": "string",
"claims": {"signature": {"property1": {"essential": true
},
"property2": {"essential": true
}
}
},
"redirect_uri": "string",
"state": "string",
"nonce": "string",
"code_challenge": "string",
"code_challenge_method": "S256"
}

Response samples

201
400
401

Content type

application/json

{"request_uri": "asd-fdas-asdf-asdf",
"expires_in": 120
}

Pushed Authorization Request for Onboarding Session

Pushed Authorization Request (PAR) endpoint for Onboarding Session.

An OAuth2 authorization flow is started at this endpoint by a POST request from the client backend. The response contains a request_uri parameter that should be used when redirecting the End-User in the User-Agent to the OAuth2 authorization endpoint.

The PAR flow is recommended over standard OAuth2 authorization request since the authorization request params are uploaded out-of-bands of the End-User request, which is typically done in a browser.

See: https://datatracker.ietf.org/doc/html/rfc9126

Request Body schema:
application/json

response_type required	string Value: "code" Must be set to `code`. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
client_id required	string The `client_id` of the client that made the request. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
client_secret required	string The `client_secret` of the client that made the request. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
scope	string A set of requested scopes, as a space separated string. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
	object (Claims) Claims parameter according to https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter Note that this parameter has some Truid specific extensions, and that the `id-token` and `userinfo` properties are not supported.
redirect_uri required	string The URI used to redirect back to the client when the flow is complete. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
state required	string It is required that the client passes a state value. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
nonce	string It is recommended that the client passes a nonce value. See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
code_challenge required	string It is required that the client creates a code challenge according to PKCE. See https://www.rfc-editor.org/rfc/rfc7636#section-4.3
code_challenge_method required	string Value: "S256" It is required that the client sends a code verifier transformation method according to PKCE. See https://www.rfc-editor.org/rfc/rfc7636#section-4.3

Responses

Response Schema: application/json

request_uri required	string A unique reference (ticket) to this request which is used in the End-User request to the OAuth2 authorization endpoint.
expires_in required	integer <int64> Time to live in seconds for the `request_uri`.

Request samples

Payload

Content type

application/json

{"response_type": "code",
"client_id": "string",
"client_secret": "string",
"scope": "string",
"claims": {"signature": {"property1": {"essential": true
},
"property2": {"essential": true
}
}
},
"redirect_uri": "string",
"state": "string",
"nonce": "string",
"code_challenge": "string",
"code_challenge_method": "S256"
}

Response samples

201
400
401

Content type

application/json

{"request_uri": "asd-fdas-asdf-asdf",
"expires_in": 120
}

Pushed Authorization Request for Login Session

Pushed Authorization Request (PAR) endpoint for Login Session.

An OAuth2 authorization flow is started at this endpoint by a POST request from the client backend. The response contains a request_uri parameter that should be used when redirecting the End-User in the User-Agent to the OAuth2 authorization endpoint.

The PAR flow is recommended over standard OAuth2 authorization request since the authorization request params are uploaded out-of-bands of the End-User request, which is typically done in a browser.

See: https://datatracker.ietf.org/doc/html/rfc9126

Request Body schema:
application/json

response_type required	string Value: "code" Must be set to `code`. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
client_id required	string The `client_id` of the client that made the request. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
client_secret required	string The `client_secret` of the client that made the request. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
scope	string A set of requested scopes, as a space separated string. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
	object (Claims) Claims parameter according to https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter Note that this parameter has some Truid specific extensions, and that the `id-token` and `userinfo` properties are not supported.
redirect_uri required	string The URI used to redirect back to the client when the flow is complete. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
state required	string It is required that the client passes a state value. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
nonce	string It is recommended that the client passes a nonce value. See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
code_challenge required	string It is required that the client creates a code challenge according to PKCE. See https://www.rfc-editor.org/rfc/rfc7636#section-4.3
code_challenge_method required	string Value: "S256" It is required that the client sends a code verifier transformation method according to PKCE. See https://www.rfc-editor.org/rfc/rfc7636#section-4.3

Responses

Response Schema: application/json

request_uri required	string A unique reference (ticket) to this request which is used in the End-User request to the OAuth2 authorization endpoint.
expires_in required	integer <int64> Time to live in seconds for the `request_uri`.

Request samples

Payload

Content type

application/json

{"response_type": "code",
"client_id": "string",
"client_secret": "string",
"scope": "string",
"claims": {"signature": {"property1": {"essential": true
},
"property2": {"essential": true
}
}
},
"redirect_uri": "string",
"state": "string",
"nonce": "string",
"code_challenge": "string",
"code_challenge_method": "S256"
}

Response samples

201
400
401

Content type

application/json

{"request_uri": "asd-fdas-asdf-asdf",
"expires_in": 120
}

Pushed Authorization Request for Sign Operation

Pushed Authorization Request (PAR) endpoint for Sign Operation.

An OAuth2 authorization flow is started at this endpoint by a POST request from the client backend. The response contains a request_uri parameter that should be used when redirecting the End-User in the User-Agent to the OAuth2 authorization endpoint.

The PAR flow is recommended over standard OAuth2 authorization request since the authorization request params are uploaded out-of-bands of the End-User request, which is typically done in a browser.

See: https://datatracker.ietf.org/doc/html/rfc9126

Request Body schema:
application/json

response_type required	string Value: "code" Must be set to `code`. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
client_id required	string The `client_id` of the client that made the request. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
client_secret required	string The `client_secret` of the client that made the request. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
scope	string A set of requested scopes, as a space separated string. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
	object (Claims) Claims parameter according to https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter Note that this parameter has some Truid specific extensions, and that the `id-token` and `userinfo` properties are not supported.
redirect_uri required	string The URI used to redirect back to the client when the flow is complete. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
state required	string It is required that the client passes a state value. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
nonce	string It is recommended that the client passes a nonce value. See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
code_challenge required	string It is required that the client creates a code challenge according to PKCE. See https://www.rfc-editor.org/rfc/rfc7636#section-4.3
code_challenge_method required	string Value: "S256" It is required that the client sends a code verifier transformation method according to PKCE. See https://www.rfc-editor.org/rfc/rfc7636#section-4.3
user_message required	string <= 100 characters Human-readable message of what the End-User (signer) is about to sign and commit to. Will be displayed to the End-User and should be localized for the intended End-User. Personal and confidential data should be avoided, the End-User will be identified by other means in the signature. The `user_message` will be included in the returned signature as part of the protected header as `truid.app/user_message/v1` and will therefore contribute to the signature. The text should be plain text and not contain special characters or formatting.
data_object_id required	string Data object identifier. Should according to ETSI be a URI uniquely identifying the data that is signed. When using `detached` packaging with `digest` this id must identify the individual document and version in the client system. This value is included in the signature as a reference, but is not used in any other way by Truid.
data_object_digest	string Base64Url encoded digest of the data object that should be signed. Will be added to the `hashV` property array in the protected `sigD` header in the JWS. The `data_object_b64` tells if the data object was Base64Url encoded prior to calculating the digest value. Example: With `data_object_b64: true`: `BASE64URL-ENCODE(SHA256( BASE64URL-ENCODE( data object ) ) )` With `data_object_b64: false`: `BASE64URL-ENCODE(SHA256( data object ) )` Can only be used with `detached` packaging. See: Mechanism ObjectIdByURIHash https://www.etsi.org/deliver/etsi_ts/119100_119199/11918201/01.01.01_60/ts_11918201v010101p.pdf
data_object_digest_algorithm	string (DigestAlgorithm) Value: "S256" Digest algorithm. The hash algorithms that shall be used according to JAdES are listed here: See: Annex E https://www.etsi.org/deliver/etsi_ts/119100_119199/11918201/01.01.01_60/ts_11918201v010101p.pdf See: 5.1 https://www.etsi.org/deliver/etsi_ts/119300_119399/119312/01.02.01_60/ts_119312v010201p.pdf S256 - SHA-256 See: https://csrc.nist.gov/csrc/media/publications/fips/180/4/final/documents/fips180-4-draft-aug2014.pdf
data_object_b64	boolean Boolean if the data object was Base64Url encoded prior to calculating the digest. Required if `data_object_digest` is provided. See: See: 5.2.8.1 https://www.etsi.org/deliver/etsi_ts/119100_119199/11918201/01.01.01_60/ts_11918201v010101p.pdf See: https://datatracker.ietf.org/doc/html/rfc7797
data_object_content_type	string Optional content type of the data object according to RFC2045. Will be used as the `cty` JWS header or in the `ctys` array of the protected `sigD` JWS/JAdES header. See: 5.2.8.1 https://www.etsi.org/deliver/etsi_ts/119100_119199/11918201/01.01.01_60/ts_11918201v010101p.pdf See: https://www.rfc-editor.org/rfc/rfc2045
signature_profile required	string (SignatureProfile) Value: "aes_jades_baseline_b-b" Defines type of signature and the requirement on long term availability and integrity of validation material. aes_jades_baseline_b-b - A JAdES signature using AES and the AdES level B-B (base signature). See: 6.1 https://www.etsi.org/deliver/etsi_ts/119100_119199/11918201/01.01.01_60/ts_11918201v010101p.pdf
jws_packaging required	string (JwsPackagingType) Value: "detached" How the JWS and its signature relates to the signed data. For JAdES there are two packaging types: enveloping - the signed data (payload) is included in the JWS detached - the signed data (payload) is detached from the JWS Only `detached` is currently supported. See: https://ec.europa.eu/digital-building-blocks/DSS/webapp-demo/doc/dss-documentation.html#Packaging
jws_serialization required	string (JwsSerializationType) Value: "compact" How the JWS signature will be serialized when delivered. JWS signature can be serialized in three ways: compact - where header, payload and signature is separate with a dot. Payload can be empty if packaging is detached. json - each part of the JWS (i.e header, payload and signature) is delivered in a json object. flatten - similar to json, but each array is flatten and supports one document Only `compact` is currently supported. See: https://www.rfc-editor.org/rfc/rfc7515#section-7.1

Responses

Response Schema: application/json

request_uri required	string A unique reference (ticket) to this request which is used in the End-User request to the OAuth2 authorization endpoint.
expires_in required	integer <int64> Time to live in seconds for the `request_uri`.

Request samples

Payload

Content type

application/json

{"response_type": "code",
"client_id": "string",
"client_secret": "string",
"scope": "string",
"claims": {"signature": {"property1": {"essential": true
},
"property2": {"essential": true
}
}
},
"redirect_uri": "string",
"state": "string",
"nonce": "string",
"code_challenge": "string",
"code_challenge_method": "S256",
"user_message": "string",
"data_object_id": "string",
"data_object_digest": "string",
"data_object_digest_algorithm": "S256",
"data_object_b64": true,
"data_object_content_type": "string",
"signature_profile": "aes_jades_baseline_b-b",
"jws_packaging": "detached",
"jws_serialization": "compact"
}

Response samples

201
400
401

Content type

application/json

{"request_uri": "asd-fdas-asdf-asdf",
"expires_in": 120
}

Request an access token.

Request an access token that can be used to access other resources. This is the OAuth2 token endpoint.

See: https://datatracker.ietf.org/doc/html/rfc6749#section-3.2

Request Body schema:
application/json

grant_type required	string Grant type See https://datatracker.ietf.org/doc/html/rfc6749#section-3.2 authorization_code
code required	string Code received from the authorization endpoint. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
client_id required	string Identifies the client that requests the access token. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
client_secret required	string Identifies the client that requests the access token. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
redirect_uri required	string The URI used to redirect back to the client when the flow is complete. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
code_verifier	string PKCE code verifier. Must be included if a code challenge was included in the authorize request. See https://www.rfc-editor.org/rfc/rfc7636#section-4.5
scope	string Optional scope string for the new access_token. Only the same scope as the original access_token are supported. See https://datatracker.ietf.org/doc/html/rfc6749#section-6

Responses

Response Schema: application/json

access_token required	string See https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
token_type required	string See https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
refresh_token	string See https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
expires_in required	integer <int64> See https://datatracker.ietf.org/doc/html/rfc6749#section-5.1
scope required	string See https://datatracker.ietf.org/doc/html/rfc6749#section-5.1

Request samples

Payload

Content type

application/json

Example

authorization_code

{"grant_type": "authorization_code",
"code": "string",
"client_id": "string",
"client_secret": "string",
"redirect_uri": "string",
"code_verifier": "string",
"scope": "string"
}

Response samples

200
400
401

Content type

application/json

{"access_token": "string",
"token_type": "string",
"refresh_token": "string",
"expires_in": 0,
"scope": "string"
}

Revoke a refresh token or access token.

Token revocation endpoint. When a user logs out the client should revoke the refresh token.

See: https://www.rfc-editor.org/rfc/rfc7009

Request Body schema:
application/json

token required	string The token that the client wants to get revoked. See https://www.rfc-editor.org/rfc/rfc7009#section-2.1
token_type_hint	string A hint about the type of the token submitted for revocation. See https://www.rfc-editor.org/rfc/rfc7009#section-2.1
client_id required	string Identifies the client that requests the access token. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3
client_secret required	string Identifies the client that requests the access token. See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3

Responses

Request samples

Payload

Content type

application/json

{"token": "string",
"token_type_hint": "string",
"client_id": "string",
"client_secret": "string"
}

Response samples

400
401

Content type

application/json

{"error": "invalid_request",
"error_description": "string",
"error_uri": "string"
}

OAuth2 token introspection endpoint

OAuth2 token introspection endpoint, according to RFC-7662: https://datatracker.ietf.org/doc/html/rfc7662

Request Body schema:
application/x-www-form-urlencoded

token required	string
token_type_hint	string

Responses

Response Schema: application/json

Request samples

Payload

Content type

application/x-www-form-urlencoded

No sample

Response samples

200
400
401

Content type

application/json

Example

true

null

Truid - OAuth2 and OIDC API (1.0.0)

Starting point for a Sign authorization flow.

query Parameters

Responses

Response Schema: text/html

Starting point for Identity Verification authorization flow.

query Parameters

Responses

Response Schema: text/html

Starting point for Confirm Signup authorization flow.

query Parameters

Responses

Response Schema: text/html

Starting point for Login authorization flow.

query Parameters

Responses

Response Schema: text/html

Pushed Authorization Request for Identity Verification

Request Body schema: application/jsonapplication/x-www-form-urlencodedapplication/json

Responses

Response Schema: application/json

Request samples

Response samples

Pushed Authorization Request for Onboarding Session

Request Body schema: application/jsonapplication/x-www-form-urlencodedapplication/json

Responses

Response Schema: application/json

Request samples

Response samples

Pushed Authorization Request for Login Session

Request Body schema: application/jsonapplication/x-www-form-urlencodedapplication/json

Responses

Response Schema: application/json

Request samples

Response samples

Pushed Authorization Request for Sign Operation

Request Body schema: application/jsonapplication/x-www-form-urlencodedapplication/json

Responses

Response Schema: application/json

Request samples

Response samples

Request an access token.

Request Body schema: application/jsonapplication/x-www-form-urlencodedapplication/json

Responses

Response Schema: application/json

Request samples

Response samples

Revoke a refresh token or access token.

Request Body schema: application/jsonapplication/x-www-form-urlencodedapplication/json

Responses

Request samples

Response samples

OAuth2 token introspection endpoint

Request Body schema: application/x-www-form-urlencodedapplication/jsonapplication/x-www-form-urlencoded

Responses

Response Schema: application/json

Request samples

Response samples

Request Body schema:
application/json

Request Body schema:
application/json

Request Body schema:
application/json

Request Body schema:
application/json

Request Body schema:
application/json

Request Body schema:
application/json

Request Body schema:
application/x-www-form-urlencoded