# Schema for the AccessToken JSON object. Issuer is a PDP authorization server.
# See also https://www.rfc-editor.org/rfc/rfc9068.html
#
# Layout: the JWT is described as two objects, the JOSE header and the claims
# set. Neither object sets additionalProperties, so unknown header parameters
# and unknown claims are accepted (JSON Schema default); this matches RFC 7519,
# which has consumers ignore claims they do not understand.
$schema: "http://json-schema.org/draft-07/schema#"
title: Access Token
# Only iss, exp, aud, sub, client_id, iat, jti (and the optional scope) are the
# RFC 9068 claims; profession_oid, common_name, organization_name, ip_address,
# product_id, product_version, platform and sid are profile-specific additions.
description: Schema for the Access Token issued by the PDP authorization server, as defined in RFC 9068.
type: object
properties:
  header:
    type: object
    description: The JOSE Header of the Access Token.
    properties:
      typ:
        type: string
        description: Type of the JWT. Must be "at+jwt" or "JWT".
        # NOTE(review): RFC 9068 section 4 has resource servers reject any typ
        # other than at+jwt / application/at+jwt. Accepting "JWT" as well is a
        # deviation from that rule; confirm consumers still need it, since the
        # explicit type is what keeps this token from being mistaken for other
        # JWTs signed with the same key.
        enum:
          - at+jwt
          - JWT
      alg:
        type: string
        description: Asymmetric algorithm used to sign the JWT.
        # Only ECDSA algorithms are accepted; "none" and symmetric (HS*)
        # algorithms are deliberately absent. Widening this list also means
        # updating the allow-list in every verifier.
        enum:
          - ES256
          - ES384
      kid:
        type: string
        description: The key ID of the public key used to sign the JWT.
        # No pattern is imposed. Consumers should look kid up in the issuer's
        # published key set rather than interpret the value in any other way.
    required:
      - typ
      - alg
      - kid
  payload:
    type: object
    description: The JWT Claims Set of the Access Token.
    properties:
      iss:
        type: string
        description: The issuer of the token.
      exp:
        type: integer
        # Seconds since the Unix epoch. The schema checks the type only; the
        # relation to iat and the maximum lifetime are not expressed here and
        # have to be checked at validation time.
        description: Expiration time of the token as a Unix timestamp.
      aud:
        # Either a single audience or a list of audiences (RFC 7519 form).
        # NOTE(review): the array branch has no minItems, so an empty list
        # validates; add minItems: 1 if an audience is always expected.
        oneOf:
          - type: array
            items:
              type: string
          - type: string
        description: The intended recipients (audiences) of the token.
      sub:
        type: string
        # Identifier of the end user (Telematik-ID, KVNR); personal data.
        description: "The subject of the token; Telematik-ID, KVNR or other unique identifier"
      profession_oid:
        type: string
        description: "Profession identifier (OID)"
      common_name:
        type: string
        description: "Common name of the subject"
      organization_name:
        type: string
        description: "Organization name of the subject"
      client_id:
        type: string
        description: The client identifier of the OAuth 2.0 client that requested the token.
      ip_address:
        type: string
        # No format constraint (ipv4/ipv6) is applied, so any string passes.
        # TODO confirm whether IPv6 values are expected before adding a format.
        description: The IP address of the client that requested the token.
      product_id:
        type: string
        description: The product ID of the client that requested the token.
      product_version:
        type: string
        description: The product version of the client that requested the token.
      platform:
        type: string
        description: The platform of the client that requested the token.
        enum:
          - android
          - apple
          - windows
          - linux
      iat:
        type: integer
        description: Issued at time of the token as a Unix timestamp.
      jti:
        type: string
        # Required below. Uniqueness per token is the issuer's responsibility;
        # the schema cannot check it.
        description: The JWT ID.
      scope:
        type: string
        # Presumably the space-separated OAuth 2.0 scope string. Not in the
        # required list, so a token without scope validates.
        # NOTE(review): confirm consumers treat a missing scope as granting
        # nothing rather than everything.
        description: The permissions that this token grants.
      cnf:
        type: object
        # Proof-of-possession confirmation (RFC 7800). Required below, so every
        # token issued under this schema is bound to a DPoP key.
        description: The confirmation claim binding the token to the public key.
        properties:
          jkt:
            type: string
            # Per RFC 9449 this is the base64url-encoded SHA-256 JWK Thumbprint
            # (RFC 7638) of the DPoP public key; verifiers compare it with the
            # thumbprint of the key presented in the DPoP proof.
            description: SHA-256 hash of the public key used in the DPoP proof.
        required:
          - jkt
      sid:
        type: string
        description: The session ID of the client.
    # Claims left optional by this list: common_name, organization_name,
    # platform and scope.
    required:
      - iss
      - exp
      - aud
      - sub
      - profession_oid
      - client_id
      - ip_address
      - product_id
      - product_version
      - iat
      - jti
      - cnf
      - sid
