Authentication and authorization for the BoB APIs are based on federated JSON Web Tokens (JWT) issued by each participant's authentication service, the BoB Authentication API. All requests to BoB APIs (except the Participant Metadata API, which uses another type of authentication) must include an X-BoB-AuthToken header containing the JWT. The request should also be authenticated via TLS client authentication using a certificate cryptographically bound to the JWT (the Holder of Key claim).

...

Since the TLS client certificate is self-signed, the entity terminating TLS for the API servers cannot do full certificate path validation. It should simply accept the certificate and present a hash of it to the application server. It should not check the certificate's expiration date. It is recommended to use a very long expiration date to avoid problems when technical limitations make it hard to disable the expiration date check.

If a JWT contains a bobHok claim, the API server SHOULD verify that the TLS client certificate used for communications matches the claim.
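The following is an added Python example (not BoB project code) of how an API server can combine token verification with the bobHok check above: the TLS terminator has accepted the self-signed certificate without path or expiry validation, so the hash comparison is what binds the token to the connection. It assumes an HS256 shared key in place of the participant's real signing key, SHA-256 over the DER certificate encoded as base64url as the forwarded hash, and constructed certificate bytes; none of these details come from the page.

```python
import base64
import hashlib
import hmac
import json

# Constructed inputs for this example only (not real keys or certificates).
ISSUER_KEY = b"constructed-hs256-key-standing-in-for-the-participant-signing-key"
CLIENT_CERT_DER = b"constructed-der-bytes-of-the-callers-self-signed-client-cert"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def cert_fingerprint(cert_der: bytes) -> str:
    # Assumption: the TLS terminator forwards SHA-256 over the DER certificate,
    # base64url-encoded. The page only says "a hash of the certificate".
    return _b64url(hashlib.sha256(cert_der).digest())


def sign_sample_token(claims: dict) -> str:
    # HS256 with a shared key keeps the example self-contained; real
    # X-BoB-AuthTokens are signed by the participant's authentication service.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = header + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_request(token: str, presented_cert_der: bytes) -> tuple:
    # Step 1: parse, then reject anything the issuer did not sign.
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "HS256":
        return False, "unexpected token structure or alg"
    expected = hmac.new(ISSUER_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    # Step 2: Holder-of-Key binding. The terminator did no path or expiry
    # checks, so this comparison ties the token to the TLS connection.
    bound = claims.get("bobHok")
    if bound is None:
        return True, "no bobHok claim; binding check not applicable"
    if not isinstance(bound, str) or not hmac.compare_digest(bound.encode(), cert_fingerprint(presented_cert_der).encode()):
        return False, "TLS client certificate does not match bobHok"
    return True, "signature valid and TLS client certificate matches bobHok"
```

A token without bobHok passes the binding step because the page makes the check conditional on the claim being present; a deployment that requires binding can turn that branch into a rejection.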

...