Step 3. Create a business member

Continuing from the previous step, TokenClient defines where your private keys will be stored and accessed. Alias specifies your business web domain, an email address, or your certificate depending on the Alias.Type you choose. A verifiable web domain, email address, or eIDAS certificate becomes your unique alias, one that no other business member can use.

We'll use the SDK's createMember method to accomplish this.

// Imports added here for completeness; the io.token.* paths follow the SDK's own
// samples and the static imports assume the SDK's TokenCluster enum and
// Apache commons-lang3 for randomAlphabetic. Adjust to your SDK version.
import static io.token.TokenClient.TokenCluster.SANDBOX;
import static org.apache.commons.lang3.RandomStringUtils.randomAlphabetic;

import io.token.Member;
import io.token.TokenClient;
import io.token.proto.common.alias.AliasProtos.Alias;
import io.token.security.UnsecuredFileSystemKeyStore;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public static Member createMember() {
    // First, create the client (see Step 2), which communicates with the Token.io cloud.
    try {
        // UnsecuredFileSystemKeyStore keeps private keys on the local filesystem;
        // as its name says, it is meant for development, not production.
        Path keys = Files.createDirectories(Paths.get("./keys"));
        TokenClient tokenClient = TokenClient.builder()
            .withKeyStore(new UnsecuredFileSystemKeyStore(keys.toFile()))
            .connectTo(SANDBOX)
            .build();

        // Next, build an alias (must be verifiable for production).
        // You can add more than one alias.
        // If the alias you provide is already being used by another member,
        // an exception will be thrown and you will have to provide another alias.
        // Here, we used a random domain, which is fine for test environments like
        // our sandbox. For production, you must provide your verified business domain
        // -- e.g., "your-business-domain.com".
        Alias alias = Alias.newBuilder()
            .setType(Alias.Type.DOMAIN)
            .setValue(randomAlphabetic(10).toLowerCase() + "noverify.com")
            .build();

        Member newMember = tokenClient.createMemberBlocking(alias);

        // Enable the default recovery rule so the member can be recovered
        // (by verifying the alias email) if the private keys are lost.
        newMember.useDefaultRecoveryRule();
        return newMember;
    } catch (IOException ioe) {
        // The key directory could not be created; there is no client to use.
        throw new RuntimeException(ioe);
    }
}

To create a member under the realm of a bank with an eIDAS alias, see Digital Identification Using eIDAS in Production below.

If you need to store keys securely elsewhere (in a directory other than ./keys, or in a store other than a plain file), implement the SDK's IKeyStore interface, using the UnsecuredFileSystemKeyStore class as a guide; as its name indicates, that class keeps private keys on the local filesystem without additional protection and is intended for development. See Managing Your Keys for more on key storage and management.

Also, as introduced above, you can set Alias.Type to EMAIL, DOMAIN or EIDAS.

Important: A verifiable DOMAIN or EIDAS certificate number must be used when deploying to production. However, an email address, notional or real, works fine in the sandbox, as long as it's unique.
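The following is an added example (not code from the Token.io documentation or SDK) that makes the sandbox-versus-production distinction above explicit in code: it builds a throwaway DOMAIN alias only for the sandbox, refuses to build a production alias that is not a plausible, verifiable business domain, and creates the key directory outside the working tree with owner-only permissions in place of ./keys. It assumes the SDK's TokenClient.TokenCluster enum (with SANDBOX and PRODUCTION values) and the Alias builder shown in Step 3; the class name MemberSetup, the hostname regex and the ~/.token directory are this example's own choices.

```java
import static org.apache.commons.lang3.RandomStringUtils.randomAlphabetic;

import io.token.TokenClient.TokenCluster;          // assumed: SDK enum, SANDBOX / PRODUCTION
import io.token.proto.common.alias.AliasProtos.Alias;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.regex.Pattern;

public final class MemberSetup {
    // Hostname shape per RFC 1123 labels: no scheme, path, whitespace or uppercase.
    private static final Pattern DOMAIN = Pattern.compile(
        "^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\\.)+[a-z]{2,63}$");

    // Suffix the SDK samples use for unverifiable sandbox aliases; never valid in production.
    private static final String SANDBOX_SUFFIX = "noverify.com";

    /** Throwaway DOMAIN alias in the sandbox; the verified business domain everywhere else. */
    public static Alias aliasFor(TokenCluster cluster, String verifiedDomain) {
        if (cluster == TokenCluster.SANDBOX) {
            return Alias.newBuilder()
                .setType(Alias.Type.DOMAIN)
                .setValue(randomAlphabetic(10).toLowerCase() + SANDBOX_SUFFIX)
                .build();
        }
        // Production (or any non-sandbox cluster): insist on a real, verifiable domain.
        if (verifiedDomain == null
                || !DOMAIN.matcher(verifiedDomain).matches()
                || verifiedDomain.endsWith(SANDBOX_SUFFIX)) {
            throw new IllegalArgumentException(
                "a verifiable business domain is required outside the sandbox, got: " + verifiedDomain);
        }
        return Alias.newBuilder()
            .setType(Alias.Type.DOMAIN)
            .setValue(verifiedDomain)
            .build();
    }

    /**
     * Key directory per environment under the user's home, restricted to the owner.
     * Keeps sandbox and production keys apart and out of the project working tree.
     * PosixFilePermissions is not supported on Windows; use an ACL there instead.
     */
    public static Path keyDirectory(TokenCluster cluster) throws IOException {
        Path dir = Paths.get(System.getProperty("user.home"), ".token",
            cluster.name().toLowerCase());
        Files.createDirectories(dir);
        // Tighten permissions even if the directory already existed with looser ones.
        Files.setPosixFilePermissions(dir, PosixFilePermissions.fromString("rwx------"));
        return dir;
    }
}
```

In the Step 3 code you would then replace `Paths.get("./keys")` with `MemberSetup.keyDirectory(cluster)` and the inline alias with `MemberSetup.aliasFor(cluster, configuredDomain)`, so that a build pointed at production cannot silently ship a random noverify.com alias or write keys into the repository.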

Digital Identification Using eIDAS in Production

eIDAS establishes "basic and reasonable standards for digital identification." In other words, an eIDAS certificate issued by a qualified trust service provider (QTSP) confirms the identity of the bearer to a reasonable legal certainty for purposes of conducting business online over the public network.

The electronic identification methods imposed by the eIDAS regulation ensure that companies do not require the physical presence of their customers in a commercial office or branch to operate or, for example, to open a bank account.

A QWAC (Qualified Website Authentication Certificate) is a type of qualified digital certificate under the trust services defined in the eIDAS Regulation. These trust services are defined as electronic services, normally provided by qualified trust service providers (QTSPs), which consist of electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services and website authentication. For website authentication, QWACs are issued to assure authentication between a website and a natural or legal person, offering website visitors proof that any business conducted on the site is protected and that there is a legitimate entity behind the website.

Under eIDAS, the QTSP validates your organization's ownership or control of the domain. It typically does this by sharing a random value with you to place at specific locations, or by sending a challenge to pre-approved email addresses and checking the response. Above all, the QTSP validates the information you provide in the Certificate Request, confirming most of these elements against independent sources and reaching out if more information is required.

For certificates, the QTSP further requires your:

  • information from a national competent authority in Europe with the designated authority to register and authorize
  • Payment Provider Type – , , and/or
  • Payment Provider Number – a registration or authorization number that has been assigned to the PSP by the NCA where the PSP is registered or authorized

For more about member creation and registration using eIDAS, see Create, Register, Recover and/or Verify a Member with an eIDAS Certificate.