The Participant Metadata service, also called the coordination function, collects, aggregates and distributes so-called metadata from the different participants. By retrieving this metadata, participants are able to validate the authenticity of tickets issued by other entities and securely communicate directly with each other.
Samtrafiken has developed an implementation, named BoB Metadata, of the participant metadata specification. Samtrafiken also runs the Administrative Body for Sweden, see endpoints below.
The specification is found at https://bitbucket.org/samtrafiken/bob-api-participant-metadata/src/master/participantMetadata.yaml
Base URL v1 https://bobmetadata.samtrafiken.se/api/v1
Base URL v2 https://bobmetadata.samtrafiken.se/api/v2
To retrieve all metadata for all participants, call https://bobmetadata.samtrafiken.se/api/v2/participantMetadata.
This is the only call to the participant metadata service that doesn't require a PoP (proof-of-possession) token. Keep in mind that the attached JWS must be verified before the payload data is used (the HTTPS, really SSL/TLS, transport should not be trusted). Since the transport might be tampered with, the authenticity of the payload data should be established, using the mechanisms defined in RFC 7515, before any processing of the payload data takes place.
Proof-of-possession authorisation (PoP) tokens are described in MTS5 (click "View raw")
JSON Web Signature (JWS) is described by RFC 7515
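One way to perform the JWS check described above, as an added example (not BoB Metadata's or Samtrafiken's own code) using Node.js's built-in crypto module. It assumes the response is a compact-serialized JWS signed with ES256 and that the signer's public key is obtained out of band; the function names, key pair and sample payload are constructed for illustration.

```javascript
// Added example: verify a compact JWS (RFC 7515) before using its payload.
const crypto = require("node:crypto");
const b64u = (data) => Buffer.from(data).toString("base64url");

// Returns the parsed payload only if the signature verifies under trustedKey,
// which the caller pins; it is never taken from the JWS itself.
function verifyMetadataJws(jws, trustedKey) {
  const parts = String(jws).split(".");
  if (parts.length !== 3 || !parts.every((p) => /^[A-Za-z0-9_-]+$/.test(p))) {
    throw new Error("not a compact JWS");
  }
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
  // Pin the algorithm: the token must not choose it ("none", HS256, ...).
  if (header.alg !== "ES256") throw new Error("unexpected alg: " + header.alg);
  // RFC 7515 section 4.1.11: reject critical extensions we do not understand.
  if (header.crit !== undefined) throw new Error("unsupported crit header");
  const sig = Buffer.from(s, "base64url");
  if (sig.length !== 64) throw new Error("bad ES256 signature length");
  // The signing input is the two encoded segments exactly as received.
  const ok = crypto.verify("sha256", Buffer.from(`${h}.${p}`, "ascii"),
    { key: trustedKey, dsaEncoding: "ieee-p1363" }, sig);
  if (!ok) throw new Error("signature verification failed");
  return JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
}

// Constructed sample: a throwaway P-256 key pair stands in for the signer's key.
const sampleKeys = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
function signSample(payload, header = { alg: "ES256" }) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  const sig = crypto.sign("sha256", Buffer.from(input, "ascii"),
    { key: sampleKeys.privateKey, dsaEncoding: "ieee-p1363" });
  return `${input}.${b64u(sig)}`;
}

// Same header and signature, different payload: what a tampered transport yields.
function swapPayload(jws, payload) {
  const [h, , s] = jws.split(".");
  return [h, b64u(JSON.stringify(payload)), s].join(".");
}

const sampleJws = signSample({ note: "constructed payload", participants: [] });
console.log(verifyMetadataJws(sampleJws, sampleKeys.publicKey));
try {
  verifyMetadataJws(swapPayload(sampleJws, { participants: ["altered"] }), sampleKeys.publicKey);
} catch (err) {
  console.log("rejected:", err.message);
}
```

The payload is parsed only after the signature check succeeds, so a response altered in transit never reaches application logic.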
Base URL v1 https://bobmetadata-pp.samtrafiken.se/api/v1
Base URL v2 https://bobmetadata-pp.samtrafiken.se/api/v2
To retrieve all test metadata for all participants in the test environment, call https://bobmetadata-pp.samtrafiken.se/api/v2/participantMetadata.
In MTS5, chapter 2, it says "What parts are required to be signed is assumed to be a policy decision enforced the server end."
BoB Metadata has the following policies:
- Calls without a body that are also GET requests
- Calls without a body
- Calls with a body
Chapter 3.2 in MTS5 specifies the following fields and has more detailed information:
- p = URL path component
- ts = Unix timestamp as a number
- b = Hash of the request body
- h = Request headers