Wavelynx vs HID
Structural diff of the two Apple Wallet issuance flows (Wavelynx and HID). Steps are aligned by their semantic equivalence key; the delta column surfaces differences in envelope kinds, actor kinds, and trust crossings. A step present in only one flow is marked "absent" on the other side.




Cell format: step number, sender → receiver: message [envelope; trust boundary].

| Step (equivalence key) | Wavelynx | Delta | HID |
|---|---|---|---|
| User opens the credential management app on the device | absent | only in HID | 1. User → AE Wallet App: User opens AE Wallet App |
| User signs in to the app (email + password / SSO / invitation cred) | absent | only in HID | 2. User → AE Wallet App: Sign in (email + temporary password from invitation) |
| Partner authenticates and requests a bearer token | absent | only in HID | 3. AE Wallet App → AE NFC Cloud: POST /authenticate/verify [TLS; trust boundary] |
| App / CP generates a 2FA challenge for the user | absent | only in HID | 4. AE Wallet App → AE NFC Cloud: api/auth/twofactor/generate (optional 2FA) [API-key] |
| App submits the 2FA code; CP verifies | absent | only in HID | 5. AE Wallet App → AE NFC Cloud: api/auth/verifyuser2f (validate OTP) [API-key] |
| CP returns bearer token to partner | absent | only in HID | 6. AE NFC Cloud → AE Wallet App: Auth token returned [TLS] |
| App persists auth token to OS keystore and enables biometric unlock | absent | only in HID | 7. AE Wallet App → AE Wallet App: Save token to iOS Keychain · enable biometric if available |
| App fetches cardholder profile / photo / metadata for display | absent | only in HID | 8. AE Wallet App → AE NFC Cloud: api/mobilecred/user/me (get user profile) [TLS] |
| App fetches cardholder profile / photo / metadata for display | absent | only in HID | 9. AE Wallet App → AE NFC Cloud: api/binaryresource/download (cardholder photo) [TLS] |
| User taps Add to Wallet inside the credential-management app | absent | only in HID | 10. User → AE Wallet App: User taps "Add to Apple Wallet" |
| Partner POSTs provisioning request to credential provider | 1. Partner → Wavelynx: POST /provisioning (display, role, photo, group_id) [TLS; trust boundary] | from actor kind: partner → service; trust crossing: yes → no | 11. AE Wallet App → AE NFC Cloud: api/mobilecred/card/add [TLS] |
| CP persists credential record in PENDING state | 2. Wavelynx → Wavelynx: Persist credential record (status PENDING) | only in Wavelynx | absent |
| CP returns credential identifier to partner | 3. Wavelynx → Partner: 201 Created (vuid) [TLS] | only in Wavelynx | absent |
| User taps Add to Wallet on device | 4. End-user device → Apple Wallet: User initiates Add to Apple Wallet | only in Wavelynx | absent |
| Wallet platform fetches provisioning bundle from CP | 5. Apple Wallet → Wavelynx: Server-to-server fetch — provisioning bundle / pass credential data [mTLS; trust boundary] | only in Wavelynx | absent |
| KMS unwraps master keyset for the credential provider | 6. Wavelynx → Google Cloud KMS: Decrypt master keyset for partner site [KMS-wrap] | only in Wavelynx | absent |
| KMS returns keyset plaintext into memory (never persisted) | 7. Google Cloud KMS → Wavelynx: Master keyset (memory only, not persisted) [KMS-wrap] | only in Wavelynx | absent |
| Derive per-credential key from a master key | 8. Wavelynx → Wavelynx: Diversify per-credential key, wrap per Apple key-wrapping spec | only in Wavelynx | absent |
| CP assembles signed provisioning bundle | 9. Wavelynx → Wavelynx: Assemble bundle — DESFire profile, wrapped keys, pass display fields | kind: self → request; to actor kind: service → platform; envelopes: [none] → [mTLS]; trust crossing: no → yes | 12. AE NFC Cloud → HID Origo: Issue credential (POST /organization/{orgId}/users · Mobile ID) [mTLS; trust boundary] |
| CP delivers provisioning bundle to wallet platform | 10. Wavelynx → Apple Wallet: Provisioning bundle (JWS signed) [mTLS; trust boundary] | only in Wavelynx | absent |
| CP returns an issuance token the device-side SDK will redeem | absent | only in HID | 13. HID Origo → AE NFC Cloud: Issuance token [mTLS] |
| CP returns an issuance token the device-side SDK will redeem | absent | only in HID | 14. AE NFC Cloud → AE Wallet App: Issuance token relayed to app [TLS] |
| Device-side SDK invokes setupEndpoint to begin pass installation | absent | only in HID | 15. AE Wallet App → HID Origo iOS SDK: createInitializedMobileKeysManager · listWalletPasses · getAvailableTargets |
| Device-side SDK invokes setupEndpoint to begin pass installation | absent | only in HID | 16. HID Origo iOS SDK → HID Origo: origoKeysManager?.setupEndpoint (issuance token, target .appleWallet) [mTLS; trust boundary] |
| Mediator / SDK pushes the credential into the wallet platform | absent | only in HID | 17. HID Origo → Apple Wallet: Deliver Seos credential to Apple Pay (HID Origo Integration Service) [mTLS; trust boundary] |
| Wallet platform installs credential on device | 11. Apple Wallet → End-user device: Deliver and provision pass on device | kind: async-event → response; to actor kind: device → service; envelopes: [none] → [mTLS] | 18. Apple Wallet → HID Origo iOS SDK: Pass provisioned on device [mTLS] |
| Device confirms provisioning to wallet platform | 12. End-user device → Apple Wallet: Provisioning confirmation | only in Wavelynx | absent |
| Wallet sends webhook with provisioning outcome | 13. Apple Wallet → Wavelynx: POST eventNotification (PROVISIONED) [mTLS; trust boundary] | only in Wavelynx | absent |
| Internal: PENDING → ACTIVE state transition | 14. Wavelynx → Wavelynx: Update credential status → ACTIVE | only in Wavelynx | absent |
| CP notifies partner that credential is ACTIVE | 15. Wavelynx → Partner: Webhook (status ACTIVE) [x-api-key; trust boundary] | only in Wavelynx | absent |
| CP acks wallet platform's bundle fetch | 16. Wavelynx → Apple Wallet: 200 OK (synchronous response to Apple) [mTLS] | only in Wavelynx | absent |
| Partner acks CP's webhook delivery | 17. Partner → Wavelynx: 200 OK (webhook acknowledged) [x-api-key] | only in Wavelynx | absent |
| App reports back to CP that the credential was successfully issued | absent | only in HID | 19. AE Wallet App → AE NFC Cloud: api/mobilecred/card/save (mark issued) [TLS] |
| CP updates internal credential lifecycle status | absent | only in HID | 20. AE NFC Cloud → HID Origo: Status confirmation [mTLS] |

Sources:
- src/wallet-api-data-flow-architecture-v1.0.12.pdf — §5.2 Issuance flow
- src/Architecture & Sequence Diagrams/Alert Enterprise - Mobile Credentials Flow - Internal_Engineering_Team.pptx — slides 8-9 (HID iOS Credential Provisioning)
- src/Architecture & Sequence Diagrams/Employee Badge in Apple Wallet Integration Architecture for HID.pptx — HID-Apple architecture diagram
- src/web/hid-origo-api/04-credential-management.md — PPPU and setupEndpoint pattern