Compliance and Standards
The CoreAPI is built on open standards. The following RFCs and specifications are implemented across the platform.
OAuth2 & OIDC
| Specification | Purpose |
|---|---|
| RFC 6749 — OAuth 2.0 | Core authorization framework |
| RFC 9449 — DPoP | Demonstration of Proof-of-Possession for access tokens |
| OpenID Connect Core 1.0 | Token issuance, nonce validation, scope handling |
Cryptography & Keys
| Specification | Purpose |
|---|---|
| RFC 7519 — JWT | Token signing and verification throughout the platform |
| RFC 7517 / 7518 — JWK / JWKS | Key representation and the /.well-known/jwks.json endpoint |
| RFC 7515 — JWS | Signed credentials and client assertions |
Supported signing algorithm: ES256 (P-256).
Verifiable Credentials
| Specification | Purpose |
|---|---|
| OpenID for Verifiable Credential Issuance (OID4VCI) 1.0 | Credential offer, token exchange, and credential endpoint flows |
| SD-JWT VC (dc+sd-jwt) | Selective disclosure credential format |
| W3C Verifiable Credentials Data Model 1.1 | Credential structure and vc claim envelope |
Supported credential formats: dc+sd-jwt.
Identity & Trust
| Specification | Purpose |
|---|---|
| W3C DID Core — did:web | Issuer identity and public key resolution via /.well-known/did.json |
| Bitstring Status List 1.0 | Credential revocation status published per tenant |
Error Handling
HTTP error responses follow RFC 9457 — Problem Details for HTTP APIs (application/problem+json), with type, title, detail, status, and instance fields.
Audit
All credential issuance events are logged with RFC 3339 timestamps, credential type, schema version, and expiry. Logs are available for compliance reporting and incident investigation.