{ "$schema": "http://json-schema.org/draft-07/schema#", "definitions": { "DeviceKeySignPayload": { "description": "Structured payloads accepted by `device/key/sign`.", "oneOf": [ { "description": "Payload bound to one remote-control controller websocket `/client` connection challenge.", "properties": { "accountUserId": { "type": "string" }, "audience": { "$ref": "#/definitions/RemoteControlClientConnectionAudience" }, "clientId": { "type": "string" }, "nonce": { "type": "string" }, "scopes": { "description": "Must contain exactly `remote_control_controller_websocket`.", "items": { "type": "string" }, "type": "array" }, "sessionId": { "description": "Backend-issued websocket session id that this proof authorizes.", "type": "string" }, "targetOrigin": { "description": "Origin of the backend endpoint that issued the challenge and will verify this proof.", "type": "string" }, "targetPath": { "description": "Websocket route path that this proof authorizes.", "type": "string" }, "tokenExpiresAt": { "description": "Remote-control token expiration as Unix seconds.", "format": "int64", "type": "integer" }, "tokenSha256Base64url": { "description": "SHA-256 of the controller-scoped remote-control token, encoded as unpadded base64url.", "type": "string" }, "type": { "enum": [ "remoteControlClientConnection" ], "title": "RemoteControlClientConnectionDeviceKeySignPayloadType", "type": "string" } }, "required": [ "accountUserId", "audience", "clientId", "nonce", "scopes", "sessionId", "targetOrigin", "targetPath", "tokenExpiresAt", "tokenSha256Base64url", "type" ], "title": "RemoteControlClientConnectionDeviceKeySignPayload", "type": "object" }, { "description": "Payload bound to a remote-control client `/client/enroll` ownership challenge.", "properties": { "accountUserId": { "type": "string" }, "audience": { "$ref": "#/definitions/RemoteControlClientEnrollmentAudience" }, "challengeExpiresAt": { "description": "Enrollment challenge expiration as Unix seconds.", "format": "int64", "type": "integer" }, "challengeId": { "description": "Backend-issued enrollment challenge id that this proof authorizes.", "type": "string" }, "clientId": { "type": "string" }, "deviceIdentitySha256Base64url": { "description": "SHA-256 of the requested device identity operation, encoded as unpadded base64url.", "type": "string" }, "nonce": { "type": "string" }, "targetOrigin": { "description": "Origin of the backend endpoint that issued the challenge and will verify this proof.", "type": "string" }, "targetPath": { "description": "HTTP route path that this proof authorizes.", "type": "string" }, "type": { "enum": [ "remoteControlClientEnrollment" ], "title": "RemoteControlClientEnrollmentDeviceKeySignPayloadType", "type": "string" } }, "required": [ "accountUserId", "audience", "challengeExpiresAt", "challengeId", "clientId", "deviceIdentitySha256Base64url", "nonce", "targetOrigin", "targetPath", "type" ], "title": "RemoteControlClientEnrollmentDeviceKeySignPayload", "type": "object" } ] }, "RemoteControlClientConnectionAudience": { "description": "Audience for a remote-control client connection device-key proof.", "enum": [ "remote_control_client_websocket" ], "type": "string" }, "RemoteControlClientEnrollmentAudience": { "description": "Audience for a remote-control client enrollment device-key proof.", "enum": [ "remote_control_client_enrollment" ], "type": "string" } }, "description": "Sign an accepted structured payload with a controller-local device key.", "properties": { "keyId": { "type": "string" }, "payload": { "$ref": "#/definitions/DeviceKeySignPayload" } }, "required": [ "keyId", "payload" ], "title": "DeviceKeySignParams", "type": "object" }