Skip to main content
Version: v0.25.0 (Latest)

Token Status List

Revocation for the EuPid uses an IETF Token Status List: a signed, compressed bit array hosted at a public URL. Each issued SD-JWT carries a status claim pointing at the list URI and an index in the array. Management schemas are in the Status List Management API reference; the public surface in the Status List Hosting API reference.

Create the list

The correlation id is the stable business identifier: issuance references it, and the hosted URL embeds it. Indexes are allocated randomly when credentials are issued, never sequentially, so the list does not leak issuance volume or order:

01 Create token status list

Endpoint: POST /api/statuslist/v1/statuslists

Captured response: 201 Created

This captured endpoint is shown from the E2E run; it is not mapped to one of the generated EDK REST API reference pages.

The hosted token

Verifiers dereference the status list URI from the credential's status claim. The hosting surface is public, unauthenticated, and cacheable:

02 Fetch hosted status list token

Endpoint: GET /public/statuslists/OPAQUE-000020

Captured response: 200 OK

This captured endpoint is shown from the E2E run; it is not mapped to one of the generated EDK REST API reference pages.

Updating status

A status update sets the bit at an index. The read side exposes only the bit value: whether an index has been allocated to a credential is intentionally not observable, because an unallocated index is indistinguishable from a valid one:

03 Revoke a status entry

Endpoint: POST /api/statuslist/v1/statuslists/00000000-0000-4000-8000-000000000011/status

Captured response: 200 OK

This captured endpoint is shown from the E2E run; it is not mapped to one of the generated EDK REST API reference pages.

04 Reactivate the status entry

Endpoint: POST /api/statuslist/v1/statuslists/00000000-0000-4000-8000-000000000011/status

Captured response: 200 OK

This captured endpoint is shown from the E2E run; it is not mapped to one of the generated EDK REST API reference pages.

With designs and the status list in place, issue the credentials.