kych

taler-swiyu-verifier-manual.rst (38567B)

---

 ..
   This file is part of GNU TALER.
 
   Copyright (C) 2024, 2025 Taler Systems SA
 
   TALER is free software; you can redistribute it and/or modify it under the
   terms of the GNU Affero General Public License as published by the Free Software
   Foundation; either version 2.1, or (at your option) any later version.
 
   TALER is distributed in the hope that it will be useful, but WITHOUT ANY
   WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
   A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more details.
 
   You should have received a copy of the GNU Affero General Public License along with
   TALER; see the file COPYING.  If not, see <http://www.gnu.org/licenses/>
 
 
 Swiyu Verifier Operator Manual
 ##############################
 
 Introduction
 ============
 
 About Swiyu Verifier
 --------------------
 
 The Swiyu Generic Verifier Service is a web server implementing the technical
 standards specified in the Swiyu Trust Infrastructure Interoperability Profile.
 It provides the capability to verify Verifiable Credentials held in users'
 digital wallets using the OpenID for Verifiable Presentations (OID4VP)
 protocol.
 
 The verifier service exposes two distinct API interfaces:
 
 - **Management API**: Internal interface for business systems to create
   verification requests and retrieve results. This API should only be
   accessible from within your organization's network.
 
 - **OID4VP API**: Public interface that implements the OpenID for Verifiable
   Presentations protocol. This interface must be accessible by wallet
   applications and requires HTTPS with a valid TLS certificate.
 
 When integrated with KyCH OAuth2 Gateway, the Swiyu Verifier enables
 KYC (Know Your Customer) verification flows for GNU Taler exchanges,
 allowing users to prove their identity attributes using Swiss Beta ID
 credentials stored in the Swiyu Wallet.
 
 
 About this manual
 -----------------
 
 This manual targets system administrators who want to install, configure,
 and operate a Swiyu Verifier service. It covers the onboarding process
 to the Swiyu Trust Infrastructure, service configuration, integration
 with KyCH OAuth2 Gateway, and API usage.
 
 
 Architecture overview
 ---------------------
 
 The following diagram illustrates the high-level architecture of credential
 verification using the Swiyu Verifier:
 
 ::
 
    +------------------+     +------------------+     +------------------+
    |                  |     |                  |     |                  |
    |  Business        |---->|  Swiyu           |<----|  Swiyu           |
    |  Verifier        |     |  Verifier        |     |  Wallet          |
    |  (e.g., KyCH)    |     |  Service         |     |                  |
    |                  |     |                  |     |                  |
    +------------------+     +------------------+     +------------------+
                                     |
                                     v
                            +------------------+
                            |                  |
                            |  Swiyu           |
                            |  Registries      |
                            |                  |
                            +------------------+
 
 The verification flow proceeds as follows:
 
 1. The business verifier (such as KyCH) creates a verification request
    via the Management API, specifying which credential claims to verify.
 
 2. The verifier service stores the request and returns a verification URI
    and optional deeplink for QR code generation.
 
 3. The user's wallet retrieves the verification request object via the
    OID4VP API and displays the requested claims for user consent.
 
 4. Upon user consent, the wallet sends the authorization response containing
    the Verifiable Presentation with the requested credential data.
 
 5. The verifier service validates the credential by checking the issuer's
    public key against the Base Registry and verifying the credential status
    against the Status Registry.
 
 6. The business verifier retrieves the verification result and disclosed
    claims either by polling or via webhook notification.
 
 
 Prerequisites
 =============
 
 System requirements
 -------------------
 
 Before deploying the Swiyu Verifier, ensure your system meets these requirements:
 
 - **Java Runtime Environment (JRE)**: Version 21 or higher
 - **PostgreSQL**: Version 12 or higher
 - **Disk space**: Approximately 100 MB
 - **Network access**: Outbound access to Swiyu registries and inbound access
   for wallet connections
 - **Operating system**: Linux x64/AArch64, macOS AArch64, or Windows x64
 
 
 HTTPS requirement
 -----------------
 
 The Swiyu Wallet only accepts HTTPS connections with valid TLS certificates.
 Your verifier's OID4VP endpoints must be accessible via HTTPS using a
 certificate from a trusted Certificate Authority.
 
 For development and testing, you can use a tunneling service like ngrok
 to expose your local verifier with a valid HTTPS URL:
 
 .. code-block:: shell-session
 
    $ ngrok http 8080
 
 This provides a public HTTPS URL (e.g., ``https://abc123.ngrok-free.app``)
 that forwards to your local verifier. Use this URL as the ``external-url``
 in your configuration.
 
 For production deployments, obtain a proper TLS certificate and configure
 your reverse proxy or load balancer accordingly.
 
 
 Onboarding to Swiyu Trust Infrastructure
 ========================================
 
 Before operating a verifier in the Swiyu ecosystem, you must complete the
 onboarding process to register your service on the Base Registry. This
 section summarizes the required steps.
 
 The onboarding process involves several administrative and technical steps
 that establish your identity as a trusted verifier within the Swiyu Trust
 Infrastructure.
 
 .. note::
 
    The official Swiyu documentation provides detailed cookbooks that guide
    you through each step of the onboarding process:
 
    - `Onboarding the swiyu Base & Trust Registry <https://swiyu-admin-ch.github.io/cookbooks/onboarding-base-and-trust-registry/>`_:
      Complete guide for registering your organization and managing DIDs
 
    - `Getting started with the swiyu Generic Verifier <https://swiyu-admin-ch.github.io/cookbooks/onboarding-generic-verifier/>`_:
      Step-by-step deployment guide for the verifier service
 
    - `Designing the visualization for Issuer, Verifier and Credential <https://swiyu-admin-ch.github.io/cookbooks/vc-visual-presentation/>`_:
      How to configure the display metadata shown in wallets
 
    - `How to use Beta-ID for my business <https://swiyu-admin-ch.github.io/cookbooks/how-to-use-beta-id/>`_:
      Details about the Swiss Beta ID credential and available claims
 
    The following sections provide a summary. Refer to the official cookbooks
    for the most up-to-date and detailed instructions.
 
 
 Step 1: Access the Swiss Confederacy ePortal
 --------------------------------------------
 
 Sign in or create an account at the Swiss Confederacy ePortal using
 an AGOV or CH-Login account. This account is required for all
 subsequent registration steps.
 
 The ePortal is available at https://www.eportal.admin.ch/.
 
 
 Step 2: Register as Business Partner
 ------------------------------------
 
 Complete the business partner registration process through the ePortal.
 This establishes your organization's identity within the trust infrastructure.
 
 Navigate to the Swiyu Public Beta section and follow the business partner
 registration workflow.
 
 
 Step 3: Obtain API Keys
 -----------------------
 
 Access the API self-service portal to generate the API keys required for
 interacting with the Swiyu registries. These keys authenticate your
 verifier service when making registry requests.
 
 The self-service portal provides:
 
 - API credentials for the Base Registry (DID management)
 - API credentials for the Status Registry (credential revocation checks)
 
 
 Step 4: Allocate DID Space
 --------------------------
 
 Request allocation of a Decentralized Identifier (DID) space on the
 Swiyu Base Registry. This provides a unique namespace for your verifier's
 cryptographic identity.
 
 The DID follows the ``did:tdw`` method (Trust DID Web) with the format::
 
    did:tdw:<hash>:identifier-reg.trust-infra.swiyu.admin.ch:api:v1:did:<uuid>
 
 
 Step 5: Generate Cryptographic Keys
 -----------------------------------
 
 Use the Swiyu DID Toolbox to generate the required cryptographic keys
 and DID log. The toolbox creates:
 
 - An EC P-256 private key for signing verification requests
 - The corresponding DID Document entries
 - A DID log file for registration
 
 Download the DID Toolbox from the official Swiyu repository and run:
 
 .. code-block:: shell-session
 
    $ java -jar didtoolbox.jar generate
 
 This creates a ``.didtoolbox`` directory containing your keys and DID log.
 The key files include:
 
 - ``auth-key-01``: The private authentication key (keep this secure)
 - ``did-log.json``: The DID log to upload to the registry
 
 The generated DID log contains the values needed for verifier configuration:
 
 - ``value.id``: Your verifier's DID (used for ``client_id``)
 - ``value.assertionMethod``: The key reference (used for ``signing-key-verification-method``)
 
 
 Step 6: Upload DID Log
 ----------------------
 
 Upload the generated DID log to the Base Registry using the API keys
 obtained in Step 3. This publishes your verifier's DID Document,
 making your public key available for credential verification.
 
 Use the Base Registry API to upload your DID log::
 
    POST https://identifier-reg.trust-infra.swiyu.admin.ch/api/v1/did/<your-uuid>/log
 
 After successful upload, your DID is resolvable and wallets can verify
 your signed request objects.
 
 
 Step 7: (Optional) Become a Trusted Participant
 -----------------------------------------------
 
 Optionally register on the Trust Registry to become a trusted participant.
 This enables other parties to verify your verifier's trustworthiness
 through the trust infrastructure.
 
 See the `Onboarding the swiyu Base & Trust Registry cookbook
 <https://swiyu-admin-ch.github.io/cookbooks/onboarding-base-and-trust-registry/>`_
 for details on trust registry registration.
 
 
 Installation
 ============
 
 Building from source
 --------------------
 
 Clone the Swiyu Verifier repository and build using Maven:
 
 .. code-block:: shell-session
 
    $ git clone https://github.com/swiyu-admin-ch/swiyu-verifier.git
    $ cd swiyu-verifier
    $ ./mvnw clean install -DskipTests
 
 This produces the executable JAR files in the ``verifier-application/target``
 directory.
 
 
 Database setup
 --------------
 
 The Swiyu Verifier requires a PostgreSQL database to store verification
 requests and results. Create the database and user with appropriate
 privileges:
 
 .. code-block:: shell-session
 
    $ psql -U postgres
 
 .. code-block:: sql
 
    CREATE USER verifier_user WITH PASSWORD 'your_secure_password';
    CREATE DATABASE verifier_db OWNER verifier_user;
    GRANT ALL PRIVILEGES ON DATABASE verifier_db TO verifier_user;
 
 The ``CREATE USER`` command creates a PostgreSQL role that the verifier
 service will use to authenticate with the database. The ``CREATE DATABASE``
 command creates the database and assigns ownership to the verifier user.
 The ``GRANT`` command ensures the user has full access to the database.
 
 The verifier service uses Hibernate to automatically create the required
 schema on first startup when configured with ``ddl-auto: create`` or
 ``ddl-auto: update``.
 
 
 Configuration
 =============
 
 The Swiyu Verifier uses Spring Boot's externalized configuration system,
 which supports YAML configuration files, environment variables, and
 profile-based overrides. This section explains the configuration profiles
 and how to use them for different deployment scenarios.
 
 
 Configuration profiles
 ----------------------
 
 Spring Boot profiles allow you to define environment-specific configurations
 that override the base ``application.yml`` settings. The verifier ships with
 several pre-configured profiles for different deployment scenarios.
 
 **Base configuration (application.yml)**
 
 The base configuration file defines all available settings with environment
 variable placeholders. This configuration is designed for production
 deployments where settings are injected via environment variables or
 container orchestration:
 
 .. code-block:: yaml
 
    application:
      external-url: "${EXTERNAL_URL:}"
      client_id: "${VERIFIER_DID:}"
      client_id_scheme: "did"
      signing_key: "${secret.signing_key:${SIGNING_KEY:}}"
      signing-key-verification-method: "${DID_VERIFICATION_METHOD:}"
      client-metadata-file: "${OPENID_CLIENT_METADATA_FILE:}"
      deeplink-schema: ${DEEPLINK_SCHEMA:swiyu-verify}
 
    spring:
      datasource:
        url: "${POSTGRES_JDBC}"
        username: "${secret.db.username:${POSTGRES_USER}}"
        password: "${secret.db.password:${POSTGRES_PASSWORD}}"
      jpa:
        hibernate:
          ddl-auto: validate
 
 The ``${VARIABLE:default}`` syntax means the value is read from the
 environment variable ``VARIABLE``, falling back to ``default`` if not set.
 The nested form ``${secret.value:${ENV_VAR:}}`` first checks for a
 mounted secret file, then an environment variable.
 
 **Local profile with Docker Compose (application-local.yml)**
 
 The ``local`` profile is designed for development with Docker Compose
 managing the PostgreSQL database. When this profile is active, Spring Boot
 automatically starts a PostgreSQL container:
 
 .. code-block:: yaml
 
    application:
      signing_key: "-----BEGIN EC PRIVATE KEY-----\n...\n-----END EC PRIVATE KEY-----\n"
      signing-key-verification-method: "did:example:12345#key-1"
      external-url: "http://${server.host}:${server.port}"
      client_id: "did:example:12345"
      client-metadata-file: "classpath:client_metadata.json"
 
    spring:
      docker:
        compose:
          enabled: true
          file: compose.yaml
      datasource:
        url: "jdbc:postgresql://localhost:5434/verifier_db"
        username: "verifier_user"
        password: "secret"
      jpa:
        hibernate:
          ddl-auto: create
 
    logging:
      level:
        ch.admin.bj.swiyu: DEBUG
 
 Key characteristics:
 
 - ``spring.docker.compose.enabled: true`` enables Spring Boot's Docker
   Compose support, which starts containers defined in ``compose.yaml``
 - ``ddl-auto: create`` generates the database schema automatically
 - Uses example DID values for testing (not valid for real verifications)
 - Debug logging enabled for development visibility
 - Database runs on port 5434 (mapped from container's 5432)
 
 The accompanying ``compose.yaml`` defines the PostgreSQL container:
 
 .. code-block:: yaml
 
    services:
      postgres:
        image: postgres:15-alpine
        environment:
          POSTGRES_USER: "verifier_user"
          POSTGRES_PASSWORD: "secret"
          POSTGRES_DB: "verifier_db"
        ports:
          - '5434:5432'
        healthcheck:
          test: ["CMD-SHELL", "pg_isready -U postgres"]
          interval: 5s
          timeout: 5s
          retries: 5
 
 **Local dockerless profile (application-local-dockerless.yml)**
 
 The ``local-dockerless`` profile runs without Docker, connecting directly
 to a PostgreSQL instance on your machine. This is useful when you have
 PostgreSQL installed locally or want more control over the database:
 
 .. code-block:: yaml
 
    application:
      external-url: "https://your-ngrok-url.ngrok-free.app"
      client_id: "did:tdw:QmHash:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:your-uuid"
      client_id_scheme: "did"
      signing_key: |
        -----BEGIN EC PRIVATE KEY-----
        MHcCAQEEI...your_actual_key...
        -----END EC PRIVATE KEY-----
      signing-key-verification-method: "did:tdw:QmHash:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:your-uuid#auth-key-01"
      client-metadata-file: "classpath:/client_metadata.json"
 
    spring:
      docker:
        compose:
          enabled: false
      datasource:
        url: "jdbc:postgresql://localhost:5432/verifier_db"
        username: "verifier_user"
        password: "secret"
      jpa:
        hibernate:
          ddl-auto: create
 
    logging:
      level:
        ch.admin.bj.swiyu: DEBUG
 
    webhook:
      callback-uri: "https://kych.example.com/notification"
      callback-interval: 5000
 
 Key characteristics:
 
 - ``spring.docker.compose.enabled: false`` disables Docker Compose support
 - Uses real DID values from the Swiyu Trust Infrastructure onboarding
 - Requires manual PostgreSQL setup (see Database Setup section)
 - Webhook configuration for integration testing with KyCH
 - Uses ngrok or similar for HTTPS exposure to wallets
 
 
 Environment variables file (.env)
 ---------------------------------
 
 For convenience, you can define environment variables in a ``.env`` file
 in the resources directory. Spring Boot loads these automatically:
 
 .. code-block:: bash
 
    # Verifier identity
    EXTERNAL_URL="https://your-verifier.ngrok-free.app"
    VERIFIER_DID="did:tdw:QmHash:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:your-uuid"
    DID_VERIFICATION_METHOD="did:tdw:QmHash:identifier-reg.trust-infra.swiyu-int.admin.ch:api:v1:did:your-uuid#auth-key-01"
    OPENID_CLIENT_METADATA_FILE="classpath:/client_metadata.json"
 
    SIGNING_KEY="-----BEGIN EC PRIVATE KEY-----
    MHcCAQEEI...your_key_content...
    -----END EC PRIVATE KEY-----"
 
    # Database connection
    POSTGRES_USER="verifier_user"
    POSTGRES_PASSWORD="secret"
    POSTGRES_JDBC="jdbc:postgresql://localhost:5432/verifier_db"
 
 This approach separates sensitive values from the configuration files and
 works well with the base ``application.yml`` profile.
 
 
 Deployment Options
 ==================
 
 The Swiyu Verifier supports multiple deployment strategies depending on
 your infrastructure and requirements.
 
 
 Local development without Docker
 --------------------------------
 
 This approach runs the verifier directly on your machine with a locally
 installed PostgreSQL database.
 
 **1. Set up PostgreSQL**
 
 Create the database and user:
 
 .. code-block:: shell-session
 
    $ psql -d postgres -c "CREATE USER verifier_user WITH PASSWORD 'secret';"
    $ psql -d postgres -c "CREATE DATABASE verifier_db OWNER verifier_user;"
    $ psql -d verifier_db -c "GRANT ALL PRIVILEGES ON DATABASE verifier_db TO verifier_user;"
 
 **2. Configure the profile**
 
 Create or edit ``application-local-dockerless.yml`` with your DID credentials
 obtained from the Swiyu onboarding process.
 
 **3. Start the verifier**
 
 .. code-block:: shell-session
 
    $ ./mvnw spring-boot:run -pl verifier-application \
        -Dspring-boot.run.profiles=local-dockerless
 
 **4. Expose via ngrok (for wallet testing)**
 
 Since wallets require HTTPS, use ngrok to expose your local verifier:
 
 .. code-block:: shell-session
 
    $ ngrok http 8080
 
 Update the ``external-url`` in your configuration with the ngrok URL.
 
 
 Local development with Docker Compose
 -------------------------------------
 
 This approach uses Docker Compose to manage the PostgreSQL database while
 running the verifier application directly.
 
 **1. Start the verifier with Docker Compose support**
 
 .. code-block:: shell-session
 
    $ ./mvnw spring-boot:run -pl verifier-application \
        -Dspring-boot.run.profiles=local
 
 Spring Boot automatically starts the PostgreSQL container defined in
 ``compose.yaml`` before the application starts.
 
 **2. Verify the database container**
 
 .. code-block:: shell-session
 
    $ docker ps
    CONTAINER ID   IMAGE              PORTS                    NAMES
    abc123def456   postgres:15-alpine 0.0.0.0:5434->5432/tcp   verifier_postgres
 
 The database is accessible on port 5434 to avoid conflicts with any
 existing PostgreSQL installation.
 
 
 Docker Compose full deployment
 ------------------------------
 
 For testing the complete stack in containers, use the sample compose file
 that includes both the verifier service and database:
 
 **1. Create a .env file with your credentials**
 
 .. code-block:: bash
 
    EXTERNAL_URL=https://your-verifier.example.com
    VERIFIER_DID=did:tdw:QmHash:identifier-reg.trust-infra.swiyu.admin.ch:api:v1:did:your-uuid
    DID_VERIFICATION_METHOD=did:tdw:QmHash:identifier-reg.trust-infra.swiyu.admin.ch:api:v1:did:your-uuid#auth-key-01
    SIGNING_KEY="-----BEGIN EC PRIVATE KEY-----
    ...your key...
    -----END EC PRIVATE KEY-----"
    OPENID_CLIENT_METADATA_FILE=/verifier_metadata.json
 
 **2. Start the stack**
 
 .. code-block:: shell-session
 
    $ docker compose -f sample.compose.yml up -d
 
 This starts:
 
 - ``verifier_postgres``: PostgreSQL 15 database on internal port 5432
 - ``verifier-service``: The verifier application on port 8083
 
 **3. Verify the deployment**
 
 .. code-block:: shell-session
 
    $ curl http://localhost:8083/swagger-ui/index.html
 
 The sample compose file:
 
 .. code-block:: yaml
 
    services:
      verifier_postgres:
        image: postgres:15-alpine
        environment:
          POSTGRES_USER: "verifier_user"
          POSTGRES_PASSWORD: "secret"
          POSTGRES_DB: "verifier_db"
        ports:
          - "5434:5432"
        healthcheck:
          test: ["CMD-SHELL", "pg_isready -U verifier_user -d verifier_db"]
          interval: 5s
          timeout: 5s
          retries: 5
 
      verifier-service:
        image: ghcr.io/swiyu-admin-ch/swiyu-verifier:latest
        configs:
          - source: verifier_metadata
            target: /verifier_metadata.json
        ports:
          - "8083:8080"
        environment:
          EXTERNAL_URL: ${EXTERNAL_URL}
          OPENID_CLIENT_METADATA_FILE: ${OPENID_CLIENT_METADATA_FILE}
          VERIFIER_DID: ${VERIFIER_DID}
          DID_VERIFICATION_METHOD: ${DID_VERIFICATION_METHOD}
          SIGNING_KEY: ${SIGNING_KEY}
          POSTGRES_USER: "verifier_user"
          POSTGRES_PASSWORD: "secret"
          POSTGRES_JDBC: "jdbc:postgresql://verifier_postgres:5432/verifier_db"
 
    configs:
      verifier_metadata:
        content: |
          {
            "client_id": "${VERIFIER_DID}",
            "client_name": "My Verifier",
            ...
          }
 
 
 Debug mode
 ----------
 
 To run the verifier with remote debugging enabled:
 
 .. code-block:: shell-session
 
    $ ./mvnw spring-boot:run -pl verifier-application \
        -Dspring-boot.run.profiles=local-dockerless \
        -Dspring-boot.run.fork=true \
        -Dspring-boot.run.jvmArguments="-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005"
 
 This starts the JVM debug agent on port 5005. Connect your IDE's remote
 debugger to ``localhost:5005``.
 
 
 Identity configuration
 ----------------------
 
 These settings establish your verifier's identity within the Swiyu
 Trust Infrastructure. All values are derived from the DID generation
 process during onboarding.
 
 ``application.client_id``
    Your verifier's DID as registered on the Base Registry. This uniquely
    identifies your service to wallets and other participants.
    Example: ``did:tdw:QmHash:identifier-reg.trust-infra.swiyu.admin.ch:api:v1:did:uuid``
 
 ``application.client_id_scheme``
    The client identifier scheme. Set to ``did`` when using Decentralized
    Identifiers.
 
 ``application.signing-key-verification-method``
    The full DID with key fragment that identifies the public key in your
    DID Document. This tells wallets where to find the key for verifying
    your signed request objects.
    Example: ``did:tdw:QmHash:identifier-reg.trust-infra.swiyu.admin.ch:api:v1:did:uuid#auth-key-01``
 
 ``application.signing_key``
    The private EC key used to sign OID4VP request objects. This must be
    the private key corresponding to the public key published in your DID
    Document. Include the full PEM content including BEGIN and END markers::
 
       application:
         signing_key: |
           -----BEGIN EC PRIVATE KEY-----
           MHcCAQEEI...your_key_content...
           -----END EC PRIVATE KEY-----
 
 ``application.external-url``
    The publicly accessible URL of your verifier service. Wallets use this
    URL to retrieve request objects and submit presentations. Must be HTTPS
    in production.
    Example: ``https://verifier.example.com``
 
 ``application.client-metadata-file``
    Path to the verifier metadata JSON file. This file contains display
    information shown to users in their wallet, including localized names
    and logo.
    Example: ``classpath:/client_metadata.json``
 
 
 Database configuration
 ----------------------
 
 Configure the PostgreSQL connection for storing verification state:
 
 ``spring.datasource.url``
    JDBC connection URL for the PostgreSQL database.
    Example: ``jdbc:postgresql://localhost:5432/verifier_db``
 
 ``spring.datasource.username``
    Database username for authentication.
 
 ``spring.datasource.password``
    Database password for authentication.
 
 ``spring.jpa.hibernate.ddl-auto``
    Schema management strategy. Use ``create`` for initial setup (creates
    schema from entity definitions), ``update`` for adding new fields to
    existing tables, or ``validate`` for production (verifies schema matches
    entities without modifications).
 
 
 Operational parameters
 ----------------------
 
 These settings control verification behavior and resource management:
 
 ``VERIFICATION_TTL_SEC``
    How long a verification request remains valid, in seconds. After this
    period, the verification expires and the user must start a new request.
    Default: ``900`` (15 minutes)
 
 ``DATA_CLEAR_PROCESS_INTERVAL_MS``
    Interval between cleanup runs that remove expired verifications from
    the database, in milliseconds.
    Default: ``420000`` (7 minutes)
 
 ``STATUS_LIST_CACHE_TTL_MILLI``
    How long to cache credential status list results, in milliseconds.
    Caching reduces load on the Status Registry.
    Default: ``900000`` (15 minutes)
 
 ``ISSUER_PUBLIC_KEY_CACHE_TTL_MILLI``
    How long to cache issuer public key lookups, in milliseconds.
    Caching reduces load on the Base Registry.
    Default: ``3600000`` (1 hour)
 
 
 Webhook configuration
 ---------------------
 
 Configure webhook callbacks to receive notifications when verification
 status changes, instead of polling:
 
 ``webhook.callback-uri``
    Full URL where webhook notifications should be sent. If not set,
    webhooks are disabled and clients must poll for status updates.
    Example: ``https://kych.example.com/notification``
 
 ``webhook.callback-interval``
    How often to send queued webhook notifications, in milliseconds.
    Failed deliveries are retried on subsequent intervals.
    Default: ``5000`` (5 seconds)
 
 ``WEBHOOK_API_KEY_HEADER``
    HTTP header name for API key authentication on the webhook endpoint.
    Optional but recommended for production.
    Example: ``X-API-Key``
 
 ``WEBHOOK_API_KEY_VALUE``
    The API key value to include in webhook requests. Required if
    ``WEBHOOK_API_KEY_HEADER`` is set.
 
 Webhook payloads contain:
 
 .. code-block:: json
 
    {
      "verification_id": "uuid-of-verification",
      "timestamp": "2025-01-23T10:30:00Z"
    }
 
 
 Security configuration
 ----------------------
 
 The Management API can be secured using OAuth 2.0 resource server
 authentication via Spring Security.
 
 For fixed public key authentication:
 
 ``SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_PUBLICKEYLOCATION``
    URI path to a public key in PEM format for JWT verification.
    Example: ``file:/etc/kych/management-api-public-key.pem``
 
 For dynamic key discovery via authorization server:
 
 ``SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUERURI``
    URI to the OAuth 2.0 authorization server. The verifier fetches
    the public key from the server's ``/.well-known/openid-configuration``.
 
 ``SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWKSETURI``
    Direct URI to the JWK Set endpoint, bypassing OpenID Connect discovery.
 
 ``SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWSALGORITHMS``
    Comma-separated list of accepted JWT signature algorithms.
    Default: ``RS256``
 
 
 Example configuration
 ---------------------
 
 Complete configuration example for production deployment:
 
 .. code-block:: yaml
 
    application:
      external-url: "https://verifier.example.com"
      client_id: "did:tdw:QmHash:identifier-reg.trust-infra.swiyu.admin.ch:api:v1:did:abc123"
      client_id_scheme: "did"
      signing-key-verification-method: "did:tdw:QmHash:identifier-reg.trust-infra.swiyu.admin.ch:api:v1:did:abc123#auth-key-01"
      signing_key: |
        -----BEGIN EC PRIVATE KEY-----
        MHcCAQEEIABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstu
        oAoGCCqGSM49AwEHoUQDQgAE5cice...
        -----END EC PRIVATE KEY-----
      client-metadata-file: "classpath:/client_metadata.json"
 
    spring:
      datasource:
        driver-class-name: org.postgresql.Driver
        url: "jdbc:postgresql://localhost:5432/verifier_db"
        username: "verifier_user"
        password: "secure_password_here"
      jpa:
        hibernate:
          ddl-auto: validate
 
    webhook:
      callback-uri: "https://kych.example.com/notification"
      callback-interval: 5000
 
 
 Running the service
 ===================
 
 See the `Deployment Options`_ section for detailed instructions on running
 the verifier in different environments. This section covers verification
 and additional runtime configuration.
 
 
 Verifying the deployment
 ------------------------
 
 After starting, verify the service is running by accessing the Swagger UI:
 
 ``https://<your-external-url>/swagger-ui/index.html``
 
 The Management API endpoints are available under ``/management/api/``
 and the OID4VP endpoints under ``/oid4vp/api/``.
 
 
 Client metadata configuration
 -----------------------------
 
 The ``client_metadata.json`` file defines how your verifier appears to
 users in their wallet. Create this file with localized display information:
 
 .. code-block:: json
 
    {
      "client_id": "${VERIFIER_DID}",
      "client_name": "My Verifier Service",
      "client_name#en": "My Verifier Service",
      "client_name#de": "Mein Verifizierdienst",
      "client_name#fr": "Mon service de verification",
      "logo_uri": "https://example.com/logo.png",
      "vp_formats": {
        "jwt_vp": {
          "alg": ["ES256"]
        }
      }
    }
 
 The ``vp_formats`` field specifies which Verifiable Presentation formats
 your verifier accepts. For SD-JWT credentials, ``ES256`` is the standard
 algorithm.
 
 
 Integration with KyCH OAuth2 Gateway
 ====================================
 
 The Swiyu Verifier integrates with KyCH OAuth2 Gateway to provide KYC
 verification for GNU Taler exchanges. This section describes the
 required configuration on both sides.
 
 
 KyCH client configuration
 -------------------------
 
 In the KyCH configuration file, configure each client with the Swiyu
 Verifier URL and webhook endpoint:
 
 .. code-block:: ini
 
    [client_exchange]
    CLIENT_ID = taler-exchange
    CLIENT_SECRET = secure_secret
    VERIFIER_URL = https://verifier.example.com
    VERIFIER_MANAGEMENT_API_PATH = /management/api/verifications
    REDIRECT_URI = https://exchange.example.com/kyc/callback
    ACCEPTED_ISSUER_DIDS = {did:tdw:trusted_issuer_did}
 
 
 Webhook configuration
 ---------------------
 
 Configure the Swiyu Verifier to send status notifications to KyCH's
 notification endpoint:
 
 .. code-block:: yaml
 
    webhook:
      callback-uri: "https://kych.example.com/notification"
      callback-interval: 5000
 
 This allows KyCH to receive immediate notification when a verification
 completes, rather than relying on polling.
 
 
 Verification flow with KyCH
 ---------------------------
 
 When integrated with KyCH, the verification flow is:
 
 1. KyCH receives an OAuth 2.0 authorization request from the exchange.
 
 2. KyCH calls ``POST /management/api/verifications`` on the Swiyu Verifier
    with the credential claims specified in the OAuth scope.
 
 3. The verifier returns a verification URI and deeplink.
 
 4. KyCH displays a QR code to the user or provides the deeplink.
 
 5. The user's Swiyu Wallet scans the QR code and presents the credential.
 
 6. The Swiyu Verifier validates the credential and sends a webhook to KyCH.
 
 7. KyCH retrieves the verified claims and continues the OAuth flow.
 
 
 API Usage
 =========
 
 This section describes how to use the Swiyu Verifier APIs directly,
 which is useful for understanding the integration or for custom
 implementations.
 
 
 Creating a verification request
 -------------------------------
 
 Create a verification request using the Management API:
 
 .. code-block:: console
 
    $ curl -X POST \
        -H "Content-Type: application/json" \
        -d @request.json \
        https://verifier.example.com/management/api/verifications
 
 Where ``request.json`` contains:
 
 .. code-block:: json
 
    {
      "accepted_issuer_dids": ["did:tdw:issuer_did"],
      "presentation_definition": {
        "id": "00000000-0000-0000-0000-000000000000",
        "input_descriptors": [{
          "id": "11111111-1111-1111-1111-111111111111",
          "format": {
            "vc+sd-jwt": {
              "sd-jwt_alg_values": ["ES256"],
              "kb-jwt_alg_values": ["ES256"]
            }
          },
          "constraints": {
            "fields": [
              {"path": ["$.vct"], "filter": {"type": "string", "const": "betaid-sdjwt"}},
              {"path": ["$.age_over_18"]}
            ]
          }
        }]
      }
    }
 
 
 Request parameters
 ^^^^^^^^^^^^^^^^^^
 
 ``accepted_issuer_dids``
    List of trusted issuer DIDs. Only credentials from these issuers are
    accepted. If omitted, credentials from any issuer are accepted (not
    recommended for production).
 
 ``trust_anchors``
    Alternative to ``accepted_issuer_dids``. List of trust registry entry
    DIDs. The verifier accepts credentials from any issuer trusted by
    these anchors.
 
 ``presentation_definition``
    DIF Presentation Exchange format specifying required credentials and
    claims. See the Presentation Definition section below.
 
 ``jwt_secured_authorization_request``
    Whether to sign the request object. Default: ``true`` (recommended).
 
 ``response_mode``
    How the wallet sends the response. Options:
 
    - ``direct_post``: Unencrypted response (current default)
    - ``direct_post.jwt``: JWE-encrypted response (recommended for privacy)
 
 
 Response
 ^^^^^^^^
 
 .. code-block:: json
 
    {
      "id": "verification-uuid",
      "request_nonce": "random-nonce",
      "state": "PENDING",
      "verification_url": "https://verifier.example.com/oid4vp/api/request-object/request-id",
      "verification_deeplink": "swiyu-verify://?client_id=..."
    }
 
 Store the ``id`` for polling status. Use ``verification_deeplink`` to
 generate a QR code for the user to scan.
 
 
 Polling verification status
 ---------------------------
 
 Check the status of a verification:
 
 .. code-block:: shell-session
 
    $ curl -X GET \
        https://verifier.example.com/management/api/verifications/{verification_id}
 
 The response includes the current ``state``:
 
 - ``PENDING``: Waiting for user to present credentials
 - ``SUCCESS``: Verification completed successfully
 - ``FAILED``: Verification failed (see ``error_code``)
 - ``REJECTED``: User rejected the verification request
 - ``EXPIRED``: Verification request timed out
 
 
 Presentation definition format
 ------------------------------
 
 The ``presentation_definition`` follows the DIF Presentation Exchange
 specification. Each ``input_descriptor`` specifies one credential requirement:
 
 ``format``
    Accepted credential formats. For Swiss Beta ID, use::
 
       "vc+sd-jwt": {
         "sd-jwt_alg_values": ["ES256"],
         "kb-jwt_alg_values": ["ES256"]
       }
 
 ``constraints.fields``
    List of claim requirements. Each field specifies:
 
    - ``path``: JSONPath to the claim (e.g., ``["$.age_over_18"]``)
    - ``filter``: Optional filter for exact value matching
 
 The first field should filter by credential type (``$.vct``). Subsequent
 fields specify the claims to disclose.
 
 
 Error codes
 ===========
 
 When verification fails, the response includes an error code explaining
 the failure:
 
 ``credential_invalid``
    Generic credential validation failure.
 
 ``credential_expired``
    The presented credential has expired.
 
 ``credential_revoked``
    The credential has been revoked by the issuer.
 
 ``credential_suspended``
    The credential is temporarily suspended.
 
 ``credential_missing_data``
    The credential does not contain the requested claims.
 
 ``issuer_not_accepted``
    The credential issuer is not in the accepted issuers list.
 
 ``public_key_of_issuer_unresolvable``
    Could not retrieve the issuer's public key from the Base Registry.
 
 ``unresolvable_status_list``
    Could not check credential revocation status.
 
 ``holder_binding_mismatch``
    The holder could not prove control of the credential.
 
 ``client_rejected``
    The user rejected the verification request in their wallet.
 
 ``jwt_expired``
    A JWT in the verification process has expired.
 
 ``invalid_format``
    The credential or presentation format is invalid.
 
 
 Deployment considerations
 =========================
 
 Production security
 -------------------
 
 For production deployments:
 
 1. **Protect the Management API**: Use network segmentation or OAuth 2.0
    authentication to restrict access to internal systems only.
 
 2. **Use an API Gateway**: Place a WAF or API gateway in front of the
    OID4VP endpoints to filter malicious requests.
 
 3. **Enable HTTPS**: The OID4VP endpoints must use HTTPS with a valid
    certificate from a trusted CA.
 
 4. **Secure credentials**: Store the signing key securely. Consider using
    an HSM for production key management.
 
 5. **Set accepted issuers**: Always specify ``accepted_issuer_dids`` or
    ``trust_anchors`` in verification requests.
 
 
 HSM support
 -----------
 
 For production deployments, the signing key can be stored in a Hardware
 Security Module (HSM) instead of the configuration file. Configure:
 
 ``SIGNING_KEY_MANAGEMENT_METHOD``
    Set to ``pkcs11`` for Sun PKCS#11 provider or a vendor-specific value.
 
 ``HSM_HOST``, ``HSM_PORT``, ``HSM_USER``, ``HSM_PASSWORD``
    Connection parameters for the HSM.
 
 ``HSM_KEY_ID``
    Key identifier or alias within the HSM.
 
 See the Swiyu Verifier documentation for vendor-specific HSM configuration.
 
 
 Monitoring
 ----------
 
 The verifier exposes Prometheus metrics at ``/actuator/prometheus``.
 Enable authentication for this endpoint in production:
 
 .. code-block:: yaml
 
    MONITORING_BASIC_AUTH_ENABLED: true
    MONITORING_BASIC_AUTH_USERNAME: prometheus
    MONITORING_BASIC_AUTH_PASSWORD: secure_password
 
 
 See also
 ========
 
 - kych.conf(5) - KyCH OAuth2 Gateway configuration
 - kych-oauth2-gateway(1) - KyCH OAuth2 Gateway server
 - `Swiyu Trust Infrastructure <https://swiyu-admin-ch.github.io/>`_
 - `OID4VP Specification <https://openid.net/specs/openid-4-verifiable-presentations-1_0.html>`_
 - `DIF Presentation Exchange <https://identity.foundation/presentation-exchange/>`_
 
 
 Bugs
 ====
 
 Report bugs by using https://bugs.taler.net/ or by sending electronic
 mail to <taler@gnu.org>.