Implementation Guidance
Data recipients need to retrieve an access token from the Token Endpoint to include in calls to the Get Data Holder Brands and Get Software Statement Assertion (SSA) APIs.

Private Key JWT client authentication is used to identify and authenticate the data recipient software product requesting the access token.

The data recipient software product must be in an ACTIVE state in order to be issued an access token by the Register.

The access token issued by the Register is valid for 5 minutes. The Register does not provide refresh tokens, so a new access token needs to be requested once the current access token expires.

The access token that is issued by the Register is bound to the client certificate that was used in the call to the Token Endpoint. The same client certificate must be used in the calls to the Get Data Holder Brands and Get Software Statement Assertion (SSA) APIs to satisfy Holder of Key requirements.

The Register will verify the client certificate used in the request against the list of client certificates that have been issued to the software product, responding with an error if no matches are found.
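
One way a data recipient client can handle the 5-minute lifetime, the absence of refresh tokens and the certificate binding described above. This is an added example, not code from the Register or this page. `RegisterTokenCache`, `request_token` and the 30-second renewal margin are assumptions; `access_token` and `expires_in` are the standard OAuth 2.0 token response fields.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Optional

TOKEN_LIFETIME_S = 300  # from the page: access tokens are valid for 5 minutes
EXPIRY_MARGIN_S = 30    # assumption: renew early to absorb clock skew and latency


def cert_thumbprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the DER-encoded client certificate."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class CachedToken:
    token: str
    expires_at: float
    thumbprint: str  # certificate presented when the token was issued


class RegisterTokenCache:
    """Reuses a token only while it is unexpired and the certificate is unchanged."""

    def __init__(self, request_token: Callable[[bytes], dict],
                 clock: Callable[[], float] = time.monotonic):
        # request_token(cert_der) is hypothetical: it performs the Private Key JWT
        # call to the Token Endpoint, presenting that client certificate, and
        # returns the parsed JSON token response.
        self._request_token = request_token
        self._clock = clock
        self._cached: Optional[CachedToken] = None

    def get(self, cert_der: bytes) -> str:
        now, thumb = self._clock(), cert_thumbprint(cert_der)
        c = self._cached
        if c and c.thumbprint == thumb and now < c.expires_at - EXPIRY_MARGIN_S:
            return c.token
        # Expired, or a different certificate is in use (e.g. after rotation).
        # There is no refresh token, so make a full Token Endpoint request.
        resp = self._request_token(cert_der)
        lifetime = min(int(resp.get("expires_in", TOKEN_LIFETIME_S)), TOKEN_LIFETIME_S)
        self._cached = CachedToken(resp["access_token"], now + lifetime, thumb)
        return self._cached.token
```

Pass the same `cert_der` to `get()` that the HTTP client presents on the subsequent API call, so a token is never sent with a certificate other than the one it was issued against.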