BoB Authentication API


The BoB Authentication API is the BoB identity provider and provides BoB clients with JSON Web Tokens (RFC 7519) used for authentication with Bob APIs.


getAuthenticationToken is used to get an authentication token given an entity identifier (provided in request URI) and a TLS client certificate. 

The client to server TLS connection is usually terminated at a HTTP proxy (e.g. a load balancer) and the SHA1 fingerprint (as hex) of the TLS client certificate is transferred to the authentication server via a header, e.g., "X-SSL-Client-SHA1".

Result is provided both as a JWT in compact format as well as a serialized JWT header/payload to ease parsing. In addition to the standard JWT claims, BoB JWTs contains the following additional claims:

  • bobHok – holder of key claim, a SHA1 fingerprint (as hex) of the entity's TLS client certificate
  • bobAuthZ – authorization group

Example request
curl --verbose \
     --cert xyzzy.crt \
     --key xyzzy.key \

Example response
    "header": {
        "alg": "ES256",
        "kid": "auth20170320"
    "jwtCompact": "REDACTED_JWT",
    "payload": {
        "bobAuthZ": "val",
        "bobHok": "0a9a063eb8d540cbf7dfba7697c674d14a174f7d",
        "exp": 1490001801,
        "iat": 1489998201,
        "iss": "1",
        "nbf": 1489998201,
        "sub": "xyzzy"

BoB Authorization Groups

The following BoB Authorization groups has been defined:

  • val – Validator
  • ins – Inspector
  • tvm – Ticket Vending Machine
  • pos – Point Of Sale

Other groups may be defined in the future.