interledger · BlairCurrey · Jan 27, 2026
diff --git a/open-payments-specifications b/open-payments-specifications
diff --git a/packages/open-payments/src/openapi/generated/auth-server-types.ts b/packages/open-payments/src/openapi/generated/auth-server-types.ts
@@ -167,15 +167,30 @@ export interface components {
         };
         /**
          * client
-         * @description Wallet address of the client instance that is making this request.
+         * @description Client identification for grant requests.
          *
          *     When sending a non-continuation request to the AS, the client instance MUST identify itself by including the client field of the request and by signing the request.
          *
+         *     Can be either:
+         *     - A wallet address string (backwards compatible format)
+         *     - An object with either `jwk` (for directed identity) or `walletAddress` (mutually exclusive)
+         *
+         *     When using a wallet address string or the `walletAddress` property:
          *     A JSON Web Key Set document, including the public key that the client instance will use to protect this request and any continuation requests at the AS and any user-facing information about the client instance used in interactions, MUST be available at the wallet address + `/jwks.json` url.
          *
+         *     When using the `jwk` property (directed identity approach):
+         *     The client instance provides its public key directly in the request, eliminating the need for the AS to fetch it from a wallet address. This approach enhances privacy by not requiring the client to expose a persistent wallet address identifier. The `jwk` property can only be used for non-interactive grant requests (i.e.: incoming payments).
+         *
          *     If sending a grant initiation request that requires RO interaction, the wallet address MUST serve necessary client display information.
          */
-        client: string;
+        client: string | ({
+            /**
+             * Format: uri
+             * @description Wallet address of the client instance that is making this request.
+             */
+            walletAddress?: string;
+            jwk?: components["schemas"]["json-web-key"];
+        } & (unknown | unknown));
         /**
          * continue
          * @description If the AS determines that the request can be continued with additional requests, it responds with the continue field.
@@ -291,6 +306,45 @@ export interface components {
                 code?: "invalid_rotation";
             };
         };
+        /**
+         * subject
+         * @description Information about the subject for which the client is requesting information.
+         */
+        subject: {
+            /** @description A list of subject identifiers. */
+            sub_ids: {
+                /** @description Specific identifier for the subject for which the client is requesting information. */
+                id: string;
+                /**
+                 * @description The format of subject identifier that the client can accept.
+                 * @enum {string}
+                 */
+                format: "uri";
+            }[];
+        };
+        /**
+         * Ed25519 Public Key
+         * @description A JWK representation of an Ed25519 Public Key
+         */
+        "json-web-key": {
+            kid: string;
+            /**
+             * @description The cryptographic algorithm family used with the key. The only allowed value is `EdDSA`.
+             * @enum {string}
+             */
+            alg: "EdDSA";
+            /** @enum {string} */
+            use?: "sig";
+            /** @enum {string} */
+            kty: "OKP";
+            /**
+             * @description The cryptographic curve used with the key. This parameter identifies the elliptic curve (for EC keys) or the Edwards curve (for OKP keys). The only allowed value is `Ed25519`.
+             * @enum {string}
+             */
+            crv: "Ed25519";
+            /** @description The base64 url-encoded public key. */
+            x: string;
+        };
     };
     responses: never;
     parameters: never;
@@ -310,11 +364,19 @@ export interface operations {
         requestBody: {
             content: {
                 "application/json": {
+                    client: components["schemas"]["client"];
+                    interact?: components["schemas"]["interact-request"];
                     access_token: {
                         access: components["schemas"]["access"];
                     };
+                    subject?: components["schemas"]["subject"];
+                } | {
                     client: components["schemas"]["client"];
-                    interact?: components["schemas"]["interact-request"];
+                    interact: components["schemas"]["interact-request"];
+                    access_token?: {
+                        access: components["schemas"]["access"];
+                    };
+                    subject: components["schemas"]["subject"];
                 };
             };
         };
@@ -390,6 +452,7 @@ export interface operations {
                 content: {
                     "application/json": {
                         access_token?: components["schemas"]["access_token"];
+                        subject?: components["schemas"]["subject"];
                         continue: components["schemas"]["continue"];
                     };
                 };

diff --git a/packages/open-payments/src/openapi/generated/resource-server-types.ts b/packages/open-payments/src/openapi/generated/resource-server-types.ts
@@ -178,6 +178,26 @@ export interface paths {
         patch?: never;
         trace?: never;
     };
+    "/outgoing-payment-grant": {
+        parameters: {
+            query?: never;
+            header?: never;
+            path?: never;
+            cookie?: never;
+        };
+        /**
+         * Get spent amounts for current outgoing payment grant
+         * @description Returns the spent amounts for the current outgoing payment grant corresponding to the presented GNAP access token, if any. If a grant was created with an interval (recurring), the amounts returned are for the current interval.
+         */
+        get: operations["get-outgoing-payment-grant"];
+        put?: never;
+        post?: never;
+        delete?: never;
+        options?: never;
+        head?: never;
+        patch?: never;
+        trace?: never;
+    };
 }
 export type webhooks = Record<string, never>;
 export interface components {
@@ -474,9 +494,9 @@ export interface components {
         /** @description URL of a wallet address hosted by a Rafiki instance. */
         "wallet-address": string;
         /** @description The signature generated based on the Signature-Input, using the signing algorithm specified in the "alg" field of the JWK. */
-        signature: components["parameters"]["optional-signature"];
+        signature: string;
         /** @description The Signature-Input field is a Dictionary structured field containing the metadata for one or more message signatures generated from components within the HTTP message.  Each member describes a single message signature.  The member's key is the label that uniquely identifies the message signature within the context of the HTTP message.  The member's value is the serialization of the covered components Inner List plus all signature metadata parameters identified by the label.  The following components MUST be included: - "@method" - "@target-uri" - "authorization".  When the message contains a request body, the covered components MUST also include the following: - "content-digest"  The keyid parameter of the signature MUST be set to the kid value of the JWK.      See [ietf-httpbis-message-signatures](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-message-signatures#section-4.1) for more details. */
-        "signature-input": components["parameters"]["optional-signature-input"];
+        "signature-input": string;
         /** @description The signature generated based on the Signature-Input, using the signing algorithm specified in the "alg" field of the JWK. */
         "optional-signature": string;
         /** @description The Signature-Input field is a Dictionary structured field containing the metadata for one or more message signatures generated from components within the HTTP message.  Each member describes a single message signature.  The member's key is the label that uniquely identifies the message signature within the context of the HTTP message.  The member's value is the serialization of the covered components Inner List plus all signature metadata parameters identified by the label.  The following components MUST be included: - "@method" - "@target-uri" - "authorization".  When the message contains a request body, the covered components MUST also include the following: - "content-digest"  The keyid parameter of the signature MUST be set to the kid value of the JWK.      See [ietf-httpbis-message-signatures](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-message-signatures#section-4.1) for more details. */
@@ -853,4 +873,34 @@ export interface operations {
             404: components["responses"]["404"];
         };
     };
+    "get-outgoing-payment-grant": {
+        parameters: {
+            query?: never;
+            header: {
+                /** @description The Signature-Input field is a Dictionary structured field containing the metadata for one or more message signatures generated from components within the HTTP message.  Each member describes a single message signature.  The member's key is the label that uniquely identifies the message signature within the context of the HTTP message.  The member's value is the serialization of the covered components Inner List plus all signature metadata parameters identified by the label.  The following components MUST be included: - "@method" - "@target-uri" - "authorization".  When the message contains a request body, the covered components MUST also include the following: - "content-digest"  The keyid parameter of the signature MUST be set to the kid value of the JWK.      See [ietf-httpbis-message-signatures](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-message-signatures#section-4.1) for more details. */
+                "Signature-Input": components["parameters"]["signature-input"];
+                /** @description The signature generated based on the Signature-Input, using the signing algorithm specified in the "alg" field of the JWK. */
+                Signature: components["parameters"]["signature"];
+            };
+            path?: never;
+            cookie?: never;
+        };
+        requestBody?: never;
+        responses: {
+            /** @description OK */
+            200: {
+                headers: {
+                    [name: string]: unknown;
+                };
+                content: {
+                    "application/json": {
+                        spentReceiveAmount?: components["schemas"]["amount"];
+                        spentDebitAmount?: components["schemas"]["amount"];
+                    };
+                };
+            };
+            401: components["responses"]["401"];
+            403: components["responses"]["403"];
+        };
+    };
 }
+5 −20		README.md
+1 −1		VERSION
+175 −20		openapi/auth-server.yaml
+45 −3		openapi/resource-server.yaml
+2 −2		openapi/wallet-address-server.yaml