SHAKEN Policy Administrator
External API Specification
Release 1.4
iconectiv System Documentation
STI-PA-US-API-001
Issue 3
April 2020
iconectiv STI-PA External API Document
STI-PA-US-API-001
Copyright 2020 iconectiv, LLC.
All rights Reserved.
January 2020 Page ii
Trademark Acknowledgments
♦ iconectiv® is a registered trademark of iconectiv, LLC.
♦ All brand or product names are trademarks of their respective companies or organizations.
Technical Contact:
Product Support
productsupport@iconectiv.com
1-800-458-4826
Table of Contents
About This Document……………………………………………………………………………………………….. 1
Document Overview ………………………………………………………………………………………………… 1
Related Documentation ……………………………………………………………………………………………. 1
Change History……………………………………………………………………………………………………….. 2
Chapter 1 STI-PA Overview……………………………………………………………………………………….. 3
Chapter 2 API Interface Description …………………………………………………………………………… 4
2.1 Interface Type……………………………………………………………………………………………………. 4
2.2 Setting up API Access for an Account……………………………………………………………………. 5
2.3 Authentication……………………………………………………………………………………………………. 5
2.4 Common API Validations…………………………………………………………………………………….. 5
2.4.1 API Endpoint Validations ………………………………………………………………………………………………. 5
2.4.2 Standard Response Message Structure………………………………………………………………………….. 7
2.5 API Invocation Rate……………………………………………………………………………………………. 7
Chapter 3 HTML File Attachment……………………………………………………………………………….. 8
3.1 Open Attachment……………………………………………………………………………………………….. 8
3.2 Save Attachment ……………………………………………………………………………………………….. 8
Chapter 4 Message Codes…………………………………………………………………………………………. 9
Chapter 5 API Examples……………………………………………………………………………………………11
5.1 Login Request: ………………………………………………………………………………………………….11
5.2 Logout Request: ………………………………………………………………………………………………..12
5.3 Refresh Token Request:……………………………………………………………………………………..12
5.4 STIPA Public Certificate Request: ………………………………………………………………………..13
5.5 CRL Request: ……………………………………………………………………………………………………14
5.6 CA List Request:………………………………………………………………………………………………..14
5.6.1 JWT Header (base64url encoded)…………………………………………………………………………………15
5.6.2 JWT Payload (base64url encoded) ……………………………………………………………………………….15
5.6.3 JWT Signature (base64url encoded) ……………………………………………………………………………..15
5.7 SPC Token Request: ………………………………………………………………………………………….15
5.7.1 JWT Header (base64url encoded)…………………………………………………………………………………16
5.7.2 JWT Payload (base64url encoded) ……………………………………………………………………………….16
5.7.3 JWT Signature (base64url encoded) ……………………………………………………………………………..17
About This Document
Document Overview
This document provides a description of the Policy Administrator external APIs that should be used by Certification Authorities and Service Providers participating in the STIR/SHAKEN ecosystem. These APIs are based primarily on the framework outlined in [ATIS-1000080] and [ATIS-1000084] and provide the means for the retrieval of:
♦ List of trusted STI-CAs
♦ Assigned Service Provider Code Tokens with the URL to the Certificate Revocation List (CRL)
♦ STI-PA issued Certificate Revocation List
♦ STI-PA Public Certificates, necessary to validate the digital signatures provided in the various responses
Contents of this document include:
1. Overview of the STI-PA system
2. API Interface Description: list of the APIs, user authentication, overview of API endpoint validations and error handling
3. How to download and view the API specification html file attached to this document
4. Message Codes
Related Documentation
The specification for the STI-PA APIs is contained in the html file “STI-PA API Specification Draft B.html” and the “STI-PA API Swagger Draft B.yaml” attached to this pdf document. See the instructions to open or save the files in Chapter 3.
Contents of the attached API specification include:
• Accessing the STI-PA system – Login and Logout
• Refreshing an Access Token
• Requesting the STI Certification Authorities Trust List
• Requesting the STI Policy Administrator Public Certificates
• Requesting the Certificate Revocation List
• Requesting a Service Provider Code Token
It is recommended that the information provided in the PDF document be used in conjunction with the html/yaml documents when implementing the API interface.
Change History
Issue No. | Date | Revised By | Description of Change | Section(s)/Page(s)
Issue 2 | 01-16-2020 | F. Postigo | Added a new error code for a scenario where a user invokes the Login API, but for which the Account Agreement has not yet been accepted | Section 4
Issue 2 | 01-16-2020 | F. Postigo | Updated the atc claim to be a JSON object with the four new elements defined in draft-ietf-acme-authority-token-tnauthlist-05 (tktype, tkvalue, ca and fingerprint) | HTML and yaml attachments as well as Section 5.7
Issue 2 | 01-16-2020 | F. Postigo | Updated examples with the updated order of the tag/value pairs in the JSON API responses | Section 5
Issue 4 | 04-15-2020 | F. Postigo | Updated section 2.3 to correctly state that the accessToken, generated as a result of a Login or Refresh token API call, is valid for 1 hour | Section 2.3
Issue 4 | 04-15-2020 | F. Postigo | Noted that the field definitions associated with the main APIs requests and responses are documented within the ATIS specifications and IETF reference documents within those, and that such definitions are not within the scope of this document | Section 2
Issue 4 | 04-15-2020 | F. Postigo | Added a new section to provide guidance on typical API invocation rates | Section 2.5
Issue 4 | 04-15-2020 | F. Postigo | Updated the atc definition in the JWT Payload of the SPC Token Request API examples to include tktype and tkvalue | Section 5.7.2
Chapter 1 STI-PA Overview
The SHAKEN PKI model is an inter-domain model with the STI Policy Administrator (STI-PA) serving as the Trust Authority for the PKI. The Policy Administrator maintains a list of the root certificates of the STI-CAs that have been approved to issue certificates in the SHAKEN ecosystem. Similarly, Service Provider Code Tokens are issued by the STI-PA only to those Service Providers that have been previously vetted to participate. The STI-PA also maintains a Certificate Revocation List based on revoked certificates submitted by either Service Providers or Certification Authorities. iconectiv® Policy Administrator is a web-based application that provides real-time access to these resources. In order to support the distribution of this information, the Policy Administrator provides a secure method to access its HTTPS-based APIs. For a subset of the APIs, this includes the use of an STI-PA-defined secret that is used in the HTTP Authorization header of each request to the STI-PA.
The service is limited to Service Providers and Certification Authorities that comply with the policies and procedures defined by the STI-GA and enforced by the STI-PA. The diagram below depicts the various types of Policy Administrator’s interfaces; however, the scope of this document is limited to the RESTful APIs supported by the application.
Chapter 2 API Interface Description
This section provides a description of the APIs that provide external access to the STI-PA system.
The STI-PA APIs support the following functions:
• The login API allows an external user to start an API session, when required, in order to send external API calls to the STI-PA system. When credentials are valid, an access token and refresh token are returned.
• The logout API is used to end an active API session and invalidate the access token and refreshToken.
• The refreshToken API is used to obtain a new access token and refresh token.
• The crl API is used by Service Providers to retrieve the latest Certificate Revocation List available. This list is defined based on the revoked certificates submitted by either Service Providers or Certification Authorities. This API does not require an Access Token in the Authorization Header.
• The sticaList API is used by Service Providers to retrieve the root certificates from participating STI Certification Authorities. Note that the definitions of the trustList and the other fields in this API’s response are given in the ATIS-1000084 specification and its associated errata; those definitions are outside the scope of this specification.
• The stipaCertificate API is used by Certification Authorities and Service Providers to retrieve the Public Certificates from the STI-PA necessary to validate the digital signatures of the various API responses. This API does not require an Access Token in the Authorization Header.
• The spcToken API is used by Service Providers to request the assignment of an SPC Token, which the Service Provider then presents to an approved Certification Authority in order to have STI certificates issued to it. Note that the definitions of the atc claim, the TNAuthList constructs and the other fields used in this API’s request and response are given in the ATIS-1000080.v002 specification and the documents it references; those definitions are outside the scope of this specification.
2.1 Interface Type
The RESTful Web Service has been chosen as the interface for the STI-PA APIs. The JSON (JavaScript Object Notation) format is used for data representation for this interface unless otherwise specified for the particular API. TN data will be exchanged using the HTTPS protocol.
The STI-PA APIs were documented using the Swagger™ Editor. The API specification file from Swagger and the HTML document generated from it are attached to this PDF document (see Chapter 3). For your convenience, the generated client includes all language types supported via Swagger-Codegen, but note that not all clients have been tested.
2.2 Setting up API Access for an Account
In order to access the STI-PA system via the external API, the customer must have an STI-PA account with one or more users defined with the “API” role. Note that connectivity established via ACLs or VPN must have been previously configured and tested. The API users:
• must have a valid email address
• are subject to the system password expiration limits
• can log into the STI-PA UI to update the profile or reset the password.
Initial testing of the external API will be done in the Production environment, but any testing subsequent to Go Live shall be performed on the staging environment.
2.3 Authentication
For those APIs that require authentication, the login API allows an external user to start an API session in order to send external API calls to the STI-PA system. When the login request is sent and credentials are valid, an access token and refresh token are generated and returned in the response. The external user then provides the access token in the request header of subsequent API calls as the source of authentication.
♦ The HTTP header ‘Authorization’ must be present for each spcToken and sticaList API call or the request will be rejected.
♦ An access token expires after 1 hour and will cause a session timeout. The token also expires when a logout is received. Once the access token expires, a new session can be started by sending a new login request, or by using the refresh token in the refreshToken API to obtain a new access token (with another 1 hour validity) until the refresh token expires (90 days).
• Note: the expiration time of the token is contained in the token generated at login and can be read by the client by parsing the token.
• Note: if the external application is issuing request calls periodically, a logout is not required after every request as the access token is valid for 1 hour.
♦ If a login request is sent with an invalid user name or password, the request will be rejected.
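As an added example (not part of this specification or of iconectiv’s code), a Go client-side scheduler for the token lifecycle described above: it reads the exp claim from the accessToken, as the note permits, and decides whether to reuse it, call refreshToken, or log in again. The refreshToken in the Chapter 5 examples is a five-segment JWE (its header decodes to alg RSA-OAEP, enc A256GCM), so its expiry cannot be read by the client and is tracked from the time it was issued; Session, NextAction, demoToken and the two duration constants are this example’s own names, and demoToken builds a constructed, unsigned stand-in for the real RS256 accessToken.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

const (
	refreshLifetime = 90 * 24 * time.Hour // refresh token validity per Section 2.3
	renewMargin     = 2 * time.Minute     // renew a little early to absorb clock skew
)

// Action is what the client must do before its next spcToken or sticaList call.
type Action string

const (
	Reuse   Action = "reuse"   // accessToken still valid: send it in the Authorization header
	Refresh Action = "refresh" // accessToken expired, refreshToken alive: call /auth/refreshToken
	Login   Action = "login"   // refreshToken expired (or no usable session): call /auth/login
)

// Session holds the pair returned by /auth/login or /auth/refreshToken. The refreshToken
// is encrypted (a JWE), so the client cannot read an expiry from it; RefreshIssued records
// when it was obtained and the 90-day lifetime is counted from there.
type Session struct {
	AccessToken   string
	RefreshToken  string
	RefreshIssued time.Time
}

// accessTokenExpiry reads the "exp" claim of the accessToken (a three-segment JWS).
// No signature check is needed for scheduling: the STI-PA verifies the token on every
// request; the client only decides when to renew.
func accessTokenExpiry(token string) (time.Time, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return time.Time{}, errors.New("accessToken is not a three-segment JWS")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1]) // base64url, no padding
	if err != nil {
		return time.Time{}, fmt.Errorf("decode payload: %w", err)
	}
	var claims struct {
		Exp int64 `json:"exp"`
	}
	if err := json.Unmarshal(raw, &claims); err != nil || claims.Exp == 0 {
		return time.Time{}, errors.New("payload has no numeric exp claim")
	}
	return time.Unix(claims.Exp, 0), nil
}

// NextAction applies the Section 2.3 rules: reuse the accessToken while it is valid,
// refresh it while the 90-day refreshToken lives, and log in again only after that
// (or when the accessToken is unreadable and no refreshToken is usable).
func NextAction(s Session, now time.Time) Action {
	if exp, err := accessTokenExpiry(s.AccessToken); err == nil && now.Before(exp.Add(-renewMargin)) {
		return Reuse
	}
	if s.RefreshToken != "" && now.Before(s.RefreshIssued.Add(refreshLifetime)) {
		return Refresh
	}
	return Login
}

// demoToken builds a constructed, unsigned three-segment token with the given exp. It
// stands in for the RS256 accessToken the STI-PA returns; real tokens carry a signature.
func demoToken(exp time.Time) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"kid":"demo","alg":"RS256"}`))
	payload, _ := json.Marshal(map[string]int64{"exp": exp.Unix()})
	return hdr + "." + base64.RawURLEncoding.EncodeToString(payload) + ".sig"
}

func main() {
	now := time.Now()
	s := Session{AccessToken: demoToken(now.Add(time.Hour)), RefreshToken: "demo-refresh", RefreshIssued: now}
	fmt.Println("fresh login:", NextAction(s, now))                    // reuse
	fmt.Println("after 1h:", NextAction(s, now.Add(time.Hour)))        // refresh
	fmt.Println("after 91d:", NextAction(s, now.Add(91*24*time.Hour))) // login
}
```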
2.4 Common API Validations
2.4.1 API Endpoint Validations
This section describes the common validations that apply to the endpoint for all STI-PA APIs. The example URI below is used to identify the component parts of the endpoint that are referenced by the validations. (See the attached HTML document for the definitions of the endpoints)
        ____________________________ Endpoint ____________________________
       /                                                                  \
https://authenticate-api.iconectiv.com/api/v1/{parameter}
\_____/\____________________________/\______/\_________/
   |                 |                  |         |
 scheme             host              path   path parameter
                                                   value
2.4.1.1 Scheme
Supported schemes are: https.
2.4.1.2 Host
The domain name for STI-PA.
2.4.1.3 Path
The path is case sensitive.
If a request is made to an endpoint where the path does not match the documented case, an HTTP status 404 is returned to indicate the endpoint is not found.
• For example, if “v1” is documented, “V1” is not accepted.
Unrecognized/misspelled path
If a request is made to an endpoint where the path does not match the exact spelling of the documented path, an HTTP status 404 is returned to indicate the endpoint is not found.
• For example, if “parameter” is documented, then “parameters” is not accepted.
Note: for any unrecognized or misspelled path component before v1, an HTTP status 403 is returned to indicate the request is Forbidden.
Versioning
The API version number is embedded in the path following the API name. The version starts with “v” followed by the version number.
• In the example, /api/v1/ the “v1” represents the version number.
2.4.1.4 Path Parameter
Extra path parameter
If a request is made to an endpoint that contains additional path parameters an HTTP status 404 is returned to indicate the endpoint is not found.
• For example, if the {parameter} is documented then /parameter/1 is not accepted.
Missing required path parameter
If a request is made to an endpoint with a required path parameter and the path parameter value is missing, an HTTP status 404 is returned if the endpoint is not found. An HTTP status 403/404 is returned if the endpoint is found but the method type is not allowed on that endpoint.
• For example, the endpoint documented below requires the id in the path for the POST method. If the id is not present and the endpoint is not found for any method, 404 is returned.
https://authenticate.iconectiv.com/api/v1/account/:id/token
2.4.2 Standard Response Message Structure
The Standard Response Message Structure applies to the login, logout, refreshToken, ca-list and spcToken APIs. The JSON structure is composed of:
♦ status – indicates if the response is a failure or success message
♦ message – text to indicate success or describe the exception encountered
♦ errorCode – Optional numeric code used to identify the nature of the exception when status is error
2.5 API Invocation Rate
The frequency with which the APIs shall be invoked depends on the STIPA API for which the request is being sent.
♦ For the Login or Refresh Token APIs, the frequency with which these shall be invoked is dependent on those APIs that require the Authorization HTTP header (i.e. spcToken and sticaList APIs).
♦ The frequency with which SPC Token API shall be invoked is dependent on the SPC Token expiry, which is a configurable parameter, and it is selected by the Service Provider during the approval process (minimum 24 hours / maximum 2 years)
♦ The frequency with which the CA List API shall be invoked is, at a minimum, based on the expiration of the trustList, which is configured to be 24 hours. Also note that ATIS specifications recommend HTTP caching of resources.
♦ The frequency with which the CRL API shall be invoked is, at a minimum, based on the expiration of the CRL, which is configured to be 24 hours. Also note that ATIS specifications recommend HTTP caching of resources.
Chapter 3 HTML File Attachment
An HTML document for the specification of the STI-PA APIs is attached to this PDF document. The HTML file may be opened directly from the pdf document or after it is saved to the user’s computer.
3.1 Open Attachment
To open the HTML file from the pdf document, click the attachment icon on the left menu of this document and double click the html file name.
Figure 1 Open Attachment
3.2 Save Attachment
To save the attached HTML file, right click the HTML file name and click Save Attachment. Once the HTML file is saved it may be opened using either Chrome, IE or Firefox.
Figure 2 Save Attachment
Chapter 4 Message Codes
This section contains a list of possible messages that could be returned in the external APIs.
API | Success / Failure Scenario | status | message | HTTP Code | errorCode
Login | Valid user, valid password | success | Login is successful | 200 | N/A
Login | Valid user, invalid password | error | The User ID and/or Password are incorrect or your user account may not be enabled. If you think you have gotten this message in error, please contact your STI-PA Administrator. | 200 | 100
Login | Invalid user, valid password | error | The User ID and/or Password are incorrect or your user account may not be enabled. If you think you have gotten this message in error, please contact your STI-PA Administrator. | 200 | 100
Login | Inactive user | error | The User ID and/or Password are incorrect or your user account may not be enabled. If you think you have gotten this message in error, please contact your STI-PA Administrator. | 200 | 100
Login | Missing user, valid password | error | Missing required parameter userId. | 200 | 101
Login | Valid user, missing password | error | Missing required parameter password. | 200 | 102
Login | Service Agreement not accepted | error | Service Agreement for this account has not been accepted. Please first log in to the Web Portal and agree to the terms of the agreement. | 200 | 103
Logout | Valid unexpired Access Token | success | Logout is successful | 200 | N/A
Logout | Invalid or expired Access Token | error | Invalid token. Access Denied. | 403 | 801
Refresh Token | Valid unexpired Refresh Token | success | Refresh Token is successful | 200 | N/A
Refresh Token | Invalid or expired Refresh Token | error | Invalid refresh token | 200 | 301
Refresh Token | Missing Refresh Token | error | Missing required parameter refreshToken. | 200 | 302
CRL | Valid unexpired Access Token | success | CRL request is successful | 200 | N/A
CRL | No results are found | error | Not Found | 404 | N/A
STI-CA List | Valid unexpired Access Token, non-empty trustList | success | STI-CA trustList request is successful | 200 | N/A
STI-CA List | Valid unexpired Access Token, empty trustList | success | STI-CA trustList request is successful | 200 | N/A
STI-CA List | Invalid or expired Access Token | error | Invalid token. Access Denied. | 403 | 801
STI-PA Certificate | Valid certificate Id | success | STI-PA Public Certificate request is successful | 200 | N/A
STI-PA Certificate | Invalid Certificate id or when no results are found | error | Not Found | 404 | N/A
SPC Token | Valid id, valid atc, valid SPC | success | SPC token for spc: <spc code> created successfully | 200 | N/A
SPC Token | Valid id, invalid atc | error | The "atc" claim is not properly formatted or has invalid content | 200 | 701
SPC Token | Valid id, valid atc, invalid SPC | error | SPC value in the TNAuthList in the "atc" claim does not match the SPC value associated with the account. | 200 | 702
SPC Token | Valid id, missing atc | error | "atc" is a required parameter | 200 | 703
SPC Token | Invalid or expired Access Token | error | Invalid token. Access Denied. | 403 | 801
SPC Token | Invalid id | error | Invalid account ID | 404 | 705
Chapter 5 API Examples
This section contains a list of API request and response examples for a successful response for each of the external APIs. The examples are color coded to denote the various elements of the request and response as well as how the response from one API is used in another:
• The accessToken: color coded green
• The refreshToken: color coded red
• Standard response message structure: color coded pink
• Other SHAKEN specific structures (e.g. crl, ca-list, etc.): color coded orange
5.1 Login Request:
curl -X POST "https://authenticate-api.iconectiv.com/api/v1/auth/login" -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"userId\": \"userxxxx\", \"password\": \"passwordxxxx\"}"
{“status”:”success”,”message”:”Login is successful”,”accessToken”:”eyJraWQiOiI3clZHWmtjVmdVb3hUZnJVckZWXC9JRGJkQWxwalA4cW13VEx4MGRnQjg5MD0iLCJhbGciOiJSUzI1NiJ9.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.HXYse0LwttD4t4KkZt7uOGSoz0ksXiJeDhPxZlpGrA8Ufikoif2XcHMLLmcxrxfgLeqcqkJjZlkkiyYG3m4FefTXkgu8VNCCJDJowHGlnMU4yYDMBMZArZgTkgB_Qvy72LOT33PGC-xgu9FztSDWOjSxeceqiWecUQiXa75y6O6MilZQQ65tGjc3E7n_wRg7iMFdCu-QCytG678kPDpvVAcDlGZEjGUNJZRtZXrW6Fz3NmeYQ0E6r3ULa8cLSj8iq9nQlUjLdNCzJCIJscpw0z9SxDvc_DOohFWHMkpI3CW6guq6G2LzDVM2mWXQChmsoYD1tDzyPq4SmhGuPKNzfQ”,”refreshToken”:”eyJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiUlNBLU9BRVAifQ.fCo6qsBhiC7S-gqUziyUCSabx_H7WvyCMiBGZ5_QFuaBiO_XZac1gJS10M2XO4YevLkZxJpR377qD1FQVRXcY0W0r1cUd0E9XJyV1GjehQP4wlUPxwfhZ4VFU2tH26P7Oqz9v_Klku_yq-Cjn3kI0fQL0OyLwssh3SoOhLjFLfUMVCQulmykpCWZdwO15iugyIGtkXIZ8pimsY4VwN6p9ektp2xbNS9od5i3wroD4sHZV0SOYrf7zfEfwWibrXtKN6aWhIwUxHJ9YCbXTyEcLdXFqjcViZOAkhN0wtuVDI-e_qpI69dIut1BpXFczwcQuUvwVPWV3goEbVC7F8aziA.B4KcMTVxNpum9uYi.3nrSWQGmTuD7NaRc-_nWb3o5JKV0m01YKc_1WdNHzhkqYunq8gdDAqRAi9E5aRQOpNJjc_A2TpsYVVNdcwxoGUNICEtSr9-96-EczDgIk_o9xG9uVteLJELwYAwqqQUU8bk9cHphXXYzPTohV6HECqh2EN8CRwayB5R8WuzUgVWQdQLQ6t0piaSLe77RGP1B69yu9Qj-UWTpQrgj0Qn05Wi1PtJ6csQvhgiwl4K7zB86XKbJk7VEe4FvPyDWJ-PXyXhST3I3thU0WihtQGMCYDWpVy-GmbWJ_1R8bqx6tXD_FpmUvl9pmMNoBRzi_3Q5PBS3NRJ5_NQTuzx02IYZ1AtB81VvK_0Py7p7ZqUsZ6QqeQ1oiGTW1lIcL3f4za5K3ekSlpKNkQsmqFBC-pb5ro3JmamwfD19SDzXdrfoTMot7-ChFk3QiyiHpX0pKFb_RK_Pt-2LmHmoBRbJLhFKQSeO7yRDzP5WSqv_jEdurAURSy-VJGi3DfPrj9e_1G8qzdgBHXL7GiuDMUzQdHxuu2ky-S0KDPpBxRGh_ABB9NQJcn9J7j_8JOi6ARq-aXF3bB9oX27WrU1rE5BTf3FYYgmsLya5iK3LTzDoAS5z4AVi8aK_kZFmTZnBCrEghamO2MUgNS6a6eDQLBKrjqqnvpvmUMu_diFiv2_nkomb6XT1VrO_4BpCXC05Jep1U3KpD_S6HMsvKkg7cP5D6-3XlDG2ek98hmGhnGZkk9qazHSdf6KCKPByJ311CWXXV7gjMx4nVh2W1sL3g0I4OJjeZ5NcHHCbYwtOjUTj03ITXaUdSvutciIHFhHwpgEByKV5cXiNdryFUdENnBs8vc09ikd4jPZKrJGiCCuL5UKMu55fVPWPQy-jaq7j1dyYNx9ItAmGkQ5NZonFB4CNiYF-HfHNOy4MZdOXyfNKpH1G8Er-mgyf0_BjvcVJ2b0d9ZLgnrxsqODoyK23-a22-V57-7gUUPNcUMPfooAqSdw2iwq
sEPo9SeAJz4KF3xDy_ax6ZWqNHlM9_df745z-r–7L8D2JEiczGanGoF7_N84_4-UbdsKy6aUUuhM2r4HmNwqd2ak7l4955zVToKrQ2tj1WVcbK69aQiRUVM7lw3trTmIuBw_Vqcb7OlhJq3WwR7Pj4WIQIzTctKNZOc5ZnIqmyP47kfSZTWjC-DIxGT17cIdD3I8UvugNoNjSMtABZWlwxerTOQE9__RYWZaDedeLomdlshWS5iul058KpIpUOtoEoYcC8pr4T9L6Iw8oPIQdSUVzIF0RezMRmnelWJa7KlCU6aVIUo7.7Q_C3XLmxS9YzLI6Mcc66w”}
Note that the userId and password shall be valid in order to get a success response, but have been purposely modified for this example.
5.2 Logout Request:
curl -X POST “https://authenticate-api.iconectiv.com/api/v1/auth/logout” -H “accept: application/json” -H “Authorization: eyJraWQiOiI3clZHWmtjVmdVb3hUZnJVckZWXC9JRGJkQWxwalA4cW13VEx4MGRnQjg5MD0iLCJhbGciOiJSUzI1NiJ9.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.HXYse0LwttD4t4KkZt7uOGSoz0ksXiJeDhPxZlpGrA8Ufikoif2XcHMLLmcxrxfgLeqcqkJjZlkkiyYG3m4FefTXkgu8VNCCJDJowHGlnMU4yYDMBMZArZgTkgB_Qvy72LOT33PGC-xgu9FztSDWOjSxeceqiWecUQiXa75y6O6MilZQQ65tGjc3E7n_wRg7iMFdCu-QCytG678kPDpvVAcDlGZEjGUNJZRtZXrW6Fz3NmeYQ0E6r3ULa8cLSj8iq9nQlUjLdNCzJCIJscpw0z9SxDvc_DOohFWHMkpI3CW6guq6G2LzDVM2mWXQChmsoYD1tDzyPq4SmhGuPKNzfQ”
{"status":"success","message":"Logout is successful"}
5.3 Refresh Token Request:
curl -X POST “https://authenticate-api.iconectiv.com/api/v1/auth/refreshToken” -H “accept: application/json” -H “Content-Type: application/json” -d “{ \”refreshToken\”: \”eyJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiUlNBLU9BRVAifQ.fCo6qsBhiC7S-gqUziyUCSabx_H7WvyCMiBGZ5_QFuaBiO_XZac1gJS10M2XO4YevLkZxJpR377qD1FQVRXcY0W0r1cUd0E9XJyV1GjehQP4wlUPxwfhZ4VFU2tH26P7Oqz9v_Klku_yq-Cjn3kI0fQL0OyLwssh3SoOhLjFLfUMVCQulmykpCWZdwO15iugyIGtkXIZ8pimsY4VwN6p9ektp2xbNS9od5i3wroD4sHZV0SOYrf7zfEfwWibrXtKN6aWhIwUxHJ9YCbXTyEcLdXFqjcViZOAkhN0wtuVDI-e_qpI69dIut1BpXFczwcQuUvwVPWV3goEbVC7F8aziA.B4KcMTVxNpum9uYi.3nrSWQGmTuD7NaRc-_nWb3o5JKV0m01YKc_1WdNHzhkqYunq8gdDAqRAi9E5aRQOpNJjc_A2TpsYVVNdcwxoGUNICEtSr9-96-EczDgIk_o9xG9uVteLJELwYAwqqQUU8bk9cHphXXYzPTohV6HECqh2EN8CRwayB5R8WuzUgVWQdQLQ6t0piaSLe77RGP1B69yu9Qj-UWTpQrgj0Qn05Wi1PtJ6csQvhgiwl4K7zB86XKbJk7VEe4FvPyDWJ-PXyXhST3I3thU0WihtQGMCYDWpVy-GmbWJ_1R8bqx6tXD_FpmUvl9pmMNoBRzi_3Q5PBS3NRJ5_NQTuzx02IYZ1AtB81VvK_0Py7p7ZqUsZ6QqeQ1oiGTW1lIcL3f4za5K3ekSlpKNkQsmqFBC-pb5ro3JmamwfD19SDzXdrfoTMot7-ChFk3QiyiHpX0pKFb_RK_Pt-2LmHmoBRbJLhFKQSeO7yRDzP5WSqv_jEdurAURSy-VJGi3DfPrj9e_1G8qzdgBHXL7GiuDMUzQdHxuu2ky-S0KDPpBxRGh_ABB9NQJcn9J7j_8JOi6ARq-aXF3bB9oX27WrU1rE5BTf3FYYgmsLya5iK3LTzDoAS5z4AVi8aK_kZFmTZnBCrEghamO2MUgNS6a6eDQLBKrjqqnvpvmUMu_diFiv2_nkomb6XT1VrO_4BpCXC05Jep1U3KpD_S6HMsvKkg7cP5D6-3XlDG2ek98hmGhnGZkk9qazHSdf6KCKPByJ311CWXXV7gjMx4nVh2W1sL3g0I4OJjeZ5NcHHCbYwtOjUTj03ITXaUdSvutciIHFhHwpgEByKV5cXiNdryFUdENnBs8vc09ikd4jPZKrJGiCCuL5UKMu55fVPWPQy-jaq7j1dyYNx9ItAmGkQ5NZonFB4CNiYF-HfHNOy4MZdOXyfNKpH1G8Er-mgyf0_BjvcVJ2b0d9ZLgnrxsqODoyK23-a22-V57-7gUUPNcUMPfooAqSdw2iwqsEPo9SeAJz4KF3xDy_ax6ZWqNHlM9_df745z-r–7L8D2JEiczGanGoF7_N84_4-UbdsKy6aUUuhM2r4HmNwqd2ak7l4955zVToKrQ2tj1WVcbK69aQiRUVM7lw3trTmIuBw_Vqcb7OlhJq3WwR7Pj4WIQIzTctKNZOc5ZnIqmyP47kfSZTWjC-DIxGT17cIdD3I8UvugNoNjSMtABZWlwxerTOQE9__RYWZaDedeLomdlshWS5iul058KpIpUOtoEoYcC8pr4T9L6Iw8oPIQdSUVzIF0RezMRmnelWJa7KlCU6aVIUo7.7Q_C3XLmxS9YzLI6Mcc66w\”}”
{“status”:”success”,”message”:”RefreshToken is successful”,”accessToken”:”eyJraWQiOiI3clZHWmtjVmdVb3hUZnJVckZWXC9JRGJkQWxwalA4cW13VEx4MGRnQjg5MD0iLCJhbGciOiJSUzI1NiJ9.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
NnMzNTA3bGZpMjBwZHJ2c3EiLCJ1c2VybmFtZSI6ImRlbW9zdGlwYTEwMjIrMXZ6NWEifQ.BVO8dyDKE2KuunN7hkoFei_2bkety2OOThdtxgxf4D2Rd3y2tQ__jqR4myDuIXSgBp3Jtchf0tlU-a_25Xs0TvhhHCzFL5RhOGgDFSu53rnHQsFRId1c5po0ovIR8wpGDSHplO9y_o-bck1B2Q2Q8xX320Q9-CDuWERuifaQBu3WtK0BkuOQpJUn1BJVinSJUptvvww4nUNH97PkH5StqyBeYxofF4Tas_FsZ70nfh0TxaI0R1fl_CPx5QtSIXnYSv_Q351YGhlmX9J3oURe2RjnVX-Uo2EkS1jihnuJx9rdzlx7MyoOglHEHUYHK-M34bQ2rmM0r3eZzOL7gZHQBw”,”refreshToken”:”eyJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiUlNBLU9BRVAifQ.fCo6qsBhiC7S-gqUziyUCSabx_H7WvyCMiBGZ5_QFuaBiO_XZac1gJS10M2XO4YevLkZxJpR377qD1FQVRXcY0W0r1cUd0E9XJyV1GjehQP4wlUPxwfhZ4VFU2tH26P7Oqz9v_Klku_yq-Cjn3kI0fQL0OyLwssh3SoOhLjFLfUMVCQulmykpCWZdwO15iugyIGtkXIZ8pimsY4VwN6p9ektp2xbNS9od5i3wroD4sHZV0SOYrf7zfEfwWibrXtKN6aWhIwUxHJ9YCbXTyEcLdXFqjcViZOAkhN0wtuVDI-e_qpI69dIut1BpXFczwcQuUvwVPWV3goEbVC7F8aziA.B4KcMTVxNpum9uYi.3nrSWQGmTuD7NaRc-_nWb3o5JKV0m01YKc_1WdNHzhkqYunq8gdDAqRAi9E5aRQOpNJjc_A2TpsYVVNdcwxoGUNICEtSr9-96-EczDgIk_o9xG9uVteLJELwYAwqqQUU8bk9cHphXXYzPTohV6HECqh2EN8CRwayB5R8WuzUgVWQdQLQ6t0piaSLe77RGP1B69yu9Qj-UWTpQrgj0Qn05Wi1PtJ6csQvhgiwl4K7zB86XKbJk7VEe4FvPyDWJ-PXyXhST3I3thU0WihtQGMCYDWpVy-GmbWJ_1R8bqx6tXD_FpmUvl9pmMNoBRzi_3Q5PBS3NRJ5_NQTuzx02IYZ1AtB81VvK_0Py7p7ZqUsZ6QqeQ1oiGTW1lIcL3f4za5K3ekSlpKNkQsmqFBC-pb5ro3JmamwfD19SDzXdrfoTMot7-ChFk3QiyiHpX0pKFb_RK_Pt-2LmHmoBRbJLhFKQSeO7yRDzP5WSqv_jEdurAURSy-VJGi3DfPrj9e_1G8qzdgBHXL7GiuDMUzQdHxuu2ky-S0KDPpBxRGh_ABB9NQJcn9J7j_8JOi6ARq-aXF3bB9oX27WrU1rE5BTf3FYYgmsLya5iK3LTzDoAS5z4AVi8aK_kZFmTZnBCrEghamO2MUgNS6a6eDQLBKrjqqnvpvmUMu_diFiv2_nkomb6XT1VrO_4BpCXC05Jep1U3KpD_S6HMsvKkg7cP5D6-3XlDG2ek98hmGhnGZkk9qazHSdf6KCKPByJ311CWXXV7gjMx4nVh2W1sL3g0I4OJjeZ5NcHHCbYwtOjUTj03ITXaUdSvutciIHFhHwpgEByKV5cXiNdryFUdENnBs8vc09ikd4jPZKrJGiCCuL5UKMu55fVPWPQy-jaq7j1dyYNx9ItAmGkQ5NZonFB4CNiYF-HfHNOy4MZdOXyfNKpH1G8Er-mgyf0_BjvcVJ2b0d9ZLgnrxsqODoyK23-a22-V57-7gUUPNcUMPfooAqSdw2iwqsEPo9SeAJz4KF3xDy_ax6ZWqNHlM9_df745z-r–7L8D2JEiczGanGoF7_N84_4-UbdsKy6aUUuhM2r4HmNwqd2ak7l4955zVToKrQ2tj1WVcbK69aQiRUVM7lw3trTmIuBw_Vqcb7OlhJq3
WwR7Pj4WIQIzTctKNZOc5ZnIqmyP47kfSZTWjC-DIxGT17cIdD3I8UvugNoNjSMtABZWlwxerTOQE9__RYWZaDedeLomdlshWS5iul058KpIpUOtoEoYcC8pr4T9L6Iw8oPIQdSUVzIF0RezMRmnelWJa7KlCU6aVIUo7.7Q_C3XLmxS9YzLI6Mcc66w”}
5.4 STIPA Public Certificate Request:
curl -X GET "https://authenticate-api.iconectiv.com/download/v1/certificate/certificateId_5.crt" -H "accept: application/pkix-cert"
—–BEGIN CERTIFICATE—–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—–END CERTIFICATE—–
-----BEGIN CERTIFICATE-----
MIICBjCCAaygAwIBAgIQWdx0lcnwY0kS1j1qMoKhVTAKBggqhkjOPQQDAjBjMQsw
CQYDVQQGEwJVUzELMAkGA1UECAwCTkoxFDASBgNVBAcMC0JyaWRnZXdhdGVyMQ8w
DQYDVQQKDAZTVEktUEExIDAeBgNVBAMMF1NUSS1QQSBSb290IENlcnRpZmljYXRl
MB4XDTE5MTAwNDExNDEyM1oXDTI5MTAwNDEyNDEyM1owYzELMAkGA1UEBhMCVVMx
CzAJBgNVBAgMAk5KMRQwEgYDVQQHDAtCcmlkZ2V3YXRlcjEPMA0GA1UECgwGU1RJ
LVBBMSAwHgYDVQQDDBdTVEktUEEgUm9vdCBDZXJ0aWZpY2F0ZTBZMBMGByqGSM49
AgEGCCqGSM49AwEHA0IABCYlkZftjTJ5LjnKSG4Ed4Wdjs2yA4i6IsrKEp55roKm
Ypbni2MWS7CB1XMzO62h/8m+6tuu9zDsx77csEXpbpajQjBAMA8GA1UdEwEB/wQF
MAMBAf8wHQYDVR0OBBYEFA5kPPLY+ZiHoerdEuHpvvfYbP08MA4GA1UdDwEB/wQE
AwIBhjAKBggqhkjOPQQDAgNIADBFAiEA6Hydwq1G2qV9QFRfGtpSI2ekZ7+NnQey
sLATvTYUOp8CICar8g1HJb/EvjI5Lw5Su0XqAzUXpRyXr6ehLvWeR/NO
-----END CERTIFICATE-----
5.5 CRL Request:
curl -X GET "https://authenticate-api.iconectiv.com/download/v1/crl" -H "accept: application/pkix-crl"
-----BEGIN X509 CRL-----
MIIBjTCCATICAQEwCgYIKoZIzj0EAwIwUjEUMBIGA1UEBwwLQnJpZGdld2F0ZXIx

LzFa6J/N1MMYjx7L+tZIp3Y=
-----END X509 CRL-----
Note that the CRL returned should be a valid base64-encoded (Section 4 of RFC 4648) DER X.509 CRL, but it has been purposely modified for this example.
5.6 CA List Request:
curl -X GET "https://authenticate-api.iconectiv.com/api/v1/ca-list" -H "accept: application/jose+json" -H "Authorization: eyJraWQiOiI3clZHWmtjVmdVb3hUZnJVckZWXC9JRGJkQWxwalA4cW13VEx4MGRnQjg5MD0iLCJhbGciOiJSUzI1NiJ9.….ZXobu3bCrZYsAfEXd9oskUqpXYvKfYNu_zb6dV-S6CSHfzGyyGyLX6CXOjuTI1cSkPaf1KE7OtqsQtAfXq25WDuoXvHZ04I07QsZnnJk9c4_ob50gYVCKBDXzmon923r34phWVzLslVPB26jFhXn0j6mWxcpNs2NxeSJF-kezmWwLs6D2Ix0WRrtGskkH8l1AYb_tXTJHvcCkZL80orn8FID0O2CWaivRIVVVmH7b9jGk85_9NYSK9paRQgb0WcVIEbzdCJb1BPJnClia0NdLJF2F7Q9wQUavra8056KrzpEjkkVQhhS-LLF7ID2p9HQYIPLwgcQyM06DchLqeUnZw"
{"status":"success","message":"STI-CA trustList request is successful","caList":"eyJ4NXUiOiJodHRwczovL2F1dGhlbnRpY2F0ZS1hcGkuaWNvbmVjdGl2LmNvbS9kb3dubG9hZC92MS9jZXJ0aWZpY2F0ZS9jZXJ0aWZpY2F0ZUlkXzUuY3J0IiwidHlwIjoiSldUIiwiYWxnIjoiRVMyNTYifQ.eyJzZXF1ZW5jZSI6OTEsInRydXN0TGlzdCI6WyItLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS1cbk1JSUNCakNDQWF1Z0F3SUJBZ0lDRGg4d0RBWUlLb1pJemowRUF3SUZBREJOTVFzd0NRWURWUVFHRXdKVlV6RVVcbk1CSUdBMVVFQ2hNTFZFMVBRa2xNUlMxVlUwRXhLREFtQmdOVkJBTVRIMVJOVDBKSlRFVXRVRkpQUkMxU1QwOVVcbkxWTlVTVkpUU0VGTFJVNHRSVU13SGhjTk1Ua3dPVEU1TWpBeE1qQXlXaGNOTkRRd09URTRNakF4TWpBeVdqQk5cbk1Rc3dDUVlEVlFRR0V3SlZVekVVTUJJR0ExVUVDaE1MVkUxUFFrbE1SUzFWVTBFeEtEQW1CZ05WQkFNVEgxUk5cblQwSkpURVV0VUZKUFJDMVNUMDlVTFZOVVNWSlRTRUZMUlU0dFJVTXdXVEFUQmdjcWhrak9QUUlCQmdncWhrak9cblBRTUJCd05DQUFTa0J2….
….2F1gSe27SDwJbpMOUWhELIIEs0sJ-B6IlPLtrbIfrO1-gxGGYukFZ93wHsN93g6eAyWyWnkXOJOpvIvd_jfTWw"}
Note that the caList value is a JSON Web Token (JWS compact serialization, RFC 7515) signed with ES256; the one shown has been purposely modified for this example. The following subsections decode each JWT segment:
5.6.1 JWT Header (base64url encoded)
{
"x5u": "https://authenticate-api.iconectiv.com/download/v1/certificate/certificateId_5.crt",
"typ": "JWT",
"alg": "ES256"
}
5.6.2 JWT Payload (base64url encoded)
{
"sequence": 91,
"trustList": [
"-----BEGIN CERTIFICATE-----\nMIICBjCCAaugAwIBAgICDh8wDAYIKoZIzj0EAwIFADBNMQswCQYDVQQGEwJVUzEU\nMBIGA1UEChMLVE1…vS\nkIFnAMu/xaUCIEF9yPw3mFC0TA4DiPtR4md516yZ82mLnW/+ekdU1bGh\n-----END CERTIFICATE-----",
"-----BEGIN CERTIFICATE-----\nMIICHjCCAaSgAwIBAgIJANqqj4tD5LNrMAoGCCqGSM49BAMCME0xCzAJBgNVBAYT\nAlVTMRUwEwYDVQQI…avro/Xr+XCPhNdxD/M4AjEA94X04Y+1g7gsXs/2Eyg9qIlVTQw/vDI47Z6drZTz\nct+pqESrzQv70II1VmyewOlw\n-----END CERTIFICATE-----",
"-----BEGIN CERTIFICATE-----\nMIICQjCCAeigAwIBAgIOBsajeFeWTBL5zjlAGlIwCgYIKoZIzj0EAwIwgYExCzAJ\nBgNVBAYTAlVTMRAwDgYDV… QIhAIIMLN5w2vHhXyoqHZwrbzOdHmiuo6iFEav2\nU6Ezv3BV\n-----END CERTIFICATE-----",
"-----BEGIN CERTIFICATE-----\nMIIEBjCCAu6gAwIBAgIUfzd00EOROqoBaE/Zjx+KO8oDcZgwDQYJKoZIhvcNAQEL\nBQAwgYExLDAqBgNVBA… TdqchC09Sn\nJCwvB0YGsUz4yOdbn86pC1BRVJZSLGHgjAQ=\n-----END CERTIFICATE-----"
],
"exp": 1575510765,
"version": "1.0"
}
Note that each trustList entry is a PEM-wrapped, base64-encoded (Section 4 of RFC 4648) DER X.509 root certificate; the ones shown have been purposely modified (truncated) for this example. A relying party should keep the last accepted sequence value and reject a list whose sequence does not advance, and should stop using the list once exp has passed.
5.6.3 JWT Signature (base64url encoded)
The signature uses ES256 (ECDSA over P-256 with SHA-256, RFC 7518 Section 3.4) and is computed over the JWS Signing Input: the ASCII bytes of the base64url-encoded header, a period ('.') character, and the base64url-encoded payload (RFC 7515 Section 5.1). It is verified with the public key in the certificate named by the header's x5u; because any token can carry any x5u, a verifier should confirm that URL points at the STI-PA before fetching it, and should require alg to be ES256 rather than trusting the header's value.
5.7 SPC Token Request:
curl -X POST "https://authenticate-api.iconectiv.com/api/v1/account/6509/token/" -H "accept: application/jose+json" -H "Authorization: eyJraWQiOiJJN09QNkhUNVNZdHg3NGduYkExSGtDSlJUcVwvcjlmQUhGTDE4akZcL29ndVU9IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiI0MWIzOWI0OS00MDk1LTRjZGEtODNkNi1mYzg0NWU2OWY1ZDAiLCJjb2duaXRvOmdyb3VwcyI6WyJBUEkiXSwiZXZlbnRfaWQiOiI2OTJlMTc4Ny02ODRlLTQ2NGMtYThiZS0zNDk4YjdjMDczZjQiLCJ0b2tlbl91c2UiOiJhY2Nlc3MiLCJzY29wZSI6ImF3cy5jb2duaXRvLnNpZ25pbi51c2VyLmFkbWluIiwiYXV0aF90aW1lIjoxNTc5MTk1Mjk2LCJpc3MiOiJodHRwczpcL1wvY29nbml0by1pZHAudXMtZWFzdC0xLmFtYXpvbmF3cy5jb21cL3VzLWVhc3QtMV9Va09MUm5NVXQiLCJleHAiOjE1NzkxOTg4OTYsImlhdCI6MTU3OTE5NTI5NiwianRpIjoiOTBmNTIxNzMtZjdkZS00NDA3LWJjZDEtY2ZhNWQ3MDJiYTE2IiwiY2xpZW50X2lkIjoiMTRxMmQzZ2RvNzVxdmVjMTlyM3Y3NjdrNnUiLCJ1c2VybmFtZSI6ImFwaXN0aXBhdXNlciJ9.kPbHda1sotg2fiqfXnSJXUv9t4jSv33RwhpB_rcgwJiRSxdxUiZyxyrSN7fqkwQ4HUzgdhspct-cI1GiIqYNYE3BCWNBOjw2N84uijl1kXeiOka9jQuC3HCX4xxWowwbrtm7V2zpeoxQ4mLFsoGj19vqK_Uszz48vwiLvQK6o2ojBWTOrocRPrTwzdEKi3_qU7athosmHvkyJHRdztEEZArMolcuWGQIRnK_shDWwHxe3V4HXlqcP-Lr0AJpdtryfXEHWpHQzd2tkVuYZI9hc18c2E695b_JIT1BQ02_HlYXvSGTXR9-wDtkjxjemcygEGtfoNMySoGUL0d3rRdAXw" -H "Content-Type: application/json" -d "{ \"atc\": { \"tktype\": \"TNAuthList\", \"tkvalue\": \"MAigBhYEODg2NA==\", \"ca\": false, \"fingerprint\": \"SHA256 D3:AC:95:1E:7B:0A:01:42:A4:17:EB:AB:02:D7:99:EB:52:0A:F7:2C:F7:28:E3:22:0A:A2:58:4D:A0:31:5A:82\" }}"
{"status":"success","message":"SPC token for spc: 8864 is created successfully","token":"eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsIng1dSI6Imh0dHBzOi8vYXV0aGVudGljYXRlLWFwaS1kZXYuaWNvbmVjdGl2LmNvbS9kb3dubG9hZC92MS9jZXJ0aWZpY2F0ZS9jZXJ0aWZpY2F0ZUlkXzI1Ni5jcnQifQ.eyJleHAiOiIxNTc5MjgxOTI0IiwianRpIjoiMzc2NGNhNDgtYTMwNy00MDY3LTk0Y2ItYTcwMDQ2MWRhYWM5IiwiYXRjIjp7InRrdHlwZSI6IlROQXV0aExpc3QiLCJ0a3ZhbHVlIjoiTUFpZ0JoWUVPRGcyTkE9PSIsImNhIjpmYWxzZSwiZmluZ2VycHJpbnQiOiJTSEEyNTYgRDM6QUM6OTU6MUU6N0I6MEE6MDE6NDI6QTQ6MTc6RUI6QUI6MDI6RDc6OTk6RUI6NTI6MEE6Rjc6MkM6Rjc6Mjg6RTM6MjI6MEE6QTI6NTg6NEQ6QTA6MzE6NUE6ODIifX0.zvD2R5hzKs4-23ul1QUEOFNcVrVzGK4IcQp9nE4n3EYKIMJb9Xu_1oH-pqIdmMfmDYA0lZ1T55YuQ-djIqZLBQ","crl":"https://authenticate-api.iconectiv.com/download/v1/crl"}
Note that the token is a JSON Web Token (JWS compact serialization) and that the response also carries the URL of the CRL to check the signing certificate against. The following subsections decode each JWT segment; they show a separate example token, issued for SPC 1VZ5, rather than the SPC 8864 token returned above:
5.7.1 JWT Header (base64url encoded)
{
"alg": "ES256",
"typ": "JWT",
"x5u": "https://authenticate-api.iconectiv.com/download/v1/certificate/certificateId_145.crt"
}
5.7.2 JWT Payload (base64url encoded)
{
"atc": {
"tktype": "TNAuthList",
"tkvalue": "MAigBhYEMVZaNQ==",
"ca": false,
"fingerprint": "SHA256 D3:AC:95:1E:7B:0A:01:42:A4:17:EB:AB:02:D7:99:EB:52:0A:F7:2C:F7:28:E3:22:0A:A2:58:4D:A0:31:5A:82"
},
"jti": "3c3542dc-c9c8-4da5-96f5-7da3a1797786",
"exp": "1606985956"
}
Note that the atc claim echoes the request body. Its tkvalue is the base64-encoded DER value of the TNAuthorizationList certificate extension defined in RFC 8226: a SEQUENCE of TNEntry, which for an SPC token holds a single [0] spc entry containing an IA5String. Decoded, the value in this example corresponds to SPC 1VZ5. Note also that exp is carried as a decimal string here, whereas RFC 7519 defines exp as a NumericDate (a JSON number); a strict JWT library may reject it, so convert it before checking expiry.
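The encoding that note describes, as an added example that is not part of the iconectiv document: a minimal DER encoder and decoder for the RFC 8226 TNAuthorizationList. It goes beyond the page's SPC case and also handles the range and one TNEntry choices that RFC 8226 defines. It reproduces the page's own values: encoding SPC 8864 gives MAigBhYEODg2NA== (the request in 5.7) and decoding MAigBhYEMVZaNQ== gives 1VZ5 (the payload above). The function names and the sample telephone numbers are the example's own.

```python
"""DER encoder/decoder for the RFC 8226 TNAuthorizationList (added example).

TNAuthorizationList ::= SEQUENCE SIZE (1..MAX) OF TNEntry
TNEntry ::= CHOICE { spc   [0] ServiceProviderCode,   -- IA5String
                     range [1] TelephoneNumberRange,  -- SEQUENCE { start IA5String, count INTEGER }
                     one   [2] TelephoneNumber }      -- IA5String
RFC 8226 uses EXPLICIT tags, so each [n] is a constructed wrapper tag 0xA0|n.
"""
import base64

SEQUENCE, INTEGER, IA5STRING = 0x30, 0x02, 0x16


def _ctx(n):
    return 0xA0 | n  # context-specific, constructed tag [n]


def _tlv(tag, body):
    """DER tag-length-value with definite short-form or long-form length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _read_tlv(buf, pos):
    """Return (tag, value, position after the element); rejects truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    if pos + ln > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + ln], pos + ln


def _der_int(v):
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")   # a spare byte keeps the sign bit clear
    while len(b) > 1 and b[0] == 0 and b[1] < 0x80:  # then drop redundant leading zeros
        b = b[1:]
    return b


def encode_tn_auth_list(entries):
    """entries: ("spc", "8864"), ("one", "12015550123") or ("range", "12015550100", 20)."""
    if not entries:
        raise ValueError("TNAuthorizationList needs at least one TNEntry")
    out = b""
    for e in entries:
        if e[0] == "spc":
            out += _tlv(_ctx(0), _tlv(IA5STRING, e[1].encode("ascii")))
        elif e[0] == "range":
            rng = _tlv(IA5STRING, e[1].encode("ascii")) + _tlv(INTEGER, _der_int(e[2]))
            out += _tlv(_ctx(1), _tlv(SEQUENCE, rng))
        elif e[0] == "one":
            out += _tlv(_ctx(2), _tlv(IA5STRING, e[1].encode("ascii")))
        else:
            raise ValueError(f"unknown TNEntry kind {e[0]!r}")
    return base64.b64encode(_tlv(SEQUENCE, out)).decode("ascii")


def decode_tn_auth_list(tkvalue):
    """Parse a base64 tkvalue back into the entry tuples encode_tn_auth_list accepts."""
    raw = base64.b64decode(tkvalue, validate=True)
    tag, body, end = _read_tlv(raw, 0)
    if tag != SEQUENCE or end != len(raw):
        raise ValueError("tkvalue is not a single DER SEQUENCE")
    entries, pos = [], 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        itag, val, iend = _read_tlv(inner, 0)
        if iend != len(inner):
            raise ValueError("trailing bytes inside TNEntry")
        if tag == _ctx(0) and itag == IA5STRING:
            entries.append(("spc", val.decode("ascii")))
        elif tag == _ctx(2) and itag == IA5STRING:
            entries.append(("one", val.decode("ascii")))
        elif tag == _ctx(1) and itag == SEQUENCE:
            t1, start, p = _read_tlv(val, 0)
            t2, count, p = _read_tlv(val, p)
            if (t1, t2) != (IA5STRING, INTEGER) or p != len(val):
                raise ValueError("malformed TelephoneNumberRange")
            entries.append(("range", start.decode("ascii"), int.from_bytes(count, "big", signed=True)))
        else:
            raise ValueError(f"unexpected TNEntry tags 0x{tag:02x}/0x{itag:02x}")
    if not entries:
        raise ValueError("empty TNAuthorizationList")
    return entries


def tn_auth_list_error(tkvalue):
    """Rejection reason for a malformed tkvalue, or None when it parses."""
    try:
        decode_tn_auth_list(tkvalue)
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    print(encode_tn_auth_list([("spc", "8864")]))    # the tkvalue sent in 5.7
    print(decode_tn_auth_list("MAigBhYEMVZaNQ=="))    # the tkvalue in the 5.7.2 payload
```

Decoding the tkvalue before you act on a token is worth the few lines: the decoder rejects truncated elements, trailing bytes and an empty list, so a malformed or hand-edited value fails closed instead of being passed through to a certificate request.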
5.7.3 JWT Signature (base64url encoded)
As in 5.6.3, the signature uses ES256 and is computed over the JWS Signing Input: the base64url-encoded header, a period ('.') character, and the base64url-encoded payload. It is verified with the public key in the certificate named by the header's x5u, whose revocation status is checked against the CRL whose URL the token response returns.
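A validator for both tokens, as an added example that is not iconectiv's code. It applies, in the right order, the checks a relying party needs on the caList JWT of 5.6 and the SPC token of 5.7: a fixed algorithm (ES256, never taken from the header), an x5u restricted to the STI-PA host before anything is fetched, the signature over the JWS Signing Input, expiry (accepting the string-valued exp the SPC token carries) and, for the CA list, a sequence number that must advance. P-256 ECDSA is implemented in pure Python so that the block runs on the standard library alone; it is teaching code, not constant-time, and a production verifier would use a real cryptographic library with the public key read from the x5u certificate. The key pair, the function names and the sample payloads are constructed for the example; the pinned host and header fields are the ones the page's examples use.

```python
"""Validate the ES256 JWTs the STI-PA returns: the caList (5.6) and the SPC token (5.7).
Added example, not iconectiv code.  P-256 ECDSA is written out in pure Python so the
block needs only the standard library; it is variable-time teaching code."""
import base64, hashlib, json, secrets
from urllib.parse import urlparse

# NIST P-256 domain parameters (FIPS 186-4); the curve coefficient a is -3
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def _add(p1, p2):                  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = ((3 * x1 * x1 - 3) * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _mul(k, pt):                   # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def _z(data):                      # SHA-256 of the signing input as an integer
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def es256_sign(priv, data):
    """JWS ES256 signature: raw r||s, 32 bytes each (RFC 7518 section 3.4)."""
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = _mul(k, G)[0] % N
        s = pow(k, -1, N) * (_z(data) + r * priv) % N
        if r and s:
            return r.to_bytes(32, "big") + s.to_bytes(32, "big")

def es256_verify(pub, data, sig):
    if len(sig) != 64:
        return False
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = _add(_mul(_z(data) * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")
def unb64url(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def validate_pa_jwt(token, pub, now, x5u_host="authenticate-api.iconectiv.com", last_sequence=None):
    """Verified payload or ValueError; `pub` is the key from the x5u certificate, fetched only after the host check."""
    h, p, s = token.split(".")                   # ValueError unless exactly three segments
    header = json.loads(unb64url(h))
    if header.get("alg") != "ES256":             # the token never chooses the algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    u = urlparse(header.get("x5u", ""))
    if u.scheme != "https" or u.hostname != x5u_host:
        raise ValueError(f"x5u {header.get('x5u')!r} is not on the pinned host")
    # RFC 7515 5.2: the signature covers ASCII(BASE64URL(header) '.' BASE64URL(payload))
    if not es256_verify(pub, f"{h}.{p}".encode("ascii"), unb64url(s)):
        raise ValueError("bad signature")
    payload = json.loads(unb64url(p))            # parse claims only after the signature holds
    exp = payload.get("exp")                     # number in caList, decimal string in SPC token
    if isinstance(exp, str) and exp.isdigit():
        exp = int(exp)
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("token expired or exp malformed")
    seq = payload.get("sequence")
    if last_sequence is not None and (seq is None or seq <= last_sequence):
        raise ValueError("caList sequence did not advance (stale or replayed list)")
    return payload

def make_pa_jwt(priv, header, payload):
    """Build a token the way the PA does; used here only to produce constructed samples."""
    h = b64url(json.dumps(header, separators=(",", ":")).encode())
    p = b64url(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p}." + b64url(es256_sign(priv, f"{h}.{p}".encode("ascii")))

def validation_error(token, pub, **kw):          # None when accepted, else the rejection reason
    try:
        validate_pa_jwt(token, pub, **kw)
    except ValueError as e:
        return str(e)

# Constructed sample: a throwaway key pair standing in for the PA's signing key, the
# header of 5.6.1, and a trustList holding one placeholder blob, not a real certificate.
DEMO_PRIV = _z(b"demo signing key") % (N - 1) + 1
DEMO_PUB = _mul(DEMO_PRIV, G)
DEMO_HEADER = {"x5u": "https://authenticate-api.iconectiv.com/download/v1/certificate/certificateId_5.crt",
               "typ": "JWT", "alg": "ES256"}
DEMO_PAYLOAD = {"sequence": 91, "exp": 1575510765, "version": "1.0",
                "trustList": ["-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----"]}
```

The ordering matters: the algorithm and x5u host are checked before the signature so that a forged token cannot steer the verifier to an attacker-hosted certificate or to a weaker algorithm, and the claims are parsed only after the signature holds. For the SPC token, pass last_sequence=None, since that claim exists only in the CA list.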