§ Tier 3 — Raw / Spec-level

Raw / Spec-level

For auditors, OIDF conformance reviewers, interop partners, and teams that need to reproduce Tessaliq flows byte for byte. Nothing is hidden behind the useCase abstraction here — this is the spec-aligned surface.

OpenAPI / Swagger

Full API schema auto-exposed via Fastify Swagger, always up to date with the deployed staging version :

Open Swagger UI →

Covers 52+ endpoints across Sessions, Verification, Receipts, Webhooks, Wallet request/response, Public metadata, OID4VP request/response endpoints.

OIDF conformance — public immutable plans

Four plans, 24/24 modules passed, zero warning, across the SD-JWT-VC × mdoc × standard × HAIP matrix :

• SD-JWT-VC × standard — RBuAUGmDHaAqD (x509_san_dns, plain_vp, direct_post.jwt), 2026-04-24
• SD-JWT-VC × HAIP 1.0 Final — KGvIl7rradJu4 (x509_hash, haip, direct_post.jwt), 2026-04-24
• mdoc × standard — SEz1ECRv5QPl8 (iso_mdl, plain_vp, direct_post.jwt), 2026-04-24
• mdoc × HAIP 1.0 Final — u2gF4EDP8PqfC (iso_mdl, x509_hash, haip, direct_post.jwt), 2026-04-24

Full audit narrative, variant matrix and ARCOM mapping on the Compliance page.

Standards implemented

• OpenID4VP 1.0 Final — December 2024 specification, presentation_definition + DCQL + trusted_authorities
• HAIP 1.0 Final — December 2025 profile, strict allow-list for vp_formats_supported, encrypted_response_enc_values_supported, client_id_scheme=x509_hash
• ISO/IEC 18013-5 — mdoc credentials, IACA trust chain, DeviceSigned, SessionTranscript
• ISO/IEC 18013-7 (1ed) — online presentation over OID4VP, includes the jwkThumbprint fix for verifier encryption keys (bug 5aad1f01 surfaced and fixed during conformance runs)
• SD-JWT-VC — IETF draft, Key Binding JWT, selective disclosure with salt and hash
• RFC 9180 HPKE — ECDH-ES, AES-128-GCM, AES-256-GCM, P-256 ephemeral keypair per Authorization Request
• W3C Digital Credentials API — Chrome and Safari, navigator.credentials.get({ digital: … })
• EU AV blueprint — profile eu.europa.ec.av.1, annex A lockdown: client_id_scheme=redirect_uri, response_mode=direct_post forced, trusted_authorities omitted (TLS/Web PKI trust per spec), deep link av:// scheme, JAR signed inline
• eIDAS 2 / Implementing Regulation (EU) 2026/798 — Levels of Assurance low/substantial/high, ETSI TS 119 461

Trust stores and IACAs

Tessaliq's mdoc verifier maintains two IACA trust stores :

• France Identité qualification — loaded for ANTS Playground raccordement (qualification cert, not production). Located under trust/france-identite/iaca-qual.pem and activatable via TRUSTED_IACA_CERTS.
• EU AV blueprint reference implementation — 8 IACAs covering the seven pilot Member States (FR, DK, GR, IT, ES, CY, IE). Loaded by default in staging and production.

Additional IACA lists can be provisioned per deployment — contact support with the PEM chain.

Receipt JWT schema

Every verified session produces a signed ES256 JWT receipt :

{
  "alg": "ES256",
  "typ": "JWT",
  "kid": "tessaliq-receipt-2026-01"
}
{
  "iss": "https://api-staging.tessaliq.com",
  "sub": "[session_id]",
  "iat": 1714060800,
  "exp": 1714061400,
  "verification": {
    "policy": "av_age_18_plus",
    "policy_version": 1,
    "result": true,
    "state": "verified"
  },
  "proof": {
    "circuit_id": "attribute_check",
    "circuit_version": "1.0",
    "proof_hash": "sha256:[hex]"
  }
}

Full canonical spec: Tessaliq/tessaliq-open · docs/technique/receipt-spec-v1.md.

Offline verification: fetch the JWKS at /.well-known/jwks.json, pick the key by kid, verify the ES256 signature. The receipt verifier page runs this entirely client-side for quick inspection.

Open-core repositories

• Tessaliq/tessaliq-open — MIT license, includes circuits/age_verification (Noir ZK circuit), @tessaliq/sdk-web, @tessaliq/sd-jwt, @tessaliq/shared
• oliviermeunier/tessaliq — private, the verifier core and dashboard. Access granted on request for due diligence.