Haapi (Section)
Path: /profiles/profile{id, type}/settings/authorization-server/client-store/config-backed/client{id}/capabilities/haapi
Allows the client to use the Hypermedia Authentication API (HAAPI).
Parameters
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| allow-without-attestation | boolean | optional | false | When enabled, a HAAPI token can be issued to the client based on client authentication instead of client attestation. To set this option, the client must have credentials and cannot be configured with attestation settings. |
| use-legacy-dpop | boolean | optional | false | Use an older version of DPoP processing, which is not nonce-based. This may be required if the client uses an older version of the HAAPI SDK. Refer to the HAAPI SDK documentation for details. |
| issue-token-bound-authorization-code | boolean | optional | false | When enabled, the authorization code and refresh token that are issued are bound to the proof token's DPoP key. This token binding is not compatible with legacy DPoP. It is disabled by default. |
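
What binding an authorization code to the proof token's DPoP key means in practice, as an added example (not Curity code and not part of the original reference): the code is tied to the RFC 7638 JWK thumbprint of the proof key, the identifier RFC 9449 uses for DPoP key binding, and redemption with a different key is refused. Assumptions: `CodeStore`, `issue` and `redeem` are hypothetical names, the server storing the binding as a thumbprint is assumed, the sample keys are constructed, and the proof's signature is taken as already verified.

```python
import base64
import hashlib
import hmac
import json

# Members that enter the RFC 7638 thumbprint, per key type.
_REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {k: jwk[k] for k in _REQUIRED[jwk["kty"]]}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

class CodeStore:
    """Hypothetical server-side store: authorization code -> bound key thumbprint."""

    def __init__(self) -> None:
        self._bound = {}

    def issue(self, code: str, proof_jwk: dict) -> None:
        # proof_jwk: public key from the header of an already verified DPoP proof.
        self._bound[code] = jwk_thumbprint(proof_jwk)

    def redeem(self, code: str, proof_jwk: dict) -> bool:
        # pop() makes the code single use, even when the key check fails.
        expected = self._bound.pop(code, None)
        if expected is None:
            return False
        return hmac.compare_digest(expected, jwk_thumbprint(proof_jwk))

# Constructed sample keys: not valid curve points, only the thumbprint is exercised.
KEY_A = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
KEY_B = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x03" * 32), "y": b64url(b"\x04" * 32)}

if __name__ == "__main__":
    store = CodeStore()
    store.issue("code-1", KEY_A)
    print("same key:", store.redeem("code-1", KEY_A))
    store.issue("code-2", KEY_A)
    print("other key:", store.redeem("code-2", KEY_B))
```

A stolen authorization code is useless without the private key behind the thumbprint, which is the property this option adds on top of ordinary code redemption.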