-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathconnector-openapi.yml
More file actions
1658 lines (1618 loc) · 71.5 KB
/
Copy pathconnector-openapi.yml
File metadata and controls
1658 lines (1618 loc) · 71.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
openapi: 3.0.4
info:
title: Connector Registry API
version: 0.1.0
x-contract-version: v1
x-contract-stability: stable
x-products: [vdx]
description: |
Register and operate connector instances that can act as sources, destinations, or both.
The API is mounted as a singular product API at `/api/connector/v1`; resources inside the API
use plural REST paths.
The connector REST contract is v1-stable. Compatible additions may appear, but existing
response fields, path names, operation ids, and request shapes are governed as public
integration and SDK-facing contract surface.
The model deliberately separates transport from data:
- `AccessProtocol` describes how a connector reaches a system, such as HTTPS, JDBC, S3,
Kafka, OIDC, or vault access.
- `ResourceKind` describes the logical resource being accessed, such as tabular data,
documents, claim sets, event streams, files, secrets, credentials, or presentations.
- `RepresentationKind` describes the serialization or data representation, such as JSON,
JSON-LD, CSV, JWT, RDF, Parquet, text, or binary.
- `ContractKind` describes the schema or contract source, such as OpenAPI, JSON Schema,
SQL schema, RDF shape, OIDC discovery, or CSV profile.
A connector instance is represented as a Party and can be assigned Identities. Identifiers are
always nested under Identity, matching the existing Party -> Identity -> Identifier model. This
allows external systems, technical accounts, issuers, relying parties, APIs, and LOB systems to
have durable identities without flattening identifiers directly onto connectors.
Routes compose source and destination operation bindings with optional transformations. This
supports current issuance use cases, CSV import/export, vault/blob materialization, HTTP/OpenAPI
connector runtimes, SQL connector runtimes, OIDC claim sources, forms, workflows, and future governance
controls without coupling the API to one credential or form pipeline.
contact:
name: Product Engineering
email: support@example.com
url: https://example.com
license:
name: Apache 2.0
url: https://www.apache.org/licenses/LICENSE-2.0
servers:
- url: https://api.example.com/api/connector/v1
description: Production server.
- url: http://localhost:8080/api/connector/v1
description: Local development server.
security:
- bearer: []
tags:
- name: Connectors
description: Register connector instances as durable Party-backed integration endpoints.
- name: ConnectorIdentities
description: Read Party identities and nested identifiers assigned through connector create/update or Party APIs.
- name: ConnectorResources
description: Attach described resources to connector instances.
- name: ResourceDescriptors
description: Describe data shapes, contracts, fields, and semantic meaning independent of transport.
- name: OperationBindings
description: Bind connector operations to resources, protocols, transformations, and delivery policies.
- name: SemanticBindings
description: Bind resource fields and connector resources to semantic model references.
- name: ConnectorInvocationBindings
description: Bind product and protocol invocation stages to persisted connector routes, operations, logical context, and governance defaults.
- name: LogicalConnectionBindings
description: Scope physical connector instances to tenant, organization, brand, channel, and caller-specific logical usage contexts.
- name: RouteExposures
description: Describe externally callable route capabilities and their authorization, schema, subset, rate, and audit constraints.
- name: ConnectorDataProducts
description: Describe connector-exposed data products, catalog offers, transfer types, and governance scope without implementing DSP/DCAT wire behavior.
- name: Transformations
description: Define reusable transformations between resource descriptors.
- name: Routes
description: Compose source and destination operation bindings with optional transformation and trigger policy.
- name: Runs
description: Observe connector route and operation executions.
paths:
/connectors:
get:
operationId: listConnectorInstances
summary: List connector instances
description: |
Lists connector instances registered for the tenant. Use this endpoint to find durable
integration endpoints by connector family, data-flow role, or logical operation support.
A connector instance is not itself a resource shape; resource descriptors and operation
bindings describe what the connector can read or write.
tags: [Connectors]
parameters:
- $ref: './connector-components.yml#/components/parameters/ConnectorType'
- $ref: './connector-components.yml#/components/parameters/Role'
- $ref: './connector-components.yml#/components/parameters/OperationKind'
- $ref: './common-components.yml#/components/parameters/Page'
- $ref: './common-components.yml#/components/parameters/Size'
responses:
'200':
description: Paged connector instances.
content:
application/json:
schema:
$ref: '#/components/schemas/ConnectorInstancePage'
'400':
$ref: './common-components.yml#/components/responses/ValidationError'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
post:
operationId: createConnectorInstance
summary: Create a connector instance
description: |
Creates the connector instance and its backing Party. The request must include the
connector identity data needed to bind or create the Party identity up front. Identifiers
must be supplied inside an identity.
tags: [Connectors]
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ConnectorInstanceCreateRequest'
responses:
'201':
description: Connector instance created.
content:
application/json:
schema:
$ref: '#/components/schemas/ConnectorInstance'
'400':
$ref: './common-components.yml#/components/responses/ValidationError'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
/connectors/{connectorInstanceId}:
get:
operationId: getConnectorInstance
summary: Get a connector instance
description: |
Reads one connector instance, including its backing Party id, assigned identities,
endpoint references, credential references, settings bindings, and default policies.
Secret values are never returned.
tags: [Connectors]
parameters:
- $ref: './connector-components.yml#/components/parameters/ConnectorInstanceId'
responses:
'200':
description: Connector instance.
content:
application/json:
schema:
$ref: '#/components/schemas/ConnectorInstance'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
'404':
$ref: './common-components.yml#/components/responses/NotFound'
patch:
operationId: updateConnectorInstance
summary: Update a connector instance
description: |
Updates connector instance metadata, lifecycle state, supported operations, and default
policies. Use lifecycleStatus=SUSPENDED to stop new route runs without deleting durable
configuration or Party identity information.
tags: [Connectors]
parameters:
- $ref: './connector-components.yml#/components/parameters/ConnectorInstanceId'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ConnectorInstanceUpdateRequest'
responses:
'200':
description: Connector instance updated.
content:
application/json:
schema:
$ref: '#/components/schemas/ConnectorInstance'
'400':
$ref: './common-components.yml#/components/responses/ValidationError'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
'404':
$ref: './common-components.yml#/components/responses/NotFound'
delete:
operationId: deleteConnectorInstance
summary: Delete a connector instance
description: |
Deletes or tombstones the connector registration according to the runtime implementation.
This removes the connector registry entry, but implementations should treat Party,
Identity, Identifier, audit, and historical run data according to their own retention rules.
tags: [Connectors]
parameters:
- $ref: './connector-components.yml#/components/parameters/ConnectorInstanceId'
responses:
'204':
description: Connector instance deleted.
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
'404':
$ref: './common-components.yml#/components/responses/NotFound'
/connectors/{connectorInstanceId}/identities:
get:
operationId: listConnectorIdentities
summary: List connector identities
description: |
Lists identities assigned to the connector's backing Party. Identifiers are returned nested
under each identity, preserving the Party -> Identity -> Identifier model.
tags: [ConnectorIdentities]
parameters:
- $ref: './connector-components.yml#/components/parameters/ConnectorInstanceId'
- $ref: './common-components.yml#/components/parameters/Page'
- $ref: './common-components.yml#/components/parameters/Size'
responses:
'200':
description: Paged identities assigned to the connector Party.
content:
application/json:
schema:
$ref: '#/components/schemas/ConnectorIdentityPage'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
'404':
$ref: './common-components.yml#/components/responses/NotFound'
/connectors/{connectorInstanceId}/resources:
get:
operationId: listConnectorResources
summary: List resources attached to a connector
description: |
Lists resource descriptors attached to a connector instance for source and destination use.
The attached resource adds connector-local access details such as external resource name,
endpoint id, and access protocol; the descriptor remains the reusable logical data shape.
tags: [ConnectorResources]
parameters:
- $ref: './connector-components.yml#/components/parameters/ConnectorInstanceId'
- $ref: './connector-components.yml#/components/parameters/Role'
- $ref: './connector-components.yml#/components/parameters/ResourceKind'
- $ref: './common-components.yml#/components/parameters/Page'
- $ref: './common-components.yml#/components/parameters/Size'
responses:
'200':
description: Paged resources attached to the connector.
content:
application/json:
schema:
$ref: '#/components/schemas/ConnectorResourcePage'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
'404':
$ref: './common-components.yml#/components/responses/NotFound'
post:
operationId: attachConnectorResource
summary: Attach a resource descriptor to a connector
description: |
Attaches a reusable resource descriptor to a connector instance. For example, the same
employee profile descriptor can be attached to an HTTP/OpenAPI connector over HTTPS, a CSV
resource accessed over VAULT, and a SQL connector accessed over JDBC without changing the descriptor.
tags: [ConnectorResources]
parameters:
- $ref: './connector-components.yml#/components/parameters/ConnectorInstanceId'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/AttachConnectorResourceRequest'
responses:
'201':
description: Resource attached to the connector.
content:
application/json:
schema:
$ref: '#/components/schemas/ConnectorResource'
'400':
$ref: './common-components.yml#/components/responses/ValidationError'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
'404':
$ref: './common-components.yml#/components/responses/NotFound'
/connectors/{connectorInstanceId}/discoveryruns:
post:
operationId: createConnectorDiscoveryRun
summary: Discover connector resources
description: |
Runs connector discovery and returns suggested resource descriptors and operation hints.
Discovery results are advisory; callers must create resource descriptors and operation
bindings explicitly before routes can use them.
tags: [ConnectorResources]
parameters:
- $ref: './connector-components.yml#/components/parameters/ConnectorInstanceId'
requestBody:
required: false
content:
application/json:
schema:
$ref: '#/components/schemas/DiscoverResourcesRequest'
responses:
'200':
description: Discovery result with suggested resource descriptors.
content:
application/json:
schema:
$ref: '#/components/schemas/DiscoveryResult'
'400':
$ref: './common-components.yml#/components/responses/ValidationError'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
'404':
$ref: './common-components.yml#/components/responses/NotFound'
/connectors/{connectorInstanceId}/healthchecks:
post:
operationId: createConnectorHealthCheck
summary: Check connector health
description: |
Performs a health check for the connector instance and optionally its dependencies, such as
endpoint reachability, credentials, contract availability, or operation-specific readiness.
The health result is observational and does not change connector lifecycle status.
tags: [Connectors]
parameters:
- $ref: './connector-components.yml#/components/parameters/ConnectorInstanceId'
requestBody:
required: false
content:
application/json:
schema:
$ref: '#/components/schemas/HealthCheckRequest'
responses:
'200':
description: Connector health result.
content:
application/json:
schema:
$ref: '#/components/schemas/ConnectorHealth'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
'404':
$ref: './common-components.yml#/components/responses/NotFound'
/resource/descriptors:
get:
operationId: listResourceDescriptors
summary: List resource descriptors
description: |
Lists reusable resource descriptors. Descriptors describe the logical resource, data
representation, structural contract, fields, semantic bindings, sensitivity, and retention
hints independently from connector transport.
tags: [ResourceDescriptors]
parameters:
- $ref: './connector-components.yml#/components/parameters/ResourceKind'
- $ref: './common-components.yml#/components/parameters/Page'
- $ref: './common-components.yml#/components/parameters/Size'
responses:
'200':
description: Paged resource descriptors.
content:
application/json:
schema:
$ref: '#/components/schemas/ResourceDescriptorPage'
'400':
$ref: './common-components.yml#/components/responses/ValidationError'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
post:
operationId: createResourceDescriptor
summary: Create a resource descriptor
description: |
Creates a reusable descriptor for data that can flow through connectors. Use this for CSV
rows, REST payloads, OIDC claim sets, SQL tables, vault objects, forms, workflow payloads,
credentials, presentations, and future resource types.
tags: [ResourceDescriptors]
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ResourceDescriptorCreateRequest'
responses:
'201':
description: Resource descriptor created.
content:
application/json:
schema:
$ref: '#/components/schemas/ResourceDescriptor'
'400':
$ref: './common-components.yml#/components/responses/ValidationError'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
/resource/descriptors/{resourceDescriptorId}:
get:
operationId: getResourceDescriptor
summary: Get a resource descriptor
description: |
Reads one resource descriptor including field metadata, contract reference, representation,
and semantic/governance hints. The descriptor does not contain connector credentials or
transport endpoint details.
tags: [ResourceDescriptors]
parameters:
- $ref: './connector-components.yml#/components/parameters/ResourceDescriptorId'
responses:
'200':
description: Resource descriptor.
content:
application/json:
schema:
$ref: '#/components/schemas/ResourceDescriptor'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
'404':
$ref: './common-components.yml#/components/responses/NotFound'
patch:
operationId: updateResourceDescriptor
summary: Update a resource descriptor
description: |
Updates descriptor metadata, resource classification, representation, contract reference,
or governance metadata. Field-level changes are managed through the fields subresource.
tags: [ResourceDescriptors]
parameters:
- $ref: './connector-components.yml#/components/parameters/ResourceDescriptorId'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ResourceDescriptorUpdateRequest'
responses:
'200':
description: Resource descriptor updated.
content:
application/json:
schema:
$ref: '#/components/schemas/ResourceDescriptor'
'400':
$ref: './common-components.yml#/components/responses/ValidationError'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
'404':
$ref: './common-components.yml#/components/responses/NotFound'
/resource/descriptors/{resourceDescriptorId}/fields:
get:
operationId: listFieldDescriptors
summary: List resource descriptor fields
description: |
Lists fields declared for a resource descriptor. Fields carry path/column names, value
type hints, required/multi-valued semantics, semantic attribute references, sensitivity,
and optional retention metadata.
tags: [ResourceDescriptors]
parameters:
- $ref: './connector-components.yml#/components/parameters/ResourceDescriptorId'
- $ref: './common-components.yml#/components/parameters/Page'
- $ref: './common-components.yml#/components/parameters/Size'
responses:
'200':
description: Paged field descriptors.
content:
application/json:
schema:
$ref: '#/components/schemas/FieldDescriptorPage'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
'404':
$ref: './common-components.yml#/components/responses/NotFound'
post:
operationId: createFieldDescriptor
summary: Add a field descriptor
description: |
Adds a field to a descriptor. Use this to document a CSV column, JSON path, SQL column,
OIDC claim, form field, credential claim, or presentation attribute that can be validated,
mapped, governed, or transformed.
tags: [ResourceDescriptors]
parameters:
- $ref: './connector-components.yml#/components/parameters/ResourceDescriptorId'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/FieldDescriptorInput'
responses:
'201':
description: Field descriptor created.
content:
application/json:
schema:
$ref: '#/components/schemas/FieldDescriptor'
'400':
$ref: './common-components.yml#/components/responses/ValidationError'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
'404':
$ref: './common-components.yml#/components/responses/NotFound'
/operation/bindings:
get:
operationId: listOperationBindings
summary: List operation bindings
description: |
Lists connector operation bindings. Operation bindings connect connector instances,
attached resources, logical operation kinds, connector-local operation names, protocols,
transformations, delivery behavior, and egress policies.
tags: [OperationBindings]
parameters:
- $ref: './connector-components.yml#/components/parameters/ConnectorType'
- $ref: './connector-components.yml#/components/parameters/OperationKind'
- $ref: './connector-components.yml#/components/parameters/Role'
- $ref: './common-components.yml#/components/parameters/Page'
- $ref: './common-components.yml#/components/parameters/Size'
responses:
'200':
description: Paged operation bindings.
content:
application/json:
schema:
$ref: '#/components/schemas/OperationBindingPage'
'400':
$ref: './common-components.yml#/components/responses/ValidationError'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
post:
operationId: createOperationBinding
summary: Create an operation binding
description: |
Creates a source or destination operation binding. A source READ binding can later be
paired with a destination WRITE binding in a route, optionally with a transformation
between their resource descriptors.
tags: [OperationBindings]
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/OperationBindingCreateRequest'
responses:
'201':
description: Operation binding created.
content:
application/json:
schema:
$ref: '#/components/schemas/OperationBinding'
'400':
$ref: './common-components.yml#/components/responses/ValidationError'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
/operation/bindings/{bindingId}:
get:
operationId: getOperationBinding
summary: Get an operation binding
description: |
Reads one operation binding, including connector-local operation name, protocol, request
and response descriptors, transformation reference, delivery settings, and egress policy.
tags: [OperationBindings]
parameters:
- $ref: './connector-components.yml#/components/parameters/BindingId'
responses:
'200':
description: Operation binding.
content:
application/json:
schema:
$ref: '#/components/schemas/OperationBinding'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
'404':
$ref: './common-components.yml#/components/responses/NotFound'
patch:
operationId: updateOperationBinding
summary: Update an operation binding
description: |
Updates an operation binding without changing unrelated connector or resource descriptor
state. Use this for contract changes, renamed operation ids, updated delivery policies,
or new transformation references.
tags: [OperationBindings]
parameters:
- $ref: './connector-components.yml#/components/parameters/BindingId'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/OperationBindingUpdateRequest'
responses:
'200':
description: Operation binding updated.
content:
application/json:
schema:
$ref: '#/components/schemas/OperationBinding'
'400':
$ref: './common-components.yml#/components/responses/ValidationError'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
'404':
$ref: './common-components.yml#/components/responses/NotFound'
delete:
operationId: deleteOperationBinding
summary: Delete an operation binding
description: |
Deletes an operation binding. Implementations should reject deletion while active routes
still depend on the binding, or require those routes to be updated first.
tags: [OperationBindings]
parameters:
- $ref: './connector-components.yml#/components/parameters/BindingId'
responses:
'204':
description: Operation binding deleted.
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
'404':
$ref: './common-components.yml#/components/responses/NotFound'
/semantic/bindings:
get:
operationId: listSemanticConnectorBindings
summary: List semantic connector bindings
description: |
Lists semantic bindings for connector resources and fields. These bindings let the platform
understand that an external field represents an employee email, SSN, customer id, supplier
relationship, policy classification, or other semantic concept.
tags: [SemanticBindings]
parameters:
- $ref: './connector-components.yml#/components/parameters/ConnectorType'
- $ref: './connector-components.yml#/components/parameters/ResourceKind'
- $ref: './common-components.yml#/components/parameters/Page'
- $ref: './common-components.yml#/components/parameters/Size'
responses:
'200':
description: Paged semantic connector bindings.
content:
application/json:
schema:
$ref: '#/components/schemas/SemanticConnectorBindingPage'
'400':
$ref: './common-components.yml#/components/responses/ValidationError'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
post:
operationId: createSemanticConnectorBinding
summary: Create a semantic connector binding
description: |
Creates a semantic binding for a connector resource or field. This is the link that allows
validation, documentation, mapping, and future policy checks to reason over external data
using the same semantic model as credential designs, forms, parties, and relationships.
tags: [SemanticBindings]
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/SemanticConnectorBindingCreateRequest'
responses:
'201':
description: Semantic connector binding created.
content:
application/json:
schema:
$ref: '#/components/schemas/SemanticConnectorBinding'
'400':
$ref: './common-components.yml#/components/responses/ValidationError'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
/invocation/bindings:
get:
operationId: listConnectorInvocationBindings
summary: List connector invocation bindings
description: |
Lists persisted invocation bindings that connect product or protocol lifecycle stages to
connector routes, operations, logical connection bindings, subset mappings, governance, and
execution policies. These records are the registry surface used when an issuer, verifier,
form, portal, or workflow needs a durable connector action at a named stage.
tags: [ConnectorInvocationBindings]
parameters:
- name: ownerSurface
in: query
required: false
description: Filter by the product or protocol surface that owns the invocation.
schema:
$ref: './connector-components.yml#/components/schemas/ConnectorOwnerSurface'
example: OID4VCI
- name: ownerReference
in: query
required: false
description: Filter by owner-specific reference, such as issuer configuration id, verifier profile id, form id, or workflow id.
schema:
type: string
example: issuer-config-1
- name: stage
in: query
required: false
description: Filter by product or protocol lifecycle stage.
schema:
$ref: './connector-components.yml#/components/schemas/ConnectorInvocationStage'
example: OID4VCI_CREDENTIAL_REQUEST
- name: role
in: query
required: false
description: Filter by the connector's invocation role at the lifecycle stage.
schema:
$ref: './connector-components.yml#/components/schemas/ConnectorInvocationRole'
example: VAULT_RETENTION
- name: logicalConnectionBindingId
in: query
required: false
description: Filter by logical connection binding used by the invocation.
schema:
$ref: './connector-components.yml#/components/schemas/LogicalConnectionBindingId'
example: brand-a-proof-vault
- $ref: './common-components.yml#/components/parameters/Page'
- $ref: './common-components.yml#/components/parameters/Size'
responses:
'200':
description: Paged connector invocation bindings.
content:
application/json:
schema:
$ref: '#/components/schemas/ConnectorInvocationBindingPage'
'400':
$ref: './common-components.yml#/components/responses/ValidationError'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
post:
operationId: createConnectorInvocationBinding
summary: Create a connector invocation binding
description: |
Creates or replaces a durable invocation binding for a product or protocol lifecycle stage.
The stored binding carries the physical or logical connector target, subset mapping,
governance metadata, Party anchors, materialization policy, and execution policy that the
runtime will attach to resulting connector runs.
tags: [ConnectorInvocationBindings]
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ConnectorInvocationBindingCreateRequest'
responses:
'201':
description: Connector invocation binding created.
content:
application/json:
schema:
$ref: '#/components/schemas/ConnectorInvocationBinding'
'400':
$ref: './common-components.yml#/components/responses/ValidationError'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
/invocation/bindings/{invocationBindingId}:
get:
operationId: getConnectorInvocationBinding
summary: Get a connector invocation binding
description: Reads one persisted invocation binding by id.
tags: [ConnectorInvocationBindings]
parameters:
- $ref: './connector-components.yml#/components/parameters/InvocationBindingId'
responses:
'200':
description: Connector invocation binding.
content:
application/json:
schema:
$ref: '#/components/schemas/ConnectorInvocationBinding'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
'404':
$ref: './common-components.yml#/components/responses/NotFound'
/logical/bindings:
get:
operationId: listLogicalConnectionBindings
summary: List logical connection bindings
description: |
Lists logical usage bindings for physical connector instances. Logical bindings let one
connector instance be safely reused across tenants, organization units, brands, legal
entities, channels, and caller contexts while keeping discriminator, auth overlay,
governance, and catalog projection metadata explicit.
tags: [LogicalConnectionBindings]
parameters:
- name: physicalConnectorInstanceId
in: query
required: false
description: Filter by the physical connector instance backing the logical binding.
schema:
$ref: './connector-components.yml#/components/schemas/ConnectorInstanceId'
example: 8a7f09af-7ac9-4d96-91f9-a2a252f4aa4b
- name: organizationUnitId
in: query
required: false
description: Filter by organization unit in the logical context.
schema:
type: string
example: nl-ops
- name: brandId
in: query
required: false
description: Filter by brand in the logical context.
schema:
type: string
example: brand-a
- $ref: './common-components.yml#/components/parameters/Page'
- $ref: './common-components.yml#/components/parameters/Size'
responses:
'200':
description: Paged logical connection bindings.
content:
application/json:
schema:
$ref: '#/components/schemas/LogicalConnectionBindingPage'
'400':
$ref: './common-components.yml#/components/responses/ValidationError'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
post:
operationId: createLogicalConnectionBinding
summary: Create a logical connection binding
description: |
Creates or replaces a logical connection binding for a physical connector instance. Use this
resource to declare tenant, OU, brand, channel, caller, auth overlay, grant, governance, and
system-catalog projection metadata without duplicating the physical connector registration.
tags: [LogicalConnectionBindings]
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/LogicalConnectionBindingCreateRequest'
responses:
'201':
description: Logical connection binding created.
content:
application/json:
schema:
$ref: '#/components/schemas/LogicalConnectionBinding'
'400':
$ref: './common-components.yml#/components/responses/ValidationError'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
/logical/bindings/{logicalConnectionBindingId}:
get:
operationId: getLogicalConnectionBinding
summary: Get a logical connection binding
description: Reads one logical connection binding by id.
tags: [LogicalConnectionBindings]
parameters:
- $ref: './connector-components.yml#/components/parameters/LogicalConnectionBindingId'
responses:
'200':
description: Logical connection binding.
content:
application/json:
schema:
$ref: '#/components/schemas/LogicalConnectionBinding'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
'404':
$ref: './common-components.yml#/components/responses/NotFound'
/route/exposures:
get:
operationId: listRouteExposureDescriptors
summary: List route exposure descriptors
description: |
Lists externally callable route exposure descriptors. Exposure descriptors are registry
records for external read/write capabilities, including accepted auth methods, caller Party
and relationship constraints, schemas, subset mapping, payload/rate limits, and audit category.
tags: [RouteExposures]
parameters:
- name: logicalConnectionBindingId
in: query
required: false
description: Filter by logical connection binding backing the exposed capability.
schema:
$ref: './connector-components.yml#/components/schemas/LogicalConnectionBindingId'
example: brand-a-proof-vault
- name: exchangeMode
in: query
required: false
description: Filter by the route exposure exchange quadrant.
schema:
$ref: './connector-components.yml#/components/schemas/ConnectorExchangeMode'
example: EXTERNALLY_INITIATED_READ_FROM_VDX
- $ref: './common-components.yml#/components/parameters/Page'
- $ref: './common-components.yml#/components/parameters/Size'
responses:
'200':
description: Paged route exposure descriptors.
content:
application/json:
schema:
$ref: '#/components/schemas/RouteExposureDescriptorPage'
'400':
$ref: './common-components.yml#/components/responses/ValidationError'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
post:
operationId: createRouteExposureDescriptor
summary: Create a route exposure descriptor
description: |
Creates or replaces a route exposure descriptor for an externally initiated connector
capability. This registers the externally callable surface but does not by itself implement
the runtime endpoint for the external caller.
tags: [RouteExposures]
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/RouteExposureDescriptorCreateRequest'
responses:
'201':
description: Route exposure descriptor created.
content:
application/json:
schema:
$ref: '#/components/schemas/RouteExposureDescriptor'
'400':
$ref: './common-components.yml#/components/responses/ValidationError'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
/route/exposures/{exposureDescriptorId}:
get:
operationId: getRouteExposureDescriptor
summary: Get a route exposure descriptor
description: Reads one route exposure descriptor by id.
tags: [RouteExposures]
parameters:
- $ref: './connector-components.yml#/components/parameters/ExposureDescriptorId'
responses:
'200':
description: Route exposure descriptor.
content:
application/json:
schema:
$ref: '#/components/schemas/RouteExposureDescriptor'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
'404':
$ref: './common-components.yml#/components/responses/NotFound'
/route/exposures/{exposureDescriptorId}/read:
post:
operationId: executeRouteExposureRead
summary: Execute an externally initiated route exposure read
description: |
Executes an explicitly registered external-read route exposure. The caller supplies the
authenticated Party context, governed canonical fields already eligible for projection,
governance metadata, a policy decision, and optional cursor state. The response is an
approved governed view with manifest, policy lineage, selected fields, and cursor state.
This endpoint does not expose internal connector records, Party tables, vault rows, or
semantic stores directly.
tags: [RouteExposures]
parameters:
- $ref: './connector-components.yml#/components/parameters/ExposureDescriptorId'
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/RouteExposureExternalReadRequest'
responses:
'200':
description: Governed external-read view.
content:
application/json:
schema:
$ref: '#/components/schemas/ConnectorExternalReadResponse'
'400':
$ref: './common-components.yml#/components/responses/ValidationError'
'401':
$ref: './common-components.yml#/components/responses/Unauthorized'
'403':
$ref: './common-components.yml#/components/responses/Forbidden'
'404':
$ref: './common-components.yml#/components/responses/NotFound'
/route/exposures/{exposureDescriptorId}/write:
post:
operationId: executeRouteExposureWrite
summary: Execute an externally initiated route exposure write
description: |
Executes an explicitly registered external-write route exposure. The caller supplies the
authenticated Party context, governed payload envelope, field mappings, governance metadata,
policy decision, optional idempotency key, and optional Party projection candidates. The
response is an accepted, minimized, redacted, quarantined, or rejected governed-ingress
receipt with canonical-field mapping, projection-candidate ids, policy lineage, idempotency
result, payload hash, and later-use availability scope.
tags: [RouteExposures]
parameters:
- $ref: './connector-components.yml#/components/parameters/ExposureDescriptorId'
requestBody: