platform-config-openapi.yaml

openapi: 3.0.4
info:
  title: Sphereon Platform Config API
  version: 0.1.0
  x-products: [edk, vdx]
  x-product-descriptions:
    edk: |
      API for configuring the singleton tenant-owned EDK services.

      EDK has at most one tenant-owned authorization server, one OID4VCI issuer,
      and one OID4VP verifier per tenant. Configuration paths are therefore
      scoped by tenant only, without an instance id.

      The API covers OAuth2/OIDC authorization-server settings for tokens,
      grants, feature policy, and the `/clients` registry for public and
      confidential clients. It also exposes sectioned OID4VCI issuer and OID4VP
      verifier configuration for runtime settings that are not owned by
      credential-design, status-list, or DCQL APIs.
    vdx: |
      API for configuring VDX tenant service instances.

      VDX can host multiple authorization server, OID4VCI issuer, and OID4VP
      verifier instances per tenant. Instance-scoped configuration paths include
      `{instanceId}` and are backed by service-instance commands using VDX
      software party ids as issuer and verifier instance ids.

      The API covers OAuth2/OIDC authorization-server settings for tokens,
      grants, feature policy, and the `/clients` registry for public and
      confidential clients. It also exposes sectioned OID4VCI issuer and OID4VP
      verifier configuration for runtime settings that are not owned by
      credential-design, status-list, or DCQL APIs.
  description: |
    API for configuring tenant-owned service instances.

    Platform-config is separate from platform-admin. Platform-admin manages the
    tenant lifecycle, domains, signup, operator bootstrap, and platform
    infrastructure. Platform-config manages the service instances a tenant runs
    and the operational resources behind those instances.

    EDK and VDX share the same section schema components and validation engine,
    but expose different REST path surfaces. EDK has at most one tenant-owned AS,
    OID4VCI issuer, and OID4VP verifier, so its configuration paths do not take
    an instance id. VDX can host multiple service instances per tenant, so its
    configuration paths are scoped by `{instanceId}`. The instance-scoped VDX
    paths are backed by the service-instance commands and use VDX software party
    ids as instance ids for issuer and verifier instances.

    The API covers OAuth2/OIDC authorization-server settings for tokens,
    grants, feature policy, and the `/clients` registry for public and
    confidential OAuth2 clients. It also exposes sectioned OID4VCI issuer and
    OID4VP verifier runtime configuration for settings that are not owned by
    credential-design, status-list, or DCQL APIs.

    The storage layer is intentionally hidden. Consumers work with typed
    configuration resources and effective values; they do not manage raw
    configuration keys or storage-specific records.

    Settings resources return effective values with `{ value, source }` markers.
    `source: tenant` means the tenant has an override. `source: default` means
    the value is inherited from runtime defaults. PUT replaces one settings
    resource and clears omitted fields back to defaults. PATCH follows JSON
    Merge Patch semantics: absent fields stay unchanged and explicit `null`
    clears a field.

    AS clients are managed as first-class OAuth2 client registrations. A client
    carries `clientType: public` or `clientType: confidential`; confidential
    client secrets are accepted on writes but are never returned.
  contact:
    name: Sphereon International B.V.
    email: support@sphereon.com
    url: https://sphereon.com
  license:
    name: Apache 2.0
    url: https://www.apache.org/licenses/LICENSE-2.0
servers:
  - url: https://api.example.com/api/platform/config/v1
    description: Production server.
  - url: http://localhost:8080/api/platform/config/v1
    description: Local development server.
security:
  - bearer: []
tags:
  - name: AsInstances
    description: OAuth2/OIDC authorization-server instance lifecycle.
  - name: AsTokenSettings
    description: Token lifetime and token-format settings for authorization-server instances.
  - name: AsGrantSettings
    description: Grant type, response type, and scope settings for authorization-server instances.
  - name: AsFeatures
    description: Typed OAuth2/OIDC feature policy for authorization-server instances.
  - name: AsClients
    description: OAuth2 public and confidential client registrations for authorization-server instances.
  - name: AsIdentities
    description: Authenticating identities, their login identifiers and credentials, and optional party bindings for authorization-server instances.
  - name: Oid4vciIssuerMetadataSettings
    description: OID4VCI issuer metadata and display settings.
  - name: Oid4vciIssuerSecuritySettings
    description: OID4VCI issuer credential response and request encryption settings.
  - name: Oid4vciIssuerIssuanceSettings
    description: OID4VCI issuer issuance tuning settings.
  - name: Oid4vpVerifierClientSettings
    description: OID4VP verifier client identity and redirect settings.
  - name: Oid4vpVerifierRequestObjectSigningSettings
    description: OID4VP verifier request-object signing settings.
  - name: Oid4vpVerifierSessionSettings
    description: OID4VP verifier authorization-session lifetime settings.
  - name: Oid4vpVerifierReconciliationSettings
    description: OID4VP verifier identity reconciliation settings.
  - name: Oid4vciIssuerInstances
    description: OID4VCI issuer instance lifecycle. VDX party ids are the instance ids.
  - name: Oid4vpVerifierInstances
    description: OID4VP verifier instance lifecycle. VDX party ids are the instance ids.
  - name: KmsProviders
    description: >
      Manage a tenant's KMS providers — the key-management backends that hold and operate the tenant's
      cryptographic keys. Create additional software providers, list them, and enable or disable them.
  - name: SecretProviders
    description: >
      Select and configure the tenant's secret provider — the backend that resolves and stores the
      tenant's secret references. Reads cascade tenant-first then the application default then the
      read-only environment floor; writes route to the tenant's selected provider. Credentials are
      supplied as references and are never returned.
  - name: EmailAccounts
    description: >
      Manage tenant SMTP mail accounts. Accounts are EXTERNAL software parties with an EMAIL_SERVER
      capability and configuration rooted at `vdx.service.email.accounts.<accountId>.*`. Accounts
      created for the platform tenant act as named defaults that tenant runtimes can inherit unless
      the tenant creates an account with its own sender and SMTP settings.
paths:
  /tenants/{tenantId}/oauth2/as/instances:
    post:
      tags: [AsInstances]
      summary: Create an AS instance
      description: >
        Creates an OAuth2/OIDC authorization-server instance for a tenant. The
        command writes descriptor keys under `oauth2.servers.<slug>.*` and
        enforces the tenant service-instance policy before writing.
      operationId: createAsInstance
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/CreateAsInstanceRequest'
            example:
              tenantId: 7b3c2d9e-1f4a-4c8b-9e2d-5a6f7c8b9d01
              slug: default
              issuer: https://auth.acme.example
              signingAlgorithm: ES256
              userBacking: local
              scopes: [openid, profile, email]
              claimMappings:
                email: email
                name: displayName
      responses:
        '201':
          description: Created AS instance.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsInstance'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
        '401':
          $ref: './common-components.yml#/components/responses/Unauthorized'
        '403':
          $ref: './common-components.yml#/components/responses/Forbidden'
    get:
      tags: [AsInstances]
      summary: List AS instances
      description: Lists AS instances materialized from `oauth2.servers.<slug>.issuer` rows for the tenant.
      operationId: listAsInstances
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/PageQuery'
        - $ref: './platform-config-components.yml#/components/parameters/SizeQuery'
      responses:
        '200':
          description: AS instances.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsInstanceList'
              example:
                items:
                  - tenantId: 7b3c2d9e-1f4a-4c8b-9e2d-5a6f7c8b9d01
                    slug: default
                    issuer: https://auth.acme.example
                    signingAlgorithm: ES256
                    userBacking: local
                    scopes: [openid, profile, email]
                    claimMappings:
                      email: email
                page:
                  page: 0
                  size: 20
                  totalElements: 1
                  totalPages: 1
        '401':
          $ref: './common-components.yml#/components/responses/Unauthorized'
        '403':
          $ref: './common-components.yml#/components/responses/Forbidden'
  /tenants/{tenantId}/oauth2/as/instances/{slug}:
    get:
      tags: [AsInstances]
      summary: Get an AS instance
      operationId: getAsInstance
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/AsSlug'
      responses:
        '200':
          description: AS instance.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsInstance'
        '404':
          $ref: './common-components.yml#/components/responses/NotFound'
    put:
      tags: [AsInstances]
      summary: Update an AS instance descriptor
      operationId: updateAsInstance
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/AsSlug'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/UpdateAsInstanceRequest'
      responses:
        '200':
          description: Updated AS instance.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsInstance'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
        '404':
          $ref: './common-components.yml#/components/responses/NotFound'
    delete:
      tags: [AsInstances]
      summary: Delete an AS instance
      description: Deletes every tenant config key under `oauth2.servers.<slug>.`.
      operationId: deleteAsInstance
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/AsSlug'
      responses:
        '200':
          description: Delete result.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/DeleteAsInstanceResult'
              example:
                deleted: true
  /tenants/{tenantId}/kms/providers:
    post:
      tags: [KmsProviders]
      summary: Create a software KMS provider
      description: >
        Adds a software KMS provider to a tenant. You supply an identifier and optional settings; key
        storage and protection are managed for you, so no filesystem paths or secrets are accepted. The
        provider becomes available to the tenant immediately. Only the `software` provider type is
        supported today.
      operationId: createKmsProvider
      x-products: [edk, vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/CreateKmsProviderRequest'
            example:
              providerId: acme-secondary
              type: software
              autoCreateCertificate: true
      responses:
        '201':
          description: Created KMS provider.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/KmsProvider'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
        '401':
          $ref: './common-components.yml#/components/responses/Unauthorized'
        '403':
          $ref: './common-components.yml#/components/responses/Forbidden'
    get:
      tags: [KmsProviders]
      summary: List a tenant's KMS providers
      description: Returns the KMS providers configured for the tenant, including the primary `_tenant_` provider.
      operationId: listKmsProviders
      x-products: [edk, vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      responses:
        '200':
          description: KMS providers.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/KmsProviderList'
        '401':
          $ref: './common-components.yml#/components/responses/Unauthorized'
        '403':
          $ref: './common-components.yml#/components/responses/Forbidden'
  /tenants/{tenantId}/kms/providers/{providerId}:
    get:
      tags: [KmsProviders]
      summary: Get a KMS provider
      description: Returns a single KMS provider for the tenant.
      operationId: getKmsProvider
      x-products: [edk, vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/KmsProviderId'
      responses:
        '200':
          description: KMS provider.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/KmsProvider'
        '404':
          $ref: './common-components.yml#/components/responses/NotFound'
    put:
      tags: [KmsProviders]
      summary: Update a KMS provider
      description: Updates a KMS provider's mutable settings — its enabled state and whether it auto-creates certificates.
      operationId: updateKmsProvider
      x-products: [edk, vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/KmsProviderId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/UpdateKmsProviderRequest'
      responses:
        '200':
          description: Updated KMS provider.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/KmsProvider'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
        '404':
          $ref: './common-components.yml#/components/responses/NotFound'
  /tenants/{tenantId}/kms/providers/{providerId}/enable:
    patch:
      tags: [KmsProviders]
      summary: Enable or disable a KMS provider
      description: >
        Enables or disables a KMS provider for the tenant. The tenant's primary `_tenant_` provider holds the
        tenant's key material and cannot be disabled.
      operationId: enableKmsProvider
      x-products: [edk, vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/KmsProviderId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/EnableKmsProviderRequest'
            example:
              enabled: true
      responses:
        '200':
          description: Updated KMS provider.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/KmsProvider'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
        '404':
          $ref: './common-components.yml#/components/responses/NotFound'
  /tenants/{tenantId}/secrets/provider:
    get:
      tags: [SecretProviders]
      summary: Get the tenant's selected secret provider
      description: >
        Returns the secret provider selected for the tenant, identified by its type. When no tenant
        provider is selected the tenant inherits the application default and ultimately the read-only
        environment floor. Plaintext secrets and credential references are never returned; the response
        reports only the credential mode together with the partition strategy and instance id that
        determine how addresses are sharded.
      operationId: getSecretProvider
      x-products: [edk, vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      responses:
        '200':
          description: Selected secret provider.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/SecretProvider'
        '401':
          $ref: './common-components.yml#/components/responses/Unauthorized'
        '403':
          $ref: './common-components.yml#/components/responses/Forbidden'
    put:
      tags: [SecretProviders]
      summary: Select and configure the tenant's secret provider
      description: >
        Selects and configures the secret provider that resolves and stores the tenant's secret
        references. The concrete request shape is chosen by `type`. Credentials are supplied as
        references resolved at runtime and are never returned. The optional `partitionStrategy` and
        `instanceId` control how the provider shards tenant and instance addresses; when omitted the
        per-type default strategy applies.
      operationId: putSecretProvider
      x-products: [edk, vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/SetSecretProviderRequest'
            example:
              type: vault
              partitionStrategy: TENANT_PATH_INSTANCE_PATH
              address: https://vault.acme.internal
              credentialRef:
                ref: ${env:ACME_VAULT_TOKEN}
      responses:
        '200':
          description: Selected secret provider.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/SecretProvider'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
        '401':
          $ref: './common-components.yml#/components/responses/Unauthorized'
        '403':
          $ref: './common-components.yml#/components/responses/Forbidden'
  /tenants/{tenantId}/secrets/values:
    put:
      tags: [SecretProviders]
      summary: Write secret values through the tenant's selected provider
      description: >
        Writes one or more secret values through the tenant's selected writable secret provider and
        returns the canonical reference for each key. Values are write-only; only the resulting
        references are returned so they can be stored in configuration. The selected provider must be
        writable — a read-only provider (such as the environment floor or a Kubernetes secret mount)
        is rejected.
      operationId: putSecretValues
      x-products: [edk, vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/SecretValuesWriteRequest'
            example:
              values:
                idp/idp-client-secret: super-secret-value
      responses:
        '200':
          description: Canonical references for the written values.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/SecretValuesWriteResult'
              example:
                references:
                  idp/idp-client-secret:
                    ref: ${secret:idp/idp-client-secret}
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
        '401':
          $ref: './common-components.yml#/components/responses/Unauthorized'
        '403':
          $ref: './common-components.yml#/components/responses/Forbidden'
  /tenants/{tenantId}/email/accounts:
    get:
      tags: [EmailAccounts]
      summary: List tenant email accounts
      description: >
        Lists SMTP mail accounts registered for the tenant. For the platform tenant these accounts are
        named platform defaults; regular tenants can add their own accounts to send mail with their
        own sender name, address, and SMTP server.
      operationId: listEmailAccounts
      x-products: [edk, vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/ManagementModeQuery'
        - $ref: './platform-config-components.yml#/components/parameters/LifecycleStatusQuery'
        - $ref: './platform-config-components.yml#/components/parameters/PageQuery'
        - $ref: './platform-config-components.yml#/components/parameters/SizeQuery'
      responses:
        '200':
          description: Tenant email accounts.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/EmailAccountList'
        '401':
          $ref: './common-components.yml#/components/responses/Unauthorized'
        '403':
          $ref: './common-components.yml#/components/responses/Forbidden'
    post:
      tags: [EmailAccounts]
      summary: Create an email account
      description: >
        Creates an EXTERNAL software party with an EMAIL_SERVER capability and writes the mail account
        config under `vdx.service.email.accounts.<accountId>.*`. SMTP credentials are supplied as a
        secret reference only; plaintext passwords are not accepted.
      operationId: createEmailAccount
      x-products: [edk, vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/EmailAccountCreateRequest'
            example:
              accountId: support
              displayName: Acme Support Mail
              managementMode: EXTERNAL
              runtimeMode: THIRD_PARTY
              config:
                transportId: smtp
                fromAddress: support@acme.example
                fromName: Acme Support
                replyTo: helpdesk@acme.example
                smtp:
                  host: smtp.mail.example
                  port: 587
                  username: support@acme.example
                  passwordSecretRef: ${secret:mail/support/password}
                  useStarttls: true
                  useSsl: false
      responses:
        '201':
          description: Created email account.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/EmailAccountDetail'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
        '401':
          $ref: './common-components.yml#/components/responses/Unauthorized'
        '403':
          $ref: './common-components.yml#/components/responses/Forbidden'
  /tenants/{tenantId}/email/accounts/{instanceId}:
    get:
      tags: [EmailAccounts]
      summary: Get an email account
      operationId: getEmailAccount
      x-products: [edk, vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      responses:
        '200':
          description: Email account detail.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/EmailAccountDetail'
        '404':
          $ref: './common-components.yml#/components/responses/NotFound'
    patch:
      tags: [EmailAccounts]
      summary: Update an email account
      description: >
        Updates the tenant mail account configuration. The path id is the email account software
        party id; the stable account id remains the `<accountId>` segment in the config key prefix.
      operationId: updateEmailAccount
      x-products: [edk, vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/EmailAccountUpdateRequest'
      responses:
        '200':
          description: Updated email account.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/EmailAccountDetail'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
        '404':
          $ref: './common-components.yml#/components/responses/NotFound'
    delete:
      tags: [EmailAccounts]
      summary: Delete an email account
      description: Soft-deletes the email account software party and removes its mail config prefix.
      operationId: deleteEmailAccount
      x-products: [edk, vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      responses:
        '204':
          description: Deleted.
  /tenants/{tenantId}/email/accounts/{instanceId}/test-send:
    post:
      tags: [EmailAccounts]
      summary: Send a test email through an account
      description: >
        Sends a test message using the selected tenant email account. The path id is the email
        account software party id; the server resolves the stable `accountId` and dispatches through
        the tenant-scoped email service.
      operationId: testSendEmailAccount
      x-products: [edk, vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/EmailAccountTestSendRequest'
            example:
              to: operator@acme.example
              subject: Test email from Acme Support
      responses:
        '202':
          description: Test email accepted by the configured transport.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/EmailAccountTestSendResponse'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
        '404':
          $ref: './common-components.yml#/components/responses/NotFound'
  /tenants/{tenantId}/oauth2/as/tokens:
    get:
      tags: [AsTokenSettings]
      summary: Get EDK AS token settings
      description: >
        Returns token lifetimes and token behavior for the tenant's singleton
        EDK authorization server. EDK couples this AS to the tenant, so no
        instance id is present in the path.
      operationId: getAsTokenSettings
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      responses:
        '200':
          description: Effective token settings with source markers.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsTokensConfigView'
    put:
      tags: [AsTokenSettings]
      summary: Replace EDK AS token settings
      operationId: replaceAsTokenSettings
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsTokensConfig'
            example:
              accessTokenLifetimeSeconds: 1800
              refreshTokenLifetimeSeconds: 2592000
              tokenFormat: jwt
              refreshTokenRotation: true
      responses:
        '200':
          description: Effective token settings after replacement.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsTokensConfigView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
    patch:
      tags: [AsTokenSettings]
      summary: Update EDK AS token settings
      operationId: updateAsTokenSettings
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      requestBody:
        required: true
        content:
          application/merge-patch+json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsTokensConfig'
            example:
              accessTokenLifetimeSeconds: 900
              refreshTokenLifetimeSeconds: null
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsTokensConfig'
      responses:
        '200':
          description: Effective token settings after patch.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsTokensConfigView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
  /tenants/{tenantId}/oauth2/as/grants:
    get:
      tags: [AsGrantSettings]
      summary: Get EDK AS grant settings
      operationId: getAsGrantSettings
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      responses:
        '200':
          description: Effective grant, response-type, and scope settings.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsGrantsConfigView'
    put:
      tags: [AsGrantSettings]
      summary: Replace EDK AS grant settings
      operationId: replaceAsGrantSettings
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsGrantsConfig'
            example:
              grantTypesEnabled: [authorization_code, refresh_token]
              responseTypesSupported: [code]
              scopesSupported: [openid, profile, email]
      responses:
        '200':
          description: Effective grant settings after replacement.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsGrantsConfigView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
    patch:
      tags: [AsGrantSettings]
      summary: Update EDK AS grant settings
      operationId: updateAsGrantSettings
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      requestBody:
        required: true
        content:
          application/merge-patch+json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsGrantsConfig'
            example:
              scopesSupported: [openid, profile, email, offline_access]
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsGrantsConfig'
      responses:
        '200':
          description: Effective grant settings after patch.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsGrantsConfigView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
  /tenants/{tenantId}/oauth2/as/features:
    get:
      tags: [AsFeatures]
      summary: Get EDK AS feature policy
      operationId: getAsFeatures
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      responses:
        '200':
          description: Effective OAuth/OIDC feature policy.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsFeaturesConfigView'
    put:
      tags: [AsFeatures]
      summary: Replace EDK AS feature policy
      operationId: replaceAsFeatures
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsFeaturesConfig'
            example:
              oidc: supported
              logout: supported
              introspection: supported
              revocation: supported
              par: disabled
              tokenExchange: disabled
              deviceFlow: disabled
              pkce: required
              dpop: supported
              iae: disabled
              jar: supported
              attestation: disabled
              jarm: disabled
              mtls: disabled
              signedMetadata: supported
      responses:
        '200':
          description: Effective feature policy after replacement.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsFeaturesConfigView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
    patch:
      tags: [AsFeatures]
      summary: Update EDK AS feature policy
      operationId: updateAsFeatures
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      requestBody:
        required: true
        content:
          application/merge-patch+json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsFeaturesConfig'
            example:
              pkce: required
              dpop: supported
              jarm: disabled
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsFeaturesConfig'
      responses:
        '200':
          description: Effective feature policy after patch.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsFeaturesConfigView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
  /tenants/{tenantId}/oauth2/as/instances/{instanceId}/tokens:
    get:
      tags: [AsTokenSettings]
      summary: Get AS token settings
      description: Returns effective token lifetimes and token behavior for the AS instance.
      operationId: getVdxAsTokenSettings
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      responses:
        '200':
          description: Effective token settings with source markers.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsTokensConfigView'
    put:
      tags: [AsTokenSettings]
      summary: Replace AS token settings
      description: >
        Replaces token settings. Provided non-null fields become tenant
        overrides; omitted fields and explicit nulls clear the tenant override
        and return the field to its default.
      operationId: replaceVdxAsTokenSettings
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsTokensConfig'
            example:
              accessTokenLifetimeSeconds: 1800
              tokenFormat: jwt
              refreshTokenRotation: true
      responses:
        '200':
          description: Effective token settings after replacement.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsTokensConfigView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
    patch:
      tags: [AsTokenSettings]
      summary: Update AS token settings
      description: >
        Applies RFC 7386 merge-patch semantics to token settings. Absent fields
        stay unchanged. Explicit null clears the tenant override for that field.
      operationId: updateVdxAsTokenSettings
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      requestBody:
        required: true
        content:
          application/merge-patch+json:
            schema:
              type: object
            example:
              accessTokenLifetimeSeconds: 900
              refreshTokenLifetimeSeconds: null
          application/json:
            schema:
              type: object
      responses:
        '200':
          description: Effective token settings after patch.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsTokensConfigView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
  /tenants/{tenantId}/oauth2/as/instances/{instanceId}/grants:
    get:
      tags: [AsGrantSettings]
      summary: Get AS grant settings
      operationId: getVdxAsGrantSettings
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      responses:
        '200':
          description: Effective grant, response-type, and scope settings.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsGrantsConfigView'
    put:
      tags: [AsGrantSettings]
      summary: Replace AS grant settings
      operationId: replaceVdxAsGrantSettings
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsGrantsConfig'
      responses:
        '200':
          description: Effective grant settings after replacement.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsGrantsConfigView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
    patch:
      tags: [AsGrantSettings]
      summary: Update AS grant settings
      operationId: updateVdxAsGrantSettings
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      requestBody:
        required: true
        content:
          application/merge-patch+json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsGrantsConfig'
            example:
              scopesSupported: [openid, profile, email]
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsGrantsConfig'
      responses:
        '200':
          description: Effective grant settings after patch.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsGrantsConfigView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
  /tenants/{tenantId}/oauth2/as/instances/{instanceId}/features:
    get:
      tags: [AsFeatures]
      summary: Get AS feature policy
      operationId: getVdxAsFeatures
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      responses:
        '200':
          description: Effective OAuth/OIDC feature policy.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsFeaturesConfigView'
    put:
      tags: [AsFeatures]
      summary: Replace AS feature policy
      operationId: replaceVdxAsFeatures
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsFeaturesConfig'
      responses:
        '200':
          description: Effective feature policy after replacement.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsFeaturesConfigView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
    patch:
      tags: [AsFeatures]
      summary: Update AS feature policy
      operationId: updateVdxAsFeatures
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      requestBody:
        required: true
        content:
          application/merge-patch+json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsFeaturesConfig'
            example:
              pkce: required
              dpop: supported
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsFeaturesConfig'
      responses:
        '200':
          description: Effective feature policy after patch.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsFeaturesConfigView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
  /tenants/{tenantId}/oauth2/as/clients:
    get:
      tags: [AsClients]
      summary: List AS OAuth2 clients
      description: Lists public and confidential OAuth2 clients from the tenant client registry consumed by the AS runtime.
      operationId: listAsClients
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      responses:
        '200':
          description: OAuth2 clients.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsClientList'
    post:
      tags: [AsClients]
      summary: Register an AS OAuth2 client
      description: >
        Creates a public or confidential OAuth2 client registration. Use
        `clientType: public` with `tokenEndpointAuthMethod: none` for browser,
        native, and wallet clients. Use `clientType: confidential` with an
        authentication method such as `client_secret_basic` for backend clients.
      operationId: createAsClient
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsClientCreateRequest'
            examples:
              publicWallet:
                value:
                  clientId: wallet-web
                  clientName: Acme web wallet
                  clientType: public
                  grantTypes: [authorization_code, refresh_token]
                  responseTypes: [code]
                  redirectUris: [https://wallet.acme.example/callback]
                  allowedScopes: [openid, profile, email]
                  requirePkce: true
              confidentialBackend:
                value:
                  clientId: issuer-backend
                  clientName: Issuer backend
                  clientType: confidential
                  clientSecret: 8m3YwWv7qR4p2sL9nT6x
                  grantTypes: [client_credentials]
                  tokenEndpointAuthMethod: client_secret_basic
                  allowedScopes: [openid, issuance]
      responses:
        '201':
          description: Created OAuth2 client.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsClient'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
  /tenants/{tenantId}/oauth2/as/clients/{clientId}:
    get:
      tags: [AsClients]
      summary: Get an AS OAuth2 client
      operationId: getAsClient
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/ClientId'
      responses:
        '200':
          description: OAuth2 client.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsClient'
        '404':
          $ref: './common-components.yml#/components/responses/NotFound'
    put:
      tags: [AsClients]
      summary: Replace an AS OAuth2 client
      operationId: replaceAsClient
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/ClientId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsClientReplaceRequest'
      responses:
        '200':
          description: Replaced OAuth2 client.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsClient'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
        '404':
          $ref: './common-components.yml#/components/responses/NotFound'
    patch:
      tags: [AsClients]
      summary: Update an AS OAuth2 client
      operationId: updateAsClient
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/ClientId'
      requestBody:
        required: true
        content:
          application/merge-patch+json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsClientPatchRequest'
            example:
              redirectUris: [https://wallet.acme.example/callback, com.acme.wallet:/oauth2redirect]
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsClientPatchRequest'
      responses:
        '200':
          description: Updated OAuth2 client.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsClient'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
        '404':
          $ref: './common-components.yml#/components/responses/NotFound'
    delete:
      tags: [AsClients]
      summary: Delete an AS OAuth2 client
      operationId: deleteAsClient
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/ClientId'
      responses:
        '200':
          description: Delete result.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/DeleteAsClientResult'
        '404':
          $ref: './common-components.yml#/components/responses/NotFound'
  /tenants/{tenantId}/oauth2/as/instances/{instanceId}/clients:
    get:
      tags: [AsClients]
      summary: List AS OAuth2 clients
      description: Lists public and confidential OAuth2 clients from the instance client registry consumed by the AS runtime.
      operationId: listVdxAsClients
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      responses:
        '200':
          description: OAuth2 clients.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsClientList'
    post:
      tags: [AsClients]
      summary: Register an AS OAuth2 client
      description: >
        Creates a public or confidential OAuth2 client registration. Use
        `clientType: public` with `tokenEndpointAuthMethod: none` for browser,
        native, and wallet clients. Use `clientType: confidential` with an
        authentication method such as `client_secret_basic` for backend clients.
      operationId: createVdxAsClient
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsClientCreateRequest'
            examples:
              publicWallet:
                value:
                  clientId: wallet-web
                  clientName: Acme web wallet
                  clientType: public
                  grantTypes: [authorization_code, refresh_token]
                  responseTypes: [code]
                  redirectUris: [https://wallet.acme.example/callback]
                  allowedScopes: [openid, profile, email]
                  requirePkce: true
              confidentialBackend:
                value:
                  clientId: issuer-backend
                  clientName: Issuer backend
                  clientType: confidential
                  clientSecret: 8m3YwWv7qR4p2sL9nT6x
                  grantTypes: [client_credentials]
                  tokenEndpointAuthMethod: client_secret_basic
                  allowedScopes: [openid, issuance]
      responses:
        '201':
          description: Created OAuth2 client.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsClient'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
  /tenants/{tenantId}/oauth2/as/instances/{instanceId}/clients/{clientId}:
    get:
      tags: [AsClients]
      summary: Get an AS OAuth2 client
      operationId: getVdxAsClient
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
        - $ref: './platform-config-components.yml#/components/parameters/ClientId'
      responses:
        '200':
          description: OAuth2 client.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsClient'
        '404':
          $ref: './common-components.yml#/components/responses/NotFound'
    put:
      tags: [AsClients]
      summary: Replace an AS OAuth2 client
      operationId: replaceVdxAsClient
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
        - $ref: './platform-config-components.yml#/components/parameters/ClientId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsClientReplaceRequest'
      responses:
        '200':
          description: Replaced OAuth2 client.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsClient'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
        '404':
          $ref: './common-components.yml#/components/responses/NotFound'
    patch:
      tags: [AsClients]
      summary: Update an AS OAuth2 client
      operationId: updateVdxAsClient
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
        - $ref: './platform-config-components.yml#/components/parameters/ClientId'
      requestBody:
        required: true
        content:
          application/merge-patch+json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsClientPatchRequest'
            example:
              redirectUris: [https://wallet.acme.example/callback, com.acme.wallet:/oauth2redirect]
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsClientPatchRequest'
      responses:
        '200':
          description: Updated OAuth2 client.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsClient'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
        '404':
          $ref: './common-components.yml#/components/responses/NotFound'
    delete:
      tags: [AsClients]
      summary: Delete an AS OAuth2 client
      operationId: deleteVdxAsClient
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
        - $ref: './platform-config-components.yml#/components/parameters/ClientId'
      responses:
        '200':
          description: Delete result.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/DeleteAsClientResult'
        '404':
          $ref: './common-components.yml#/components/responses/NotFound'
  /tenants/{tenantId}/oauth2/as/identities:
    get:
      tags: [AsIdentities]
      summary: List AS identities
      description: Lists authenticating identities registered against the tenant's singleton AS, with their login identifiers and optional party binding.
      operationId: listAsIdentities
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      responses:
        '200':
          description: AS identities.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsIdentityList'
    post:
      tags: [AsIdentities]
      summary: Create an AS identity
      description: >
        Provisions an authenticating identity with at least one login identifier
        (typically an `email`) and a credential. When no credential is supplied
        the server generates a one-time activation code returned once in the
        response. An optional `partyBinding` binds the identity to an existing
        party or creates and binds a natural person inline.
      operationId: createAsIdentity
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsIdentityCreateRequest'
            examples:
              passwordIdentity:
                value:
                  displayName: Sofia Almeida
                  identifiers:
                    - type: email
                      value: sofia.almeida@acme.example
                  credential:
                    password: correct-horse-battery-staple
                  allowedMethods: [password]
              activationCodeIdentity:
                value:
                  identifiers:
                    - type: email
                      value: new.operator@acme.example
              naturalPersonBinding:
                value:
                  displayName: Sofia Almeida
                  identifiers:
                    - type: email
                      value: sofia.almeida@acme.example
                  partyBinding:
                    naturalPerson:
                      firstName: Sofia
                      lastName: Almeida
      responses:
        '201':
          description: Created AS identity. The activation code is present only when no credential was supplied.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsIdentityCreateResult'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
  /tenants/{tenantId}/oauth2/as/identities/{identityId}:
    get:
      tags: [AsIdentities]
      summary: Get an AS identity
      operationId: getAsIdentity
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/IdentityId'
      responses:
        '200':
          description: AS identity.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsIdentity'
        '404':
          $ref: './common-components.yml#/components/responses/NotFound'
    delete:
      tags: [AsIdentities]
      summary: Delete an AS identity
      operationId: deleteAsIdentity
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/IdentityId'
      responses:
        '200':
          description: Delete result.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/DeleteAsIdentityResult'
        '404':
          $ref: './common-components.yml#/components/responses/NotFound'
  /tenants/{tenantId}/oauth2/as/identities/{identityId}/credential:
    put:
      tags: [AsIdentities]
      summary: Set or reset an AS identity credential
      description: >
        Sets the identity's login credential as an operator. When a password is
        supplied it replaces the current one; when omitted the server generates a
        new one-time activation code returned once in the response. Any existing
        credential is overwritten.
      operationId: setAsIdentityCredential
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/IdentityId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsIdentityCredentialResetRequest'
            examples:
              setPassword:
                value:
                  password: correct-horse-battery-staple
              regenerateActivationCode:
                value: {}
      responses:
        '200':
          description: Credential updated. The activation code is present only when no password was supplied.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsIdentityCredentialResetResult'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
        '404':
          $ref: './common-components.yml#/components/responses/NotFound'
  /tenants/{tenantId}/oauth2/as/instances/{instanceId}/identities:
    get:
      tags: [AsIdentities]
      summary: List AS identities
      description: Lists authenticating identities registered against the AS instance, with their login identifiers and optional party binding.
      operationId: listVdxAsIdentities
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      responses:
        '200':
          description: AS identities.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsIdentityList'
    post:
      tags: [AsIdentities]
      summary: Create an AS identity
      description: >
        Provisions an authenticating identity with at least one login identifier
        (typically an `email`) and a credential. When no credential is supplied
        the server generates a one-time activation code returned once in the
        response. An optional `partyBinding` binds the identity to an existing
        party or creates and binds a natural person inline.
      operationId: createVdxAsIdentity
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsIdentityCreateRequest'
            examples:
              passwordIdentity:
                value:
                  displayName: Sofia Almeida
                  identifiers:
                    - type: email
                      value: sofia.almeida@acme.example
                  credential:
                    password: correct-horse-battery-staple
                  allowedMethods: [password]
              activationCodeIdentity:
                value:
                  identifiers:
                    - type: email
                      value: new.operator@acme.example
      responses:
        '201':
          description: Created AS identity. The activation code is present only when no credential was supplied.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsIdentityCreateResult'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
  /tenants/{tenantId}/oauth2/as/instances/{instanceId}/identities/{identityId}:
    get:
      tags: [AsIdentities]
      summary: Get an AS identity
      operationId: getVdxAsIdentity
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
        - $ref: './platform-config-components.yml#/components/parameters/IdentityId'
      responses:
        '200':
          description: AS identity.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsIdentity'
        '404':
          $ref: './common-components.yml#/components/responses/NotFound'
    delete:
      tags: [AsIdentities]
      summary: Delete an AS identity
      operationId: deleteVdxAsIdentity
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
        - $ref: './platform-config-components.yml#/components/parameters/IdentityId'
      responses:
        '200':
          description: Delete result.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/DeleteAsIdentityResult'
        '404':
          $ref: './common-components.yml#/components/responses/NotFound'
  /tenants/{tenantId}/oauth2/as/instances/{instanceId}/identities/{identityId}/credential:
    put:
      tags: [AsIdentities]
      summary: Set or reset an AS identity credential
      description: >
        Sets the identity's login credential as an operator. When a password is
        supplied it replaces the current one; when omitted the server generates a
        new one-time activation code returned once in the response. Any existing
        credential is overwritten.
      operationId: setVdxAsIdentityCredential
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
        - $ref: './platform-config-components.yml#/components/parameters/IdentityId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/AsIdentityCredentialResetRequest'
            examples:
              setPassword:
                value:
                  password: correct-horse-battery-staple
              regenerateActivationCode:
                value: {}
      responses:
        '200':
          description: Credential updated. The activation code is present only when no password was supplied.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/AsIdentityCredentialResetResult'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
        '404':
          $ref: './common-components.yml#/components/responses/NotFound'
  /tenants/{tenantId}/oid4vci/issuer/metadata:
    get:
      tags: [Oid4vciIssuerMetadataSettings]
      summary: Get EDK OID4VCI issuer metadata settings
      operationId: getOid4vciIssuerMetadataSettings
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      responses:
        '200':
          description: Effective issuer metadata settings.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerMetadataSettingsView'
    put:
      tags: [Oid4vciIssuerMetadataSettings]
      summary: Replace EDK OID4VCI issuer metadata settings
      operationId: replaceOid4vciIssuerMetadataSettings
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerMetadataSettings'
      responses:
        '200':
          description: Effective issuer metadata settings after replacement.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerMetadataSettingsView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
    patch:
      tags: [Oid4vciIssuerMetadataSettings]
      summary: Update EDK OID4VCI issuer metadata settings
      operationId: updateOid4vciIssuerMetadataSettings
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      requestBody:
        required: true
        content:
          application/merge-patch+json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerMetadataSettings'
            example:
              displayName: Acme Workforce Issuer
              displayLocale: en-US
              signedMetadataEnabled: true
              metadataSigningKeyAlias: oid4vci-metadata-signing
              metadataSigningKmsProviderId: software-kms
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerMetadataSettings'
      responses:
        '200':
          description: Effective issuer metadata settings after patch.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerMetadataSettingsView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
  /tenants/{tenantId}/oid4vci/issuer/security:
    get:
      tags: [Oid4vciIssuerSecuritySettings]
      summary: Get EDK OID4VCI issuer security settings
      operationId: getOid4vciIssuerSecuritySettings
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      responses:
        '200':
          description: Effective issuer security settings.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerSecuritySettingsView'
    patch:
      tags: [Oid4vciIssuerSecuritySettings]
      summary: Update EDK OID4VCI issuer security settings
      operationId: updateOid4vciIssuerSecuritySettings
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      requestBody:
        required: true
        content:
          application/merge-patch+json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerSecuritySettings'
            example:
              credentialResponseEncryptionAlgValuesSupported: [ECDH-ES]
              credentialResponseEncryptionEncValuesSupported: [A256GCM]
              credentialResponseEncryptionRequired: true
              credentialRequestDecryptionKeyAlias: oid4vci-request-decryption
              credentialRequestDecryptionKmsProviderId: software-kms
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerSecuritySettings'
      responses:
        '200':
          description: Effective issuer security settings after patch.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerSecuritySettingsView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
  /tenants/{tenantId}/oid4vci/issuer/issuance:
    get:
      tags: [Oid4vciIssuerIssuanceSettings]
      summary: Get EDK OID4VCI issuer issuance settings
      operationId: getOid4vciIssuerIssuanceSettings
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      responses:
        '200':
          description: Effective issuer issuance settings.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerIssuanceSettingsView'
    patch:
      tags: [Oid4vciIssuerIssuanceSettings]
      summary: Update EDK OID4VCI issuer issuance settings
      operationId: updateOid4vciIssuerIssuanceSettings
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      requestBody:
        required: true
        content:
          application/merge-patch+json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerIssuanceSettings'
            example:
              batchCredentialIssuanceMaxSize: 10
              issuanceClockSkewInSeconds: 60
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerIssuanceSettings'
      responses:
        '200':
          description: Effective issuer issuance settings after patch.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerIssuanceSettingsView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
  /tenants/{tenantId}/oid4vci/issuer/instances/{instanceId}/metadata:
    get:
      tags: [Oid4vciIssuerMetadataSettings]
      summary: Get VDX OID4VCI issuer metadata settings
      operationId: getVdxOid4vciIssuerMetadataSettings
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      responses:
        '200':
          description: Effective issuer metadata settings.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerMetadataSettingsView'
    put:
      tags: [Oid4vciIssuerMetadataSettings]
      summary: Replace VDX OID4VCI issuer metadata settings
      operationId: replaceVdxOid4vciIssuerMetadataSettings
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerMetadataSettings'
      responses:
        '200':
          description: Effective issuer metadata settings after replacement.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerMetadataSettingsView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
    patch:
      tags: [Oid4vciIssuerMetadataSettings]
      summary: Update VDX OID4VCI issuer metadata settings
      operationId: updateVdxOid4vciIssuerMetadataSettings
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      requestBody:
        required: true
        content:
          application/merge-patch+json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerMetadataSettings'
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerMetadataSettings'
      responses:
        '200':
          description: Effective issuer metadata settings after patch.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerMetadataSettingsView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
  /tenants/{tenantId}/oid4vci/issuer/instances/{instanceId}/security:
    get:
      tags: [Oid4vciIssuerSecuritySettings]
      summary: Get VDX OID4VCI issuer security settings
      operationId: getVdxOid4vciIssuerSecuritySettings
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      responses:
        '200':
          description: Effective issuer security settings.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerSecuritySettingsView'
    patch:
      tags: [Oid4vciIssuerSecuritySettings]
      summary: Update VDX OID4VCI issuer security settings
      operationId: updateVdxOid4vciIssuerSecuritySettings
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      requestBody:
        required: true
        content:
          application/merge-patch+json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerSecuritySettings'
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerSecuritySettings'
      responses:
        '200':
          description: Effective issuer security settings after patch.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerSecuritySettingsView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
  /tenants/{tenantId}/oid4vci/issuer/instances/{instanceId}/issuance:
    get:
      tags: [Oid4vciIssuerIssuanceSettings]
      summary: Get VDX OID4VCI issuer issuance settings
      operationId: getVdxOid4vciIssuerIssuanceSettings
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      responses:
        '200':
          description: Effective issuer issuance settings.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerIssuanceSettingsView'
    patch:
      tags: [Oid4vciIssuerIssuanceSettings]
      summary: Update VDX OID4VCI issuer issuance settings
      operationId: updateVdxOid4vciIssuerIssuanceSettings
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      requestBody:
        required: true
        content:
          application/merge-patch+json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerIssuanceSettings'
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerIssuanceSettings'
      responses:
        '200':
          description: Effective issuer issuance settings after patch.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerIssuanceSettingsView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
  /tenants/{tenantId}/oid4vp/verifier/client:
    get:
      tags: [Oid4vpVerifierClientSettings]
      summary: Get EDK OID4VP verifier client settings
      operationId: getOid4vpVerifierClientSettings
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      responses:
        '200':
          description: Effective verifier client settings.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierClientSettingsView'
    patch:
      tags: [Oid4vpVerifierClientSettings]
      summary: Update EDK OID4VP verifier client settings
      operationId: updateOid4vpVerifierClientSettings
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      requestBody:
        required: true
        content:
          application/merge-patch+json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierClientSettings'
            example:
              externalBaseUrl: https://verify.acme.example
              responseUri: https://verify.acme.example/direct_post
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierClientSettings'
      responses:
        '200':
          description: Effective verifier client settings after patch.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierClientSettingsView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
  /tenants/{tenantId}/oid4vp/verifier/request-object-signing:
    get:
      tags: [Oid4vpVerifierRequestObjectSigningSettings]
      summary: Get EDK OID4VP request-object signing settings
      operationId: getOid4vpVerifierRequestObjectSigningSettings
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      responses:
        '200':
          description: Effective request-object signing settings.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierRequestObjectSigningSettingsView'
    patch:
      tags: [Oid4vpVerifierRequestObjectSigningSettings]
      summary: Update EDK OID4VP request-object signing settings
      operationId: updateOid4vpVerifierRequestObjectSigningSettings
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      requestBody:
        required: true
        content:
          application/merge-patch+json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierRequestObjectSigningSettings'
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierRequestObjectSigningSettings'
      responses:
        '200':
          description: Effective request-object signing settings after patch.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierRequestObjectSigningSettingsView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
  /tenants/{tenantId}/oid4vp/verifier/sessions:
    get:
      tags: [Oid4vpVerifierSessionSettings]
      summary: Get EDK OID4VP verifier session settings
      operationId: getOid4vpVerifierSessionSettings
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      responses:
        '200':
          description: Effective verifier session settings.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierSessionSettingsView'
    patch:
      tags: [Oid4vpVerifierSessionSettings]
      summary: Update EDK OID4VP verifier session settings
      operationId: updateOid4vpVerifierSessionSettings
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      requestBody:
        required: true
        content:
          application/merge-patch+json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierSessionSettings'
            example:
              sessionTtlSeconds: 300
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierSessionSettings'
      responses:
        '200':
          description: Effective verifier session settings after patch.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierSessionSettingsView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
  /tenants/{tenantId}/oid4vp/verifier/identity-reconciliation:
    get:
      tags: [Oid4vpVerifierReconciliationSettings]
      summary: Get EDK OID4VP verifier reconciliation settings
      operationId: getOid4vpVerifierReconciliationSettings
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      responses:
        '200':
          description: Effective verifier reconciliation settings.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierReconciliationSettingsView'
    patch:
      tags: [Oid4vpVerifierReconciliationSettings]
      summary: Update EDK OID4VP verifier reconciliation settings
      operationId: updateOid4vpVerifierReconciliationSettings
      x-products: [edk]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      requestBody:
        required: true
        content:
          application/merge-patch+json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierReconciliationSettings'
            example:
              requireReconciliation: true
              userIdentifierClaimPath: sub
              frontendUrl: https://app.acme.example/verify
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierReconciliationSettings'
      responses:
        '200':
          description: Effective verifier reconciliation settings after patch.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierReconciliationSettingsView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
  /tenants/{tenantId}/oid4vp/verifier/instances/{instanceId}/client:
    get:
      tags: [Oid4vpVerifierClientSettings]
      summary: Get VDX OID4VP verifier client settings
      operationId: getVdxOid4vpVerifierClientSettings
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      responses:
        '200':
          description: Effective verifier client settings.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierClientSettingsView'
    patch:
      tags: [Oid4vpVerifierClientSettings]
      summary: Update VDX OID4VP verifier client settings
      operationId: updateVdxOid4vpVerifierClientSettings
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      requestBody:
        required: true
        content:
          application/merge-patch+json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierClientSettings'
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierClientSettings'
      responses:
        '200':
          description: Effective verifier client settings after patch.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierClientSettingsView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
  /tenants/{tenantId}/oid4vp/verifier/instances/{instanceId}/request-object-signing:
    get:
      tags: [Oid4vpVerifierRequestObjectSigningSettings]
      summary: Get VDX OID4VP request-object signing settings
      operationId: getVdxOid4vpVerifierRequestObjectSigningSettings
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      responses:
        '200':
          description: Effective request-object signing settings.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierRequestObjectSigningSettingsView'
    patch:
      tags: [Oid4vpVerifierRequestObjectSigningSettings]
      summary: Update VDX OID4VP request-object signing settings
      operationId: updateVdxOid4vpVerifierRequestObjectSigningSettings
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      requestBody:
        required: true
        content:
          application/merge-patch+json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierRequestObjectSigningSettings'
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierRequestObjectSigningSettings'
      responses:
        '200':
          description: Effective request-object signing settings after patch.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierRequestObjectSigningSettingsView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
  /tenants/{tenantId}/oid4vp/verifier/instances/{instanceId}/sessions:
    get:
      tags: [Oid4vpVerifierSessionSettings]
      summary: Get VDX OID4VP verifier session settings
      operationId: getVdxOid4vpVerifierSessionSettings
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      responses:
        '200':
          description: Effective verifier session settings.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierSessionSettingsView'
    patch:
      tags: [Oid4vpVerifierSessionSettings]
      summary: Update VDX OID4VP verifier session settings
      operationId: updateVdxOid4vpVerifierSessionSettings
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      requestBody:
        required: true
        content:
          application/merge-patch+json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierSessionSettings'
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierSessionSettings'
      responses:
        '200':
          description: Effective verifier session settings after patch.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierSessionSettingsView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
  /tenants/{tenantId}/oid4vp/verifier/instances/{instanceId}/identity-reconciliation:
    get:
      tags: [Oid4vpVerifierReconciliationSettings]
      summary: Get VDX OID4VP verifier reconciliation settings
      operationId: getVdxOid4vpVerifierReconciliationSettings
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      responses:
        '200':
          description: Effective verifier reconciliation settings.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierReconciliationSettingsView'
    patch:
      tags: [Oid4vpVerifierReconciliationSettings]
      summary: Update VDX OID4VP verifier reconciliation settings
      operationId: updateVdxOid4vpVerifierReconciliationSettings
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      requestBody:
        required: true
        content:
          application/merge-patch+json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierReconciliationSettings'
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierReconciliationSettings'
      responses:
        '200':
          description: Effective verifier reconciliation settings after patch.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierReconciliationSettingsView'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
  /tenants/{tenantId}/oid4vci/issuer/instances:
    get:
      tags: [Oid4vciIssuerInstances]
      summary: List OID4VCI issuer instances
      description: >
        Lists OID4VCI issuer instances for the tenant. The implementation is the
        VDX service-instance issuer command surface mounted under platform-config;
        instances are software parties with an OID4VCI_ISSUER capability and
        configuration rooted at `oid4vci.issuers.<instanceId>.*`.
      operationId: listOid4vciIssuerInstances
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/ManagementModeQuery'
        - $ref: './platform-config-components.yml#/components/parameters/LifecycleStatusQuery'
        - $ref: './platform-config-components.yml#/components/parameters/PageQuery'
        - $ref: './platform-config-components.yml#/components/parameters/SizeQuery'
      responses:
        '200':
          description: OID4VCI issuer instances.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerInstanceList'
              example:
                items:
                  - partyId: 4ca2a7cc-f5ef-4e13-8c0d-6a8bd7f6d211
                    tenantId: 7b3c2d9e-1f4a-4c8b-9e2d-5a6f7c8b9d01
                    displayName: Acme Workforce Issuer
                    managementMode: MANAGED
                    runtimeMode: VDX_MANAGED
                    authorizationServerId: 996d5f68-8836-4af1-b6da-1330b42a2805
                    capability:
                      id: 70984e6c-bc67-456e-b22d-809d0cfb8456
                      tenantId: 7b3c2d9e-1f4a-4c8b-9e2d-5a6f7c8b9d01
                      softwarePartyId: 4ca2a7cc-f5ef-4e13-8c0d-6a8bd7f6d211
                      capabilityType: OID4VCI_ISSUER
                      isEnabled: true
                      lifecycleStatus: ACTIVE
                      createdAt: '2026-06-12T09:15:00Z'
                      updatedAt: '2026-06-12T09:15:00Z'
                    config:
                      supportedFormats: [vc+sd-jwt]
                      credentialEndpointPath: /credential
                      preAuthorizedCodeEnabled: true
                page:
                  page: 0
                  size: 20
                  totalElements: 1
        '401':
          $ref: './common-components.yml#/components/responses/Unauthorized'
        '403':
          $ref: './common-components.yml#/components/responses/Forbidden'
    post:
      tags: [Oid4vciIssuerInstances]
      summary: Create an OID4VCI issuer instance
      description: >
        Creates an issuer software party, reserves the tenant public endpoint
        for the issuer surface, and writes initial issuer configuration under
        `oid4vci.issuers.<instanceId>.*`. `host` and `pathPrefix` drive the
        public route projection; when omitted the command derives a tenant-safe
        route prefix.
      operationId: createOid4vciIssuerInstance
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/CreateOid4vciIssuerInstanceRequest'
            example:
              displayName: Acme Workforce Issuer
              managementMode: MANAGED
              runtimeMode: VDX_MANAGED
              authorizationServerId: 996d5f68-8836-4af1-b6da-1330b42a2805
              host: issuer.acme.example
              pathPrefix: /oid4vci
              config:
                supportedFormats: [vc+sd-jwt]
                credentialEndpointPath: /credential
                deferredCredentialEndpointPath: /credential_deferred
                notificationEndpointEnabled: true
                preAuthorizedCodeEnabled: true
                batchCredentialEnabled: false
      responses:
        '201':
          description: Created OID4VCI issuer instance.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerInstance'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
        '401':
          $ref: './common-components.yml#/components/responses/Unauthorized'
        '403':
          $ref: './common-components.yml#/components/responses/Forbidden'
  /tenants/{tenantId}/oid4vci/issuer/instances/{instanceId}:
    get:
      tags: [Oid4vciIssuerInstances]
      summary: Get an OID4VCI issuer instance
      operationId: getOid4vciIssuerInstance
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      responses:
        '200':
          description: OID4VCI issuer instance.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerInstance'
        '404':
          $ref: './common-components.yml#/components/responses/NotFound'
    patch:
      tags: [Oid4vciIssuerInstances]
      summary: Update an OID4VCI issuer instance
      description: Updates issuer display metadata and the initial config fields exposed by the service-instance command.
      operationId: updateOid4vciIssuerInstance
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/UpdateOid4vciIssuerInstanceRequest'
            example:
              displayName: Acme Workforce Issuer
              config:
                preAuthorizedCodeEnabled: true
                batchCredentialEnabled: true
      responses:
        '200':
          description: Updated OID4VCI issuer instance.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vciIssuerInstance'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
        '404':
          $ref: './common-components.yml#/components/responses/NotFound'
    delete:
      tags: [Oid4vciIssuerInstances]
      summary: Delete an OID4VCI issuer instance
      description: Soft-deletes the service instance, removes its public endpoint projection, and deletes the issuer config prefix.
      operationId: deleteOid4vciIssuerInstance
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      responses:
        '204':
          description: Deleted.
  /tenants/{tenantId}/oid4vp/verifier/instances:
    get:
      tags: [Oid4vpVerifierInstances]
      summary: List OID4VP verifier instances
      description: >
        Lists OID4VP verifier instances for the tenant. The implementation is the
        VDX service-instance verifier command surface mounted under platform-config;
        instances are software parties with an OID4VP_VERIFIER capability and
        configuration rooted at `oid4vp.verifiers.<instanceId>.*`.
      operationId: listOid4vpVerifierInstances
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/ManagementModeQuery'
        - $ref: './platform-config-components.yml#/components/parameters/LifecycleStatusQuery'
        - $ref: './platform-config-components.yml#/components/parameters/PageQuery'
        - $ref: './platform-config-components.yml#/components/parameters/SizeQuery'
      responses:
        '200':
          description: OID4VP verifier instances.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierInstanceList'
              example:
                items:
                  - partyId: b12f86b9-fab4-48c7-9e14-e0a930a64182
                    tenantId: 7b3c2d9e-1f4a-4c8b-9e2d-5a6f7c8b9d01
                    displayName: Acme Workforce Verifier
                    managementMode: MANAGED
                    runtimeMode: VDX_MANAGED
                    capability:
                      id: 0ce8916e-8d0e-4d11-8ec1-a17d69a8a715
                      tenantId: 7b3c2d9e-1f4a-4c8b-9e2d-5a6f7c8b9d01
                      softwarePartyId: b12f86b9-fab4-48c7-9e14-e0a930a64182
                      capabilityType: OID4VP_VERIFIER
                      isEnabled: true
                      lifecycleStatus: ACTIVE
                      createdAt: '2026-06-12T09:30:00Z'
                      updatedAt: '2026-06-12T09:30:00Z'
                    config:
                      externalBaseUrl: https://verify.acme.example
                      responseUri: https://verify.acme.example/direct_post
                      clientId: https://verify.acme.example
                      responseMode: direct_post.jwt
                page:
                  page: 0
                  size: 20
                  totalElements: 1
        '401':
          $ref: './common-components.yml#/components/responses/Unauthorized'
        '403':
          $ref: './common-components.yml#/components/responses/Forbidden'
    post:
      tags: [Oid4vpVerifierInstances]
      summary: Create an OID4VP verifier instance
      description: >
        Creates a verifier software party, reserves the tenant public endpoint
        for the verifier surface, and writes initial verifier configuration
        under `oid4vp.verifiers.<instanceId>.*`.
      operationId: createOid4vpVerifierInstance
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/CreateOid4vpVerifierInstanceRequest'
            example:
              displayName: Acme Workforce Verifier
              managementMode: MANAGED
              runtimeMode: VDX_MANAGED
              host: verify.acme.example
              pathPrefix: /oid4vp
              config:
                externalBaseUrl: https://verify.acme.example
                responseUri: https://verify.acme.example/direct_post
                clientId: https://verify.acme.example
                responseMode: direct_post.jwt
                sessionTtlSeconds: 300
                autoCreateUser: false
                requireReconciliation: true
                userIdentifierClaimPath: sub
      responses:
        '201':
          description: Created OID4VP verifier instance.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierInstance'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
        '401':
          $ref: './common-components.yml#/components/responses/Unauthorized'
        '403':
          $ref: './common-components.yml#/components/responses/Forbidden'
  /tenants/{tenantId}/oid4vp/verifier/instances/{instanceId}:
    get:
      tags: [Oid4vpVerifierInstances]
      summary: Get an OID4VP verifier instance
      operationId: getOid4vpVerifierInstance
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      responses:
        '200':
          description: OID4VP verifier instance.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierInstance'
        '404':
          $ref: './common-components.yml#/components/responses/NotFound'
    patch:
      tags: [Oid4vpVerifierInstances]
      summary: Update an OID4VP verifier instance
      operationId: updateOid4vpVerifierInstance
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: './platform-config-components.yml#/components/schemas/UpdateOid4vpVerifierInstanceRequest'
            example:
              displayName: Acme Workforce Verifier
              config:
                responseMode: direct_post.jwt
                requireReconciliation: true
      responses:
        '200':
          description: Updated OID4VP verifier instance.
          content:
            application/json:
              schema:
                $ref: './platform-config-components.yml#/components/schemas/Oid4vpVerifierInstance'
        '400':
          $ref: './common-components.yml#/components/responses/ValidationError'
        '404':
          $ref: './common-components.yml#/components/responses/NotFound'
    delete:
      tags: [Oid4vpVerifierInstances]
      summary: Delete an OID4VP verifier instance
      description: Soft-deletes the service instance, removes its public endpoint projection, and deletes the verifier config prefix.
      operationId: deleteOid4vpVerifierInstance
      x-products: [vdx]
      parameters:
        - $ref: './platform-config-components.yml#/components/parameters/TenantId'
        - $ref: './platform-config-components.yml#/components/parameters/InstanceId'
      responses:
        '204':
          description: Deleted.
components:
  securitySchemes:
    bearer:
      $ref: './common-components.yml#/components/securitySchemes/bearer'