Customers can then get a JWT with these credentials and access their profile, wallets, cards etc. This is necessary when tenants want to give their customers direct access to the APIs or for customers using companion Apps. If using PKI, to generate a public/private key combination use openssl: openssl req -nodes -x509 -sha256 -newkey rsa:4096 -keyout "PrivateKey.key" -out "PublicKey.crt" -days 99999 Then extract the base64 public key from the certificate as follows: openssl x509 -in PublicKey.crt -pubkey -noout | grep -v "-----" | base64 -d| base64 -w0 For generating a special CAP (card access password) for a customer to view unmasked card details but without creating a proper identity on Eclipse, one can create an identity with identity "CAP".If this is done with a tenant JWT and no password then a random password is generated by Eclipse and SMS'd to the customers phone on profile. If CAP is passed with no JWT and no password then an SMS with an OTP is sent to the customer. This API can then be called passing CAP, a password to set and the OTP (again with no JWT).Note that a CAP cannot be used for getting a JWT. It can only be used to get card details. To create a WebAuthN identity, just pass an identity. Then proceed with getting a login-challenge to initiate the WebAuthN registration process.