# Compliance and Standards
The VX API is built on open standards. The following RFCs and specifications are implemented across the platform.
## OAuth2 & OIDC
| Specification | Purpose |
|---|---|
| RFC 6749 — OAuth 2.0 | Core authorization framework |
| RFC 9126 — Pushed Authorization Request (PAR) | RP-initiated authorization via secure back-channel |
| RFC 7636 — PKCE | Proof Key for Code Exchange; S256 and plain supported |
| OpenID Connect Core 1.0 | ID token issuance, nonce validation, scope handling |
## Cryptography & Keys
| Specification | Purpose |
|---|---|
| RFC 7519 — JWT | Token signing and verification throughout the platform |
| RFC 7517 / 7518 — JWK / JWKS | Key representation and the /.well-known/jwks.json endpoint |
| RFC 7515 — JWS | Signed request objects and client assertions |
Supported signing algorithms: ES256 (P-256), ES384 (P-384), ES512 (P-521). RSA is not supported.
## Verifiable Credentials
| Specification | Purpose |
|---|---|
| OpenID for Verifiable Presentations (OID4VP) 1.0 | Wallet presentation flow using direct_post response mode |
| Digital Credentials Query Language (DCQL) | Structured credential queries registered per tenant |
Supported credential formats: sd-jwt, mdoc.
## Identity & Trust
| Specification | Purpose |
|---|---|
| RFC 5280 — X.509 | Certificate validation; AKI extraction for trust anchors |
| DID Web (did:web) | Verifier metadata and client identifier resolution |
| ETSI TS 119 612 — Trusted List | etsi_tl trust anchor type for EU trust infrastructure |
| OpenID Federation 1.0 | openid_federation trust anchor type |
Client identifier schemes supported (per OID4VP §5.9.1): x509_san_dns, x509_san_uri, did, openid_federation.
## Error Handling
HTTP error responses follow RFC 9457 — Problem Details for HTTP APIs (application/problem+json), with title, detail, status, and instance fields.
## Audit
All successful transactions produce structured audit events with RFC 3339 timestamps and a SHA-256 integrity hash covering the full audit record.
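The following is an added example, not VX API code, of what an audit record with an RFC 3339 timestamp and a SHA-256 integrity hash over the full record looks like, together with the verification a consumer of the audit log would run. The canonicalization (compact JSON with sorted keys, the hash field itself excluded from the hashed bytes) and the field names are assumptions made for illustration; the platform's actual record layout is not described on this page.

```python
# Added example (not the VX API's own code): seal an audit event with a
# SHA-256 hash over its canonical form and detect later modification.
import hashlib
import hmac
import json
from datetime import datetime, timezone

HASH_FIELD = "integrity_hash"  # assumed field name, not from the page


def canonical_bytes(record: dict) -> bytes:
    """Deterministic serialization of the record, excluding the hash field.

    Sorted keys and compact separators make the byte string independent of
    key order and whitespace, so the hash is reproducible by any verifier.
    """
    body = {k: v for k, v in record.items() if k != HASH_FIELD}
    return json.dumps(body, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def build_audit_event(tenant: str, transaction_id: str, outcome: str) -> dict:
    """Create an audit record with an RFC 3339 UTC timestamp and seal it."""
    now = datetime.now(timezone.utc)
    record = {
        "tenant": tenant,
        "transaction_id": transaction_id,
        "outcome": outcome,
        # RFC 3339 form in UTC, e.g. 2024-05-01T12:00:00Z (constructed sample)
        "timestamp": now.strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    record[HASH_FIELD] = hashlib.sha256(canonical_bytes(record)).hexdigest()
    return record


def verify_audit_event(record: dict) -> bool:
    """Recompute the hash; any change to any covered field yields False."""
    expected = record.get(HASH_FIELD)
    if not isinstance(expected, str):
        return False
    actual = hashlib.sha256(canonical_bytes(record)).hexdigest()
    # Constant-time comparison avoids leaking how many hex digits matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    event = build_audit_event("tenant-a", "txn-0001", "success")
    print(json.dumps(event, indent=2))
    print("intact:", verify_audit_event(event))
    tampered = dict(event, outcome="failure")
    print("tampered:", verify_audit_event(tampered))
```

Note that the hash only proves the record was not altered after sealing; it does not authenticate who produced it, so a log consumer should still rely on transport or storage controls (or a signature) for origin assurance.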