CARO usage #

For how long are authentication tokens valid? #

You can use the same Client ID and Client Secret to communicate with CARO when acting on behalf of each of your VRS customers. The authentication tokens have a validity of 24 h. Please reuse each token until its expiry. Your maximum daily usage allowance is 150 tokens in the absence of any further arrangements with us. This is also highlighted in the VRS guide.

If the use of one client Secret:ID pair or one authentication token for all your VRS customers conflicts with your own architecture, do let us know, since we have no insights into your systems. In that case, we may need to reconsider certain design decisions at our end.

Why can I not see the client details on my dashboard? #

Following a recent update of our user management only users set up as Service Provider Developers are permitted to see this information. You can change your role in User Management in the Service Provider section.

What you should see… CARO VRS Dashboard

What kind of results does the CARO search function return? #

Our search currently returns fuzzy results. So, if you look for a specific corrUUID or DID, make sure to check the returned result, as the search may have found something that is highly similar if there is no exact match.

The search function is WIP. We will refine its capabilities in the coming months to make it more obvious when exact and fuzzy matches are displayed.

CARO Search function

VRS roundtrip set-up and testing #

How do I need to handle the corrUUID in a VRS response? #

The purpose of the corrUUID is to connect all events in a full VRS roundtrip (request and response) for a consistent audit trail. Hence, as a responder you must re-use the corrUUID that you have received from the requester instead of creating a new random corrUUID. The requester’s corrUUID can be extracted from the nonce field in the decoded received Verifiable Presentation.

Please peruse our VRS guide as a refresher.

The relevant OCI references in the Digital Wallet Conformance Criteria are:

How can I retrieve details from a received Verifiable Presentation? #

The Verifiable Presentation is in a JWT format and base64-encoded. Decode it from base64 and you will have a familiar JWT structure. The “vp” root-level field contains the presentation. You can trial decoding a VP or JWT using the decoder at https://jwt.io/.

Where can I find the test data for VRS interoperability testing? #

Provision of VRS test data is beyond the scope of Spherity’s involvement in the HDA-facilitated interoperability testing. It us our understanding that the test data from all participating VRS are stored on HDA’s SharePoint following this path: Verification Router Service > Documents > Testing Scale Up Plan > Service Provider Test Plans and Test Data. Then choose the desired VRS.