Web login procedure

There is a new web session login procedure available in the Neuron®. From build 2025-08-18, clients performing web session login must follow this new procedure. For users who log in using a browser, this is accomplished by simply refreshing the page to ensure the most recent JavaScript file is loaded when logging in.

Note: Web session login is used to access the administrative page. Agent API uses another type of login, based on JWT bearer tokens.

The client calls the /Login web resource with a JSON object payload as follows:

{
	"UserName": Required(Str(PUserName)),
	"PasswordHash": Required(Str(PPasswordHash)),
	"Nonce": Required(Str(PNonce))
}

While the web resource is the same as before, the following is new:

  • A PasswordHash property is sent instead of a Password in clear text (albeit over an obligatory encrypted channel, i.e. basic authentication over HTTPS). How this password hash is computed is described below.
  • A Nonce value is available. This value must be unique, and cannot be reused. It is recommended this is a base64-encoding of a sufficiently large random number, for instance a 32-byte random number, to generate sufficient entropy. Reusing a nonce value will result in an error being returned.
  • The response from the web resource is another JSON object. Earlier, a successful login returned a redirection response, and an error resulted in a session variable state change.

The purpose of the change is twofold:

  • Secure the login endpoint
  • Allow third party clients to log in using the web login.

The response to the call is a JSON object as follows:

{
	"ok": Required(Bool(POk)),
	"message": Optional(Str(PMessage))
}

If ok is false, the message will contain an error message. Note that the login will be available in the current session. To enable sessions, cookies must be enabled.

Hash Digest computation

The client needs to perform the following computations to generate the hash digest to send to the Neuron®:

  1. Compute H1 = SHA3-256(UserName + ":" + Domain + ":" + Password), where Domain is the host name or main domain name of the Neuron®. It cannot be an alternative domain name; it must be the main domain name of the Neuron®.

  2. Compute H2 = HMAC-SHA-256(UTF8Encode(Nonce),H1), where the UTF-8 encoded Nonce is used as key to the HMAC-SHA-256 algorithm, and H1 is used as the data whose digest is to be computed. Note that the UTF-8 encoding must not include a preamble or byte-order-mark (BOM).

  3. Compute PasswordHash = BASE64(H2).

Note: For a reference implementation, see the /Login.js javascript resource on an updated Neuron®.
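
The three steps above, together with the request payload and response check, as a third-party client might implement them. This is an added example, not the /Login.js reference implementation. It assumes the concatenated string in step 1 is UTF-8 encoded and that H1 is passed to the HMAC as the raw 32-byte digest; the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets


def new_nonce(num_bytes: int = 32) -> str:
    """Base64 of a fresh random number (32 bytes, as the text recommends)."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def password_hash(user_name: str, domain: str, password: str, nonce: str) -> str:
    # Step 1: H1 = SHA3-256(UserName + ":" + Domain + ":" + Password)
    # Assumption: the concatenated string is UTF-8 encoded before hashing.
    h1 = hashlib.sha3_256(f"{user_name}:{domain}:{password}".encode("utf-8")).digest()
    # Step 2: H2 = HMAC-SHA-256(key=UTF8Encode(Nonce), data=H1)
    # The "utf-8" codec emits no BOM ("utf-8-sig" would, and must not be used).
    # Assumption: H1 is the raw 32-byte digest, not a hex string.
    h2 = hmac.new(nonce.encode("utf-8"), h1, hashlib.sha256).digest()
    # Step 3: PasswordHash = BASE64(H2)
    return base64.b64encode(h2).decode("ascii")


def login_payload(user_name: str, domain: str, password: str) -> str:
    """JSON body for the /Login call; a fresh nonce is drawn for every attempt."""
    nonce = new_nonce()
    return json.dumps({
        "UserName": user_name,
        "PasswordHash": password_hash(user_name, domain, password, nonce),
        "Nonce": nonce,
    })


def check_response(body: str) -> None:
    """Raise if the /Login response reports failure (ok is false)."""
    reply = json.loads(body)
    if not reply["ok"]:
        raise PermissionError(reply.get("message", "login failed"))
```

Because the nonce keys the HMAC, the PasswordHash differs on every attempt, and a retry after an error must call login_payload again rather than resend the previous body.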

#new, #api, #security


Public Publish/Subscribe Web Service

Nodes that have been declared as open in XMPP Publish/Subscribe can be accessed as RSS Feeds (from build 2025-07-15). The feed contains links to the most recent items published on the node. Accessing the links will return the XML of the corresponding item.

Syntax of the URLs to access the RSS feed and corresponding items is:

https://DOMAIN/PubSub/NODE_ID

URLs of this type will return an RSS feed of the most recent items of the public Publish/Subscribe node with the name NODE_ID.

https://DOMAIN/PubSub/NODE_ID/ITEM_ID

URLs of this type will return the XML of the item ITEM_ID published on the public Publish/Subscribe node with the name NODE_ID.

Examples

You can use these examples to try the API:

The ReleaseNotes publish/subscribe node is also a Web Node, i.e. used for publishing information online. Compare the source publish/subscribe information accessible via the links above, to the corresponding web links:

#new, #features, #api, #neuron, #rss


Resending Verification Codes during Onboarding

The TAG ID Onboarding API has been updated to allow for resending verification codes, without generating new codes. There are two parts of this API:

  1. For clients that access an onboarding Neuron®, the /ID/SendVerificationMessage.ws resource has been updated to allow for resending codes, by providing a Resend property in the request. If set to true, the resource will resend any existing code to the registered components, otherwise an error will be returned.

  2. For clients using the Agent API, a new resource is available, permitting the resending of verification codes: /Agent/Account/ResendVerificationCodes.

Onboarding API

The /ID/SendVerificationMessage.ws now accepts payload having the following format:

{
	Nr:Optional(Str(PNr like "\\+[1-9]\\d+")),
	EMail:Optional(Str(PEMail like "[\\w\\d](\\w|\\d|[_\\.-][\\w\\d])*@(\\w|\\d|[\\.-][\\w\\d]+)+")),
	AppName:Optional(Str(PAppName)),
	Language:Optional(Str(PLanguage)),
	Resend:Optional(Bool(PResend))
}

If the Resend property is available, and is true, the method will resend any existing code to the existing number or e-mail address provided. It is not possible to send an existing code to a new number or e-mail address.

Agent API

The Agent API (from build 2025-06-02) now has a new resource: /Agent/Account/ResendVerificationCodes. This resource allows for the resending of verification codes for the account currently being created. In order to access it, the JSON Web Token (JWT) provided in the response when creating the resource must be provided. The caller also needs to provide the phone number and/or e-mail address to which codes should be resent.

Security Notice: It is not possible to resend codes for accounts, numbers or e-mail addresses that have been verified. You can only resend codes for accounts still pending verification. This includes partially verified accounts. If the phone number has been verified, but the e-mail address has not, or vice versa, you can resend the code for the unverified part, but not for the verified part. Attempts to resend codes that have been verified will be flagged, and repetitive calls to resend codes for verified accounts, numbers or addresses may result in the temporary and then permanent blocking of the endpoint making the call.

#new, #api, #onboarding, #id


IP Location Information during Onboarding

The Onboarding API has been updated to provide some additional IP Location information during onboarding, to help clients prefill fields in ID applications.

When calling the https://id.tagroot.io/ID/CountryCode.ws web service (using POST, and Accept header set to application/json), the following information will now be available in the response:

{
    "RemoteEndPoint": string,
    "CountryCode": string,
    "PhoneCode": string,
    "Country": string,
    "Region": string,
    "City": string,
    "Latitude": double,
    "Longitude": double
}

The IP Location information is provided by IP2Location.

Note: The information provided in the response may be incorrect, so users will need to verify the information provided, before including it in any ID applications.

#new, #api, #onboarding, #id


Integrating Serpro into Neuron®-based services

You can use Serpro in Neuron®-based services, by installing the TAG.Serpro.package, available in the Packages page in the Admin menu, and use the examples provided in your own services. Serpro provides an identity application authenticator, that can be used to automate the approval of identity applications on the Neuron® where it is installed. You will need to provide a key when installing. Use the following public key:

Some more information:

  • Package: TAG.Serpro.package
  • Installation key: 0WMoLBoAObn+SPgJ6Zfl6iJTxhnW8050o0sHba37z+51BUHjRm3dyL08qqQ+n4iTFDL6PYVOWeAA4bda1f2a8fb0d70921434eed848e39e7
  • Configuring Service: /Serpro/Settings.md on the Neuron® on which the service is installed.
  • More information: <https://github.com/Trust-Anchor-Group/NeuronSerpro>

#features, #id, #kyc, #neuron, #api, #repository, #new

