# Schema for the Token Endpoint response of the PDP authorization server. # Returned by POST /token. The issued access token is # DPoP-bound (RFC 9449) and follows access-token.yaml. # See also https://www.rfc-editor.org/rfc/rfc6749#section-5.1 $schema: "http://json-schema.org/draft-07/schema#" schemaVersion: "1.1.0" title: Token Response description: >- Schema for the JSON response body returned by the token endpoint of the PDP authorization server. The response depends on the Policy Engine decision (pdp-decision.yaml): - On an allow decision (`result.allow` = true) the endpoint issues the tokens and returns a success response as defined in RFC 6749 Section 5.1 with ZETA-specific DPoP binding. - On a deny decision (`result.allow` = false) NO tokens are issued; the endpoint returns an error response following zeta-error.yaml that conveys the denial `result.reasons` from pdp-decision.yaml. oneOf: - $ref: "#/definitions/successResponse" - $ref: "#/definitions/denyResponse" definitions: successResponse: title: Token Success Response description: >- Success response returned when the Policy Engine allows the request (`result.allow` = true in pdp-decision.yaml). The issued tokens are DPoP-bound (RFC 9449). type: object properties: access_token: type: string description: >- The issued DPoP-bound access token as a signed JWT. Its claims follow access-token.yaml. token_type: type: string description: >- The type of the issued token. In ZETA this MUST be "DPoP", indicating the token is bound to the client's DPoP key (RFC 9449). enum: - DPoP expires_in: type: integer description: >- The lifetime in seconds of the access token. After this period the token is no longer accepted by the resource server. refresh_token: type: string description: >- The refresh token as a signed JWT, which can be used to obtain new access tokens using the same authorization grant. Optional. refresh_expires_in: type: integer description: The lifetime in seconds of the refresh token. Optional. zeta_attestation_token: type: string description: >- Signed JWT ("Fast-Path" attestation token) issued by the ZETA Guard after a successful hardware attestation (TPM / Secure Enclave / TEE / StrongBox). Its claims follow zeta-attestation-token.yaml. Only present when the token exchange included a hardware attestation; absent for software attestation (fallback). asl_access_token: type: string description: >- Signed JWT issued by the ZETA Authorization Server for access to the /ASL Endpoint. Only present when the attribute zeta_asl_use is set to required_passthrough in OAuth Protected Resource well-known; absent otherwise. scope: type: string description: >- The scope of the issued access token as a space-delimited list of scope values. Present if the granted scope differs from the requested scope. issued_token_type: type: string description: >- An identifier for the type of the issued token, as defined in RFC 8693. Present for token exchange responses. enum: - "urn:ietf:params:oauth:token-type:access_token" - "urn:ietf:params:oauth:token-type:jwt" required: - access_token - token_type - expires_in denyResponse: title: Token Deny Response description: >- Error response returned when the Policy Engine denies the request (`result.allow` = false in pdp-decision.yaml). No tokens are issued. The response follows zeta-error.yaml (RFC 6749 Section 5.2) and carries the denial reasons taken from `result.reasons` of the Policy Engine decision. allOf: - $ref: "./zeta-error.yaml" properties: reasons: description: >- The denial reasons from the Policy Engine decision. Explains why no tokens were issued. Shape is taken verbatim from `result.reasons` in pdp-decision.yaml. $ref: "./pdp-decision.yaml#/properties/result/properties/reasons" required: - reasons