Wavelynx vs HID
Structural diff of the Google issuance flows. Steps are aligned by their semantic equivalenceKey; for each aligned step, the delta shows differences in envelope kinds, actor kinds, and trust crossings.




- Wavelynx 1: Partner → Wavelynx: POST /provisioning (display, role, photo, group_id) [TLS; trust boundary]
  Step: Partner POSTs provisioning request to credential provider
  Delta: from actor kind: partner → service; envelopes: [TLS] → [none]; trust crossing: yes → no
  HID 1: Guardian → AE NFC Cloud: Admin issuance request (per-user or bulk)
- Wavelynx 2: Wavelynx → NXP MIFARE2GO: Create digitization reference [mTLS; trust boundary]
  Step: CP creates a digitization reference at a wallet mediator (e.g. NXP)
  Delta: Only in wavelynx
  HID: —
- Wavelynx 3: NXP MIFARE2GO → Wavelynx: digitization reference + correlationId [mTLS]
  Step: Mediator returns a digitization reference + correlation id
  Delta: Only in wavelynx
  HID: —
- Wavelynx: —
  Step: CP assembles signed provisioning bundle
  Delta: Only in hid
  HID 2: AE NFC Cloud → HID Origo: POST /passes — create Pass for GOOGLE_WALLET [mTLS; trust boundary]
- Wavelynx 4: Wavelynx → Wavelynx: Persist credential record (status PENDING)
  Step: CP persists credential record in PENDING state
  Delta: from actor kind: service → platform; to actor kind: service → platform
  HID 3: HID Origo → HID Origo: Generate issuance token · associate with user
- Wavelynx 5: Wavelynx → Partner: 201 Created (vuid + Google add-to-wallet link) [TLS]
  Step: CP returns Add-to-Wallet link or token to partner
  Delta: Only in wavelynx
  HID: —
- Wavelynx 6: End-user device → Google Wallet: User initiates Add to Google Wallet
  Step: User taps Add to Wallet on device
  Delta: Only in wavelynx
  HID: —
- Wavelynx 7: Google Wallet → NXP MIFARE2GO: Add-to-Wallet request (digitization reference)
  Step: Wallet platform fetches provisioning bundle from CP
  Delta: Only in wavelynx
  HID: —
- Wavelynx 8: NXP MIFARE2GO → Wavelynx: GET fetchCardPayload / fetchCardMetadata (by correlationId) [mTLS, JWE; trust boundary]
  Delta: Only in wavelynx
  HID: —
- Wavelynx 9: Wavelynx → Google Cloud KMS: Decrypt master keyset for partner site [KMS-wrap]
  Step: KMS unwraps master keyset for the credential provider
  Delta: Only in wavelynx
  HID: —
- Wavelynx 10: Google Cloud KMS → Wavelynx: Master keyset (memory only, not persisted) [KMS-wrap]
  Step: KMS returns keyset plaintext into memory (never persisted)
  Delta: Only in wavelynx
  HID: —
- Wavelynx 11: Wavelynx → Wavelynx: Diversify per-credential key, JWE-encrypt
  Step: Derive per-credential key from a master key
  Delta: Only in wavelynx
  HID: —
- Wavelynx 12: Wavelynx → Wavelynx: Assemble bundle — DESFire EV2 profile, JWE-wrapped keys, pass display fields
  Step: CP assembles signed provisioning bundle
  Delta: Only in wavelynx
  HID: —
- Wavelynx 13: Wavelynx → NXP MIFARE2GO: Encrypted payload [mTLS, JWE]
  Step: CP delivers provisioning bundle to wallet platform
  Delta: Only in wavelynx
  HID: —
- Wavelynx: —
  Step: CP returns an issuance token the device-side SDK will redeem
  Delta: Only in hid
  HID 4: HID Origo → AE NFC Cloud: Pass passId + issuance token [mTLS]
- Wavelynx: —
  Step: CP / partner delivers a redemption invitation to the user
  Delta: Only in hid
  HID 5: AE NFC Cloud → User: Send invitation email (redemption link + temp credentials)
- Wavelynx: —
  Step: User signs in to the app (email + password / SSO / invitation cred)
  Delta: Only in hid
  HID 6: User → AE Wallet App: User opens AE Wallet App on Android device · signs in
- Wavelynx: —
  Step: Partner authenticates and requests a bearer token
  Delta: Only in hid
  HID 7: AE Wallet App → AE NFC Cloud: POST /authenticate/verify [TLS; trust boundary]
- Wavelynx: —
  Step: App persists auth token to OS keystore and enables biometric unlock
  Delta: Only in hid
  HID 8: AE Wallet App → AE Wallet App: Save token to Android Keystore · enable biometric
- Wavelynx: —
  Step: User taps Add to Wallet inside the credential-management app
  Delta: Only in hid
  HID 9: User → AE Wallet App: User taps "Add to Google Wallet"
- Wavelynx: —
  Step: Device-side SDK invokes setupEndpoint to begin pass installation
  Delta: Only in hid
  HID 10: AE Wallet App → HID Origo Android SDK: createInitializedMobileKeysManager · setupEndpoint(target .googleWallet)
- Wavelynx: —
  Step: Device-side SDK invokes setupEndpoint to begin pass installation
  Delta: Only in hid
  HID 11: HID Origo Android SDK → HID Origo: Redeem issuance token [mTLS; trust boundary]
- Wavelynx 14: NXP MIFARE2GO → Google Wallet: Credential payload
  Step: Mediator / SDK pushes the credential into the wallet platform
  Delta: kind: response → request; from actor kind: mediator → platform; envelopes: [none] → [mTLS]; trust crossing: no → yes
  HID 12: HID Origo → Google Wallet: Push Seos credential to Google Wallet [mTLS; trust boundary]
- Wavelynx 15: Google Wallet → End-user device: Deliver and provision pass on device
  Step: Wallet platform installs credential on device
  Delta: kind: async-event → response; to actor kind: device → service; envelopes: [none] → [mTLS]
  HID 13: Google Wallet → HID Origo Android SDK: Pass provisioned on device [mTLS]
- Wavelynx 16: End-user device → Google Wallet: Provisioning confirmation
  Step: Device confirms provisioning to wallet platform
  Delta: Only in wavelynx
  HID: —
- Wavelynx 17: Google Wallet → NXP MIFARE2GO: Status update
  Step: Wallet platform notifies its mediator (NXP / HID Origo) of a lifecycle event
  Delta: Only in wavelynx
  HID: —
- Wavelynx 18: NXP MIFARE2GO → Wavelynx: POST cardStatusChanged (status ACTIVE) [mTLS; trust boundary]
  Step: Wallet sends webhook with provisioning outcome
  Delta: Only in wavelynx
  HID: —
- Wavelynx 19: Wavelynx → Wavelynx: Update credential status → ACTIVE
  Step: Internal: PENDING → ACTIVE state transition
  Delta: Only in wavelynx
  HID: —
- Wavelynx 20: Wavelynx → Partner: Webhook (status ACTIVE) [x-api-key; trust boundary]
  Step: CP notifies partner that credential is ACTIVE
  Delta: Only in wavelynx
  HID: —
- Wavelynx 21: Wavelynx → NXP MIFARE2GO: 200 OK (synchronous response to NXP) [mTLS]
  Step: CP acks wallet platform's bundle fetch
  Delta: Only in wavelynx
  HID: —
- Wavelynx 22: Partner → Wavelynx: 200 OK (webhook acknowledged) [x-api-key]
  Step: Partner acks CP's webhook delivery
  Delta: Only in wavelynx
  HID: —
- Wavelynx: —
  Step: App reports back to CP that the credential was successfully issued
  Delta: Only in hid
  HID 14: AE Wallet App → AE NFC Cloud: api/mobilecred/card/save (mark issued) [TLS]
- Wavelynx: —
  Step: CP updates internal credential lifecycle status
  Delta: Only in hid
  HID 15: AE NFC Cloud → HID Origo: Status confirmation [mTLS]
- src/wallet-api-data-flow-architecture-v1.0.12.pdf — §6.2 Issuance flow
- src/Architecture & Sequence Diagrams/Google Wallet Integration Overview.pptx — Admin-Initiated Credential Provisioning slide
- src/web/hid-origo-api/04-credential-management.md — Credential Management v3.x · platformType GOOGLE_WALLET
- src/Architecture & Sequence Diagrams/HID Android Issuance.jpg