directory-api-swagger.yaml

openapi: 3.0.0
info:
  title: Open Banking Directory API
  version: 2.2.0
  description: OB Tech Directory API
servers:
  - url: https://matls-dirapi.openbanking.org.uk
    description: Production
  - url: https://matls-dirapi.openbankingtest.org.uk
    description: Sandbox
paths:
  '/v2.1/oauth/{OrganisationId}':
    parameters:
      - $ref: '#/components/parameters/OrganisationId'
    get:
      summary: Get details of the active OAuthClient for the given Organisation
      tags:
        - OAuth Client v2.1
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/OAuthClient200OKResponse'
        '204':
          $ref: '#/components/responses/204NoContentResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    put:
      summary: Update OAuthClient for the given Organisation
      tags:
        - OAuth Client v2.1
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPManage
            - TPPManage
      requestBody:
        $ref: '#/components/requestBodies/CertificateOBWACorQWAC'
      responses:
        '200':
          $ref: '#/components/responses/OAuthClient200OKResponse'
        '204':
          $ref: '#/components/responses/204NoContentResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
  '/v2.1/organisation':
    post:
      summary: Enrol a eIDAS QWAC/QSeal-bearing participant
      description: Enrol an eIDAS QWAC/QSealC certificate-bearing participant onto the Open Banking Directory. Currenty only TPPs can use this enrolment endpoint.Enrol an eIDAS QWAC/QSeal certificate-bearing participant onto the Open Banking Directory.
      tags:
        - Organisations v2.1
      requestBody:
        $ref: '#/components/requestBodies/Enrol'
      responses:
        '201':
          $ref: '#/components/responses/Enrol201CreatedResponse'
        '400':
          $ref: '#/components/responses/Enrol400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    get:
      summary: Get all organisations that the client is authorised to retrieve
      description: Note that this was not in the original design but is included to inform the client
      tags:
        - Organisations v2.1
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/OrganisationsGetFromSCIM200OKResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '403':
          $ref: '#/components/responses/403ForbiddenResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
  '/v2.1/organisation/{OrganisationId}':
    get:
      summary: Get the given organisation's details
      tags:
        - Organisations v2.1
      parameters:
        - $ref: '#/components/parameters/OrganisationId'
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/OrganisationGetFromSCIM200OKResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '403':
          $ref: '#/components/responses/403ForbiddenResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
  '/v2.1/organisation/{OrganisationId}/contact/{ContactType}':
    put:
      summary: Update the business or the technical contacts for the given organisation
      tags:
        - Contacts v2.1
      parameters:
        - $ref: '#/components/parameters/OrganisationId'
        - $ref: '#/components/parameters/ContactType'
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      requestBody:
        $ref: '#/components/requestBodies/Contact'
      responses:
        '200':
          $ref: '#/components/responses/Contact200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    get:
      summary: Get the business or the technical contacts for the given organisation
      x-PingAccessResourceName: OrganisationContactGET
      x-PingAccessRuleType: uk.org.openbanking.policy.RequestHostOverride
      x-PingAccessRuleTarget: obdorgcontacts.{environment}
      tags:
        - Contacts v2.1
      parameters:
        - $ref: '#/components/parameters/OrganisationId'
        - $ref: '#/components/parameters/ContactType'
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/Contact200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'

  '/v2.1/organisation/{OrganisationId}/software-statement':
    parameters:
      - $ref: '#/components/parameters/OrganisationId'
    post:
      summary: Create a software statement
      tags:
        - Software Statements v2.1
      parameters:
        - $ref: '#/components/parameters/OrganisationId'
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      requestBody:
        $ref: '#/components/requestBodies/SoftwareStatement'
      responses:
        '201':
          $ref: '#/components/responses/SoftwareStatement201CreatedResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    get:
      summary: Get all software statements for the given organisation
      tags:
        - Software Statements v2.1
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/SoftwareStatementsGet200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
  '/v2.1/organisation/{OrganisationId}/software-statement/{SoftwareStatementId}':
    parameters:
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/SoftwareStatementId'
    get:
      summary: Get a software statement
      tags:
        - Software Statements v2.1
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/SoftwareStatement201CreatedResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    put:
      summary: Activate or deactive a software statement
      tags:
        - Software Statements v2.1
      parameters:
        - $ref: '#/components/parameters/OrganisationId'
        - $ref: '#/components/parameters/SoftwareStatementId'
      requestBody:
        $ref: '#/components/requestBodies/SoftwareStatementState'
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      responses:
        '200':
          $ref: '#/components/responses/SoftwareStatementUpdated200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
  '/v2.1/organisation/{OrganisationId}/software-statement/{SoftwareStatementId}/redirect-uri':
    parameters:
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/SoftwareStatementId'
    post:
      summary: Add a redirect URI to the given Software Statement
      tags:
        - Software Statement Redirect URIs v2.1
      parameters:
        - $ref: '#/components/parameters/OrganisationId'
        - $ref: '#/components/parameters/SoftwareStatementId'
      requestBody:
        $ref: '#/components/requestBodies/SoftwareStatementRedirectURI'
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      responses:
        '200':
          $ref: '#/components/responses/SoftwareStatementUpdated200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '409':
          $ref: '#/components/responses/409ConflictResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
  '/v2.1/organisation/{OrganisationId}/software-statement/{SoftwareStatementId}/software-statement-assertion':
    parameters:
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/SoftwareStatementId'
    get:
      summary:
        Retrieve the software statement assertion for the given SoftwareStatementID.
      description: |
        # Depending on the type of participant, one of the following pre-conditions must be met in order to generate an SSA:
         * EU TPPs NOT on the TPR  must hold at least one eIDAS certificate.
         * EU TPPs on the TPR must hold at least one eIDAS or OB certiticate.
         * UK TPPs on the TPR must hold at least one OB certificate.
        The response body is a signed JWT and the values found in the header and the payload of the SSA are specified below
        # Terminology
          This specification uses the terms "access token", "authorization code", "authorization endpoint", "authorization grant", "authorization server", "client", "client identifier", "client secret", "grant type", "protected resource", "redirection URI", "refresh token", "resource owner", "resource server", "response type", and "token endpoint" defined by OAuth 2.0 [RFC6749] and uses the term "Claim" defined by JSON Web Token (JWT) [RFC7519].
          * __Account Servicing Payment Services Provider (ASPSP)__ -- An organisation managing customer accounts (and operating banking APIs).
          * __Primary Technical Contact__ -- The person at the TPP who creates an SSA and invokes a registration mechanism. This is an example of an [RFC7591] Client Developer.
          * __OB Organisation ID__ -- The unique identifier for each OpenBanking participant. Both TPPs and ASPSPs have OB Organisation IDs.
          * __OpenBanking Directory__ -- An implementation of a [PSD2] competent authority; acts as an Identity Provider, certificate authority, and registry governing the participants in the UK OpenBanking API scheme.
          * __ASPSP Registration Endpoint__ -- OAuth 2.0 & [RFC7591] compliant endpoint, exact value is discoverable from the [OIDCD] openid-configuration file of the ASPSP.
          * __Software Statement Assertion (SSA)__ -- An implementation of an [RFC7591] software statement, signed by the OpenBanking Directory.
          * __Trusted Third Party (TPP)__ -- An organization working to initiate payments or consume account information with/from an ASPSP.
          * __TPP Client Software__ -- software implementing an OAuth2 client, interacting with an ASPSP registration endpoint.
        # Software Statement Assertion (SSA)
          The SSA is a JSON Web Token (JWT) containing client metadata about an instance of TPP client software. The JWT is issued and signed by the OpenBanking Directory.
        ## SSA Payload
          The payload of an OpenBanking SSA MUST be a compliant software statement according to [RFC7591]. The SSA MUST also be a compliant JWT according to [RFC7519]. The following metadata profiles the metadata in [RFC7591] and [RFC7519]:
          | Metadata | Description | Source Specification |
          |----------|-------------|----------------------|
          |`software_id`|Unique Identifier for TPP Client Software|[RFC7591]|
          |`iss`|SSA Issuer|[RFC7519]|
          |`iat`|Time SSA issued|[RFC7519]|
          |`jti`|JWT ID|[RFC7519]|
          The following software metadata is additionally defined for this profile:
          |Metadata |Description |Field Size |Default values |
          |---------|------------|-----------|---------------|
          |`software_client_id`|The Client ID Registered at OB used to access OB resources|Base62 GUID (22 chars)| |
          |`software_client_description`|Human-readable detailed description of the client|Max256Text| |
          |`software_client_name`|Human-readable Software Name|Max40Text| |
          |`software_client_uri`|The website or resource root uri|Max256Text| |
          |`software_version`|The version number of the software should a TPP choose to register and / or maintain it|Max42Text| |
          |`software_environment`|Requested additional field to avoid certificate check|Max256Text| |
          |`software_jwks_endpoint`|Contains all active signing and network certs for the software|Max256Text| |
          |`software_jwks_revoked_endpoint`|Contains all revoked signing and network certs for the software|Max256Text| |
          |`software_logo_uri`|Link to the TPP logo. Note, ASPSPs are not obliged to display images hosted by third parties|Max256Text| |
          |`software_mode`|ASPSP Requested additional field to indicate that this software is `Test` or `Live` the default is `Live`. Impact and support for `Test` software is up to the ASPSP.|Max40Text| |
          |`software_on_behalf_of_org`|A reference to fourth party organsiation resource on the OB Directory if the registering TPP is acting on behalf of another.|Max40Text| |
          |`software_policy_uri`|A link to the software's policy page|Max256Text| |
          |`software_redirect_uris`|Registered client callback endpoints as registered with Open Banking|A string array of Max256Text items|
          |`software_roles`|A multi value list of PSD2 roles that this software is authorized to perform.|A string array of Max256Text items| |
          |`software_tos_uri`|A link to the software's terms of service page|Max256Text| |
          The following Organisational metadata is defined for this profile:
          |Metadata |Description |Field Size | Default values |
          |---------|------------|-----------|----------------|
          |`organisation_competent_authority_claims`|Authorisations granted to the organsiation by an NCA|CodeList {`AISP`, `PISP`, `CBPII`, `ASPSP`}| |
          |`org_status`|Included to cater for voluntary withdrawal from OB scenarios|`Active`, `Revoked`, or `Withdrawn`| |
          |`org_id`|The Unique TPP or ASPSP ID held by OpenBanking.|Max35Text| |
          |`org_name`|Legal Entity Identifier or other known organisation name|Max140Text| |
          |`org_contacts`|JSON array of objects containing a triplet of name, email, and phone number|Each item Max256Text| |
          |`org_jwks_endpoint`|Contains all active signing and network certs for the organisation|Max256Text| |
          |`org_jwks_revoked_endpoint`|Contains all revoked signing and network certs for the organisation|Max256Text| |
        ## SSA header
          The SSA header MUST comply with [RFC7519].
          |Metadata |Description |Comments |
          |---------|------------|---------|
          |`typ`|MUST be set to `JWT`| |
          |`alg`|MUST be set to `ES256` or `PS256`| |
          |`kid`|The kid will be kept the same as the `x5t` parameter. (X.509 Certificate SHA-1 Thumbprint) of the signing certificate.| |
          ### Example SSA
          The elements defined in the software statement will consist of the following values.
          *Note that there are inconsistent applications of booleans or "Active" strings in the current data model.*
          *Note that there are inconsistent applications of status flags case sensitivity.*
          *The attributes required to be displayed by ASPSPs.*
        ```
        {
          "typ": "JWT",
          "alg": "ES256",
          "kid": "ABCD1234"
        }
        {
          "iss": "OpenBanking Ltd",
          "iat": 1492756331,
          "jti": "id12345685439487678",
          "software_environment": "production",
          "software_mode": "live",
          "software_id": "65d1f27c-4aea-4549-9c21-60e495a7a86f",
          "software_client_id": "Open Banking TPP Client Unique ID",
          "software_client_name": "Amazon Prime Movies",
          "software_client_description": "Amazon Prime Movies is a movie streaming service",
          "software_version": "2.2.2",
          "software_client_uri": "https://prime.amazon.com",
          "software_redirect_uris": [
            "https://prime.amazon.com/cb",
            "https://prime.amazon.co.uk/cb"
          ],
          "software_roles": [
            "PISP",
            "AISP"
          ],
          "organisation_competent_authority_claims": {
            "authority_id": "FMA", // Austrian Financial Market Authority
            "registration_id": "111111",
            "status": "Active",
            "authorisations":  [
              {
                "member_state": "GB",
                "roles": [
                  "PISP",
                  "AISP"
                ]
              },
              {
                "member_state": "IR",
                "roles": [
                  "PISP"
                ]
              }
            ]
          },
          "software_logo_uri": "https://prime.amazon.com/logo.png",
          "org_status": "Active",
          "org_id": "Amazon TPPID",
          "org_name": "OpenBanking TPP Registered Name",
          "org_contacts": [
            {
              "name": "contact name",
              "email": "contact@contact.com",
              "phone": "+447890130558"
              "type": "business"
            },
            {
              "name": "contact name",
              "email": "contact@contact.com",
              "phone": "+447890130558",
              "type": "technical"
            }
          ],
          "org_jwks_endpoint": "https://jwks.openbanking.org.uk/org_id/org_id.jkws",
          "org_jwks_revoked_endpoint": "https://jwks.openbanking.org.uk/org_id/revoked/org_id.jkws",
          "software_jwks_endpoint": "https://jwks.openbanking.org.uk/org_id/software_id.jkws",
          "software_jwks_revoked_endpoint": "https://jwks.openbanking.org.uk/org_id/revoked/software_id.jkws",
          "software_policy_uri": "https://tpp.com/policy.html",
          "software_tos_uri": "https://tpp.com/tos.html",
          "software_on_behalf_of_org": "Acme Ltd"
        }
        {
          Signature
        }
        ```
        # Automated Client Registration
        A TPP MAY use automated client registration to submit an SSA to an ASPSP in exchange for client credentials for use as a client against an OAuth 2.0 Authorization Server. It is RECOMMENDED for ASPSPs to support the automated client registration mechanism. A large number of claims that OpenID Connect OPs could support as part of the RFC7591 request are detailed [https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata) and should be followed if not explicitly referenced in the Software Statement Assertion claim set.
        ## Request Validation
        Prior to issuing a client registration response, the ASPSP MUST perform the following checks
        * The ASPSP SHOULD check whether the TPP that initiated the TLS connection is the same TPP as listed in the SSA.
        * In the case where a gateway or other piece of infrastructure pre-terminates the MATLS channel in front of the registration endpoint, the certificate used to initiate the connection or some part of that certificate (such as DN & Issuer) SHOULD be made available to the ASPSP for validation against the claims in the SSA.
        * The registration request MUST be signed with a key contained in the JWKS referenced in the SSA included with the request. This ensures that a holder-of-key proof-of-possession is performed proving that the TPP app was the originally intended recipient of the SSA when the OB issued it.
        * The SSA MUST be validated according to [RFC7519], including validation of the signature and validity window.
        JWT signature must be validated, this involves retrieving the jwks keyset for both the OB and the TPP. The OB keystore location will be published as part of the directory specification, The TPP's will be included in the software statement.
        ### SSA Lifetime
        The SSA's Lifetime / Validity period is not defined by Open Banking. ASPSPs in the Open Banking ecosystem are required to implement pragmatic time ranges in which to accept an SSA. For example, an ASPSP that has implemented Dynamic Client Registration may choose to accept SSA's that were issued no earlier than 1 minute prior to their presentation however ASPSPs that only support manual registration may need to accept SSAs that were issued 30 minutes prior as the elapsed time period between generation and use between these two flows is expected to differ significantly.
      tags:
        - Software Statement Assertions v2.1
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/SoftwareStatementAssertion200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'

  '/v2.1/organisation/{OrganisationId}/certificate':
    parameters:
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/SoftwareStatementId'
    get:
      summary: Get the certificates for the given organisation
      tags:
        - Organisation Certificates v2.1
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/CertificatesOrKeysGet200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
  '/v2.1/organisation/{OrganisationId}/certificate/{OrganisationCertificateType}':
    parameters:
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/SoftwareStatementId'
      - $ref: '#/components/parameters/OrganisationCertificateType'
    post:
      summary: Store or create a new certificate of the given OrganisationCertificateType for the given organisation
      tags:
        - Organisation Certificates v2.1
      parameters:
        - $ref: '#/components/parameters/OrganisationId'
        - $ref: '#/components/parameters/SoftwareStatementId'
        - $ref: '#/components/parameters/OrganisationCertificateType'
      requestBody:
        $ref: '#/components/requestBodies/CertificateOrCSROrJWS'
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      responses:
        '201':
          $ref: '#/components/responses/CertificateOrKey201CreatedResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    get:
      summary: Get the certificates of the given OrganisationCertificateType for the given oranisation
      tags:
        - Organisation Certificates v2.1
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/CertificatesOrKeysGet200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'

  '/v2.1/organisation/{OrganisationId}/certificate/kid/{CertificateOrKeyId}':
    parameters:
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/CertificateOrKeyId'
    get:
      summary: Retrieve a certificate with the given CertificateOrKeyId
      tags:
        - Organisation Certificates v2.1
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/CertificateOrKeyGet200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    delete:
      summary: Revoke or remove a certificate with the given CertificateOrKeyId
      tags:
        - Organisation Certificates v2.1
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      responses:
        '204':
          $ref: '#/components/responses/204NoContentResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'

  '/v2.1/organisation/{OrganisationId}/software-statement/{SoftwareStatementId}/certificate':
    parameters:
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/SoftwareStatementId'
    get:
      summary: Get certificates for the given software statement
      tags:
        - Software Statement Certificates v2.1
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/CertificatesOrKeysGet200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'

  '/v2.1/organisation/{OrganisationId}/software-statement/{SoftwareStatementId}/certificate/{SoftwareStatementCertificateOrKeyType}':
    parameters:
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/SoftwareStatementId'
      - $ref: '#/components/parameters/SoftwareStatementCertificateOrKeyType'
    post:
      summary: Add a key or create a new certificate for the given software statement
      tags:
        - Software Statement Certificates v2.1
      parameters:
        - $ref: '#/components/parameters/OrganisationId'
        - $ref: '#/components/parameters/SoftwareStatementId'
      requestBody:
        $ref: '#/components/requestBodies/CSROrKey'
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      responses:
        '201':
          $ref: '#/components/responses/CertificateOrKey201CreatedResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    get:
      summary: Get the certificates of the given type for the given software statement
      tags:
        - Software Statement Certificates v2.1
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/CertificatesOrKeysGet200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'

  '/v2.1/organisation/{OrganisationId}/software-statement/{SoftwareStatementId}/certificate/{OrganisationAssociativeCertificateType}/{CertificateOrKeyId}':
    parameters:
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/SoftwareStatementId'
      - $ref: '#/components/parameters/OrganisationAssociativeCertificateType'
      - $ref: '#/components/parameters/CertificateOrKeyId'
    put:
      summary: Associate/de-associate a QSEAL/OBSEAL certificate with the given software statement
      tags:
        - Certificate Associations v2.1
      requestBody:
        $ref: '#/components/requestBodies/CertificateOrKeyAssociation'
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      responses:
        '200':
          $ref: '#/components/responses/CertificateAssociatedWithASoftwareStatement200AcceptedResponse'
        '204':
          $ref: '#/components/responses/204NoContentResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '409':
          $ref: '#/components/responses/409ConflictResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    get:
      summary: Get the certificate of the given type and ID for the given software statement
      tags:
        - Software Statement Certificates v2.1
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/CertificateOrKeyGet200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'

  '/v2.1/organisation/{OrganisationId}/authorisation-server':
    parameters:
      - $ref: '#/components/parameters/OrganisationId'
    get:
      summary: Get all Authorisation Servers for the given organisation
      tags:
        - Authorisation Servers v2.1
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/AuthorisationServersResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    post:
      summary: Create an Authorisation Server for the given organisation
      tags:
        - Authorisation Servers v2.1
      requestBody:
        $ref: '#/components/requestBodies/AuthorisationServer'
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      responses:
        '201':
          $ref: '#/components/responses/AuthorisationServerResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
  '/v2.1/organisation/{OrganisationId}/authorisation-server/{AuthorisationServerId}':
    parameters:
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/AuthorisationServerId'
    get:
      summary: Get .well-known entity
      tags:
        - Authorisation Servers v2.1
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/AuthorisationServerResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    put:
      summary: Update .well-known entity
      tags:
        - Authorisation Servers v2.1
      requestBody:
        $ref: '#/components/requestBodies/AuthorisationServer'
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      responses:
        '202':
          $ref: '#/components/responses/AuthorisationServer202AcceptedResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    delete:
      summary: Delete an Authorisation Server
      tags:
        - Authorisation Servers v2.1
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      responses:
        '204':
          $ref: '#/components/responses/204NoContentResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
  '/v2.1/certificate/validate':
    post:
      summary: Validate certificate
      tags:
        - Certificate Validation v2.1
      requestBody:
        $ref: '#/components/requestBodies/CertificateValidationRequestBody'
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/CertificateValidationServerResponseV2.1'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
  '/v2/organisation':
    post:
      summary: Enrol a eIDAS QWAC/QSeal-bearing participant
      description: Enrol an eIDAS QWAC/QSealC certificate-bearing participant onto the Open Banking Directory. Currenty only TPPs can use this enrolment endpoint.Enrol an eIDAS QWAC/QSeal certificate-bearing participant onto the Open Banking Directory.
      tags:
        - Organisations
      requestBody:
        $ref: '#/components/requestBodies/Enrol'
      responses:
        '201':
          $ref: '#/components/responses/Enrol201CreatedResponse'
        '400':
          $ref: '#/components/responses/Enrol400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    get:
      summary: Get all organisations that the client is authorised to retrieve
      description: Note that this was not in the original design but is included to inform the client
      tags:
        - Organisations
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/OrganisationsGetFromSCIM200OKResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '403':
          $ref: '#/components/responses/403ForbiddenResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
  '/v2/organisation/{OrganisationId}':
    get:
      summary: Get the given organisation's details
      tags:
        - Organisations
      parameters:
        - $ref: '#/components/parameters/OrganisationId'
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/OrganisationGetFromSCIM200OKResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '403':
          $ref: '#/components/responses/403ForbiddenResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
  '/v2/organisation/{OrganisationId}/contact/{ContactType}':
    put:
      summary: Update the business or the technical contacts for the given organisation
      tags:
        - Contacts
      parameters:
        - $ref: '#/components/parameters/OrganisationId'
        - $ref: '#/components/parameters/ContactType'
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      requestBody:
        $ref: '#/components/requestBodies/Contact'
      responses:
        '200':
          $ref: '#/components/responses/Contact200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    get:
      summary: Get the business or the technical contacts for the given organisation
      x-PingAccessResourceName: OrganisationContactGET
      x-PingAccessRuleType: uk.org.openbanking.policy.RequestHostOverride
      x-PingAccessRuleTarget: obdorgcontacts.{environment}
      tags:
        - Contacts
      parameters:
        - $ref: '#/components/parameters/OrganisationId'
        - $ref: '#/components/parameters/ContactType'
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/Contact200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'

  '/v2/organisation/{OrganisationId}/software-statement':
    parameters:
      - $ref: '#/components/parameters/OrganisationId'
    post:
      summary: Create a software statement
      tags:
        - Software Statements
      parameters:
        - $ref: '#/components/parameters/OrganisationId'
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      requestBody:
        $ref: '#/components/requestBodies/SoftwareStatement'
      responses:
        '201':
          $ref: '#/components/responses/SoftwareStatement201CreatedResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    get:
      summary: Get all software statements for the given organisation
      tags:
        - Software Statements
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/SoftwareStatementsGet200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
  '/v2/organisation/{OrganisationId}/software-statement/{SoftwareStatementId}':
    parameters:
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/SoftwareStatementId'
    get:
      summary: Get a software statement
      tags:
        - Software Statements
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/SoftwareStatement201CreatedResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    put:
      summary: Activate or deactive a software statement
      tags:
        - Software Statements
      parameters:
        - $ref: '#/components/parameters/OrganisationId'
        - $ref: '#/components/parameters/SoftwareStatementId'
      requestBody:
        $ref: '#/components/requestBodies/SoftwareStatementState'
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      responses:
        '200':
          $ref: '#/components/responses/SoftwareStatementUpdated200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
  '/v2/organisation/{OrganisationId}/software-statement/{SoftwareStatementId}/redirect-uri':
    parameters:
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/SoftwareStatementId'
    post:
      summary: Add a redirect URI to the given Software Statement
      tags:
        - Software Statement Redirect URIs
      parameters:
        - $ref: '#/components/parameters/OrganisationId'
        - $ref: '#/components/parameters/SoftwareStatementId'
      requestBody:
        $ref: '#/components/requestBodies/SoftwareStatementRedirectURI'
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      responses:
        '200':
          $ref: '#/components/responses/SoftwareStatementUpdated200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '409':
          $ref: '#/components/responses/409ConflictResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
  '/v2/organisation/{OrganisationId}/software-statement/{SoftwareStatementId}/software-statement-assertion':
    parameters:
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/SoftwareStatementId'
    get:
      summary:
        Retrieve the software statement assertion for the given SoftwareStatementID.
      description: |
        # Depending on the type of participant, one of the following pre-conditions must be met in order to generate an SSA:
         * EU TPPs NOT on the TPR  must hold at least one eIDAS certificate.
         * EU TPPs on the TPR must hold at least one eIDAS or OB certiticate.
         * UK TPPs on the TPR must hold at least one OB certificate.
        The response body is a signed JWT and the values found in the header and the payload of the SSA are specified below
        # Terminology
          This specification uses the terms "access token", "authorization code", "authorization endpoint", "authorization grant", "authorization server", "client", "client identifier", "client secret", "grant type", "protected resource", "redirection URI", "refresh token", "resource owner", "resource server", "response type", and "token endpoint" defined by OAuth 2.0 [RFC6749] and uses the term "Claim" defined by JSON Web Token (JWT) [RFC7519].
          * __Account Servicing Payment Services Provider (ASPSP)__ -- An organisation managing customer accounts (and operating banking APIs).
          * __Primary Technical Contact__ -- The person at the TPP who creates an SSA and invokes a registration mechanism. This is an example of an [RFC7591] Client Developer.
          * __OB Organisation ID__ -- The unique identifier for each OpenBanking participant. Both TPPs and ASPSPs have OB Organisation IDs.
          * __OpenBanking Directory__ -- An implementation of a [PSD2] competent authority; acts as an Identity Provider, certificate authority, and registry governing the participants in the UK OpenBanking API scheme.
          * __ASPSP Registration Endpoint__ -- OAuth 2.0 & [RFC7591] compliant endpoint, exact value is discoverable from the [OIDCD] openid-configuration file of the ASPSP.
          * __Software Statement Assertion (SSA)__ -- An implementation of an [RFC7591] software statement, signed by the OpenBanking Directory.
          * __Trusted Third Party (TPP)__ -- An organization working to initiate payments or consume account information with/from an ASPSP.
          * __TPP Client Software__ -- software implementing an OAuth2 client, interacting with an ASPSP registration endpoint.
        # Software Statement Assertion (SSA)
          The SSA is a JSON Web Token (JWT) containing client metadata about an instance of TPP client software. The JWT is issued and signed by the OpenBanking Directory.
        ## SSA Payload
          The payload of an OpenBanking SSA MUST be a compliant software statement according to [RFC7591]. The SSA MUST also be a compliant JWT according to [RFC7519]. The following metadata profiles the metadata in [RFC7591] and [RFC7519]:
          | Metadata | Description | Source Specification |
          |----------|-------------|----------------------|
          |`software_id`|Unique Identifier for TPP Client Software|[RFC7591]|
          |`iss`|SSA Issuer|[RFC7519]|
          |`iat`|Time SSA issued|[RFC7519]|
          |`jti`|JWT ID|[RFC7519]|
          The following software metadata is additionally defined for this profile:
          |Metadata |Description |Field Size |Default values |
          |---------|------------|-----------|---------------|
          |`software_client_id`|The Client ID Registered at OB used to access OB resources|Base62 GUID (22 chars)| |
          |`software_client_description`|Human-readable detailed description of the client|Max256Text| |
          |`software_client_name`|Human-readable Software Name|Max40Text| |
          |`software_client_uri`|The website or resource root uri|Max256Text| |
          |`software_version`|The version number of the software should a TPP choose to register and / or maintain it|Max42Text| |
          |`software_environment`|Requested additional field to avoid certificate check|Max256Text| |
          |`software_jwks_endpoint`|Contains all active signing and network certs for the software|Max256Text| |
          |`software_jwks_revoked_endpoint`|Contains all revoked signing and network certs for the software|Max256Text| |
          |`software_logo_uri`|Link to the TPP logo. Note, ASPSPs are not obliged to display images hosted by third parties|Max256Text| |
          |`software_mode`|ASPSP Requested additional field to indicate that this software is `Test` or `Live` the default is `Live`. Impact and support for `Test` software is up to the ASPSP.|Max40Text| |
          |`software_on_behalf_of_org`|A reference to fourth party organsiation resource on the OB Directory if the registering TPP is acting on behalf of another.|Max40Text| |
          |`software_policy_uri`|A link to the software's policy page|Max256Text| |
          |`software_redirect_uris`|Registered client callback endpoints as registered with Open Banking|A string array of Max256Text items|
          |`software_roles`|A multi value list of PSD2 roles that this software is authorized to perform.|A string array of Max256Text items| |
          |`software_tos_uri`|A link to the software's terms of service page|Max256Text| |
          The following Organisational metadata is defined for this profile:
          |Metadata |Description |Field Size | Default values |
          |---------|------------|-----------|----------------|
          |`organisation_competent_authority_claims`|Authorisations granted to the organsiation by an NCA|CodeList {`AISP`, `PISP`, `CBPII`, `ASPSP`}| |
          |`org_status`|Included to cater for voluntary withdrawal from OB scenarios|`Active`, `Revoked`, or `Withdrawn`| |
          |`org_id`|The Unique TPP or ASPSP ID held by OpenBanking.|Max35Text| |
          |`org_name`|Legal Entity Identifier or other known organisation name|Max140Text| |
          |`org_contacts`|JSON array of objects containing a triplet of name, email, and phone number|Each item Max256Text| |
          |`org_jwks_endpoint`|Contains all active signing and network certs for the organisation|Max256Text| |
          |`org_jwks_revoked_endpoint`|Contains all revoked signing and network certs for the organisation|Max256Text| |
        ## SSA header
          The SSA header MUST comply with [RFC7519].
          |Metadata |Description |Comments |
          |---------|------------|---------|
          |`typ`|MUST be set to `JWT`| |
          |`alg`|MUST be set to `ES256` or `PS256`| |
          |`kid`|The kid will be kept the same as the `x5t` parameter. (X.509 Certificate SHA-1 Thumbprint) of the signing certificate.| |
          ### Example SSA
          The elements defined in the software statement will consist of the following values.
          *Note that there are inconsistent applications of booleans or "Active" strings in the current data model.*
          *Note that there are inconsistent applications of status flags case sensitivity.*
          *The attributes required to be displayed by ASPSPs.*
        ```
        {
          "typ": "JWT",
          "alg": "ES256",
          "kid": "ABCD1234"
        }
        {
          "iss": "OpenBanking Ltd",
          "iat": 1492756331,
          "jti": "id12345685439487678",
          "software_environment": "production",
          "software_mode": "live",
          "software_id": "65d1f27c-4aea-4549-9c21-60e495a7a86f",
          "software_client_id": "Open Banking TPP Client Unique ID",
          "software_client_name": "Amazon Prime Movies",
          "software_client_description": "Amazon Prime Movies is a movie streaming service",
          "software_version": "2.2.2",
          "software_client_uri": "https://prime.amazon.com",
          "software_redirect_uris": [
            "https://prime.amazon.com/cb",
            "https://prime.amazon.co.uk/cb"
          ],
          "software_roles": [
            "PISP",
            "AISP"
          ],
          "organisation_competent_authority_claims": {
            "authority_id": "FMA", // Austrian Financial Market Authority
            "registration_id": "111111",
            "status": "Active",
            "authorisations":  [
              {
                "member_state": "GB",
                "roles": [
                  "PISP",
                  "AISP"
                ]
              },
              {
                "member_state": "IR",
                "roles": [
                  "PISP"
                ]
              }
            ]
          },
          "software_logo_uri": "https://prime.amazon.com/logo.png",
          "org_status": "Active",
          "org_id": "Amazon TPPID",
          "org_name": "OpenBanking TPP Registered Name",
          "org_contacts": [
            {
              "name": "contact name",
              "email": "contact@contact.com",
              "phone": "+447890130558"
              "type": "business"
            },
            {
              "name": "contact name",
              "email": "contact@contact.com",
              "phone": "+447890130558",
              "type": "technical"
            }
          ],
          "org_jwks_endpoint": "https://jwks.openbanking.org.uk/org_id/org_id.jkws",
          "org_jwks_revoked_endpoint": "https://jwks.openbanking.org.uk/org_id/revoked/org_id.jkws",
          "software_jwks_endpoint": "https://jwks.openbanking.org.uk/org_id/software_id.jkws",
          "software_jwks_revoked_endpoint": "https://jwks.openbanking.org.uk/org_id/revoked/software_id.jkws",
          "software_policy_uri": "https://tpp.com/policy.html",
          "software_tos_uri": "https://tpp.com/tos.html",
          "software_on_behalf_of_org": "Acme Ltd"
        }
        {
          Signature
        }
        ```
        # Automated Client Registration
        A TPP MAY use automated client registration to submit an SSA to an ASPSP in exchange for client credentials for use as a client against an OAuth 2.0 Authorization Server. It is RECOMMENDED for ASPSPs to support the automated client registration mechanism. A large number of claims that OpenID Connect OPs could support as part of the RFC7591 request are detailed [https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata) and should be followed if not explicitly referenced in the Software Statement Assertion claim set.
        ## Request Validation
        Prior to issuing a client registration response, the ASPSP MUST perform the following checks
        * The ASPSP SHOULD check whether the TPP that initiated the TLS connection is the same TPP as listed in the SSA.
        * In the case where a gateway or other piece of infrastructure pre-terminates the MATLS channel in front of the registration endpoint, the certificate used to initiate the connection or some part of that certificate (such as DN & Issuer) SHOULD be made available to the ASPSP for validation against the claims in the SSA.
        * The registration request MUST be signed with a key contained in the JWKS referenced in the SSA included with the request. This ensures that a holder-of-key proof-of-possession is performed proving that the TPP app was the originally intended recipient of the SSA when the OB issued it.
        * The SSA MUST be validated according to [RFC7519], including validation of the signature and validity window.
        JWT signature must be validated, this involves retrieving the jwks keyset for both the OB and the TPP. The OB keystore location will be published as part of the directory specification, The TPP's will be included in the software statement.
        ### SSA Lifetime
        The SSA's Lifetime / Validity period is not defined by Open Banking. ASPSPs in the Open Banking ecosystem are required to implement pragmatic time ranges in which to accept an SSA. For example, an ASPSP that has implemented Dynamic Client Registration may choose to accept SSA's that were issued no earlier than 1 minute prior to their presentation however ASPSPs that only support manual registration may need to accept SSAs that were issued 30 minutes prior as the elapsed time period between generation and use between these two flows is expected to differ significantly.
      tags:
        - Software Statement Assertions
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/SoftwareStatementAssertion200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'

  '/v2/organisation/{OrganisationId}/certificate':
    parameters:
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/SoftwareStatementId'
    get:
      summary: Get the certificates for the given organisation
      tags:
        - Organisation Certificates
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/CertificatesOrKeysGet200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
  '/v2/organisation/{OrganisationId}/certificate/{OrganisationCertificateType}':
    parameters:
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/SoftwareStatementId'
      - $ref: '#/components/parameters/OrganisationCertificateType'
    post:
      summary: Store or create a new certificate of the given OrganisationCertificateType for the given organisation
      tags:
        - Organisation Certificates
      parameters:
        - $ref: '#/components/parameters/OrganisationId'
        - $ref: '#/components/parameters/SoftwareStatementId'
        - $ref: '#/components/parameters/OrganisationCertificateType'
      requestBody:
        $ref: '#/components/requestBodies/CertificateOrCSROrJWS'
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      responses:
        '201':
          $ref: '#/components/responses/CertificateOrKey201CreatedResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    get:
      summary: Get the certificates of the given OrganisationCertificateType for the given oranisation
      tags:
        - Organisation Certificates
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/CertificatesOrKeysGet200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'

  '/v2/organisation/{OrganisationId}/certificate/kid/{CertificateOrKeyId}':
    parameters:
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/CertificateOrKeyId'
    get:
      summary: Retrieve a certificate with the given CertificateOrKeyId
      tags:
        - Organisation Certificates
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/CertificateOrKeyGet200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    delete:
      summary: Revoke or remove a certificate with the given CertificateOrKeyId
      tags:
        - Organisation Certificates
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      responses:
        '204':
          $ref: '#/components/responses/204NoContentResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'

  '/v2/organisation/{OrganisationId}/software-statement/{SoftwareStatementId}/certificate':
    parameters:
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/SoftwareStatementId'
    get:
      summary: Get certificates for the given software statement
      tags:
        - Software Statement Certificates
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/CertificatesOrKeysGet200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'

  '/v2/organisation/{OrganisationId}/software-statement/{SoftwareStatementId}/certificate/{SoftwareStatementCertificateOrKeyType}':
    parameters:
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/SoftwareStatementId'
      - $ref: '#/components/parameters/SoftwareStatementCertificateOrKeyType'
    post:
      summary: Add a key or create a new certificate for the given software statement
      tags:
        - Software Statement Certificates
      parameters:
        - $ref: '#/components/parameters/OrganisationId'
        - $ref: '#/components/parameters/SoftwareStatementId'
      requestBody:
        $ref: '#/components/requestBodies/CSROrKey'
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      responses:
        '201':
          $ref: '#/components/responses/CertificateOrKey201CreatedResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    get:
      summary: Get the certificates of the given type for the given software statement
      tags:
        - Software Statement Certificates
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/CertificatesOrKeysGet200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'

  '/v2/organisation/{OrganisationId}/software-statement/{SoftwareStatementId}/certificate/{OrganisationAssociativeCertificateType}/{CertificateOrKeyId}':
    parameters:
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/SoftwareStatementId'
      - $ref: '#/components/parameters/OrganisationAssociativeCertificateType'
      - $ref: '#/components/parameters/CertificateOrKeyId'
    put:
      summary: Associate/de-associate a QSEAL/OBSEAL certificate with the given software statement
      tags:
        - Certificate Associations
      requestBody:
        $ref: '#/components/requestBodies/CertificateOrKeyAssociation'
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      responses:
        '200':
          $ref: '#/components/responses/CertificateAssociatedWithASoftwareStatement200AcceptedResponse'
        '204':
          $ref: '#/components/responses/204NoContentResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '409':
          $ref: '#/components/responses/409ConflictResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    get:
      summary: Get the certificate of the given type and ID for the given software statement
      tags:
        - Software Statement Certificates
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/CertificateOrKeyGet200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'

  '/v2/organisation/{OrganisationId}/authorisation-server':
    parameters:
      - $ref: '#/components/parameters/OrganisationId'
    get:
      summary: Get all Authorisation Servers for the given organisation
      tags:
        - Authorisation Servers
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/AuthorisationServersResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    post:
      summary: Create an Authorisation Server for the given organisation
      tags:
        - Authorisation Servers
      requestBody:
        $ref: '#/components/requestBodies/AuthorisationServer'
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      responses:
        '201':
          $ref: '#/components/responses/AuthorisationServerResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
  '/v2/organisation/{OrganisationId}/authorisation-server/{AuthorisationServerId}':
    parameters:
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/AuthorisationServerId'
    get:
      summary: Get .well-known entity
      tags:
        - Authorisation Servers
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/AuthorisationServerResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    put:
      summary: Update .well-known entity
      tags:
        - Authorisation Servers
      requestBody:
        $ref: '#/components/requestBodies/AuthorisationServer'
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      responses:
        '202':
          $ref: '#/components/responses/AuthorisationServer202AcceptedResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    delete:
      summary: Delete an Authorisation Server
      tags:
        - Authorisation Servers
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      responses:
        '204':
          $ref: '#/components/responses/204NoContentResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
  '/v2/certificate/validate':
    post:
      summary: Validate certificate
      tags:
        - Certificate Validation
      requestBody:
        $ref: '#/components/requestBodies/CertificateValidationRequestBody'
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/CertificateValidationServerResponseV2'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
  '/organisation/{OrganisationType}':
    post:
      summary: Enrol a eIDAS QWAC/QSeal-bearing participant
      description: Enrol an eIDAS QWAC/QSeal certificate-bearing participant onto the Open Banking Directory. Currenty only TPPs can use this enrolment endpoint, so please set `OrganisationType` to `tpp`
      tags:
        - Organisations (Legacy)
      parameters:
        - $ref: '#/components/parameters/OrganisationTypeForQSealOnboarding'
      requestBody:
        $ref: '#/components/requestBodies/Enrol'
      responses:
        '201':
          $ref: '#/components/responses/Enrol201CreatedResponse'
        '400':
          $ref: '#/components/responses/Enrol400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    get:
      summary: Get all organisations that the client is authorised to retrieve
      description: Note that this was not in the original design but is included to inform the client
      tags:
        - Organisations (Legacy)
      parameters:
        - $ref: '#/components/parameters/OrganisationType'
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/OrganisationsGetFromSCIM200OKResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
  '/organisation/{OrganisationType}/{OrganisationId}':
    get:
      summary: Get the given organisation's details
      tags:
        - Organisations (Legacy)
      parameters:
        - $ref: '#/components/parameters/OrganisationType'
        - $ref: '#/components/parameters/OrganisationId'
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/OrganisationGetFromSCIM200OKResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
  '/organisation/{OrganisationType}/{OrganisationId}/contact/{ContactType}':
    put:
      summary: Update the business or the technical contacts for the given organisation
      tags:
        - Contacts (Legacy)
      parameters:
        - $ref: '#/components/parameters/OrganisationType'
        - $ref: '#/components/parameters/OrganisationId'
        - $ref: '#/components/parameters/ContactType'
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      requestBody:
        $ref: '#/components/requestBodies/Contact'
      responses:
        '200':
          $ref: '#/components/responses/Contact200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    get:
      summary: Get the business or the technical contacts for the given organisation
      x-PingAccessResourceName: OrganisationContactGET
      x-PingAccessRuleType: uk.org.openbanking.policy.RequestHostOverride
      x-PingAccessRuleTarget: obdorgcontacts.{environment}
      tags:
        - Contacts (Legacy)
      parameters:
        - $ref: '#/components/parameters/OrganisationType'
        - $ref: '#/components/parameters/OrganisationId'
        - $ref: '#/components/parameters/ContactType'
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/Contact200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'

  '/organisation/{OrganisationType}/{OrganisationId}/software-statement':
    parameters:
      - $ref: '#/components/parameters/OrganisationType'
      - $ref: '#/components/parameters/OrganisationId'
    post:
      summary: Create a software statement.
      tags:
        - Software Statements (Legacy)
      parameters:
        - $ref: '#/components/parameters/OrganisationType'
        - $ref: '#/components/parameters/OrganisationId'
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      requestBody:
        $ref: '#/components/requestBodies/SoftwareStatement'
      responses:
        '201':
          $ref: '#/components/responses/SoftwareStatement201CreatedResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    get:
      summary: Get all software statements for the given organisation
      tags:
        - Software Statements (Legacy)
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/SoftwareStatementsGet200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
  '/organisation/{OrganisationType}/{OrganisationId}/software-statement/{SoftwareStatementId}':
    parameters:
      - $ref: '#/components/parameters/OrganisationType'
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/SoftwareStatementId'
    get:
      summary: Get a software statement
      tags:
        - Software Statements (Legacy)
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/SoftwareStatement201CreatedResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    put:
      summary: Update a software statement
      tags:
        - Software Statements (Legacy)
      parameters:
        - $ref: '#/components/parameters/OrganisationType'
        - $ref: '#/components/parameters/OrganisationId'
        - $ref: '#/components/parameters/SoftwareStatementId'
      requestBody:
        $ref: '#/components/requestBodies/SoftwareStatementState'
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      responses:
        '200':
          $ref: '#/components/responses/SoftwareStatementUpdated200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
  '/organisation/{OrganisationType}/{OrganisationId}/software-statement/{SoftwareStatementId}/redirect-uri':
    parameters:
      - $ref: '#/components/parameters/OrganisationType'
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/SoftwareStatementId'
    post:
      summary: Add a redirect URI to the given Software Statement
      tags:
        - Software Statement Redirect URIs (Legacy)
      parameters:
        - $ref: '#/components/parameters/OrganisationType'
        - $ref: '#/components/parameters/OrganisationId'
        - $ref: '#/components/parameters/SoftwareStatementId'
      requestBody:
        $ref: '#/components/requestBodies/SoftwareStatementRedirectURI'
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      responses:
        '200':
          $ref: '#/components/responses/SoftwareStatementUpdated200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '409':
          $ref: '#/components/responses/409ConflictResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'

  '/organisation/{OrganisationType}/{OrganisationId}/software-statement/{SoftwareStatementId}/software-statement-assertion':
    parameters:
      - $ref: '#/components/parameters/OrganisationType'
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/SoftwareStatementId'
    get:
      summary:
        Get a Software Statement Assertion for the given SoftwareStatementID.
      description: |
        The response body is a signed JWT and the values found in the header and the payload of the SSA are specified below
        # Terminology
          This specification uses the terms "access token", "authorization code", "authorization endpoint", "authorization grant", "authorization server", "client", "client identifier", "client secret", "grant type", "protected resource", "redirection URI", "refresh token", "resource owner", "resource server", "response type", and "token endpoint" defined by OAuth 2.0 [RFC6749] and uses the term "Claim" defined by JSON Web Token (JWT) [RFC7519].
          * __Account Servicing Payment Services Provider (ASPSP)__ -- An organisation managing customer accounts (and operating banking APIs).
          * __Primary Technical Contact__ -- The person at the TPP who creates an SSA and invokes a registration mechanism. This is an example of an [RFC7591] Client Developer.
          * __OB Organisation ID__ -- The unique identifier for each OpenBanking participant. Both TPPs and ASPSPs have OB Organisation IDs.
          * __OpenBanking Directory__ -- An implementation of a [PSD2] competent authority; acts as an Identity Provider, certificate authority, and registry governing the participants in the UK OpenBanking API scheme.
          * __ASPSP Registration Endpoint__ -- OAuth 2.0 & [RFC7591] compliant endpoint, exact value is discoverable from the [OIDCD] openid-configuration file of the ASPSP.
          * __Software Statement Assertion (SSA)__ -- An implementation of an [RFC7591] software statement, signed by the OpenBanking Directory.
          * __Trusted Third Party (TPP)__ -- An organization working to initiate payments or consume account information with/from an ASPSP.
          * __TPP Client Software__ -- software implementing an OAuth2 client, interacting with an ASPSP registration endpoint.
        # Software Statement Assertion (SSA)
          The SSA is a JSON Web Token (JWT) containing client metadata about an instance of TPP client software. The JWT is issued and signed by the OpenBanking Directory.
        ## SSA Payload
          The payload of an OpenBanking SSA MUST be a compliant software statement according to [RFC7591]. The SSA MUST also be a compliant JWT according to [RFC7519]. The following metadata profiles the metadata in [RFC7591] and [RFC7519]:
          | Metadata | Description | Source Specification |
          |----------|-------------|----------------------|
          |`software_id`|Unique Identifier for TPP Client Software|[RFC7591]|
          |`iss`|SSA Issuer|[RFC7519]|
          |`iat`|Time SSA issued|[RFC7519]|
          |`jti`|JWT ID|[RFC7519]|
          The following software metadata is additionally defined for this profile:
          |Metadata |Description |Field Size |Default values |
          |---------|------------|-----------|---------------|
          |`software_client_id`|The Client ID Registered at OB used to access OB resources|Base62 GUID (22 chars)| |
          |`software_client_description`|Human-readable detailed description of the client|Max256Text| |
          |`software_client_name`|Human-readable Software Name|Max40Text| |
          |`software_client_uri`|The website or resource root uri|Max256Text| |
          |`software_version`|The version number of the software should a TPP choose to register and / or maintain it|Max42Text| |
          |`software_environment`|Requested additional field to avoid certificate check|Max256Text| |
          |`software_jwks_endpoint`|Contains all active signing and network certs for the software|Max256Text| |
          |`software_jwks_revoked_endpoint`|Contains all revoked signing and network certs for the software|Max256Text| |
          |`software_logo_uri`|Link to the TPP logo. Note, ASPSPs are not obliged to display images hosted by third parties|Max256Text| |
          |`software_mode`|ASPSP Requested additional field to indicate that this software is `Test` or `Live` the default is `Live`. Impact and support for `Test` software is up to the ASPSP.|Max40Text| |
          |`software_on_behalf_of_org`|A reference to fourth party organsiation resource on the OB Directory if the registering TPP is acting on behalf of another.|Max40Text| |
          |`software_policy_uri`|A link to the software's policy page|Max256Text| |
          |`software_redirect_uris`|Registered client callback endpoints as registered with Open Banking|A string array of Max256Text items|
          |`software_roles`|A multi value list of PSD2 roles that this software is authorized to perform.|A string array of Max256Text items| |
          |`software_tos_uri`|A link to the software's terms of service page|Max256Text| |
          The following Organisational metadata is defined for this profile:
          |Metadata |Description |Field Size | Default values |
          |---------|------------|-----------|----------------|
          |`organisation_competent_authority_claims`|Authorisations granted to the organsiation by an NCA|CodeList {`AISP`, `PISP`, `CBPII`, `ASPSP`}| |
          |`org_status`|Included to cater for voluntary withdrawal from OB scenarios|`Active`, `Revoked`, or `Withdrawn`| |
          |`org_id`|The Unique TPP or ASPSP ID held by OpenBanking.|Max35Text| |
          |`org_name`|Legal Entity Identifier or other known organisation name|Max140Text| |
          |`org_contacts`|JSON array of objects containing a triplet of name, email, and phone number|Each item Max256Text| |
          |`org_jwks_endpoint`|Contains all active signing and network certs for the organisation|Max256Text| |
          |`org_jwks_revoked_endpoint`|Contains all revoked signing and network certs for the organisation|Max256Text| |
        ## SSA header
          The SSA header MUST comply with [RFC7519].
          |Metadata |Description |Comments |
          |---------|------------|---------|
          |`typ`|MUST be set to `JWT`| |
          |`alg`|MUST be set to `ES256` or `PS256`| |
          |`kid`|The kid will be kept the same as the `x5t` parameter. (X.509 Certificate SHA-1 Thumbprint) of the signing certificate.| |
          ### Example SSA
          The elements defined in the software statement will consist of the following values.
          *Note that there are inconsistent applications of booleans or "Active" strings in the current data model.*
          *Note that there are inconsistent applications of status flags case sensitivity.*
          *The attributes required to be displayed by ASPSPs.*
        ```
        {
          "typ": "JWT",
          "alg": "ES256",
          "kid": "ABCD1234"
        }
        {
          "iss": "OpenBanking Ltd",
          "iat": 1492756331,
          "jti": "id12345685439487678",
          "software_environment": "production",
          "software_mode": "live",
          "software_id": "65d1f27c-4aea-4549-9c21-60e495a7a86f",
          "software_client_id": "Open Banking TPP Client Unique ID",
          "software_client_name": "Amazon Prime Movies",
          "software_client_description": "Amazon Prime Movies is a movie streaming service",
          "software_version": "2.2.2",
          "software_client_uri": "https://prime.amazon.com",
          "software_redirect_uris": [
            "https://prime.amazon.com/cb",
            "https://prime.amazon.co.uk/cb"
          ],
          "software_roles": [
            "PISP",
            "AISP"
          ],
          "organisation_competent_authority_claims": {
            "authority_id": "FMA", // Austrian Financial Market Authority
            "registration_id": "111111",
            "status": "Active",
            "authorisations":  [
              {
                "member_state": "GB",
                "roles": [
                  "PISP",
                  "AISP"
                ]
              },
              {
                "member_state": "IR",
                "roles": [
                  "PISP"
                ]
              }
            ]
          },
          "software_logo_uri": "https://prime.amazon.com/logo.png",
          "org_status": "Active",
          "org_id": "Amazon TPPID",
          "org_name": "OpenBanking TPP Registered Name",
          "org_contacts": [
            {
              "name": "contact name",
              "email": "contact@contact.com",
              "phone": "+447890130558"
              "type": "business"
            },
            {
              "name": "contact name",
              "email": "contact@contact.com",
              "phone": "+447890130558",
              "type": "technical"
            }
          ],
          "org_jwks_endpoint": "https://jwks.openbanking.org.uk/org_id/org_id.jkws",
          "org_jwks_revoked_endpoint": "https://jwks.openbanking.org.uk/org_id/revoked/org_id.jkws",
          "software_jwks_endpoint": "https://jwks.openbanking.org.uk/org_id/software_id.jkws",
          "software_jwks_revoked_endpoint": "https://jwks.openbanking.org.uk/org_id/revoked/software_id.jkws",
          "software_policy_uri": "https://tpp.com/policy.html",
          "software_tos_uri": "https://tpp.com/tos.html",
          "software_on_behalf_of_org": "Acme Ltd"
        }
        {
          Signature
        }
        ```
        # Automated Client Registration
        A TPP MAY use automated client registration to submit an SSA to an ASPSP in exchange for client credentials for use as a client against an OAuth 2.0 Authorization Server. It is RECOMMENDED for ASPSPs to support the automated client registration mechanism. A large number of claims that OpenID Connect OPs could support as part of the RFC7591 request are detailed [https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata) and should be followed if not explicitly referenced in the Software Statement Assertion claim set.
        ## Request Validation
        Prior to issuing a client registration response, the ASPSP MUST perform the following checks
        * The ASPSP SHOULD check whether the TPP that initiated the TLS connection is the same TPP as listed in the SSA.
        * In the case where a gateway or other piece of infrastructure pre-terminates the MATLS channel in front of the registration endpoint, the certificate used to initiate the connection or some part of that certificate (such as DN & Issuer) SHOULD be made available to the ASPSP for validation against the claims in the SSA.
        * The registration request MUST be signed with a key contained in the JWKS referenced in the SSA included with the request. This ensures that a holder-of-key proof-of-possession is performed proving that the TPP app was the originally intended recipient of the SSA when the OB issued it.
        * The SSA MUST be validated according to [RFC7519], including validation of the signature and validity window.
        JWT signature must be validated, this involves retrieving the jwks keyset for both the OB and the TPP. The OB keystore location will be published as part of the directory specification, The TPP's will be included in the software statement.
        ### SSA Lifetime
        The SSA's Lifetime / Validity period is not defined by Open Banking. ASPSPs in the Open Banking ecosystem are required to implement pragmatic time ranges in which to accept an SSA. For example, an ASPSP that has implemented Dynamic Client Registration may choose to accept SSA's that were issued no earlier than 1 minute prior to their presentation however ASPSPs that only support manual registration may need to accept SSAs that were issued 30 minutes prior as the elapsed time period between generation and use between these two flows is expected to differ significantly.
      tags:
        - Software Statement Assertions (Legacy)
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/SoftwareStatementAssertion200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'

  '/organisation/{OrganisationType}/{OrganisationId}/certificate':
    parameters:
      - $ref: '#/components/parameters/OrganisationType'
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/SoftwareStatementId'
    get:
      summary: Get the certificates for the given organisation
      tags:
        - Organisation Certificates (Legacy)
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/CertificatesOrKeysGet200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
  '/organisation/{OrganisationType}/{OrganisationId}/certificate/{OrganisationCertificateType}':
    parameters:
      - $ref: '#/components/parameters/OrganisationType'
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/SoftwareStatementId'
      - $ref: '#/components/parameters/OrganisationCertificateType'
    post:
      summary: Store or create a new certificate of the given OrganisationCertificateType for the given organisation
      tags:
        - Organisation Certificates (Legacy)
      parameters:
        - $ref: '#/components/parameters/OrganisationType'
        - $ref: '#/components/parameters/OrganisationId'
        - $ref: '#/components/parameters/SoftwareStatementId'
        - $ref: '#/components/parameters/OrganisationCertificateType'
      requestBody:
        $ref: '#/components/requestBodies/CertificateOrCSROrJWS'
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      responses:
        '201':
          $ref: '#/components/responses/CertificateOrKey201CreatedResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    get:
      summary: Get the certificates of the given OrganisationCertificateType for the given oranisation
      tags:
        - Organisation Certificates (Legacy)
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/CertificatesOrKeysGet200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'

  '/organisation/{OrganisationType}/{OrganisationId}/certificate/kid/{CertificateOrKeyId}':
    parameters:
      - $ref: '#/components/parameters/OrganisationType'
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/CertificateOrKeyId'
    get:
      summary: Retrieve a certificate with the given CertificateOrKeyId
      tags:
        - Organisation Certificates (Legacy)
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/CertificateOrKeyGet200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    delete:
      summary: Revoke or remove a certificate with the given CertificateOrKeyId
      tags:
        - Organisation Certificates (Legacy)
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      responses:
        '204':
          $ref: '#/components/responses/204NoContentResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'

  '/organisation/{OrganisationType}/{OrganisationId}/software-statement/{SoftwareStatementId}/certificate':
    parameters:
      - $ref: '#/components/parameters/OrganisationType'
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/SoftwareStatementId'
    get:
      summary: Get certificates for the given software statement
      tags:
        - Software Statement Certificates (Legacy)
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/CertificatesOrKeysGet200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'

  '/organisation/{OrganisationType}/{OrganisationId}/software-statement/{SoftwareStatementId}/certificate/{SoftwareStatementCertificateOrKeyType}':
    parameters:
      - $ref: '#/components/parameters/OrganisationType'
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/SoftwareStatementId'
      - $ref: '#/components/parameters/SoftwareStatementCertificateOrKeyType'
    post:
      summary: Add a key or create a new certificate for the given software statement
      tags:
        - Software Statement Certificates (Legacy)
      parameters:
        - $ref: '#/components/parameters/OrganisationId'
        - $ref: '#/components/parameters/SoftwareStatementId'
      requestBody:
        $ref: '#/components/requestBodies/CSROrKey'
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      responses:
        '201':
          $ref: '#/components/responses/CertificateOrKey201CreatedResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    get:
      summary: Get the certificates of the given type for the given software statement
      tags:
        - Software Statement Certificates (Legacy)
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/CertificatesOrKeysGet200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'

  '/organisation/{OrganisationType}/{OrganisationId}/software-statement/{SoftwareStatementId}/certificate/{OrganisationAssociativeCertificateType}/{CertificateOrKeyId}':
    parameters:
      - $ref: '#/components/parameters/OrganisationType'
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/SoftwareStatementId'
      - $ref: '#/components/parameters/OrganisationAssociativeCertificateType'
      - $ref: '#/components/parameters/CertificateOrKeyId'
    put:
      summary: Associate/de-associate a QSEAL/OBSEAL certificate with the given software statement
      tags:
        - Certificate Associations (Legacy)
      requestBody:
        $ref: '#/components/requestBodies/CertificateOrKeyAssociation'
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      responses:
        '200':
          $ref: '#/components/responses/CertificateAssociatedWithASoftwareStatement200AcceptedResponse'
        '204':
          $ref: '#/components/responses/204NoContentResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '409':
          $ref: '#/components/responses/409ConflictResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    get:
      summary: Get the certificate of the given type and ID for the given software statement
      tags:
        - Software Statement Certificates (Legacy)
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/CertificateOrKeyGet200OKResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'

  '/organisation/{OrganisationType}/{OrganisationId}/authorisation-server':
    parameters:
      - $ref: '#/components/parameters/OrganisationType'
      - $ref: '#/components/parameters/OrganisationId'
    get:
      summary: Get all Authorisation Servers for the given organisation
      tags:
        - Authorisation Servers (Legacy)
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/AuthorisationServersResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    post:
      summary: Create an Authorisation Server for the given organisation
      tags:
        - Authorisation Servers (Legacy)
      requestBody:
        $ref: '#/components/requestBodies/AuthorisationServer'
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      responses:
        '201':
          $ref: '#/components/responses/AuthorisationServerResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
  '/organisation/{OrganisationType}/{OrganisationId}/authorisation-server/{AuthorisationServerId}':
    parameters:
      - $ref: '#/components/parameters/OrganisationType'
      - $ref: '#/components/parameters/OrganisationId'
      - $ref: '#/components/parameters/AuthorisationServerId'
    get:
      summary: Get .well-known entity
      tags:
        - Authorisation Servers (Legacy)
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/AuthorisationServerResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    put:
      summary: Update .well-known entity
      tags:
        - Authorisation Servers (Legacy)
      requestBody:
        $ref: '#/components/requestBodies/AuthorisationServer'
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      responses:
        '202':
          $ref: '#/components/responses/AuthorisationServer202AcceptedResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
    delete:
      summary: Delete an Authorisation Server
      tags:
        - Authorisation Servers (Legacy)
      security:
        - OAuth2SecurityReadWriteOps:
            - ASPSPReadAccess
            - TPPReadAccess
            - TPPManage
      responses:
        '204':
          $ref: '#/components/responses/204NoContentResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
  '/certificate/validate':
    post:
      summary: Validate certificate
      tags:
        - Certificate Validation (Legacy)
      requestBody:
        $ref: '#/components/requestBodies/CertificateValidationRequestBody'
      security:
        - OAuth2SecurityReadOps:
            - ASPSPReadAccess
            - TPPReadAccess
      responses:
        '200':
          $ref: '#/components/responses/CertificateValidationServerResponse'
        '400':
          $ref: '#/components/responses/400BadRequestResponse'
        '401':
          $ref: '#/components/responses/401UnauthorizedResponse'
        '404':
          $ref: '#/components/responses/404NotFoundResponse'
        '406':
          $ref: '#/components/responses/406NotAcceptableResponse'
        '500':
          $ref: '#/components/responses/500InternalServerErrorResponse'
        '502':
          $ref: '#/components/responses/502BadGatewayResponse'
components:
  parameters:
    AuthorisationServerId:
      name: AuthorisationServerId
      description: The authorisation server Id
      in: path
      required: true
      schema:
        $ref: '#/components/schemas/AuthorisationServerIdSchema'
    CertificateOrKeyId:
      name: CertificateOrKeyId
      description: The certificate or key Id
      in: path
      required: true
      schema:
        $ref: '#/components/schemas/CertificateOrKeyIdSchema'
    CertificateTypeForValidation:
      name: CertificateType
      description: Type of certificate
      in: path
      required: true
      schema:
        $ref: '#/components/schemas/CertificateTypeForValidationSchema'
    CertificateType:
      name: CertificateType
      description: Type of certificate
      in: path
      required: true
      schema:
        $ref: '#/components/schemas/CertificateTypeSchema'
    ContactType:
      name: ContactType
      description: The contact type
      in: path
      required: true
      schema:
        $ref: '#/components/schemas/ContactTypeSchema'
    OrganisationTypeForQSealOnboarding:
      name: OrganisationType
      description: OB Organisation Type
      in: path
      required: true
      schema:
        $ref: '#/components/schemas/OrganisationTypeForQSealOnboardingSchema'
    OrganisationType:
      name: OrganisationType
      description: OB Organisation Type
      in: path
      required: true
      schema:
        $ref: '#/components/schemas/OrganisationTypeSchema'
    OrganisationCertificateType:
      name: OrganisationCertificateType
      description: The certificate type
      in: path
      required: true
      schema:
        $ref: '#/components/schemas/OrganisationCertificateTypeSchema'
    OrganisationAssociativeCertificateType:
      name: OrganisationAssociativeCertificateType
      description: The certificate type that can be associated with a software statement
      in: path
      required: true
      schema:
        $ref: '#/components/schemas/OrganisationAssociativeCertificateTypeSchema'
    OrganisationId:
      name: OrganisationId
      description: The organsation ID
      in: path
      required: true
      schema:
        $ref: '#/components/schemas/OrganisationIdSchema'
    SoftwareStatementCertificateOrKeyType:
      name: SoftwareStatementCertificateOrKeyType
      description: The certificate or key type that can be associated with a software statement
      in: path
      required: true
      schema:
        $ref: '#/components/schemas/SoftwareStatementCertificateOrKeyTypeSchema'
    SoftwareStatementId:
      name: SoftwareStatementId
      description: The software statement ID
      in: path
      required: true
      schema:
        $ref: '#/components/schemas/SoftwareStatementIdSchema'
  requestBodies:
    AuthorisationServer:
      description: Properties to create/update authorisation server
      required: true
      content:
        application/vnd.openbanking.directory.authorisationserver-v2+json:
          schema:
            $ref: '#/components/schemas/AuthorisationServerRequestSchema'
    Contact:
      description: Properties to update business/technical contacts
      required: true
      content:
        application/vnd.openbanking.directory.orgcontacts-v2+json:
          schema:
            $ref: '#/components/schemas/ContactSchema'
    CertificateOrCSROrJWS:
      description: |
        * __PEM file__ -- when the request `Content-Type` header is set to  `application/x-pem-file` the contents of the PEM file will differ depending upon `OrganisationCertificateType`. If `OrganisationCertificateType` is set to `qwac`, `qseal` then the PEM file should contain a *QWAC* or a *QSEAL* certificate respectively; if `OrganisationCertificateType` is set to `obwac` or `obseal` then the PEM file should contain a Certificate Signing Request (CSR) for an OB-issued *OBWAC* or *OBSEAL* certificate respectively.
        * __Signed JWT__ -- when the request `Content-Type` header is set to `application/jwt` the body of the signed JWT will contain a CSR or a certificate.
        ### Requesting a Certificate using a signed JWT
        The header `kid` claim is the ID of the QSeal certificate assigned to it by the OB JWKS store.
        The body `csr` claim is the CSR in the DER format.
        ```
        {
          "typ": "JWT",
          "alg": "ES256",
          "kid": "ABCD1234",
        }
        {
          "csr": "string"
        }
        ```
        ### Uploaing a Certificate using a signed JWT
        The header `kid` claim is the ID of the QSeal certificate assigned to it by the OB JWKS store.
        The body `x5c` claim is the array of certificate, issuer certificate, and root certificate in the DER format.
        ```
        {
          "typ": "JWT",
          "alg": "ES256",
          "kid": "ABCD1234",
        }
        {
          "x5c": ["qseal", "issuer certificate", "root certificate"]
        }
        ```
        EXAMPLE REQUEST PAYLOAD USING SIGNED JWT REQUESTS
        ```
        POST /organisation/tpp/123456789012345678/certificate/obwac HTTP/1.1
        Content-Type: application/jwt
        Accept: application/json
        Host: matls-dirapi.openbanking.org.uk
        eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6IkFCQ0QxMjM0IiwieDVjIjpbInFzZWFsYyIsImlzc3VlciBjZXJ0aWZpY2F0ZSIsInJvb3QgY2VydGlmaWNhdGUiXX0.eyJyZWRpcmVjdF91cmlzIjpbInN0cmluZyJdLCJ0b2tlbl9lbmRwb2ludF9hdXRoX21ldGhvZCI6InN0cmluZyIsImdyYW50X3R5cGVzIjpbInN0cmluZyJdLCJyZXNwb25zZV90eXBlcyI6WyJzdHJpbmcibSwiY2xpZW50X25hbWUiOiJzdHJpbmciLCJjbGllbnRfdXJpIjoic3RyaW5nIiwibG9nb191cmkiOiJzdHJpbmciLCJzY29wZSI6InN0cmluZyIsImNvbnRhY3RzIjpbInVzZXJAZXhhbXBsZS5jb20iXSwidG9zX3VyaSI6InN0cmluZyIsInBvbGljeV91cmkiOiJzdHJpbmciLCJqd2tzX3VyaSI6InN0cmluZyIsImp3a3MiOnt9LCJzb2Z0d2FyZV9pZCI6InN0cmluZyIsInNvZnR3YXJlX3ZlcnNpb24iOiJzdHJpbmcifQ.lMsADSHkFGUw5PtgdEqXslYArzqf6tbg0lo0kCitOUA
        ```
      required: true
      content:
        application/x-pem-file:
          schema:
            $ref: '#/components/schemas/CertificateOrKeyOrJWTSchema'
        application/jwt:
          schema:
            $ref: '#/components/schemas/CertificateOrKeyOrJWTSchema'
    CSROrKey:
      description: PEM file -- the contents of the PEM file will differ depending upon *SoftwareStatementCertificateOrKeyType*. If *SoftwareStatementCertificateOrKeyType* is set to *obsigning* or *obtransport* then the PEM file should contain a Certificate Signing Request (CSR) for an OB signing or OB transport certificate respectively; if *SoftwareStatementCertificateOrKeyType* is set to *sigkey*, *enckey* then the PEM file should contain a public signing or encryption key respectively.
      required: true
      content:
        application/x-pem-file:
          schema:
            $ref: '#/components/schemas/CertificateOrKeyOrJWTSchema'
    CertificateOrKeyAssociation:
      description: Certificate or Key Association Payload
      required: true
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/CertificateOrKeyAssociationSchema'
    CertificateValidationRequestBody:
      description: Certificate Validation Payload
      required: true
      content:
        application/x-pem-file:
          schema:
            $ref: '#/components/schemas/CertificateValidationSchema'
    Enrol:
      description: |
        The payload submitted when a TPP attempts to enrol with an eIDAS QWAC or QSeal certificate. It's format and contents will depend on the value of the `Content-Type` header:  TPP onto the Open Banking Directory (required fields to be validated). For eIDAS QSeal-bearing TPPs use a signed JWT (JWS).
        * __application/json__ -- a JSON payload for QWAC onboarding.
        * __application/jwt__ -- a signed JWT (JWS) for QSeal onboarding.
        * __application/jose__ -- same as __application/jwt__.
        ## QWAC-based Onboarding
        Set `Content-Type` to `application/json` and send the payload conforming to the schema.
        EXAMPLE REQUEST PAYLOAD FOR QWAC-BASED ONBOARDING
        ```
        POST /organisation/tpp HTTP/1.1
        Content-Type: application/json
        Accept: application/json
        Host: matls-dirapi.openbanking.org.uk
        {
          "client_name": "string",
          "scope": "string",
          "token_endpoint_auth_method": "string",
          "tls_client_auth_subject_dn": "string",
          "grant_types": [
            "string"
          ],
          "token_endpoint_auth_signing_alg": "string"
        }
        ```
        ## QSeal-based Onboarding
        Set `Content-Type` to `application/jwt` or `application/jose` and send the payload conforming to the schema as a signed JWT.
        The QSeal, the issuing certificate, and the root certificate (all in DER format) must be used as the items of the array, which forms the value of the `x5c` claim in the JWT header.
        The JWT MUST be signed using the private key associated with the QSeal listed in the `x5c` claim in the header.
        ```
        {
          "typ": "JWT",
          "alg": "ES256",
          "kid": "ABCD1234",
          "x5c": ["qseal", "issuer certificate", "root certificate"]
        }
        {
          "client_name": "string",
          "scope": "string",
          "token_endpoint_auth_method": "string",
          "tls_client_auth_subject_dn": "string",
          "grant_types": [
            "string"
          ],
          "token_endpoint_auth_signing_alg": "string"
        }
        ```
        EXAMPLE REQUEST PAYLOAD FOR QSeal-BASED ONBOARDING
        ```
        POST /organisation/tpp HTTP/1.1
        Content-Type: application/jwt | application/jose
        Accept: application/json
        Host: matls-dirapi.openbanking.org.uk
        eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6IkFCQ0QxMjM0IiwieDVjIjpbInFzZWFsYyIsImlzc3VlciBjZXJ0aWZpY2F0ZSIsInJvb3QgY2VydGlmaWNhdGUiXX0.eyJyZWRpcmVjdF91cmlzIjpbInN0cmluZyJdLCJ0b2tlbl9lbmRwb2ludF9hdXRoX21ldGhvZCI6InN0cmluZyIsImdyYW50X3R5cGVzIjpbInN0cmluZyJdLCJyZXNwb25zZV90eXBlcyI6WyJzdHJpbmciXSwiY2xpZW50X25hbWUiOiJzdHJpbmciLCJjbGllbnRfdXJpIjoic3RyaW5nIiwibG9nb191cmkiOiJzdHJpbmciLCJzY29wZSI6InN0cmluZyIsImNvbnRhY3RzIjpbInVzZXJAZXhhbXBsZS5jb20iXSwidG9zX3VyaSI6InN0cmluZyIsInBvbGljeV91cmkiOiJzdHJpbmciLCJqd2tzX3VyaSI6InN0cmluZyIsImp3a3MiOnt9LCJzb2Z0d2FyZV9pZCI6InN0cmluZyIsInNvZnR3YXJlX3ZlcnNpb24iOiJzdHJpbmcifQ.lMsADSHkFGUw5PtgdEqXslYArzqf6tbg0lo0kCitOUA
        ```
      required: true
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/EnrolSchema'
        application/jwt:
          schema:
            $ref: '#/components/schemas/QSealOnboardingSchema'
        application/jose:
          schema:
            $ref: '#/components/schemas/QSealOnboardingSchema'
    SoftwareStatement:
      description: Software Statement payload
      required: true
      content:
        application/vnd.openbanking.directory.softwarestatement-v2+json:
          schema:
            $ref: '#/components/schemas/SoftwareStatementCreateSchema'
    SoftwareStatementRedirectURI:
      description: 'Redirect Uri''s for the registered piece of software. May be overridden by the RFC7591 payload. This field is searchable and is not included as part of the response payload when unassigned.'
      required: true
      content:
        text/plain:
          schema:
            $ref: '#/components/schemas/SoftwareStatementRedirectURISchema'
    SoftwareStatementState:
      description: Payload used to deactivate/reactivate a Software Statement
      required: true
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/SoftwareStatementStateSchema'
    CertificateOBWACorQWAC:
      description: |
        * __PEM file__ -- Certificate in pem format based on OAuthClient is updated. Certificates types available for OAuthClient update are OBWAC or QWAC
      required: true
      content:
        x-pem-file:
          schema:
            $ref: '#/components/schemas/CertificateOrKeyOrJWTSchema'

  responses:
    201CreatedResponse:
      description: Created
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
    204NoContentResponse:
      description: No Content
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
    400BadRequestResponse:
      description: Bad Request
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
    401UnauthorizedResponse:
      description: Unauthorized
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
    403ForbiddenResponse:
      description: Forbidden
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
    404NotFoundResponse:
      description: Not found
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
    406NotAcceptableResponse:
      description: Not Acceptable
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
    409ConflictResponse:
      description: Conflict
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
    502BadGatewayResponse:
      description: Bad Gateway
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
    500InternalServerErrorResponse:
      description: Internal Server Error
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
    AuthorisationServerResponse:
      description: OK
      content:
        application/vnd.openbanking.directory.authorisationserver-v2+json:
          schema:
            $ref: '#/components/schemas/AuthorisationServerSchema'
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
    AuthorisationServer202AcceptedResponse:
      description: Accepted
      content:
        application/vnd.openbanking.directory.authorisationserver-v2+json:
          schema:
            $ref: '#/components/schemas/AuthorisationServerSchema'
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
    AuthorisationServersResponse:
      description: OK
      content:
        application/vnd.openbanking.directory.authorisationserver-list-v2+json:
          schema:
            $ref: '#/components/schemas/AuthorisationServersSchema'
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
    CertificatesOrKeysGet200OKResponse:
      description: OK
      content:
        application/jwk-set+json:
          schema:
            $ref: '#/components/schemas/CertificatesOrKeysGetSchema'
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
    CertificateOrKeyGet200OKResponse:
      description: OK
      content:
        application/jwk+json:
          schema:
            $ref: '#/components/schemas/CertificateOrKeyGetSchema'
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
    CertificateOrKey201CreatedResponse:
      description: Created
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
      content:
        application/jwk+json:
          schema:
            $ref: '#/components/schemas/CertificateOrKeyGetSchema'
    CertificateOrKey202AcceptedResponse:
      description: Accepted
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
      content:
        application/jwk+json:
          schema:
            $ref: '#/components/schemas/CertificateOrKeyGetSchema'
    CertificateAssociatedWithASoftwareStatement200AcceptedResponse:
      description: OK
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
      content:
        application/jwk+json:
          schema:
            $ref: '#/components/schemas/CertificateOrKeyGetSchema'
    CertificateValidationServerResponse:
      description: OK
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/CertificateValidationResponseSchema'
    CertificateValidationServerResponseV2.1:
      description: OK
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/CertificateValidationResponseSchemaV2.1'
    CertificateValidationServerResponseV2:
      description: OK
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/CertificateValidationResponseSchemaV2'
    CertificateTypeValidationOKResponse:
      description: OK
    CertificateTypeValidation400Response:
      description: 400 Bad Request
    Contact200OKResponse:
      description: OK
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
      content:
        application/vnd.openbanking.directory.orgcontacts-v2+json:
          schema:
            $ref: '#/components/schemas/ContactSchema'
    Enrol201CreatedResponse:
      description: Created
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Enrol201CreatedResponseSchema'
    Enrol400BadRequestResponse:
      description: Bad Request
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Enrol400BadRequestResponseSchema'
    OrganisationsGetFromSCIM200OKResponse:
      description: |
        List of the organisation - Schema in scim-swagger.json
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
      content:
        application/scim+json:
          schema:
            $ref: '#/components/schemas/OrganisationsGetFromSCIM200OKResponseSchema'
    OrganisationGetFromSCIM200OKResponse:
      description: |
        Full details of the organisation - Schema in scim-swagger.json
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
      content:
        application/scim+json:
          schema:
            $ref: '#/components/schemas/OrganisationGetFromSCIM200OKResponseSchema'
    SoftwareStatementsGet200OKResponse:
      description: OK
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
      content:
        application/vnd.openbanking.directory.softwarestatement-list-v2+json:
          schema:
            $ref: '#/components/schemas/SoftwareStatementsSchema'
    SoftwareStatementAssertion200OKResponse:
      description: OK
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
      content:
        application/jws+json:
          schema:
            $ref: '#/components/schemas/SoftwareStatementAssertionSchema'
    SoftwareStatement201CreatedResponse:
      description: Created
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
      content:
        application/vnd.openbanking.directory.softwarestatement-v2+json:
          schema:
            $ref: '#/components/schemas/SoftwareStatementSchema'
    SoftwareStatementUpdated200OKResponse:
      description: OK
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
      content:
        application/vnd.openbanking.directory.softwarestatement-v2+json:
          schema:
            $ref: '#/components/schemas/SoftwareStatementSchema'
    SoftwareStatementGet200OKResponse:
      description: Get the software statements with the given id
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
      content:
        application/vnd.openbanking.directory.softwarestatement-v2+json:
          schema:
            $ref: '#/components/schemas/SoftwareStatementSchema'
    OAuthClient200OKResponse:
      description: OK
      headers:
        OB-Request-Id:
          schema:
            $ref: '#/components/schemas/UniqueRequestIdSchema'
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/OAuthClientSchema'
  schemas:
    AuthorisationSchema:
      type: object
      properties:
        Active:
          type: boolean
        MemberState:
          type: string
          description: 'Member state. This field is searchable.'
          enum: [ 'AT','BE','BG','CY','CZ','DE','DK','EE','EL','ES','FI','FR','GB','GG','GI','GR','HR','HU','IE','IM','IS','IT','JE','LI','LT','LU','LV','MT','NL','NO','PL','PT','RO','SE','SI','SK' ]
        Psd2Role:
          type: string
          enum: [ 'ASPSP', 'AISP', 'PISP', 'CBPII' ]
          description: >
            Psd2 Role in which institution authorised. This field is searchable.
              * `AISP` - Account Information Service Provider
              * `ASPSP` - Account Servicing Payment Service Provider
              * `CBPII` - Card-Based Payment Instrument Issuer
              * `PISP` - Payment Initiation Service Provider
      required:
        - Active
        - MemberState
        - Psd2Role
    AuthorisationAuthoritySchema:
      type: object
      properties:
        AuthorityId:
          type: string
          maxLength: 255
          description: 'Authority identifier. This field is searchable.'
        AuthorizationDomain:
          type: string
          enum: [ 'PSD2', 'Pay.UK', 'CD' ]
          description: 'Authorisation Domain. This field is searchable.'
        MemberState:
          type: string
          description: 'Member state. This field is searchable.'
          enum: [ 'AT','BE','BG','CY','CZ','DE','DK','EE','EL','ES','FI','FR','GB','GG','GI','GR','HR','HU','IE','IM','IS','IT','JE','LI','LT','LU','LV','MT','NL','NO','PL','PT','RO','SE','SI','SK' ]
        RegistrationId:
          type: string
          maxLength: 255
          description: 'Registration Id with the principle authority. This field is searchable.'
        X509OrganisationIdentifier:
          type: array
          items:
            type: string
            maxLength: 255
      required:
        - AuthorityId
        - RegistrationId
        - X509OrganisationIdentifier
    AuthorisationDomainStatusSchema:
      type: object
      properties:
        AuthorizationDomain:
          type: string
          enum: [ 'PSD2', 'Pay.UK', 'CD' ]
          description: 'Authorisation Domain. This field is searchable.'
        Status:
          type: string
          enum: [ 'Active', 'Withdrawn', 'Revoked', 'Requested', 'Rejected' ]
          description: >
            Indicates whether authorisation domain is active. This field is searchable.
            * `Active` - participant can take actions in ecosystem in authorisation domains that he is assigned to.
            * `Withdrawn` - revocation initiated by participants
            * `Revoked` - participant can't take actions in ecosystem because of privileges loss
            * `Requested` - set after dynamic client registration, to be confirmed by CRM
            * `Rejected` - dynamic client registration rejected
    AuthorisationDomainStatusRootSchema:
      type: object
      properties:
        Status:
          description: Status of an organisation in a particular authorisation domain.
          type: array
          items:
            $ref: '#/components/schemas/AuthorisationDomainStatusSchema'
    AuthorisationServerRequestSchema:
      type: object
      properties:
        AuthorizationDomain:
          type: string
          description: Authorisation Domain for which the authorisation server is created.
          enum: [ 'PSD2', 'Pay.UK', 'CD' ]
        AutoRegistrationSupported:
          type: boolean
          description: 'Authorisation Server supports auto-registration. This field is searchable.'
        BaseApiDNSUri:
          description: 'Points to the Open Banking APIs V39 required. This field is searchable.'
          type: string
          format: uri
          maxLength: 2000
        CustomerFriendlyDescription:
          description: 'Customer orientated description. This field is searchable and is not included as part of the response payload when unassigned.'
          type: string
          maxLength: 255
        CustomerFriendlyLogoUri:
          description: 'uri from which a TPP can retrieve a certified logo V39 required. This field is searchable.'
          type: string
          format: uri
          maxLength: 255
        CustomerFriendlyName:
          type: string
          maxLength: 255
          description: 'Certified name. This field is searchable and is not included as part of the response payload when unassigned.'
        DeveloperPortalUri:
          description: URI for TPP developer testing V39 required. This field is searchable.
          type: string
          format: uri
          maxLength: 255
        TermsOfService:
          description: 'Uri from which the terms of service can be retrieved V39 required. This field is searchable.'
          type: string
          format: uri
          maxLength: 255
        OpenIDConfigEndPointUri:
          description: Uri used for Oauth2.0 OpenId Configuration V39 required. This field is searchable.
          type: string
          format: uri
          maxLength: 255
        PayloadSigningCertLocation:
          description: 'The location which is used for signing certificates V39 required. This field is searchable.'
          type: string
          format: uri
          maxLength: 255
        EISCDId:
          type: array
          items:
            type: string
            description: 'Allowed lengths: 4, 6, 14. This field is searchable and is not included as part of the response payload when unassigned.'
        ParentAuthorisationServerId:
          type: string
          maxLength: 22
          description: Authorisation Server Id of Parent Authorisation server, used for app to app linking. This field is searchable and is not included as part of the response payload when unassigned.
        ApiResourceDiscoveryEndpoint:
          description: An RFC-3986-compliant URI. This field is searchable and is not included as part of the response payload when unassigned.
          type: string
          format: uri
          maxLength: 256
      required:
        - AuthorizationDomain
        - AutoRegistrationSupported
        - BaseApiDNSUri
        - CustomerFriendlyLogoUri
        - DeveloperPortalUri
        - TermsOfService
        - OpenIDConfigEndPointUri
        - PayloadSigningCertLocation
        - EISCDId
        - CustomerFriendlyName
        - CustomerFriendlyDescription
    AuthorisationV11Schema:
      type: object
      properties:
        Active:
          type: boolean
        AuthorityId:
          type: string
          maxLength: 255
          description: 'Authority identifier. This field is searchable.'
        AuthorizationDomain:
          type: string
          description: Authorisation Domain for which the authorisation server is created.
          enum: [ 'PSD2', 'Pay.UK', 'CD' ]
        MemberState:
          type: string
          description: 'Member state. This field is searchable.'
          enum: [ 'AT','BE','BG','CY','CZ','DE','DK','EE','EL','ES','FI','FR','GB','GG','GI','GR','HR','HU','IE','IM','IS','IT','JE','LI','LT','LU','LV','MT','NL','NO','PL','PT','RO','SE','SI','SK' ]
        Role:
          type: string
          enum: [ 'AISP', 'ASPSP', 'CBPII', 'PISP', 'CD_AISP', 'CD_ASPSP', 'CD_CBPII' ]
          description: >
            Roles for which this software statement can be used. It contains roles from one domain only. If list of roles contains ASPSP role, then any other role cannot be present. This field is searchable.
            Meaning of values:
              * `AISP` - Account Information Service Provider
              * `ASPSP` - Account Servicing Payment Service Provider
              * `CBPII` - Card-Based Payment Instrument Issuer
              * `PISP` - Payment Initiation Service Provider
              * `CD_AISP` - Crown Dependencies Account Information Service Provider
              * `CD_ASPSP` - Crown Dependencies Account Servicing Payment Service Provider
              * `CD_CBPII` - Crown Dependencies Card-Based Payment Instrument Issuer
    CertificateValidationResponseSchema:
      type: object
      properties:
        data:
          type: object
          properties:
            certificate:
              type: object
              properties:
                type:
                  type: string
                  enum: [ 'obwac', 'obseal', 'qwac', 'qseal', 'obsigning' , 'obtransport' ]
                eidas_profile:
                  type: string
                qtsp_name:
                  type: string
                qtsp_uri:
                  type: string
                roles:
                  type: array
                  items:
                    type: string
                    enum: [ 'AISP', 'ASPSP', 'CBPII', 'PISP', 'CD_AISP', 'CD_ASPSP', 'CD_CBPII' ]
                    description: >
                      Roles for which this software statement can be used. It contains roles from one domain only. If list of roles contains ASPSP role, then any other role cannot be present. This field is searchable.
                      Meaning of values:
                        * `AISP` - Account Information Service Provider
                        * `ASPSP` - Account Servicing Payment Service Provider
                        * `CBPII` - Card-Based Payment Instrument Issuer
                        * `PISP` - Payment Initiation Service Provider
                        * `CD_AISP` - Crown Dependencies Account Information Service Provider
                        * `CD_ASPSP` - Crown Dependencies Account Servicing Payment Service Provider
                        * `CD_CBPII` - Crown Dependencies Card-Based Payment Instrument Issuer
                valid_eidas_certificate:
                  type: boolean
                valid_obietf_certificate:
                  type: boolean
                expired:
                  type: boolean
                revoked:
                  type: boolean
              required:
                - type
                - eidas_profile
                - qtsp_name
                - qtsp_uri
                - roles
                - valid_eidas_certificate
                - valid_obietf_certificate
                - expired
                - revoked
                - check_failed
            organisation:
              type: object
              properties:
                onboarded_to_open_banking:
                  type: boolean
                org_name:
                  type: string
                  maxLength: 255
                passports:
                  type: object
                  properties:
                    nca_name:
                      type: object
                      properties:
                        permission_country:
                          type: array
                          items:
                            type: object
                            properties:
                              permission_type:
                                type: string
                              permissions:
                                type: array
                                items:
                                  type: object
                                  properties:
                                    code:
                                      type: string
                                    permission:
                                      type: string
                              roles:
                                type: array
                                items:
                                  type: string
                        roles:
                          type: array
                          items:
                            type: string
                competent_authority_claims:
                  type: array
                  items:
                    type: object
                    properties:
                      authorisation_domain:
                        type: string
                        description: Authorisation Domain for which the authorisation server is created.
                        enum: [ 'PSD2', 'Pay.UK', 'CD' ]
                      authority_id:
                        type: string
                        maxLength: 255
                      registration_id:
                        type: string
                        maxLength: 255
                      status:
                        type: string
                        enum: [ 'Active', 'Withdrawn', 'Revoked', 'Requested', 'Rejected' ]
                        description: >
                          * `Active` - participant can take actions in ecosystem in authorisation domains that he is assigned to.
                          * `Withdrawn` - revocation initiated by participants
                          * `Revoked` - participant can't take actions in ecosystem because of privileges loss
                          * `Requested` - set after dynamic client registration, to be confirmed by CRM
                          * `Rejected` - dynamic client registration rejected
                      authorisations:
                        type: array
                        items:
                          $ref: '#/components/schemas/AuthorisationSchema'
                software_statements:
                  type: array
                  items:
                    type: object
                    properties:
                      software_id:
                        type: string
                        maxLength: 22
              required:
                - onboarded_to_open_banking
                - org_name
                - passports
                - competent_authority_claims
                - software_statements
    CertificateValidationResponseSchemaV2.1:
      type: object
      properties:
        data:
          type: object
          properties:
            certificate:
              type: object
              properties:
                type:
                  type: string
                  enum: [ 'obwac', 'obseal', 'qwac', 'qseal', 'obsigning' , 'obtransport' ]
                eidas_profile:
                  type: string
                qtsp_name:
                  type: string
                qtsp_uri:
                  type: string
                roles:
                  type: array
                  items:
                    type: string
                    enum: [ 'AISP', 'ASPSP', 'CBPII', 'PISP', 'CD_AISP', 'CD_ASPSP', 'CD_CBPII' ]
                    description: >
                      Meaning of values:
                        * `AISP` - Account Information Service Provider
                        * `ASPSP` - Account Servicing Payment Service Provider
                        * `CBPII` - Card-Based Payment Instrument Issuer
                        * `PISP` - Payment Initiation Service Provider
                        * `CD_AISP` - Crown Dependencies Account Information Service Provider
                        * `CD_ASPSP` - Crown Dependencies Account Servicing Payment Service Provider
                        * `CD_CBPII` - Crown Dependencies Card-Based Payment Instrument Issuer
                valid_eidas_certificate:
                  type: boolean
                valid_obietf_certificate:
                  type: boolean
                expired:
                  type: boolean
                revoked:
                  type: boolean
                check_failed:
                  type: boolean
              required:
                - type
                - eidas_profile
                - qtsp_name
                - qtsp_uri
                - roles
                - valid_eidas_certificate
                - valid_obietf_certificate
                - expired
                - revoked
                - check_failed
            organisation:
              type: object
              properties:
                onboarded_to_open_banking:
                  type: boolean
                org_name:
                  type: string
                  maxLength: 255
                passports:
                  type: object
                  properties:
                    nca_name:
                      type: object
                      properties:
                        permission_country:
                          type: array
                          items:
                            type: object
                            properties:
                              permission_type:
                                type: string
                              permissions:
                                type: array
                                items:
                                  type: object
                                  properties:
                                    code:
                                      type: string
                                    permission:
                                      type: string
                              roles:
                                type: array
                                items:
                                  type: string
                        roles:
                          type: array
                          items:
                            type: string
                competent_authority_claims:
                  type: array
                  items:
                    type: object
                    properties:
                      authorisation_domain:
                        type: string
                        description: Authorisation Domain for which the authorisation server is created.
                        enum: [ 'PSD2', 'Pay.UK', 'CD' ]
                      authority_id:
                        type: string
                        maxLength: 255
                      registration_id:
                        type: string
                        maxLength: 255
                      status:
                        type: string
                        enum: [ 'Active', 'Withdrawn', 'Revoked', 'Requested', 'Rejected' ]
                        description: >
                          * `Active` - participant can take actions in ecosystem in authorisation domains that he is assigned to.
                          * `Withdrawn` - revocation initiated by participants
                          * `Revoked` - participant can't take actions in ecosystem because of privileges loss
                          * `Requested` - set after dynamic client registration, to be confirmed by CRM
                          * `Rejected` - dynamic client registration rejected
                      authorisations:
                        type: array
                        items:
                          $ref: '#/components/schemas/AuthorisationSchema'
                software_statements:
                  type: array
                  items:
                    type: object
                    properties:
                      software_id:
                        type: string
                        maxLength: 22
              required:
                - onboarded_to_open_banking
                - org_name
                - passports
                - competent_authority_claims
                - software_statements
    CertificateValidationResponseSchemaV2:
      type: object
      properties:
        data:
          type: object
          properties:
            certificate:
              type: object
              properties:
                type:
                  type: string
                  enum: [ 'obwac', 'obseal', 'qwac', 'qseal', 'obsigning' , 'obtransport' ]
                eidas_profile:
                  type: string
                qtsp_name:
                  type: string
                qtsp_uri:
                  type: string
                roles:
                  type: array
                  items:
                    type: string
                    enum: [ 'AISP', 'ASPSP', 'CBPII', 'PISP', 'CD_AISP', 'CD_ASPSP', 'CD_CBPII' ]
                    description: >
                      Roles for which this software statement can be used. It contains roles from one domain only. If list of roles contains ASPSP role, then any other role cannot be present. This field is searchable.
                      Meaning of values:
                        * `AISP` - Account Information Service Provider
                        * `ASPSP` - Account Servicing Payment Service Provider
                        * `CBPII` - Card-Based Payment Instrument Issuer
                        * `PISP` - Payment Initiation Service Provider
                        * `CD_AISP` - Crown Dependencies Account Information Service Provider
                        * `CD_ASPSP` - Crown Dependencies Account Servicing Payment Service Provider
                        * `CD_CBPII` - Crown Dependencies Card-Based Payment Instrument Issuer
                valid_eidas_certificate:
                  type: boolean
                valid_obietf_certificate:
                  type: boolean
                expired:
                  type: boolean
                revoked:
                  type: boolean
              required:
                - type
                - eidas_profile
                - qtsp_name
                - qtsp_uri
                - roles
                - valid_eidas_certificate
                - valid_obietf_certificate
                - expired
                - revoked
                - check_failed
            organisation:
              type: object
              properties:
                onboarded_to_open_banking:
                  type: boolean
                org_name:
                  type: string
                  maxLength: 255
                passports:
                  type: object
                  properties:
                    nca_name:
                      type: object
                      properties:
                        permission_country:
                          type: array
                          items:
                            type: object
                            properties:
                              permission_type:
                                type: string
                              permissions:
                                type: array
                                items:
                                  type: object
                                  properties:
                                    code:
                                      type: string
                                    permission:
                                      type: string
                              roles:
                                type: array
                                items:
                                  type: string
                        roles:
                          type: array
                          items:
                            type: string
                competent_authority_claims:
                  type: array
                  items:
                    type: object
                    properties:
                      authorisation_domain:
                        type: string
                        description: Authorisation Domain for which the authorisation server is created.
                        enum: [ 'PSD2', 'Pay.UK', 'CD' ]
                      authority_id:
                        type: string
                        maxLength: 255
                      registration_id:
                        type: string
                        maxLength: 255
                      status:
                        type: string
                        enum: [ 'Active', 'Withdrawn', 'Revoked', 'Requested', 'Rejected' ]
                        description: >
                          * `Active` - participant can take actions in ecosystem in authorisation domains that he is assigned to.
                          * `Withdrawn` - revocation initiated by participants
                          * `Revoked` - participant can't take actions in ecosystem because of privileges loss
                          * `Requested` - set after dynamic client registration, to be confirmed by CRM
                          * `Rejected` - dynamic client registration rejected
                      authorisations:
                        type: array
                        items:
                          $ref: '#/components/schemas/AuthorisationSchema'
                software_statements:
                  type: array
                  items:
                    type: object
                    properties:
                      software_id:
                        type: string
                        maxLength: 22
              required:
                - onboarded_to_open_banking
                - org_name
                - passports
                - competent_authority_claims
                - software_statements
    AuthorisationServerSchema:
      type: object
      properties:
        Id:
          type: string
          maxLength: 22
          description: 'Authorisation Server Id V39 required. This field is searchable.'
        AuthorizationDomain:
          type: string
          description: 'Authorisation Domain for which the authorisation server is created.This field is searchable.'
          enum: [ 'PSD2', 'Pay.UK', 'CD' ]
        AutoRegistrationSupported:
          type: boolean
          description: 'Authorisation Server supports auto-registration. This field is searchable.'
        BaseApiDNSUri:
          description: 'Points to the Open Banking APIs V39 required. This field is searchable.'
          type: string
          format: uri
          maxLength: 2083
        CustomerFriendlyDescription:
          type: string
          maxLength: 255
          description: 'Customer orientated description. This field is searchable and is not included as part of the response payload when unassigned.'
        CustomerFriendlyLogoUri:
          description: 'uri from which a TPP can retrieve a certified logo V39 required. This field is searchable.'
          type: string
          format: uri
          maxLength: 2083
        CustomerFriendlyName:
          type: string
          maxLength: 255
          description: 'Certified name. This field is searchable and is not included as part of the response payload when unassigned.'
        DeveloperPortalUri:
          description: URI for TPP developer testing V39 required. This field is searchable.
          type: string
          format: uri
          maxLength: 2083
        TermsOfService:
          description: 'Uri from which the terms of service can be retrieved V39 required. This field is searchable.'
          type: string
          format: uri
          maxLength: 2083
        OpenIDConfigEndPointUri:
          description: Uri used for Oauth2.0 OpenId Configuration V39 required. This field is searchable.
          type: string
          format: uri
          maxLength: 2083
        PayloadSigningCertLocation:
          description: 'The location which is used for signing certificates V39 required. This field is searchable.'
          type: string
          format: uri
          maxLength: 2083
        EISCDId:
          type: array
          items:
            type: string
            description: 'Allowed lengths: 4, 6, 14. This field is searchable and is not included as part of the response payload when unassigned.'
        ParentAuthorisationServerId:
          type: string
          maxLength: 2083
          description: Authorisation Server Id of Parent Authorisation server, used for app to app linking. This field is searchable and is not included as part of the response payload when unassigned.
        ApiResourceDiscoveryEndpoint:
          description: An RFC-3986-compliant URI. This field is searchable and is not included as part of the response payload when unassigned.
          type: string
          format: uri
          maxLength: 2083
      required:
        - Id
        - AutoRegistrationSupported
        - BaseApiDNSUri
        - CustomerFriendlyLogoUri
        - DeveloperPortalUri
        - TermsOfService
        - OpenIDConfigEndPointUri
        - PayloadSigningCertLocation
        - EISCDId
        - CustomerFriendlyName
        - CustomerFriendlyDescription
    AuthorisationServersSchema:
      type: array
      items:
        $ref: '#/components/schemas/AuthorisationServerSchema'
    AuthorisationServerIdSchema:
      type: string
      maxLength: 22
    CertificateOrKeyOrJWTSchema:
      type: string
    CertificateOrKeyIdSchema:
      type: string
      maxLength: 255
    CertificateOrKeyAssociationSchema:
      type: object
      properties:
        associate:
          type: boolean
    CertificatesOrKeysGetSchema:
      type: object
      properties:
        keys:
          type: array
          items:
            $ref: '#/components/schemas/CertificateOrKeyGetSchema'
    CertificateOrKeyGetSchema:
      type: object
      properties:
        obOrganisationId:
          description: Open Banking Organization Identifier. This field is searchable.
          type: string
          readOnly: true
        Associations:
          description: Array of Software Statement Ids that the certificate is associated with
          type: array
          items:
            $ref: '#/components/schemas/SoftwareStatementIdSchema'
        status:
          type: string
        expiryDateTime:
          type: string
          format: date-time
        e:
          type: string
        keyType:
          type: string
          maxLength: 255
        kid:
          type: string
          maxLength: 255
        kty:
          type: string
        n:
          type: string
        use:
          type: string
        x5c:
          type: array
          items:
            description: A PKIX certificate [RFC5280]
            type: string
        x5t:
          type: string
        x5t#S256:
          type: string
        x5u:
          type: string
      required:
        - obOrganisationId
        - Associations
        - status
        - keyType
        - kid
    CertificateValidationSchema:
      type: string
    CompetentAuthoritySchema:
      type: object
      properties:
        AuthorisationAuthorities:
          type: array
          items:
            $ref: '#/components/schemas/AuthorisationAuthoritySchema'
        Authorisations:
          type: array
          items:
            $ref: '#/components/schemas/AuthorisationV11Schema'
    CompetentAuthorityClaimSchema:
      type: object
      properties:
        Authorisations:
          type: array
          items:
            $ref: '#/components/schemas/AuthorisationSchema'
        AuthorityId:
          type: string
          maxLength: 255
          description: 'Authority identifier. This field is searchable.'
        EtsiIdentifier:
          type: string
          description: 'European Telecommunications Standards Institute Organization Identifier. This field is searchable and is not included as part of the response payload when unassigned. '
        MemberState:
          type: string
          description: 'Member state. This field is searchable.'
          enum: [ 'AT','BE','BG','CY','CZ','DE','DK','EE','EL','ES','FI','FR','GB','GG','GI','GR','HR','HU','IE','IM','IS','IT','JE','LI','LT','LU','LV','MT','NL','NO','PL','PT','RO','SE','SI','SK' ]
        RegistrationId:
          type: string
          maxLength: 255
          description: 'Registration Id with the principle authority. This field is searchable.'
      required:
        - RegistrationId
        - EtsiIdentifier
    ContactSchema:
      type: object
      properties:
        EmailAddress:
          type: string
          description: The validation standard you can find under https://datatracker.ietf.org/doc/html/rfc5322#section-3.4.1
        PhoneNumber:
          type: string
      required:
        - EmailAddress
        - PhoneNumber
    CertificateTypeForValidationSchema:
      type: string
      enum: [ 'obwac', 'obseal', 'qwac', 'qseal', 'obsigning' , 'obtransport' ]
    OrganisationAssociativeCertificateTypeSchema:
      type: string
      enum: [ 'obwac', 'obseal', 'qwac', 'qseal' ]
    CertificateTypeSchema:
      type: string
      enum: [ 'obwac', 'obseal', 'qwac', 'qseal', 'obsigning' , 'obtransport' ]
    ContactTypeSchema:
      type: string
      enum: [ 'Business', 'PBC', 'PTC', 'Registered', 'Technical' ]
      description: >
        Meaning of values:
          * `Business` - Business
          * `PBC` - Primary Business Contact
          * `PTC` - Primary Technical Contact
          * `Registered` - Registered
          * `Technical` - Technical
    EmailAddressSchema:
      type: object
      description: The validation standard you can find under https://datatracker.ietf.org/doc/html/rfc5322#section-3.4.1
      properties:
        Name:
          type: string
          description: 'A name of a person or an office to which this email belongs. This field is not searchable.'
          maxLength: 255
        Primary:
          type: boolean
          description: 'Indicator to show is this is the primary email address. This field is not searchable. '
        Type:
          type: string
          description: 'Type of email address. This field is not searchable. '
        Value:
          type: string
          description: 'Value of email address. This field is not searchable. The format of the email address must comply with standards defined here -> https://datatracker.ietf.org/doc/html/rfc5322#section-3.4.1 '
          maxLength: 255
      required:
        - Name
        - Primary
        - Type
        - Value
    EnrolSchema:
      type: object
      properties:
        redirect_uris:
          type: array
          items:
            description: An RFC-3986-compliant URI
            type: string
            format: uri
            maxLength: 255
        token_endpoint_auth_method:
          type: string
        token_endpoint_auth_signing_alg:
          type: string
        tls_client_auth_subject_dn:
          type: string
          enum: [ 'client_secret_post', 'client_secret_basic', 'client_secret_jwt', 'private_key_jwt', 'none' ]
        grant_types:
          type: array
          items:
            type: string
        response_types:
          type: array
          items:
            type: string
        client_name:
          type: string
        client_uri:
          description: An RFC-3986-compliant URI
          type: string
          format: uri
        logo_uri:
          description: An RFC-3986-compliant URI
          type: string
          format: uri
          maxLength: 2000
        scope:
          type: string
        contacts:
          type: array
          items:
            type: string
            format: email
            maxLength: 255
        tos_uri:
          description: An RFC-3986-compliant URI
          type: string
          format: uri
          maxLength: 2000
        policy_uri:
          description: An RFC-3986-compliant URI
          type: string
          format: uri
          maxLength: 2000
        jwks_uri:
          description: An RFC-3986-compliant URI
          type: string
          format: uri
        jwks:
          type: array
          description: Client's JSON Web Key Set [RFC7517] document value
          items:
            description: A JSON object that represents a cryptographic key. The members of the object represent properties of the key, including its value.
            type: object
            properties:
              e:
                type: string
              n:
                type: string
              kty:
                type: string
        software_id:
          type: string
          maxLength: 255
        software_version:
          type: string
          maxLength: 42
      required:
        - client_name
        - token_endpoint_auth_method
        - tls_client_auth_subject_dn
        - grant_types
        - token_endpoint_auth_signing_alg
    Enrol201CreatedResponseSchema:
      description: >-
        A JSON object DCR response returned when client gets created.
      type: object
      properties:
        client_id:
          description: Client ID assigned by Open Banking Directory
          type: string
          minLength: 18
          maxLength: 18
        client_id_issued_at:
          description: Timestamp
          type: integer
        client_secret_expires_at:
          description: Timestamp
          type: integer
        ob_org_id:
          description: Organization ID assigned by Open Banking Directory
          type: string
          minLength: 18
          maxLength: 18
        token_endpoint_auth_method:
          description: client_secret_post
          type: string
        grant_types:
          description: client_credentials
          type: array
          items:
            type: string
        scope:
          description: ASPSPFullAccess
          type: string
        client_name:
          description: ORG name ar per eIDAS certificate
          type: string
        jwks_uri:
          description: An RFC-3986-compliant URI string referencing the client's JSON Web Key (JWK) Set
          type: string
          format: uri
      required:
        - client_id
        - client_id_issued_at
        - client_secret_expires_at
        - ob_org_id
        - token_endpoint_auth_method
        - grant_types
        - scope
        - client_name
        - jwks_uri
    Enrol400BadRequestResponseSchema:
      type: object
      properties:
        error:
          description: Error type
          type: string
          enum: [ 'invalid_redirect_uri', 'invalid_client_metadata', 'invalid_software_statement', 'unapproved_software_statement' ]
        error_description:
          description: A more detailed error description
          type: string
    LegalAuthorityClaimSchema:
      type: object
      properties:
        RegisteredId:
          type: string
          description: 'Company Registration Id. This field is searchable.'
        RegisteredName:
          type: string
          description: 'Company Registered Name. This field is searchable.'
        RegistrationAuthorityId:
          type: string
          description: 'Identification of registering Authority. This field is searchable.'
          readOnly: true
      required:
        - RegisteredId
        - RegisteredName
        - RegistrationAuthorityId
    LegalAuthorityClaimRootSchema:
      type: object
      properties:
        LegalAuthorityClaims:
          type: array
          items:
            $ref: '#/components/schemas/LegalAuthorityClaimSchema'
    MetaSchema:
      type: object
      properties:
        location:
          type: string
        resourceType:
          type: string
    OrganisationSchema:
      type: object
      properties:
        CreateTimestamp:
          type: string
          description: Creation Timestamp.
        EmailAddresses:
          type: array
          description: 'Email addresses associated with the organization. This field is not included as part of the response payload when unassigned'
          items:
            $ref: '#/components/schemas/EmailAddressSchema'
        ModifyTimestamp:
          type: string
          description: Modification Timestamp.
        OBAuthorisationState:
          type: string
          maxLength: 255
          description: 'OB Participant Authorisation State. This field is not searchable'
        OBOrganisationId:
          type: string
          maxLength: 255
          description: Open Banking Organization Identifier. This field is searchable.
          readOnly: true
        OrganisationCommonName:
          type: string
          maxLength: 255
          description: The common name of the organization. This field is searchable
        PersonalAccountRoles:
          type: array
          description: Individuals who have authorised access to the organization. This field is not included as part of the response payload when unassigned.
          items:
            $ref: '#/components/schemas/PersonalAccountRoleSchema'
        PhoneNumbers:
          type: array
          description: Phone numbers by which an organization can be contacted. This field is not included as part of the response payload when unassigned.
          items:
            $ref: '#/components/schemas/PhoneNumberSchema'
        PostalAddresses:
          type: array
          items:
            $ref: '#/components/schemas/PostalAddressSchema'
        status:
          type: string
          enum: [ 'Active', 'Withdrawn', 'Revoked', 'Requested', 'Rejected' ]
          description: >
            Indicates organisation status. It is shown only when organisation has one authorisation domain. This field is searchable.
            * `Active` - participant can take actions in ecosystem in authorisation domains that he is assigned to.
            * `Withdrawn` - revocation initiated by participants
            * `Revoked` - participant can't take actions in ecosystem because of privileges loss
            * `Requested` - set after dynamic client registration, to be confirmed by CRM
            * `Rejected` - dynamic client registration rejected
      required:
        - OBOrganisationId
        - OrganisationCommonName
        - status
    OrganisationCertificateTypeSchema:
      type: string
      enum: [ 'qwac', 'qseal', 'obwac', 'obseal' ]
    OrganisationTypeForQSealOnboardingSchema:
      type: string
      enum: [ 'tpp' ]
    OrganisationTypeSchema:
      type: string
      enum: [ 'aspsp', 'tpp' ]
    OrganisationIdSchema:
      type: string
      maxLength: 255
    OrganisationsGetFromSCIM200OKResponseSchema:
      type: object
      properties:
        Resources:
          type: array
          items:
            $ref: '#/components/schemas/OrganisationGetFromSCIM200OKResponseSchema'
        itemsPerPage:
          type: integer
          format: int32
          description: An integer indicating the maximum number of query results per page.
        schemas:
          type: array
          items:
            type: string
        startIndex:
          type: integer
          format: int32
          description: An integer indicating the 1-based index of the first query result.
        totalResults:
          type: integer
          format: int32
    OrganisationGetFromSCIM200OKResponseSchema:
      type: object
      properties:
        AuthorisationServers:
          type: array
          items:
            $ref: '#/components/schemas/AuthorisationServerSchema'
        id:
          type: string
        meta:
          $ref: '#/components/schemas/MetaSchema'
        schemas:
          type: array
          items:
            type: string
        'urn:openbanking:authorisationdomainstatus:1.0':
          $ref: '#/components/schemas/AuthorisationDomainStatusRootSchema'
        'urn:openbanking:competentauthorityclaims:1.0':
          $ref: '#/components/schemas/CompetentAuthorityClaimSchema'
        'urn:openbanking:legalauthorityclaims:1.0':
          $ref: '#/components/schemas/LegalAuthorityClaimRootSchema'
        'urn:openbanking:organisation:1.0':
          $ref: '#/components/schemas/OrganisationSchema'
        'urn:openbanking:softwarestatement:1.0':
          $ref: '#/components/schemas/SoftwareStatementRootSchema'
        'urn:trustframework:competentauthorityclaims:1.1':
          $ref: '#/components/schemas/CompetentAuthoritySchema'
    PersonalAccountRoleSchema:
      type: object
      properties:
        AuthorizationDomain:
          type: string
          description: 'Authorisation Domain for which the authorisation server is created.This field is searchable.'
          enum: [ 'PSD2', 'Pay.UK', 'CD' ]
        Role:
          type: string
          enum: [ 'PBC', 'PTC', 'SBC', 'STC' ]
          description: >
            Role which the individual holds. This field is searchable.
            Meaning of values:
              * `PBC` - Primary Business Contact
              * `PTC` - Primary Technical Contact
              * `SBC` - Secondary Business Contact
              * `STC` - Secondary Technical Contact
        UserName:
          type: string
          maxLength: 255
          description: 'User''s name, email address or other identifying label. This field is searchable.'
      required:
        - AuthorizationDomain
        - Role
        - UserName
    PhoneNumberSchema:
      type: object
      properties:
        Name:
          type: string
          maxLength: 255
          description: 'A name of a person or an office to which this phone number belongs. This field is not searchable.'
        Type:
          type: string
          enum: [ 'Business', 'PBC', 'PTC', 'Registered', 'Technical' ]
          description: >
            Meaning of values:
              * `Business` - Business
              * `PBC` - Primary Business Contact
              * `PTC` - Primary Technical Contact
              * `Registered` - Registered
              * `Technical` - Technical
        Value:
          type: string
          maxLength: 255
          description: 'Value of phone number through which the organization can be contacted. This field is not searchable.'
        Verified:
          type: boolean
          description: 'Flag to show that the phone number has been verified. This field is not searchable. '
      required:
        - Name
        - Type
        - Value
        - Verified
    PostalAddressSchema:
      type: object
      properties:
        AddressLine2:
          type: string
          maxLength: 255
          description: 'Additional address line. This field is not searchable and is not included as part of the response payload when unassigned'
        Country:
          type: string
          description: 'Address Country in full. This field is not searchable.'
          enum: [ 'Austria', 'Belgium', 'Bulgaria', 'Cyprus', 'Czechia', 'Germany', 'Denmark', 'Estonia', 'Hellenic Republic', 'Spain', 'Finland', 'France', 'United Kingdom', 'Guernsey', 'Gibraltar', 'Greece', 'Croatia', 'Hungary', 'Ireland', 'Isle of Man', 'Iceland', 'Italy', 'Jersey', 'Liechtenstein', 'Lithuania', 'Luxembourg', 'Latvia', 'Malta', 'Netherlands', 'Norway', 'Poland', 'Portugal', 'Romania', 'Sweden', 'Slovenia', 'Slovakia' ]
        County:
          type: string
        Name:
          type: string
          maxLength: 255
          description: 'Name of addressee. This field is not searchable. '
        PostCode:
          type: string
          description: 'Post or ZIP Code. This field is not searchable. '
        Primary:
          type: boolean
          description: 'Flag to indicate that this is the primary contact address. This field is not searchable. '
        StreetAddress:
          type: string
          maxLength: 255
          description: 'Street Address, including building number. This field is not searchable. '
        Town:
          type: string
          description: 'Postal Town. This field is not searchable. '
          maxLength: 255
        Type:
          type: string
          maxLength: 255
          description: 'Type of postal address. This field is not searchable. '
      required:
        - Country
        - Name
        - PostCode
        - Primary
        - StreetAddress
        - Town
        - Type
    QSealOnboardingSchema:
      type: string
      description: A signed JWT (JWS)
    SoftwareStatementCertificateOrKeyTypeSchema:
      type: string
      enum: [ 'obtransport', 'obsigning', 'sigkey', 'enckey' ]
    SoftwareStatementCreateSchema:
      type: object
      properties:
        AuthorizationDomain:
          type: string
          description: Authorisation Domain for which the software statement is created.
          enum: [ 'PSD2', 'Pay.UK', 'CD' ]
        ClientName:
          type: string
          description: Software Statement client name
          maxLength: 40
        Description:
          type: string
          description: Software Statement description
          maxLength: 256
        OnBehalfOfObOrganisation:
          type: string
          description: 'The organization on whom this software statement is behalf of Altered from reference to string, 10/11/2017. This field is searchable. '
          maxLength: 40
        PolicyUri:
          type: string
          format: uri
          description: An optional document containing a link to a Policy document governing the privacy information policy of for the application. Purely to be displayed a PSU at a ASPSP if the ASPSP supports it. Optional for the TPP to provide. This field is searchable
          maxLength: 256
          readOnly: true
        ClientUri:
          type: string
          format: uri
          description: 'The “home page” or other wise recognisable url of the application (oath client). This field is searchable. '
          maxLength: 256
        LogoUri:
          type: string
          format: uri
          description: The Software Statement RFC-3986-compliant logo URI
          maxLength: 255
        RedirectUri:
          type: array
          items:
            description: An RFC-3986-compliant URI
            type: string
            format: uri
            maxLength: 255
          description: The Software Statement redirect URIs
        Roles:
          type: array
          items:
            type: string
            enum: [ 'AISP', 'ASPSP', 'CBPII', 'PISP', 'CD_AISP', 'CD_ASPSP', 'CD_CBPII' ]
          description: >
            Roles for which this software statement can be used. It contains roles from one domain only. If list of roles contains ASPSP role, then any other role cannot be present. This field is searchable.
            Meaning of values:
              * `AISP` - Account Information Service Provider
              * `ASPSP` - Account Servicing Payment Service Provider
              * `CBPII` - Card-Based Payment Instrument Issuer
              * `PISP` - Payment Initiation Service Provider
              * `CD_AISP` - Crown Dependencies Account Information Service Provider
              * `CD_ASPSP` - Crown Dependencies Account Servicing Payment Service Provider
              * `CD_CBPII` - Crown Dependencies Card-Based Payment Instrument Issuer
        TermsOfServiceUri:
          type: string
          format: uri
          description: 'An optional document containing a link to a Terms of Service document governing the terms of service for the application. Purely to be displayed a PSU at a ASPSP if the ASPSP supports it. Optional for the TPP to provide. This field is searchable.'
          maxLength: 256
          readOnly: true
        Version:
          type: string
          description: Client Software version as provided by the organization's PTC. This field is not searchable.
          readOnly: true
          maxLength: 42
      description: Schema defining attributes of Participants', Account Payment Service Providers' and Third Party Providers' records in ecosystem
      required:
        - ClientName
        - Description
        - OnBehalfOfObOrganisation
        - PolicyUri
        - ClientUri
        - LogoUri
        - RedirectUri
        - TermsOfServiceUri
        - Version
    SoftwareStatementSchema:
      type: object
      properties:
        Active:
          type: boolean
          description: 'Flag to show if software statement is active. This field is searchable.'
        AuthorizationDomain:
          type: string
          description: Authorisation Domain for which the software statement is created. This field is searchable.
          enum: [ 'PSD2', 'Pay.UK', 'CD' ]
          readOnly: true
        ClientId:
          type: string
          description: 'Requested Client Id - note that OB will issue a set of credentials with this clientid for this given piece of software. ASPSPs are not obliged to honour this requested clientid. This field is searchable'
          maxLength: 22
        ClientName:
          type: string
          description: 'Human readable client name. May be localised. This field is searchable.'
          maxLength: 40
        Description:
          type: string
          description: 'Description of the unique instance of this piece of software. If only one instance of a piece of software is to be registered then this should be the same as the SoftwareDescription. This field is searchable.'
          maxLength: 256
        Id:
          $ref: '#/components/schemas/SoftwareStatementIdSchema'
        Mode:
          type: string
          enum: [ 'Live', 'Not Live' ]
          description: 'A flag to identify if a piece of software should have access to production PSU accounts. This field has been added at the request of an ASPSP to allow BETA or Non Production testing against production platforms. The default for this system should be ''Live''. This field is searchable.'
          maxLength: 8
        ObClientCreated:
          type: boolean
          description: An indicator to show if the client has been created in Open Banking. This field is searchable.
        OnBehalfOfObOrganisation:
          type: string
          description: 'The organization on whom this software statement is behalf of Altered from reference to string, 10/11/2017. This field is searchable. '
          maxLength: 40
        PolicyUri:
          type: string
          format: uri
          description: An optional document containing a link to a Policy document governing the privacy information policy of for the application. Purely to be displayed a PSU at a ASPSP if the ASPSP supports it. Optional for the TPP to provide. This field is searchable
          maxLength: 256
          readOnly: true
        ClientUri:
          type: string
          format: uri
          description: 'The “home page” or other wise recognisable url of the application (oath client). This field is searchable. '
          maxLength: 256
        LogoUri:
          type: string
          format: uri
          description: The Software Statement logo RFC-3986-compliant URI
          maxLength: 256
        RedirectUri:
          type: array
          items:
            type: string
            format: uri
          description: 'Redirect Uri''s for the registered piece of software. May be overridden by the RFC7591 payload. This field is searchable and is not included as part of the response payload when unassigned.'
          maxLength: 256
        Roles:
          type: array
          items:
            type: string
            enum: [ 'AISP', 'ASPSP', 'CBPII', 'PISP', 'CD_AISP', 'CD_ASPSP', 'CD_CBPII' ]
          description: >
            Roles for which this software statement can be used. It contains roles from one domain only. If list of roles contains ASPSP role, then any other role cannot be present. This field is searchable.
            Meaning of values:
              * `AISP` - Account Information Service Provider
              * `ASPSP` - Account Servicing Payment Service Provider
              * `CBPII` - Card-Based Payment Instrument Issuer
              * `PISP` - Payment Initiation Service Provider
              * `CD_AISP` - Crown Dependencies Account Information Service Provider
              * `CD_ASPSP` - Crown Dependencies Account Servicing Payment Service Provider
              * `CD_CBPII` - Crown Dependencies Card-Based Payment Instrument Issuer
        SigningKeyIds:
          type: array
          items:
            type: string
          description: The list of signing certificate Ids
        TermsOfServiceUri:
          type: string
          format: uri
          description: 'An optional document containing a link to a Terms of Service document governing the terms of service for the application. Purely to be displayed a PSU at a ASPSP if the ASPSP supports it. Optional for the TPP to provide. This field is searchable.'
          maxLength: 256
        TransportKeyIds:
          type: array
          items:
            type: string
          description: The list of transport certificate Ids
        Version:
          type: string
          description: Client Software version as provided by the organization's PTC. This field is not searchable.
          readOnly: true
          maxLength: 42
      description: Schema defining attributes of Participants', Account Payment Service Providers' and Third Party Providers' records in ecosystem
      required:
        - Active
        - ClientId
        - ClientName
        - ClientUri
        - Description
        - Id
        - LogoUri
        - ObClientCreated
        - PolicyUri
        - RedirectUri
        - TermsOfServiceUri
        - Version
    SoftwareStatementAssertionSchema:
      type: string
      description: A signed JWT (JWS)
    SoftwareStatementsSchema:
      type: array
      items:
        $ref: '#/components/schemas/SoftwareStatementSchema'
      description: The list of Software Statements
    SoftwareStatementIdSchema:
      type: string
      description: Software Statement Id
      maxLength: 22
    SoftwareStatementStateSchema:
      type: object
      properties:
        Active:
          type: boolean
      description: Software Statement State
    SoftwareStatementRedirectURISchema:
      description: Array of Redirection RFC-3986-compliant URI values used by the Client, as supplied by the client
      type: array
      items:
        type: string
        format: uri
        maxLength: 255
        minItems: 1
    UniqueRequestIdSchema:
      type: string
      description: Unique Request Id. Give it to the Support Desk if you eve need help with a request that does not work the way you expected.
    SoftwareStatementRootSchema:
      type: object
      properties:
        SoftwareStatements:
          type: array
          items:
            $ref: '#/components/schemas/SoftwareStatementSchema'
    OAuthClientSchema:
      type: object
      description: OAuth Client
      properties:
        ClientID:
          type: string
          description: Organisational OAuthClient ID
        ClientCertIssuerDn:
          type: string
          description: IssuerDN on which behalf OAuthClient is set.
        ClientCertSubjectDn:
          type: string
          description: SubjectDN on which behalf OAuthClient is set.

  securitySchemes:
    OAuth2SecurityReadOps:
      description: This API uses OAuth 2 with the client credentials grant flow
      type: oauth2
      flows:
        clientCredentials:
          tokenUrl: https://sso.openbanking.me.uk/as/token.oauth2
          scopes:
            TPPReadAccess: Retrieve or Search for Third Party Providers
            ASPSPReadAccess: Read ASPSP Records
    OAuth2SecurityReadWriteOps:
      description: This API uses OAuth 2 with the client credentials grant flow
      type: oauth2
      flows:
        clientCredentials:
          tokenUrl: https://sso.openbanking.me.uk/as/token.oauth2
          scopes:
            TPPReadAccess: Retrieve or Search for Third Party Providers
            TPPManage: Modify Your Third Third Party Provider Record
            ASPSPReadAccess: Read ASPSP Records
            ASPSPManage: Modify ASPSP Records