Skip to content


This page contains summaries of updates made to the Digidentity SERMI documentation.


As of June 14th, a 422 status will be returned for an authorisation request if the concerning smart card has not been created yet. This prevents confusion regarding why a smartcard has not been approved, even though the authorisation request was sent successfully.

Please make sure your application waits for the /sermi/{{ioe/rsse}} calls to complete before sending an approval action through /sermi/{{ioe/rsse}}/authorization.


As of June 7th 2024, it will no longer be possible to make SERMI CAB API calls to endpoints. This change supports an update announced in June of last year whereby CABs were requested to direct their API calls to instead.

To avoid disruption, we request that CABs review the endpoints listed in our CAB API specification and ensure their applications have been updated to the correct paths.


An update has been released to the CAB API to more strictly validate type values for all endpoints.

Previously, requests to the CAB API with a mismatching type were still accepted in most cases. As of this release, endpoints require that the type value match our API specification exactly. We advise that CABs review our CAB API specification to ensure that the values in use are correct.

Where an incorrect type is provided, CABs will reach a status 422 error with the error code type_invalid.


RSSs can now generate chain authorisation requests on behalf of their employees via a dedicated API endpoint. Further details can be found on the RSS API page (discontinued).

The RSS API has been formally discontinued by SERMI. A proposal has been made to reinstate the feature in the future and is currently under review by the SERMI organisation.


  • IOE and RSSE authorisations can now be renewed via endpoints in the SERMI CAB API specification. Authorisations are eligible for renewal within 30 days of expiry
  • Clarifications regarding allowed characters have been added to the User attributes page and SERMI CAB API specification


It is no longer mandatory to specify an email address when creating an IOE or RSSE via the SERMI CAB API.

According to scheme rules, the Trust Centre may not process any personal data for employees. As this includes employee names in business email addresses, the email address field had limited use and has now been removed from our API specification. Email addresses can still be optionally specified via the API if they do not contain employee personal data.


General documentation update, with a focus on the following pages:

  • User attributes, and Authorisation have been updated with more detailed information regarding the RSSE login flow
  • API Integration has been updated with examples of the UID sets to be expected from the user_info response for both IOE and RSSE logins


The specification for the SERMI CAB API has been updated with examples of RSS and RSSE creation


The User attributes page has been updated as follows:

  • CABUIDs may now only contain upper-case letters
  • IOUIDs will in some cases contain values other than a VAT number (due to the inclusion of personal data in VAT numbers in some regions)

Additionally, the following changes have been made within the specification for the SERMI CAB API:

  • Endpoints have been moved from to
  • Endpoints now require authorisation via a combination of OAuth client credentials and API-Key. CABs who have already been onboarded will receive notifications in the following week with additional credentials


UID attributes are now available via the user_info response. To test this feature, VMs will need to:

  • Adjust the scopes provided in the authorisation request as detailed in API Integration
  • Create new IOE test accounts with UID attributes enabled. Our customer success team will roll out QR codes to already-onboarded VMs over the next month which testers can scan to complete their registrations in one step

The User attributes page has been updated to reflect this update, and now contains information regarding the newly-confirmed RSSUID and RSSEUID.

Finally, documentation for the SERMI CAB API has been expanded.


Due to a restructure in the way personal data will be processed by the Trust Centre, all documentation pages have been updated to reflect the following changes:

  • IOs and IOEs will no longer provide their personal details on the Digidentity web page. These will be verified by the CAB, and then all relevant UIDs will be supplied to Digidentity via our CAB API. Once the user has been registered, the CAB will send the user a QR code to create their certificate in the Digidentity app
  • As a result of the change above, it will no longer be necessary to implement a separate 'Legal Representative' flow to retrieve IO details via the user_info response. OIDC flows will now receive only the IOEUID, IOUID, and CABUID attributes, and Digidentity will remove the possibility for VMs to retrieve further personal details in a future release


  • Removed document requirements for registration (as documents will no longer be provided directly to the TC)


  • Moved documentation from PDF version 2022-v3 to web-based format
  • Updated and expanded all sections