Customer Credential Signing API Definition
If you choose to sign your credentials with your private key, you must implement an API that conforms to this design. You must Update Credential Issuer Profile and provide the URL of your API in credentialSigning.url.
The signing request contains an array of payloads that you must sign. Each payload has a key ID and a corresponding credential signing key ID. You define the key ID, kid, in the public signing key that you submit in the request to Create Customer Signing Public Key. The PingOne service assigns the credential signing key ID, credentialSigningKeyId, in the response to Create Customer Signing Public Key.
Customer credential signing request data model
| Property | Type | Required? | Mutable? | Description |
|---|---|---|---|---|
| | String | Optional | Immutable | A free-format string for auditing. |
| payloads | Object[] | Required | Immutable | Array of payload objects that you must sign. |
| payloads.payload | String | Required | Immutable | Opaque data to be individually signed by your service using your private key. |
| payloads.kid | String | Required | Immutable | The key ID in the public credential signing key JWK, submitted to the credential signing service, to use to sign the payload. |
| payloads.credentialSigningKeyId | String | Required | Immutable | Unique identifier (UUID) of the credential signing key to use to sign the payload. PingOne credentialing service generates this UUID for each public credential signing key you submit to the credential signing service. |
In payloads.payload, the service supplies the base64-encoded JWT header, derived from the public key the service expects you to use, and the base64-encoded payload, the opaque credential object to sign, separated by a literal period.
You can use either payloads.kid or payloads.credentialSigningKeyId to find the correct private key for signing.
Customer credential signing response data model
| Property | Type | Required? | Mutable? | Description |
|---|---|---|---|---|
| | Object[] | Required | Immutable | Array of signed payload objects. |
| | String | Required | Immutable | The |
| | String | Required | Immutable | The base64-encoded signature you generated using your private credential signing key. |
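One way to handle the signing request in Node.js, as an added example rather than PingOne code: it resolves the key from payloads.kid and payloads.credentialSigningKeyId, checks the JWT header against that key, and signs the payload string. Assumptions not stated on this page: ES256 keys, a standard alg/kid JWT header, base64url encoding, and the placeholder response field name signature; makeDemoKeyStore, b64urlJson and the sample identifiers are constructed.

```javascript
// Added example (not PingOne code); uses only Node.js built-in crypto.
const crypto = require('node:crypto');

// Constructed demo key store. In production the private key stays in an HSM or KMS.
// The same entry is indexed by both request identifiers.
function makeDemoKeyStore(kid, credentialSigningKeyId) {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const entry = { alg: 'ES256', privateKey, publicKey }; // ES256 is an assumption
  return new Map([[kid, entry], [credentialSigningKeyId, entry]]);
}

// Helper for building constructed input: base64url(JSON).
const b64urlJson = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Signs every item in request.payloads, or throws without signing any of them.
function signPayloads(request, keyStore) {
  if (!Array.isArray(request.payloads) || request.payloads.length === 0) {
    throw new Error('payloads must be a non-empty array');
  }
  // Validate all items first so one bad item rejects the whole batch.
  const jobs = request.payloads.map(({ payload, kid, credentialSigningKeyId }) => {
    const key = keyStore.get(kid);
    // Stricter than the page requires: both identifiers must resolve to one key.
    if (!key || keyStore.get(credentialSigningKeyId) !== key) {
      throw new Error('unknown or mismatched signing key');
    }
    // payloads.payload is "<header>.<credential>", joined by one literal period.
    const parts = typeof payload === 'string' ? payload.split('.') : [];
    if (parts.length !== 2 || !parts[0] || !parts[1]) {
      throw new Error('malformed payload');
    }
    // Assumes a standard JWT header with "alg" and, optionally, "kid".
    const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
    if (header.alg !== key.alg || (header.kid !== undefined && header.kid !== kid)) {
      throw new Error('JWT header does not match the selected key');
    }
    return { payload, key };
  });
  return jobs.map(({ payload, key }) => {
    // JWS ES256 signatures are raw R||S (IEEE P1363), not DER.
    const sig = crypto.sign('sha256', Buffer.from(payload, 'utf8'),
      { key: key.privateKey, dsaEncoding: 'ieee-p1363' });
    // "signature" is a placeholder field name; the base64url variant is assumed.
    return { payload, signature: sig.toString('base64url') };
  });
}
```

Because the endpoint signs whatever it accepts, the header and key checks run before any signature is produced, so a request naming a key you do not hold or an unexpected algorithm is rejected as a whole.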
Learn more about JSON Web Tokens (JWT) in Introduction to JSON Web Tokens (JWT).