The Authorisation API is a core EBSI service responsible for managing access to the protected EBSI services. Legal entities must present valid Verifiable Authorisations or Verifiable Accreditations in the form of Verifiable Presentations to get a short-lived access token with a lifetime of 2 hours. Access tokens have a limited scope according to the Legal Entity's authorisations. Users receive access tokens after they present a valid EBSI Verifiable Credential and prove ownership over their DID. There is one exception to this rule, during the onboarding process: since the user does not yet have ownership over a DID, they are only required to present a VerifiableAuthorisationToOnboard in this case.
The following capabilities are used:
- Authorisation Server discovery through the /.well-known/openid-configuration endpoint
- OpenID for Verifiable Presentation capabilities (v0.14)
- OIDC capabilities (v1.0)
The EBSI Platform distinguishes between identified and anonymous users. The two types of users have different sets of intents. Identified users are legal entities who are using the trusted registries (DID registry and Trusted Issuer Registry). Anonymous users can only read public information, so they can call all the REST endpoints, but not the JSON-RPC endpoints.
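A client can check what it receives from the Authorisation Server before using it. The following is an added example, not EBSI code: it validates a discovery document and a token response against the 2-hour lifetime and limited scope described above. The host name, scope names, same-host policy and sample documents are assumptions constructed for illustration; the field names are the standard OIDC Discovery and OAuth 2.0 ones.

```python
from urllib.parse import urlsplit

MAX_LIFETIME_S = 2 * 60 * 60  # the 2-hour access token lifetime stated above
DISCOVERY_PATH = "/.well-known/openid-configuration"

# Constructed sample data; host and scope names are placeholders.
ISSUER = "https://auth.example.test/authorisation"
SAMPLE_METADATA = {"issuer": ISSUER, "token_endpoint": ISSUER + "/token"}
SAMPLE_TOKEN_RESPONSE = {"access_token": "placeholder", "token_type": "Bearer",
                         "expires_in": 7200, "scope": "openid example_read"}


def discovery_url(issuer: str) -> str:
    return issuer.rstrip("/") + DISCOVERY_PATH


def check_discovery(expected_issuer: str, metadata: dict) -> list:
    """Return the problems found in a fetched discovery document."""
    problems = []
    if metadata.get("issuer") != expected_issuer:
        problems.append("issuer mismatch")
    endpoint = metadata.get("token_endpoint")
    if not endpoint:
        return problems + ["token_endpoint missing"]
    got, want = urlsplit(endpoint), urlsplit(expected_issuer)
    if got.scheme != "https":
        problems.append("token_endpoint is not https")
    if got.netloc != want.netloc:  # assumed client policy: same host as issuer
        problems.append("token_endpoint on a different host")
    return problems


def check_token_response(requested_scope: str, response: dict) -> list:
    """Return the problems found in a token response."""
    problems = []
    expires_in = response.get("expires_in")
    if type(expires_in) is not int or expires_in <= 0:
        problems.append("expires_in missing or invalid")
    elif expires_in > MAX_LIFETIME_S:
        problems.append("lifetime exceeds 2 hours")
    # RFC 6749: an omitted scope means the requested scope was granted as-is.
    granted = set(response.get("scope", requested_scope).split())
    if granted - set(requested_scope.split()):
        problems.append("unrequested scope granted")
    return problems


if __name__ == "__main__":
    print(discovery_url(ISSUER))
    print(check_discovery(ISSUER, SAMPLE_METADATA))
    print(check_token_response("openid example_read", SAMPLE_TOKEN_RESPONSE))
```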
For more information see:
- CLI Tool page: Test the capabilities using the EBSI CLI tool