AE Mobile Wiki

Wavelynx — Google Wallet issuance

google wallet · android · 22 steps · 6 actors
Triggers
  • Partner submits provisioning request via Wavelynx Wallet API
  • End-user taps 'Add to Google Wallet' on the AE-supplied surface
Actors
  • Partner (partner)
  • Wavelynx (service)
  • Google Cloud KMS (kms)
  • NXP MIFARE2GO (mediator)
  • Google Wallet (wallet)
  • End-user device (device)
Steps
  1. POST /provisioning (display, role, photo, group_id) [Crosses trust boundary]
  2. Create digitization reference [Crosses trust boundary]
  3. digitization reference + correlationId
  4. Persist credential record (status PENDING)
  5. 201 Created (vuid + Google add-to-wallet link)
  6. User initiates Add to Google Wallet
  7. Add-to-Wallet request (digitization reference)
  8. GET fetchCardPayload / fetchCardMetadata (by correlationId) [Crosses trust boundary]
  9. Decrypt master keyset for partner site
  10. Master keyset (memory only, not persisted)
  11. Diversify per-credential key, JWE-encrypt
  12. Assemble bundle — DESFire EV2 profile, JWE-wrapped keys, pa…
  13. Encrypted payload
  14. Credential payload
  15. Deliver and provision pass on device
  16. Provisioning confirmation
  17. Status update
  18. POST cardStatusChanged (status ACTIVE) [Crosses trust boundary]
  19. Update credential status → ACTIVE
  20. Webhook (status ACTIVE) [Crosses trust boundary]
  21. 200 OK (synchronous response to NXP)
  22. 200 OK (webhook acknowledged)
Legend
  • TLS: TLS 1.2+ · Bearer JWT (ECC P-256)
  • mTLS: mTLS · JWT client-credentials
  • JWE: JWE (JSON Web Encryption)
  • KMS-wrap: KMS RSA-OAEP unwrap
  • x-api-key: HTTPS · x-api-key
  • [Crosses trust boundary]: Crosses a trust boundary