Create a software statement

POST /organisations/{OrganisationId}/softwarestatements

oAuth

Headers

x-fapi-auth-date string

The time when the PSU last logged in with the TPP. All dates in the HTTP headers are represented as RFC 7231 Full Dates. An example is below: Sun, 10 Sep 2017 19:43:31 UTC

Format should match the following pattern: ^(Mon|Tue|Wed|Thu|Fri|Sat|Sun), \d{2} (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) \d{4} \d{2}:\d{2}:\d{2} (GMT|UTC)$.
x-fapi-customer-ip-address string

The PSU's IP address if the PSU is currently logged in with the TPP.
x-fapi-interaction-id string

An RFC4122 UID used as a correlation id.
x-customer-user-agent string

Indicates the user-agent that the PSU is using.

Path parameters

OrganisationId string Required

The organisation ID

Minimum length is 1, maximum length is 40. Format should match the following pattern: ^[^<>]*$.

application/json

Body Required

AdditionalSoftwareMetadata string

Extra metadata defined by the org admins to be loaded into the software statement and made avaiable during introspection

Maximum length is 255. Format should match the following pattern: ^[^<>]*$.
ApiWebhookUri array[string(uri)]

A compliant URI

Maximum length of each is 255. Format of each should match the following pattern: ^(https:\/\/[^\s/?#]+(?:\/[^\s\/?#]+)*)$.
ClientName string Required

Software Statement client name

Maximum length is 255. Format should match the following pattern: ^[^<>]*$.
ClientUri string(uri)

The Software Statement client compliant URI

Maximum length is 255. Format should match the following pattern: ^(http://|https://).*.
Description string

Software Statement description

Maximum length is 255. Format should match the following pattern: ^[^<>]*$.
Environment string

The additional check for software statement, this field can avoid environment checks.

Maximum length is 40. Format should match the following pattern: ^[^<>]*$.
Flags array[string]

Unique ID of the flag

Maximum length of each is 40. Format of each should match the following pattern: ^[^<>]*$.
HomepageUri string(uri)

The URI for the website with details about the application and its services

Maximum length is 255. Format should match the following pattern: ^(http://|https://).*.
IdTokenSignedResponseAlgorithm string

Signing algorithm that a client expects the server to return an id_token with. Must be PS256

Values are PS256 or RS256. Default value is PS256.
LogoUri string(uri) Required

A compliant URI

Format should match the following pattern: ^(http://|https://).*.(svg|png|jpg|jpeg)$|(data:image/[a-zA-Z0-9;+=-]+,[A-Za-z0-9+/]*={0,2})$.
Mode string

Software Statement mode

Values are Live or Test. Default value is Live.
NotificationWebhook string(uri)

A compliant URI

Maximum length is 255. Format should match the following pattern: ^(http://|https://).*.
OnBehalfOf string

A reference to fourth party organisation resource on the RTS Directory if the registering Org is acting on behalf of another

Maximum length is 255. Format should match the following pattern: ^[^<>]*$.
OpenidFederationEnabled boolean

Is this software statement enabled for federation

Default value is false.
OpenidFederationEntityManagementType string

The type of federation management that applies to this software statement

Values are openid_entity_federation_managed or openid_entity_self_managed.
OriginUri array[string(uri)]

A compliant URI

Maximum length of each is 255. Format of each should match the following pattern: ^https:\/\/(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]+(?::\d+)?(?:\/[a-zA-Z0-9-._~!$&'()*+,;=:@\/?%]*)?(?:\?[a-zA-Z0-9-._~!$&'()*+,;=:@\/?%]*)?(?:#[a-zA-Z0-9-._~!$&'()*+,;=:@\/?%]*)?$|(^android:apk-key-hash:[a-zA-Z0-9-]+)|(^ios:bundle-id:[a-zA-Z][-a-zA-Z0-9]*\.([a-zA-Z][-a-zA-Z0-9]*\.?)+)$.
PolicyUri string(uri)

A compliant URI string that points to a human-readable privacy policy document

Maximum length is 255. Format should match the following pattern: ^(http://|https://).*.
PostLogoutRedirectUris array[string(uri)]

A compliant URI

Maximum length of each is 255. Format of each should match the following pattern: ^(http://|https://).*.
RedirectUri array[string(uri)] Required

A compliant URI

Maximum length of each is 255. Format of each should match the following pattern: ^(http://|https://).*.
RelatedAuthorisationServer string(uuid) | null

ID of the Authorisation Server that is connected to this Software Statement
RequireSignedRequestObject boolean

Require a signed request object. If this is set to false, the client will not be FAPI compliant

Default value is true.
Roles array[object]
Hide Roles attributes Show Roles attributes object
- AuthorisationDomain string Required
  
  Authorisation domain for the authority
  
  Minimum length is 1, maximum length is 30.
- Role string Required
  
  The authorisation domain role name
  
  Minimum length is 1, maximum length is 60. Format should match the following pattern: ^[^<>]*$.
- Status string Required
  
  Current status of this resource
  
  Values are Active or Inactive. Default value is Active.
SoftwareVersion string

Software Statement version as provided by the organisation's software team

Maximum length is 40.
TermsOfServiceUri string(uri) | null

A compliant URI

Maximum length is 255. Format should match the following pattern: ^(http://|https://).*.
TlsClientCertificateBoundAccessTokens boolean

Are the tokens issued for this client bound to a client tls certificate

Default value is true.
TokenEndpointAuthMethod string

Token endpoint authentication method

Minimum length is 1, maximum length is 60. Values are private_key_jwt, tls_client_auth, or client_secret_basic. Default value is private_key_jwt.
Version number Deprecated

Software Statement version as provided by the organisation's software team

Maximum length is 40.

Responses

201 application/json

Get the software statements with the given id
Hide headers attribute Show headers attribute
- x-fapi-interaction-id string
  
  An RFC4122 UID used as a correlation id.
  
  Minimum length is 1, maximum length is 100. Format should match the following pattern: ^[a-zA-Z0-9][a-zA-Z0-9\-]{0,99}$.
Hide response attributes Show response attributes object
- AdditionalSoftwareMetadata string
  
  Extra metadata defined by the org admins to be loaded into the software statement and made avaiable during introspection
  
  Maximum length is 255. Format should match the following pattern: ^[^<>]*$.
- ApiWebhookUri array[string(uri)]
  
  A compliant URI
  
  Maximum length of each is 255. Format of each should match the following pattern: ^(https:\/\/[^\s/?#]+(?:\/[^\s\/?#]+)*)$.
- ClientId string
  
  Software Statement client Id
  
  Maximum length is 255. Format should match the following pattern: ^[^<>]*$.
- ClientName string
  
  Software Statement client name
  
  Maximum length is 255. Format should match the following pattern: ^[^<>]*$.
- ClientSecret string
  
  The client secret, only returned when a client is created/updated to have client_secret_basic auth type
  
  Maximum length is 255.
- ClientUri string(uri)
  
  The Software Statement client compliant URI
  
  Maximum length is 255. Format should match the following pattern: ^(http://|https://).*.
- CreatedAt string(date-time)
- Description string
  
  Software Statement description
  
  Maximum length is 255. Format should match the following pattern: ^[^<>]*$.
- Environment string
  
  The additional check for software statement, this field can avoid
  
  Maximum length is 40. Format should match the following pattern: ^[^<>]*$.
- FederationEndpoint string(uri)
  
  The federation endpoint for the Authorisation Server
  
  Maximum length is 255. Format should match the following pattern: ^(https://).*.
- Flags array[object]
  
  Hide Flags attributes Show Flags attributes object
  
  AccessLevel integer Required
  
  The access level of a flag as a number. The higher the number, the more sensitive it is
  
  Description string
  
  The description of this flag
  
  Maximum length is 255. Format should match the following pattern: ^[^<>]*$.
  
  Name string Required
  
  The name of this flag
  
  Maximum length is 255. Format should match the following pattern: ^[^<>]*$.
  
  Status string Required
  
  Current status of this resource
  
  Values are Active or Inactive. Default value is Active.
  
  Type string Required
  
  The type of this tag
  
  Values are Organisation, Software_Statement, or Authorisation_Server.
  
  Value string Required
  
  The value of this flag
  
  Maximum length is 255. Format should match the following pattern: ^[^<>]*$.
- HomepageUri string(uri)
  
  The URI for the website with details about the application and its services
  
  Maximum length is 255. Format should match the following pattern: ^(http://|https://).*.
- IdTokenSignedResponseAlgorithm string
  
  Signing algorithm that a client expects the server to return an id_token with. Must be PS256
  
  Values are PS256 or RS256. Default value is PS256.
- Locked boolean
  
  Flag shows if assertion has been generated on the software statement - will be set to true when assertion is generated
- LogoUri string(uri)
  
  A compliant URI
  
  Format should match the following pattern: ^(http://|https://).*.(svg|png|jpg|jpeg)$|(data:image/[a-zA-Z0-9;+=-]+,[A-Za-z0-9+/]*={0,2})$.
- Mode string
  
  Software Statement mode
  
  Values are Live or Test. Default value is Live.
- NotificationWebhook string(uri)
  
  A compliant URI
  
  Maximum length is 255. Format should match the following pattern: ^(http://|https://).*.
- NotificationWebhookStatus string
  
  Values are Pending, Confirmed, or Deactivated. Default value is Pending.
- OnBehalfOf string
  
  A reference to fourth party organisation resource on the RTS Directory if the registering Org is acting on behalf of another
  
  Maximum length is 255. Format should match the following pattern: ^[^<>]*$.
- OpenidFederationEnabled boolean
  
  Is this software statement enabled for federation
  
  Default value is false.
- OpenidFederationEntityManagementType string
  
  The type of federation management that applies to this software statement
  
  Values are openid_entity_federation_managed or openid_entity_self_managed.
- OrganisationId string
  
  Unique ID associated with the organisation
  
  Minimum length is 1, maximum length is 40. Format should match the following pattern: ^[^<>]*$.
- OriginUri array[string(uri)]
  
  A compliant URI
  
  Maximum length of each is 255. Format of each should match the following pattern: ^https:\/\/(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]+(?::\d+)?(?:\/[a-zA-Z0-9-._~!$&'()*+,;=:@\/?%]*)?(?:\?[a-zA-Z0-9-._~!$&'()*+,;=:@\/?%]*)?(?:#[a-zA-Z0-9-._~!$&'()*+,;=:@\/?%]*)?$|(^android:apk-key-hash:[a-zA-Z0-9-]+)|(^ios:bundle-id:[a-zA-Z][-a-zA-Z0-9]*\.([a-zA-Z][-a-zA-Z0-9]*\.?)+)$.
- PolicyUri string(uri)
  
  A compliant URI string that points to a human-readable privacy policy document
  
  Maximum length is 255. Format should match the following pattern: ^(http://|https://).*.
- PostLogoutRedirectUris array[string(uri)]
  
  A compliant URI
  
  Maximum length of each is 255. Format of each should match the following pattern: ^(http://|https://).*.
- RedirectUri array[string(uri)]
  
  A compliant URI
  
  Maximum length of each is 255. Format of each should match the following pattern: ^(http://|https://).*.
- RelatedAuthorisationServer string(uuid) | null
  
  ID of the Authorisation Server that is connected to this Software Statement
- RequireSignedRequestObject boolean
  
  Require a signed request object. If this is set to false, the client will not be FAPI compliant
  
  Default value is true.
- RtsClientCreated boolean
  
  Client created flag
- SoftwareStatementId string
  
  Unique Software Statement Id
  
  Maximum length is 40. Format should match the following pattern: ^[^<>]*$.
- SoftwareVersion string
  
  Software Statement version as provided by the organisation's software team
  
  Maximum length is 40.
- Status string
  
  Is this software statement Active/Suspended/Inactive
  
  Values are Active, Suspended, or Inactive. Default value is Active.
- TermsOfServiceUri string(uri)
  
  The Software Statement terms of service compliant URI
  
  Maximum length is 255. Format should match the following pattern: ^(http://|https://).*.
- TlsClientCertificateBoundAccessTokens boolean
  
  Are the tokens issued for this client bound to a client tls certificate
  
  Default value is true.
- TokenEndpointAuthMethod string
  
  Token endpoint authentication method
  
  Minimum length is 1, maximum length is 60. Values are private_key_jwt, tls_client_auth, or client_secret_basic. Default value is private_key_jwt.
- UpdateFailed boolean
  
  Flag shows if software statement is in failed update state
- UpdateFailedReason string
  
  Error message describing why the update failed
  
  Format should match the following pattern: ^[^<>]*$.
- Version number Deprecated
  
  Software Statement version as provided by the organisation's software team
  
  Maximum length is 40.
400 application/json

Bad Request
Hide headers attribute Show headers attribute
- x-fapi-interaction-id string
  
  An RFC4122 UID used as a correlation id.
  
  Minimum length is 1, maximum length is 100. Format should match the following pattern: ^[a-zA-Z0-9][a-zA-Z0-9\-]{0,99}$.
Hide response attribute Show response attribute object
- errors array[string]
  
  Validation Error messages
401

Unauthorized
Hide headers attribute Show headers attribute
- x-fapi-interaction-id string
  
  An RFC4122 UID used as a correlation id.
  
  Minimum length is 1, maximum length is 100. Format should match the following pattern: ^[a-zA-Z0-9][a-zA-Z0-9\-]{0,99}$.
403

Forbidden
Hide headers attribute Show headers attribute
- x-fapi-interaction-id string
  
  An RFC4122 UID used as a correlation id.
  
  Minimum length is 1, maximum length is 100. Format should match the following pattern: ^[a-zA-Z0-9][a-zA-Z0-9\-]{0,99}$.
429

Too many requests, maximum capacity reached. Requests are now throttled.
Hide headers attribute Show headers attribute
- x-fapi-interaction-id string
  
  An RFC4122 UID used as a correlation id.
  
  Minimum length is 1, maximum length is 100. Format should match the following pattern: ^[a-zA-Z0-9][a-zA-Z0-9\-]{0,99}$.
500

Internal Server Error
Hide headers attribute Show headers attribute
- x-fapi-interaction-id string
  
  An RFC4122 UID used as a correlation id.
  
  Minimum length is 1, maximum length is 100. Format should match the following pattern: ^[a-zA-Z0-9][a-zA-Z0-9\-]{0,99}$.
502

Bad Gateway
Hide headers attribute Show headers attribute
- x-fapi-interaction-id string
  
  An RFC4122 UID used as a correlation id.
  
  Minimum length is 1, maximum length is 100. Format should match the following pattern: ^[a-zA-Z0-9][a-zA-Z0-9\-]{0,99}$.
504

Upstream timeout, insufficient capacity to serve request. More capacity being brought online. Please try again.
Hide headers attribute Show headers attribute
- x-fapi-interaction-id string
  
  An RFC4122 UID used as a correlation id.
  
  Minimum length is 1, maximum length is 100. Format should match the following pattern: ^[a-zA-Z0-9][a-zA-Z0-9\-]{0,99}$.

POST /organisations/{OrganisationId}/softwarestatements

curl \
 -X POST https://matls-api.sandbox.raidiam.io/organisations/{OrganisationId}/softwarestatements \
 -H "Authorization: Bearer $ACCESS_TOKEN" \
 -H "Content-Type: application/json" \
 -H "x-fapi-auth-date: string" \
 -H "x-fapi-customer-ip-address: string" \
 -H "x-fapi-interaction-id: string" \
 -H "x-customer-user-agent: string" \
 -d '{"AdditionalSoftwareMetadata":"string","ApiWebhookUri":["https://example.com"],"ClientName":"string","ClientUri":"https://example.com","Description":"string","Environment":"string","Flags":["f81d4fae-7dec-11d0-a765-00a0c91e6bf6"],"HomepageUri":"https://example.com","IdTokenSignedResponseAlgorithm":"PS256","LogoUri":"https://example.com","Mode":"Live","NotificationWebhook":"https://example.com","OnBehalfOf":"string","OpenidFederationEnabled":false,"OpenidFederationEntityManagementType":"openid_entity_federation_managed","OriginUri":["https://example.com"],"PolicyUri":"https://example.com","PostLogoutRedirectUris":["https://example.com"],"RedirectUri":["https://example.com"],"RelatedAuthorisationServer":"string","RequireSignedRequestObject":true,"Roles":[{"AuthorisationDomain":"string","Role":"PAGTO","Status":"Active"}],"SoftwareVersion":"string","TermsOfServiceUri":"https://example.com","TlsClientCertificateBoundAccessTokens":true,"TokenEndpointAuthMethod":"private_key_jwt","Version":42.0}'

Request examples

# Headers
x-fapi-auth-date: string
x-fapi-customer-ip-address: string
x-fapi-interaction-id: string
x-customer-user-agent: string

# Payload
{
  "AdditionalSoftwareMetadata": "string",
  "ApiWebhookUri": [
    "https://example.com"
  ],
  "ClientName": "string",
  "ClientUri": "https://example.com",
  "Description": "string",
  "Environment": "string",
  "Flags": [
    "f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
  ],
  "HomepageUri": "https://example.com",
  "IdTokenSignedResponseAlgorithm": "PS256",
  "LogoUri": "https://example.com",
  "Mode": "Live",
  "NotificationWebhook": "https://example.com",
  "OnBehalfOf": "string",
  "OpenidFederationEnabled": false,
  "OpenidFederationEntityManagementType": "openid_entity_federation_managed",
  "OriginUri": [
    "https://example.com"
  ],
  "PolicyUri": "https://example.com",
  "PostLogoutRedirectUris": [
    "https://example.com"
  ],
  "RedirectUri": [
    "https://example.com"
  ],
  "RelatedAuthorisationServer": "string",
  "RequireSignedRequestObject": true,
  "Roles": [
    {
      "AuthorisationDomain": "string",
      "Role": "PAGTO",
      "Status": "Active"
    }
  ],
  "SoftwareVersion": "string",
  "TermsOfServiceUri": "https://example.com",
  "TlsClientCertificateBoundAccessTokens": true,
  "TokenEndpointAuthMethod": "private_key_jwt",
  "Version": 42.0
}

Response examples (201)

# Headers
x-fapi-interaction-id: 73cac523-d3ae-2289-b106-330a6218710d

# Payload
{
  "AdditionalSoftwareMetadata": "string",
  "ApiWebhookUri": [
    "https://example.com"
  ],
  "ClientId": "string",
  "ClientName": "string",
  "ClientSecret": "string",
  "ClientUri": "https://example.com",
  "CreatedAt": "2025-05-04T09:42:00+00:00",
  "Description": "string",
  "Environment": "string",
  "FederationEndpoint": "https://example.com",
  "Flags": [
    {
      "AccessLevel": 42,
      "Description": "string",
      "Name": "string",
      "Status": "Active",
      "Type": "Organisation",
      "Value": "string"
    }
  ],
  "HomepageUri": "https://example.com",
  "IdTokenSignedResponseAlgorithm": "PS256",
  "Locked": true,
  "LogoUri": "https://example.com",
  "Mode": "Live",
  "NotificationWebhook": "https://example.com",
  "NotificationWebhookStatus": "Pending",
  "OnBehalfOf": "string",
  "OpenidFederationEnabled": false,
  "OpenidFederationEntityManagementType": "openid_entity_federation_managed",
  "OrganisationId": "string",
  "OriginUri": [
    "https://example.com"
  ],
  "PolicyUri": "https://example.com",
  "PostLogoutRedirectUris": [
    "https://example.com"
  ],
  "RedirectUri": [
    "https://example.com"
  ],
  "RelatedAuthorisationServer": "string",
  "RequireSignedRequestObject": true,
  "RtsClientCreated": true,
  "SoftwareStatementId": "string",
  "SoftwareVersion": "string",
  "Status": "Active",
  "TermsOfServiceUri": "https://example.com",
  "TlsClientCertificateBoundAccessTokens": true,
  "TokenEndpointAuthMethod": "private_key_jwt",
  "UpdateFailed": true,
  "UpdateFailedReason": "string",
  "Version": 42.0
}

Response examples (400)

# Headers
x-fapi-interaction-id: 73cac523-d3ae-2289-b106-330a6218710d

# Payload
{
  "errors": [
    "string"
  ]
}