| Mode | Used for | What happens |
|---|---|---|
| `sign` | TPA signing | User signs a specific legal document (hash-bound) |
| `auth` | PDPC consent | User identifies themselves and checks the consent box |
Countries

| Country | Location | Default provider | UI language |
|---|---|---|---|
| 🇸🇪 Sweden | `se` | `se-bankid` | `sv` |
| 🇳🇴 Norway | `no` | `no-bankid-oidc` | `no` |
| 🇩🇰 Denmark | `dk` | `dk-mitid` | `da` |
| 🇫🇮 Finland | `fi` | user picks | `fi` |

For Finland the user picks one of `fi-mv-telia`, `fi-tupas`, or `fi-vrk`. Denmark also supports the legacy `dk-nemid`.
How the token flow works
Server-side token generation
OpenCard generates an outbound JWT for Assently with the following claims:

- `iss`, `aud`, `jti`, `iat`, `exp`
- `hst`, `dnm` (host/domain binding)
- `response_mode: form_post`
- `redirect_uri` → the POST sign endpoint
Inbound validation
When Assently returns an `identityToken`:

- It is validated against the `ASSENTLY_IDENTITY` public key
- Claims are extracted:

| JWT claim | Stored as |
|---|---|
| `sub.national_id` | ssn (encrypted) |
| `provider` (first 2 chars) | country |
| `sub.full_name` or name parts | name |
| Full claims JSON | signature (encrypted) |
TPA signing page
URL: `GET /accounts/{accountId}/tpas/{tpaId}/sign/{token}`

No login is required: the 40-character token in the URL is the sole credential for this page.
What the user sees:
- TPA legal text (rendered markdown)
- “Sign” button → Assently widget
- eID provider selection (country-specific)
- Document signing with the legal text hash, which posts the result back to:

```
POST /accounts/{accountId}/tpas/{tpaId}/sign/{token}
Body: identityToken={assently_jwt}
```

The POST endpoint is CSRF-exempt because the request arrives as an external redirect from Assently.
PDPC signing page
URL: `GET /accounts/{accountId}/pdpcs/{pdpcId}/sign/{token}`
What the user sees:
- PDPC legal text
- Checkbox: “I have read the text above”
- “Approve & Identify” button
- Assently widget in `auth` mode (identity only, no document hash), which returns an `identityToken`
On success:
- Identity created/found by SSN
- Card holder linked
- PDPC marked signed
- Signed PDF generated + emailed to cardholder
- `card_holder.signed.pdpc` webhook fires
Supported languages for legal text
Templates are available in: `sv`, `no`, `da`, `en`, `fi`
Query available languages:

