{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://raw.githubusercontent.com/api-evangelist/beyond-identity/main/json-schema/beyond-identity-credential-schema.json",
  "title": "Credential",
  "description": "A credential (passkey) is the public-private key pair that belongs to an identity in Beyond Identity.",
  "type": "object",
  "properties": {
    "id": {
      "type": "string",
      "description": "A unique identifier for a credential. Automatically generated on creation. Immutable and read-only. Unique within the realm.",
      "readOnly": true,
      "example": "f3e87aa26a696372"
    },
    "identity_id": {
      "type": "string",
      "description": "A unique identifier for the credential's identity. Automatically set on creation. Immutable and read-only.",
      "readOnly": true,
      "example": "4a2719e73d6d972d"
    },
    "realm_id": {
      "type": "string",
      "description": "A unique identifier for the credential's realm. Automatically set on creation. Immutable and read-only.",
      "readOnly": true,
      "example": "d65cc516f7f22fdd"
    },
    "tenant_id": {
      "type": "string",
      "description": "A unique identifier for the credential's tenant. Automatically set on creation. Immutable and read-only.",
      "readOnly": true,
      "example": "f1a7309c1e3d1e85"
    },
    "state": {
      "type": "string",
      "enum": ["ACTIVE", "REVOKED"],
      "description": "Current state of the credential. ACTIVE = can authenticate; REVOKED = cannot authenticate.",
      "readOnly": true,
      "example": "ACTIVE"
    },
    "csr_type": {
      "type": "string",
      "enum": ["JWT", "WEBAUTHN", "FIDO2"],
      "description": "Type of certificate signing request that created this credential. JWT = delivered as a JWT; WEBAUTHN = delivered as a WebAuthn attestation response; FIDO2 = FIDO2 WebAuthn Level 2 attestation.",
      "readOnly": true,
      "example": "JWT"
    },
    "jwk_json": {
      "type": "string",
      "description": "The public key of the Credential in JWK format (RFC-7517). Immutable and read-only.",
      "readOnly": true,
      "example": "{\"crv\":\"P-256\",\"kty\":\"EC\",\"x\":\"2MRhz05PJPq3BUfB18AT3HqgWEkI3VpWUg1MWi8rz1g\",\"y\":\"YtvLYwGEqYQaoDVok2fVziJT4fu7DFPz3hy96FTAelQ\"}"
    },
    "jwk_thumbprint": {
      "type": "string",
      "description": "Base64 URL encoding of the JWK thumbprint of the public key (RFC-7638). Immutable and read-only.",
      "readOnly": true,
      "example": "UW-uVNL0mP1vcLjHrTBxibNgCEe_PD0HIsE3FrbYjPA="
    },
    "create_time": {
      "type": "string",
      "format": "date-time",
      "description": "ISO8601 combined date and time representing when the credential was created. Read-only.",
      "readOnly": true
    }
  }
}