POST /authorisation/v2/siop-sessions
Session Token endpoint as the callback for DID SIOP Response.
Request
- application/x-www-form-urlencoded
Body (required)
The request body must contain an ID Token (parameter name: id_token) and, optionally, a VP token (as vp_token; only for onboarding).
The ID Token should be a JWT.
Its header must contain the signer's kid (e.g. "kid": "did:ebsi:zbM8cCuoBMFNLeQyLiVFyxw#keys-1").
The ID Token payload must contain the following fields:
- aud: the URL of the /siop-sessions endpoint, e.g. "https://api-conformance.ebsi.eu/authorisation/v2/siop-sessions"
- sub: the subject
- sub_jwk: the JWK used to sign the JWT
- nonce: a random UUID
- claims:
  - encryption_key: public key used to encrypt the response
- responseMode: should be "form_post"
- iss: should be "https://self-issued.me/v2"
- _vp_token: only if the request also contains a VP token.
  - presentation_submission: a VP submission object (https://identity.foundation/presentation-exchange/spec/v2.0.0/#presentation-submission).
Here's an example of a valid presentation_submission:
"presentation_submission": {
  "id": "237b0eec-0b7e-4a16-b3bc-bdd42f57b86b",
  "definition_id": "b5c07e84-55f6-48e1-a531-3608d26fc336",
  "descriptor_map": [
    {
      "id": "6f43bcea-da4b-4e45-ac2c-25307d6dfe34",
      "format": "jwt_vp",
      "path": "$",
      "path_nested": {
        "id": "onboarding-input-id",
        "format": "jwt_vc",
        "path": "$.vp.verifiableCredential[0]"
      }
    }
  ]
}
The associated vp_token is a Verifiable Presentation JWT.
- id_token: JWS compact serialised ID Token
- vp_token: A Verifiable Presentation JWT. Only for onboarding.
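A pre-flight check for the ID Token requirements listed above, as an added Python example (not EBSI's code). It checks structure only and does not verify the signature; the function names, the sample values, and the placement of presentation_submission inside _vp_token are assumptions.

```python
import base64
import json
import re

AUD = "https://api-conformance.ebsi.eu/authorisation/v2/siop-sessions"  # from the page
ISS = "https://self-issued.me/v2"  # from the page
UUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def encode_segment(obj):
    """Encode a dict as one unpadded base64url JWT segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def decode_segment(segment):
    """Decode one segment (padding restored); ValueError unless a JSON object."""
    obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def preflight_id_token(id_token, vp_token=None, aud=AUD):
    """Return the documented requirements the token misses. Signature NOT verified."""
    try:
        head, body, _sig = id_token.split(".")  # ValueError unless exactly 3 segments
        header, body = decode_segment(head), decode_segment(body)
    except ValueError:
        return ["id_token is not a compact JWS with JSON header and payload"]
    claims, vp_claim = body.get("claims"), body.get("_vp_token")
    enc_key = claims.get("encryption_key") if isinstance(claims, dict) else None
    checks = {  # message -> True when the requirement is met
        "header.kid missing": bool(header.get("kid")),
        "aud is not this endpoint": body.get("aud") == aud,
        "iss is not " + ISS: body.get("iss") == ISS,
        "responseMode is not form_post": body.get("responseMode") == "form_post",
        "sub missing": bool(body.get("sub")),
        "sub_jwk is not a JWK object": isinstance(body.get("sub_jwk"), dict),
        "nonce is not a UUID": UUID_RE.fullmatch(str(body.get("nonce"))) is not None,
        "claims.encryption_key missing": bool(enc_key),
        "vp_token sent without _vp_token.presentation_submission":
            not vp_token or (isinstance(vp_claim, dict) and "presentation_submission" in vp_claim),
        "_vp_token present without a vp_token": bool(vp_token) or vp_claim is None,
    }
    return [message for message, ok in checks.items() if not ok]

# Constructed, unsigned sample: placeholder keys, nonce and signature.
SAMPLE_PAYLOAD = {"aud": AUD, "iss": ISS, "responseMode": "form_post", "sub": "sample-subject",
                  "sub_jwk": {"kty": "EC"}, "claims": {"encryption_key": {"kty": "EC"}},
                  "nonce": "00000000-0000-4000-8000-000000000001"}
SAMPLE = ".".join((encode_segment({"alg": "ES256K", "kid": "did:ebsi:zbM8cCuoBMFNLeQyLiVFyxw#keys-1"}),
                   encode_segment(SAMPLE_PAYLOAD), "c2ln"))
```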
Responses
200: Success
- application/json
Schema
- ake1_enc_payload: Encrypted payload with user's public key
- ake1_jws_detached: Detached JWS of AKE1 Signing Payload
- ake1_sig_payload: object
  - ake1_enc_payload: Encrypted payload with user's public key
  - ake1_nonce: Nonce used during the authentication process
  - did: API DID
  - iat: Issued at
  - exp: Expires
  - iss: Issuer (Authorisation API)
- kid: API KID
Example: Encrypted access token
{
  "ake1_enc_payload": "...",
  "ake1_sig_payload": {
    "iat": 1672841881,
    "exp": 1672842781,
    "ake1_nonce": "53a6e914-ef94-412b-b226-82da24be3dd9",
    "ake1_enc_payload": "...",
    "did": "did:ebsi:zbM8cCuoBMFNLeQyLiVFyxw",
    "iss": "authorisation-api_pilot-temp-01"
  },
  "ake1_jws_detached": "eyJhbGciOiJFUzI1NksiLCJ0eXAiOiJKV1QiLCJraWQiOiJodHRwczovL2FwaS1waWxvdC5lYnNpLmV1L3RydXN0ZWQtYXBwcy1yZWdpc3RyeS92My9hcHBzL2F1dGhvcmlzYXRpb24tYXBpX3BpbG90LXRlbXAtMDEifQ..bJ5gwcsgYcRTpMAJYpkUPGSYA962eioQ94Yju7buVGneuCCmelxWH-ZhKxMf7RolebgdVrrnNIIhdTZLJ8NpMw",
  "kid": "https://api-conformance.ebsi.eu/trusted-apps-registry/v3/apps/authorisation-api_pilot-temp-01"
}
400: Bad Request
- application/problem+json
Schema
- type: An absolute URI that identifies the problem type. When dereferenced, it SHOULD provide human-readable documentation for the problem type. Default value: about:blank
- title: A short summary of the problem type.
- status: The HTTP status code generated by the origin server for this occurrence of the problem. Possible values: >= 400 and <= 600
- detail: A human readable explanation specific to this occurrence of the problem.
- instance: An absolute URI that identifies the specific occurrence of the problem. It may or may not yield further information if dereferenced.
Example: Bad Request
{
  "title": "Bad Request",
  "status": 400,
  "detail": "Bad request."
}
Example: Token Expired
{
  "title": "Token Expired",
  "status": 400,
  "detail": "The token has expired."
}
Example: Issuer Not Found
{
  "title": "Issuer Not Found",
  "status": 400,
  "detail": "Issuer not found in the trusted apps registry."
}
500: Internal Error
- application/problem+json
Schema
- type: An absolute URI that identifies the problem type. When dereferenced, it SHOULD provide human-readable documentation for the problem type. Default value: about:blank
- title: A short summary of the problem type.
- status: The HTTP status code generated by the origin server for this occurrence of the problem. Possible values: >= 400 and <= 600
- detail: A human readable explanation specific to this occurrence of the problem.
- instance: An absolute URI that identifies the specific occurrence of the problem. It may or may not yield further information if dereferenced.
Example: Internal Server Error
{
  "title": "Internal Server Error",
  "status": 500,
  "detail": "The server encountered an internal error and was unable to process your request."
}