Authorization Tokens in APIHub

Status: open for community review of the RFC (comment via Docs).

Document Maintainers: Andi Gabriel Tan 2024. List of other contributors in Annex 1.

Copyright: MIT license

Copyright © 2018-2024 Axiologic Research and Contributors. This document is licensed under MIT license.


1. APIHub as an OpenDSU Cloud Agent

1.1. Token-based authorization in APIHub

1.2. KeySSI-based JWT Tokens

The JWT signature is computed in two steps:

  1. Obtain the hash of the JWT Header and the Payload.
  2. Sign the hash with the private key of the “iss” obtained from the SeedSSI.
JWT Header Fields and Details

  typ   Token type. Set to "SeedSSIJWT".

JWT Payload Fields and Details

  sub   Set to the identifier of the user owning the SeedSSI used for issuing the token.
  aud   The Audience field is a hash used to verify that the token is authentic and was not reused. The "aud" field is obtained by applying the hash function to a string obtained by concatenating the URL that is under the authorisation
  iss   The sReadSSI used for signing (the JWT Issuer).
  iat   Issued At Time claim.
  nbf   Not Before Time.
  exp   Expiration Time.

1.2.1. Threat model

  • Improperly signed JWT Token
  • Stolen SeedSSI used to create valid JWT Tokens
  • Stolen JWT Token
  • Corrupted APIHub

1.2.2. Relevant APIs in OpenDSU SDK

API               Description
createJWT         createJWT(issuer: SeedSSI, scope: string, credentials: array, options, callback)
                  Returns: a valid JWT token signed by the SeedSSI
verifyJWT         verifyJWT(JWT, rootOfTrustVerificationStrategy, callback)
                  Returns: calls the callback with success (true) or error
createCredential  createCredential(issuer: SeedSSI, credentialSubject, callback)
createAuthToken   createAuthToken(seedSSI, scope, credential, callback)
verifyAuthToken   verifyAuthToken(jwt, listOfIssuers, callback)

skipAuthorisation: ["bricks/get-brick/epi", "bricks/get-brick/:ssi:zsa:epi:"]

Artifact              Signed by           Binds
Authorisation SSI
User SSI
User Credentials      Authorisation SSI   User SSI (contains the User sReadSSI)
Authentication Token  User SSI            User Credentials

2. Type of Wallets

2.1. SeedSSI Wallet

2.2. SecretSSI Wallets


  1. Axiologic Research: new content and improvements. Original texts under PharmaLedger Association and Novartis funding. MIT-licensed content in accordance with the contracts. Publishes and maintains the site.

  2. PharmaLedger Project: review, feedback, observations, new content, and corrections, MIT-licensed in accordance with the consortium agreements.

  3. PrivateSky Research Project: MIT-licensed content in accordance with the contracts.

Annex 1. Contributors

Current Editors
  Andi-Gabriel Țan

Contributors, Axiologic Research
  Adrian Ganga
  Andi-Gabriel Țan
  Cosmin Ursache
  Daniel Sava
  Nicoleta Mihalache
  Valentin Gérard

PrivateSky Contributors
  Alex Sofronie (DPO)
  Cosmin Ursache (UAIC)
  Daniel Sava (HVS, AQS)
  Daniel Visoiu (SGiant)
  Lenuța Alboaie (UAIC)
  Rafael Mastaleru (RMS)
  Sînică Alboaie (UAIC)
  Vlad Balmos (Code932)

PharmaLedger Contributors
  Ana Balan (RMS)
  Bogdan Mastahac (RMS)
  Cosmin Ursache (RMS)
  Rafael Mastaleru (RMS)