sequenceDiagram
autonumber
actor Admin
participant CP as Control Panel UI/API
participant Auth as Auth Service
participant Reg as Registry DB
participant Vault as Platform eVault
participant Tok as Token Store
Admin->>CP: Grant access token for platformId
CP->>Reg: Load platform (publicKey, status)
Reg-->>CP: platform record
CP->>Auth: Create challenge (platformId)
Auth-->>CP: challengeId, nonce, expiresAt
CP->>Vault: Deliver challenge (challengeId, nonce, expiresAt)
Vault->>Vault: Sign/Prove nonce with platform private key
Vault->>CP: POST /platforms/challenge/response (challengeId, proof)
CP->>Auth: Verify proof (challengeId, proof, publicKey)
Auth->>Auth: Check challenge status=PENDING and now < expiresAt
Auth->>Auth: Verify signature / proof-of-possession over nonce with publicKey
Auth->>Auth: Mark challenge USED (single use, replay rejected)
Auth-->>CP: verified=true
CP->>Tok: Mint access token (platformId, scopes, ttl)
Tok-->>CP: accessToken
CP->>Reg: Update status=VERIFIED, lastVerifiedAt=now
CP-->>Admin: Token granted (accessToken)
Platform Auth — eVault Self-Registration + Token Grant via Crypto Challenge
Overview
Actors & Components
Sequence — Create Platform eVault → Auto-Register
Sequence — Admin Grants Token → Crypto Challenge → Token Issued
State — Platform Registration & Token Grant
Data Model (Minimal)
erDiagram
  PLATFORM {
    string platformId PK
    string vaultId
    string displayName
    string publicKey
    string status "UNVERIFIED|VERIFIED"
    datetime createdAt
    datetime lastVerifiedAt
  }
  CHALLENGE {
    string challengeId PK
    string platformId FK
    string nonce
    datetime expiresAt
    datetime createdAt
    string status "PENDING|USED|EXPIRED"
  }
  TOKEN_GRANT {
    string tokenId PK
    string platformId FK
    string accessTokenHash
    string scopes
    datetime issuedAt
    datetime expiresAt
    string status "ACTIVE|REVOKED|EXPIRED"
  }
  PLATFORM ||--o{ CHALLENGE : issues
  PLATFORM ||--o{ TOKEN_GRANT : has
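The challenge/proof exchange in the token-grant sequence and the CHALLENGE / TOKEN_GRANT rows in the data model, as an added worked example (this is illustrative code written for this page, not the project's own implementation). It assumes Ed25519 for the platform key pair (the page only says "platform private key" / publicKey), a signed message layout with a domain tag plus challengeId, platformId and nonce, and an in-memory map standing in for the Registry DB; the HTTP transport for POST /platforms/challenge/response is left out. What it adds to the diagram is the verification order: challenge state and expiry are checked before the signature, the proof is bound to the platformId so it cannot be redirected, the challenge is consumed on success so a captured proof cannot be replayed, and the token store persists only sha256(token).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"time"
)

// Challenge mirrors the CHALLENGE row: PENDING until consumed, then USED or EXPIRED.
type Challenge struct {
	ID, PlatformID, Nonce, Status string
	ExpiresAt                     time.Time
}

// AuthService creates and verifies single-use challenges (the "Auth" participant).
// Illustrative only: not goroutine-safe; a real service would lock or make the state
// change a conditional DB update (status PENDING -> USED) so two verifies cannot race.
type AuthService struct {
	challenges map[string]*Challenge
	Now        func() time.Time // clock, replaceable in tests to exercise expiry
}

func NewAuthService() *AuthService {
	return &AuthService{challenges: map[string]*Challenge{}, Now: time.Now}
}

// randomHex returns n bytes from crypto/rand as hex; it refuses to continue without entropy.
func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// CreateChallenge ("Create challenge (platformId)"): fresh 256-bit nonce bound to the
// platform, with a short TTL.
func (a *AuthService) CreateChallenge(platformID string, ttl time.Duration) *Challenge {
	c := &Challenge{ID: randomHex(16), PlatformID: platformID, Nonce: randomHex(32),
		Status: "PENDING", ExpiresAt: a.Now().Add(ttl)}
	a.challenges[c.ID] = c
	return c
}

// proofMessage is the signed byte string (assumed layout). A domain tag, the challengeId
// and the platformId are included so a proof for one challenge or platform cannot be
// replayed against another.
func proofMessage(challengeID, platformID, nonce string) []byte {
	return []byte("evault-platform-challenge-v1\x00" + challengeID + "\x00" + platformID + "\x00" + nonce)
}

// Prove ("Sign/Prove nonce with platform private key") runs inside the platform eVault,
// the only holder of the private key.
func Prove(priv ed25519.PrivateKey, c *Challenge) []byte {
	return ed25519.Sign(priv, proofMessage(c.ID, c.PlatformID, c.Nonce))
}

// VerifyProof ("Verify signature / proof-of-possession"): state, expiry and platform
// binding are checked before the signature, and the challenge is consumed on success
// so the same proof never works twice.
func (a *AuthService) VerifyProof(challengeID, platformID string, pub ed25519.PublicKey, proof []byte) error {
	c, ok := a.challenges[challengeID]
	if !ok || c.PlatformID != platformID {
		return errors.New("unknown challenge for this platform")
	}
	if c.Status != "PENDING" {
		return errors.New("challenge already used or expired")
	}
	if a.Now().After(c.ExpiresAt) {
		c.Status = "EXPIRED"
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(pub, proofMessage(c.ID, c.PlatformID, c.Nonce), proof) {
		return errors.New("proof-of-possession failed")
	}
	c.Status = "USED"
	return nil
}

// TokenGrant mirrors TOKEN_GRANT: only sha256(token) is persisted, never the bearer token.
type TokenGrant struct {
	TokenID, PlatformID, AccessTokenHash, Scopes, Status string
	IssuedAt, ExpiresAt                                   time.Time
}

// TokenHash is computed both when storing a grant and when a presented token is looked up.
func TokenHash(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// MintToken ("Mint access token (platformId, scopes, ttl)") returns the plaintext token
// exactly once, plus the record to persist.
func MintToken(platformID, scopes string, ttl time.Duration, now time.Time) (string, TokenGrant) {
	token := randomHex(32)
	return token, TokenGrant{TokenID: randomHex(16), PlatformID: platformID,
		AccessTokenHash: TokenHash(token), Scopes: scopes, Status: "ACTIVE",
		IssuedAt: now, ExpiresAt: now.Add(ttl)}
}
```

The control panel wires these together in the order of the sequence: CreateChallenge, deliver the challenge to the eVault, receive the proof, VerifyProof, and only then MintToken and update the platform record to VERIFIED. Marking the challenge USED before minting is deliberate: if minting fails, the admin repeats the whole flow with a new challenge rather than reusing a proof that has already been accepted once.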