This guide explains how to authorise new entities to create documents in the Track and Trace service. This operation is restricted to the Support Office and other administrators who have the TNT:authoriseDid attribute defined in the Trusted Policies Registry.

Prerequisites

Before starting this process, ensure you have:

1. Support Office credentials with appropriate permissions
2. TNT:authoriseDid attribute defined in the Trusted Policies Registry
3. Node.js v22 installed on your system
4. Hardware wallet setup (recommended for security) - see Hardware Wallet Setup

note

This operation is restricted to Support Office and administrators with the TNT:authoriseDid attribute. Regular users cannot perform this operation.

Step 1: Load Support Office Credentials

Load the keys of the Support Office:

Command

==> using user ES256K did1 <SUPPORT_OFFICE_PRIVATE_KEY_ES256K> <SUPPORT_OFFICE_DID>
==> using user ES256 did1 <SUPPORT_OFFICE_PRIVATE_KEY_ES256> <SUPPORT_OFFICE_DID>

Now connect the wallet with the pilot environment:

Command

==> env pilot

Step 2: Issue VC to Onboard

Issue a verifiable credential to onboard the Support Office to the Track and Trace service:

Command

==> vc: run issueVcOnboard user.did

note

The CLI will automatically use user.did (the DID of the currently loaded user) for this command.

Output - value saved in 'vc'

eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImRpZDplYnNpOnpnVUIxcDJ6Tm1HdHltVXd6SHJ4aDI0I05QWFVERm5vbDlqTWhxVkI5aVc5R3BNeWNPQl9SWmdFWlUweTBNZDVlZncifQ.eyJpYXQiOjE3NTcwNjgwOTgsImp0aSI6InVybjp1dWlkOmNlMjgwZjQ2LWFhZDktNDkzOC1hMDRhLWJhZjlmMzg0N2M0MCIsIm5iZiI6MTc1NzA2ODA5OCwiZXhwIjoxOTE0NzQ4MDk4LCJzdWIiOiJkaWQ6ZWJzaTp6Z1VCMXAyek5tR3R5bVV3ekhyeGgyNCIsImlzcyI6ImRpZDplYnNpOnpnVUIxcDJ6Tm1HdHltVXd6SHJ4aDI0IiwidmMiOnsiQGNvbnRleHQiOlsiaHR0cHM6Ly93d3cudzMub3JnLzIwMTgvY3JlZGVudGlhbHMvdjEiXSwiaWQiOiJ1cm46dXVpZDpjZTI4MGY0Ni1hYWQ5LTQ5MzgtYTA0YS1iYWY5ZjM4NDdjNDAiLCJ0eXBlIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIiwiVmVyaWZpYWJsZUF0dGVzdGF0aW9uIiwiVmVyaWZpYWJsZUF1dGhvcmlzYXRpb25Ub09uYm9hcmQiXSwiaXNzdWVyIjoiZGlkOmVic2k6emdVQjFwMnpObUd0eW1Vd3pIcnhoMjQiLCJpc3N1YW5jZURhdGUiOiIyMDI1LTA5LTA1VDEwOjI4OjE4WiIsImlzc3VlZCI6IjIwMjUtMDktMDVUMTA6Mjg6MThaIiwidmFsaWRGcm9tIjoiMjAyNS0wOS0wNVQxMDoyODoxOFoiLCJleHBpcmF0aW9uRGF0ZSI6IjIwMzAtMDktMDRUMTA6Mjg6MThaIiwiY3JlZGVudGlhbFN1YmplY3QiOnsiaWQiOiJkaWQ6ZWJzaTp6Z1VCMXAyek5tR3R5bVV3ekhyeGgyNCIsImFjY3JlZGl0ZWRGb3IiOltdfSwidGVybXNPZlVzZSI6eyJpZCI6Imh0dHBzOi8vYXBpLXRlc3QuZWJzaS5ldS90cnVzdGVkLWlzc3VlcnMtcmVnaXN0cnkvdjUvaXNzdWVycy9kaWQ6ZWJzaTp6Z1VCMXAyek5tR3R5bVV3ekhyeGgyNC9hdHRyaWJ1dGVzL2VlNWU0MWNiMTdmYTY5YjYxZmRhNjVjMDNkMmY3ZDExMTcyNzI5YzdmODU1OWE1MWI1ZWVlY2QyMWZkYjk1ZTEiLCJ0eXBlIjoiSXNzdWFuY2VDZXJ0aWZpY2F0ZSJ9LCJjcmVkZW50aWFsU2NoZW1hIjp7ImlkIjoiaHR0cHM6Ly9hcGktdGVzdC5lYnNpLmV1L3RydXN0ZWQtc2NoZW1hcy1yZWdpc3RyeS92My9zY2hlbWFzL3pINzRNS2tZVGJRNlpmVHh1Zmk2QTNBdzhnaVM0cGlHbThkcGd4Rm1rSmptdSIsInR5cGUiOiJGdWxsSnNvblNjaGVtYVZhbGlkYXRvcjIwMjEifX19.G0EH2mW0mpQbwLhsKkldw8xi8VvovNO7UVRRYkCkGRVaRUR7ZYaczF-OAfqze-z8S6j8ZZM4-WDn_iF75ZfbuA

Step 3: Get Access Token

Get an access token from the authorisation API for the tnt_authorise scope:

Command

==> t: authorisation auth tnt_authorise_presentation ES256K vc
==> using token t.access_token

note

The CLI will automatically use the values from the loaded variables:

• vc: The verifiable credential created in Step 2
• t.access_token: The access token returned from the authorisation API

Output - value saved in 't'

{
  "access_token": "eyJhbGciOiJFUzI1NiIsImtpZCI6ImhjcHhRMnhMOG5jWEtCOVNvRWdXMkltaUdfNFdSNU5YSnZRX1BHdUhPNWsiLCJ0eXAiOiJKV1QifQ.eyJpYXQiOjE3NTcwNjgxMzcsImV4cCI6MTc1NzA3NTMzNywiYXVkIjoiaHR0cHM6Ly9hcGktdGVzdC5lYnNpLmV1L2F1dGhvcmlzYXRpb24vdjQiLCJqdGkiOiIxNDdjNzU0Zi0yNDg2LTQzYWQtODc4NC00NjkyMThlMmQ1YTYiLCJzY3AiOiJvcGVuaWQgdG50X2F1dGhvcmlzZSIsInN1YiI6ImRpZDplYnNpOnpnVUIxcDJ6Tm1HdHltVXd6SHJ4aDI0IiwiaXNzIjoiaHR0cHM6Ly9hcGktdGVzdC5lYnNpLmV1L2F1dGhvcmlzYXRpb24vdjQifQ.VrBi8dBrE0pZrCNFIZs98AeKx_5Cc9aR1NdaIQBql2PNawf24F96sFHrbQuJEFWXZdNX3_rHhXcQzOs-CDQIcg",
  "token_type": "Bearer",
  "expires_in": 3600
}

Step 4: Authorise Entity in Track and Trace

Register the new entity as a document creator in the Track and Trace API:

Command

==> tnt authoriseDid user.did <LEGAL_ENTITY> true

note

Replace <LEGAL_ENTITY> with the actual DID of the legal entity you want to authorise as a document creator.

Output

{
  "senderDid": "did:ebsi:zgUB1p2zNmGtymUwzHrxh24",
  "authorisedDid": "did:ebsi:zrpaCYAKLX3LTnhrj11DEp2",
  "whiteList": true
}

Verify the Authorisation

To verify that the entity has been properly authorised as a document creator:

Command

==> tnt head /accesses?creator=<LEGAL_ENTITY>

Status: 204 No Content
Body: (empty)

note

A successful response with status 204 and empty body indicates that the entity is properly authorised as a document creator.

Revoke Authorisation (Optional)

If you need to revoke the authorisation of an entity:

Command

==> tnt authoriseDid user.did <LEGAL_ENTITY> false

note

Replace <LEGAL_ENTITY> with the actual DID of the legal entity you want to revoke authorisation for.

Congratulations!

You have successfully authorised a new entity to create documents in the Track and Trace service. The entity can now use the Track and Trace API to create and manage documents.

Key Points

• Restricted Operation: Only Support Office and administrators with TNT:authoriseDid attribute can perform this operation
• Access Token Required: The operation requires a valid access token with tnt_authorise scope
• Reversible: Authorisations can be revoked by setting the authorisation to false

Related Documentation

• Track and Trace API: Complete API reference
• Authorisation API: Authentication and token management
• Hardware Wallet Setup: Secure key management
• CLI Commands: Complete command reference