AE Mobile Wiki

Wavelynx — Apple Wallet issuance

apple wallet · ios · 17 steps · 5 actors
Triggers
  • Partner submits provisioning request via Wavelynx Wallet API
  • End-user taps 'Add to Apple Wallet' on the AE-supplied surface
Actors
  • Partner (partner)
  • Wavelynx (service)
  • Google Cloud KMS (kms)
  • Apple Wallet (wallet)
  • End-user device (device)
Steps
  1. POST /provisioning (display, role, photo, group_id) [Crosses trust boundary]
  2. Persist credential record (status PENDING)
  3. 201 Created (vuid)
  4. User initiates Add to Apple Wallet
  5. Server-to-server fetch — provisioning bundle / pass credential data [Crosses trust boundary]
  6. Decrypt master keyset for partner site
  7. Master keyset (memory only, not persisted)
  8. Diversify per-credential key, wrap per Apple key-wrapping s…
  9. Assemble bundle — DESFire profile, wrapped keys, pass displ…
  10. Provisioning bundle (JWS signed) [Crosses trust boundary]
  11. Deliver and provision pass on device
  12. Provisioning confirmation
  13. POST eventNotification (PROVISIONED) [Crosses trust boundary]
  14. Update credential status → ACTIVE
  15. Webhook (status ACTIVE) [Crosses trust boundary]
  16. 200 OK (synchronous response to Apple)
  17. 200 OK (webhook acknowledged)
Legend
  • TLS: TLS 1.2+ · Bearer JWT (ECC P-256)
  • mTLS: mTLS · JWS (ECC P-256)
  • KMS-wrap: KMS RSA-OAEP unwrap
  • x-api-key: HTTPS · x-api-key
  • [Crosses trust boundary]: the step crosses a trust boundary
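Step 10 and the mTLS legend entry state that the provisioning bundle is JWS signed with ECC P-256. The following is an added example, not part of the original page and not Wavelynx or Apple code, showing how a receiver on the far side of that trust boundary can verify such a signature in Node.js. It assumes compact JWS serialization with the ES256 algorithm; the key id, key pair and payload fields are constructed for the demo.

```javascript
// Added example (not Wavelynx or Apple code): compact JWS with ES256 (P-256 + SHA-256).
const nodeCrypto = require("node:crypto");

const b64u = (s) => Buffer.from(s).toString("base64url");

// Sender: build header.payload.signature. The kid value is a constructed name.
function signBundle(payload, privateKey, kid) {
  const input = b64u(JSON.stringify({ alg: "ES256", kid })) + "." +
                b64u(JSON.stringify(payload));
  // JWS wants the raw 64-byte r||s signature, not Node's default DER encoding.
  const sig = nodeCrypto.sign("sha256", Buffer.from(input),
                              { key: privateKey, dsaEncoding: "ieee-p1363" });
  return input + "." + sig.toString("base64url");
}

// Receiver: return the parsed payload only if every check passes, else throw.
function verifyBundle(jws, trustedKeys) {
  const parts = jws.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
  // Pin the algorithm: the token must not choose it (rejects "none", HS256, ...).
  if (header.alg !== "ES256") throw new Error("unexpected alg");
  // Look the key up in a local allowlist; never accept a key carried in the token.
  const key = trustedKeys.get(header.kid);
  if (!key) throw new Error("unknown kid");
  const sig = Buffer.from(s, "base64url");
  if (sig.length !== 64) throw new Error("bad signature length");
  const ok = nodeCrypto.verify("sha256", Buffer.from(h + "." + p),
                               { key, dsaEncoding: "ieee-p1363" }, sig);
  if (!ok) throw new Error("signature mismatch");
  return JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
}

// Constructed demo data: throwaway key pair, made-up kid and payload fields.
const { privateKey, publicKey } =
  nodeCrypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
const trusted = new Map([["demo-key-1", publicKey]]);
const token = signBundle({ vuid: "vuid-0001", status: "PENDING" }, privateKey, "demo-key-1");

console.log(verifyBundle(token, trusted));
```

The signature is checked over the exact bytes received (`h + "." + p`), and the payload is parsed only after verification succeeds.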