Skip to main content
European CommissionEBSI European Blockchain
Get Help
Select the Environment you want to work withEnvironment:
warning icon

This API is being released as part of an upcoming version.

The upcoming version is not backward compatible with the current stable version. You can find the details of the upcoming release and affected endpoints in the change log. Please contact eu-ebsi@ec.europa.eu if this upcoming release might cause a high impact on either an ongoing development or a piloting demonstration.

Token endpoint

Last updated on 
POST 
/conformance/v4/auth-mock/token

The client proceeds with the code flow, and calls the Token Endpoint with the required details and signs client_assertion JWT with client's private keys, which public key counterparts are resolvable through jwks_uri or is in the Client Metadata shared in the pre-registration step.

Request

Body

    grant_type Grant Typerequired

    Possible values: [authorization_code, urn:ietf:params:oauth:grant-type:pre-authorized_code]

    MUST have the value 

    authorization_code
    or 
    urn:ietf:params:oauth:grant-type:pre-authorized_code

    client_id URL

    REQUIRED when 

    grant_type
    is 
    authorization_code
    .

    OAuth 2.0 Client Identifier valid at the Authorization Server.

    Verifiable Accreditation Issuance: MUST be URL of the issuer requesting the accreditation that was registered with the Accreditation Issuer

    code Authorisation Code

    REQUIRED when 

    grant_type
    is 
    authorization_code
    .

    An opaque value that can be used to redeem tokens from the token endpoint.

    code
    is returned if the 
    response_type
    includes 
    code
    . The code has a lifetime of 300 seconds. It MUST match the value from the authentication response.

    client_assertion_type Client Assertion Type

    The format of the assertion as defined by the authorization server. The value will be an absolute URI.

    code_verifier Code Verifier

    Wallet generated secure random token, used to validate the original 

    code_challenge
    provided in initial Authorisation Request.

    pre-authorized_code Pre-authorized code

    CONDITIONAL. The code representing the authorization to obtain Credentials of a certain type. This parameter is required if the 

    grant_type
    is 
    urn:ietf:params:oauth:grant-type:pre-authorized_code
    . In WCT v4 Holder wallet tests, the code corresponds to the string concatenation of the last 4 bytes (modulo 10) of the sha256 hash of the user DID. Example: the code corresponding to the DID 
    did:key:z2dmzD81cgPx8Vki7JbuuMmFYrWPgYoytykUZ3eyqht1j9KbsDbVZXdb3jzCagESyY4EE2x7Yjx3gNwctoEuRCKKDrdNP3HPFtG8RTvBiYStT5ghBHhHizH2Dy6xQtW3Pd2SecizL9b2jzDCMr7Ka5cRAWZFwvqwAtwTT7xet769y9ERh6
    is "5910".

    user_pin User PIN

    OPTIONAL. String value containing a user PIN. This value MUST be present if 

    user_pin_required
    was set to 
    true
    in the Credential Offer. The string value MUST consist of maximum 8 numeric characters (the numbers 0 - 9). This parameter MUST only be used if the 
    grant_type
    is 
    urn:ietf:params:oauth:grant-type:pre-authorized_code
    .

Responses

OK

Schema
    access_token JWSrequired

    The access token issued by the authorization server.

    The Access Token MUST be signed by the authorisation server.

    id_token JWSrequired

    The ID token issued by the authorization server.

    token_type Token Typerequired

    Possible values: [bearer]

    The access token type provides the client with the information required to successfully utilize the access token to make a protected resource request (along with type-specific attributes).

    expires_in Expires inrequired

    The lifetime in seconds of the access token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated.

    Lifetime must be 86400 seconds.

    c_nonce Challenge Noncerequired

    JSON string containing a nonce to be used to create a proof of possession of key material when requesting a Credential (see Section 7.2 of OpenID for VCI). When received, the Wallet MUST use this nonce value for its subsequent credential requests until the Credential Issuer provides a fresh nonce.

    c_nonce_expires_in Challenge Nonce expires inrequired

    The lifetime in seconds of the c_nonce token. For example, the value "3600" denotes that the access token will expire in one hour from the time the response was generated.

Loading...