Changelog

RP API v3 now supports both HTTP/1.1 and HTTP/2 protocols.

Custom HTTP response status codes (471 and 472) are no longer used. These have been replaced with 404 (see OpenAPI specification for overview of possible HTTP error codes for each request). The error details are provided according to RFC9457 format.

Instructions have been fixed regarding session handling after callback URL is used in the same-device flows.

Page Additional security measures has been updated.

Added device link based interaction flows (QR code, Web2App, App2App) for authentication, signing, and certificate-choice.

Added distinct API endpoints for device link and notification based flows.

App2App and Web2App device link flows include a mandatory initialCallbackUrl parameter. It is used to construct the final callback URL to which the end-user is redirected after a successful PIN entry.

Added new signature protocols:

Added capability to link a device link based certificate-choice request to a subsequent notification based signature request via /v3/signature/notification/linked/{document-number}.

Added an endpoint /v3/signature/certificate/{document-number} to request signing certificates when document number is know. This means that certificate-choice should only be used now before signature sessions in cases where document number is not know (e.g., no prior Smart-ID authentication).

To prevent replay attacks, the mandatory rpChallenge parameter (an RP-generated random value) has been introduced for all initial v3 requests, effectively replacing the nonce parameter used in v2.

The RSASSA-PKCS#1 v1.5 signature padding scheme has been removed and is replaced by RSASSA-PSS, which is now the only supported option for RSA signatures.

Revised Verification Code (VC) generation for notification flows:

Introduced a possibility for new verification code formats in the future. For now, the existing format (four numbers) will still be the only option.

App2App and Web2App device link flows now require callback verification process as part of the response verification process.

The certificatechoice (v2) functionality is now certificate-choice (v3).

The allowedInteractionsOrder parameter has been renamed to interactions, and its value (a JSON array of objects) must now be Base64 encoded.

The standalone interaction type verificationCodeChoice has been removed. Use confirmationMessageAndVerificationCodeChoice instead for flows that require a verification code choice.

The RP API server now provides the device link base URL to RPs.

The session status response (GET /session/{sessionID}) now includes userChallenge and flowType.

Added interactionTypeUsed to v3 responses.

Added new session result.endResult status codes:

USER_REFUSED_INTERACTION replaced previous result.endResult status codes (the used interaction type is now provided separately):

Error responses now use RFC9457 format.