Participant Metadata


The Participant Metadata service, also called coordination function, collects, aggregates and distributes so called Metadata from the different participants. By retrieving this Metadata, participants are able to validate the authenticity of tickets issued by other entities and securely communicate directly with each other.


Samtrafiken has developed an implementation, named BoB Metadata, of the participant metadata specification. Samtrafiken also runs the Administrative Body for Sweden, see endpoints below.

The specification is found at



Base URL v1

Base URL v2

To retrieve all metadata for all participants, call
This is the only call, to participant metadata service that doesn't require a PoP (proof-of-posession) token, but do keep in mind that the attached JWS must be verified before using the payload data (the HTTPS, really SSL/TLS, transport should not be trusted). Since the transport might be tampered with, before any processing of the payload data takes place, the authenticity of the payload data should be established, using the mechanisms defined in RFC 7515.

Proof-of-possesion authorisation (PoP) tokens are described in MTS5 (click "View raw")

JSON Web Signature (JWS) is described by RFC 7515


Base URL v1

Base URL v2

To retrieve all test metadata for all participants in the test environment, call

Technical details

Policy for what parts are required to be signed

In MTS5, chapter 2, it says "What parts are required to be signed is assumed to be a policy decision enforced the server end."

BoB Metadata has the following policies

Calls without body that also is a GET request

p ts

Calls without body

p ts h:content-type

Calls with body

p b ts h:content-type

Chapter 3.2 in MTS5 specifies and has more detailed information

  • p = URL path component

  • ts = Unix timestamp as a number

  • b = Hash of the request body

  • h = Request headers