Can anyone share some information about the /capabilities endpoint? The developers site mentions that the endpoint should be implemented, and, if called without an access-token, it should return the public capabilities only, fine with me. But what about an explanation of what the ‘iss’, ‘sub’ members are to be used for? What is the intended behaviour if I would call the /capabilities endpoint, with a certain access-token, should the service only return capabilities that have a ‘sub’ equal to the ‘sub’ of the access-token (so the identity of the caller)? So in short: I am looking for a description of the intended use of the endpoint, I guess that will also make clear to me what the members of the capability JSON are meant to be used for.
In short, the capabilities endpoint is meant to display the capabilities (i.e. endpoints) of a certain iSHARE member, being either a Service Provider, Authority Register or even the Scheme Owner. For security reasons, you may want to display some endpoints only for iSHARE members and some for everyone!
That’s why there are ‘public’ endpoints and ‘restricted’ endpoints. The public endpoints will be returned to everyone, and you don’t need an (iSHARE) access token for them. The restricted endpoints will only be visible to those who will be ‘iSHARE members’ and can therefore get an access token.
As for the ‘iss’ and ‘sub’. In case there is no access token, these are a bit uncomfortable as there is no identifiable recipient. In this case (the Scheme Owner) seems to respond with its own EORI number and I think that’s reasonable (to return your own EORI instead of the recipient’s, as there is no recipient).
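The public/restricted split described in this answer, as an added example that is not part of the original thread and not iSHARE's own code. The EORI numbers, URLs, token table and response field layout are constructed assumptions; setting `sub` to the caller's EORI when a token is present follows the answer's reading and is not confirmed here by the specification.

```python
import time

OWN_EORI = "EU.EORI.NL000000001"  # constructed placeholder for this party's EORI

# Constructed capability list; "restricted" marks endpoints shown only to token holders.
CAPABILITIES = [
    {"feature": "capabilities", "url": "https://sp.example/capabilities", "restricted": False},
    {"feature": "access token", "url": "https://sp.example/connect/token", "restricted": False},
    {"feature": "orders", "url": "https://sp.example/orders", "restricted": True},
]

# Constructed stand-in for real access-token validation: token -> (caller EORI, expiry).
TOKENS = {
    "valid-token": ("EU.EORI.NL000000002", 2_000_000_000),
    "expired-token": ("EU.EORI.NL000000003", 1_000_000_000),
}

def caller_from_header(authorization, now=None):
    """Return the caller's EORI for a valid, unexpired bearer token, else None."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer":
        return None
    entry = TOKENS.get(token.strip())
    if entry is None:
        return None
    eori, expires = entry
    now = time.time() if now is None else now
    return eori if now < expires else None

def capabilities_response(authorization=None, now=None):
    """Build the capabilities payload; anything but a valid token gets public entries only."""
    caller = caller_from_header(authorization, now)
    visible = [c for c in CAPABILITIES if caller is not None or not c["restricted"]]
    return {
        "iss": OWN_EORI,
        # No identifiable recipient: fall back to our own EORI, as the answer describes.
        "sub": caller or OWN_EORI,
        "capabilities": [{"feature": c["feature"], "url": c["url"]} for c in visible],
    }
```

The filter fails closed: a missing, malformed, unknown or expired token yields the same public-only view, so restricted endpoints are never listed on the strength of a header that merely looks like a token.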