================================================================================
KORENET RAILS — TENANT WELCOME PACK · CREDENTIALS
Tenant: Absa Bank Limited
Tenant Type: Commercial Bank
Subdomain: absa.korenet.cloud
Portal: https://korenet.cloud
Generated: April 20, 2026
Kore Collective (Pty) Ltd · Registration: 2020/118214/07
================================================================================

SWIFT Code:       ABSAZAJJ
Branch Code:      632005
Jurisdiction:     SARB
Regulatory Tier:  TIER_1_INSTITUTIONAL
Weekly Limit:     500000000.00

ENDPOINTS
---------
Portal:           https://korenet.cloud
Rails (tenant):   https://absa.korenet.cloud
KoreNet API:      https://api.korenet.cloud
OAuth 2.0:        https://auth.korenet.cloud
Token URL:        https://auth.korenet.cloud/oauth2/token
JWKS URL:         https://auth.korenet.cloud/.well-known/jwks.json

OAUTH 2.0 CLIENT (grant_type=client_credentials)
------------------------------------------------
client_id:     ab_82a8255771006bc898b51ae691172e2e
client_secret: REDACTED_PROVIDED_AT_BUILD_FROM_KEY_VAULT
audience:      https://api.korenet.cloud https://absa.korenet.cloud
scope:         rails:read rails:write transfers:read transfers:write vault:read ledger:read sentinel:read kip:submit vault:write vault:pair transfers:bulk compliance:read

ROLES & PERMISSIONS
-------------------
Roles:       tenant-admin, rails-operator, commercial-bank-officer
Permissions: rails.dispatch, rails.status, transfers.initiate, transfers.query, vault.query, ledger.query, sentinel.events.read, kip.submit, vault.pair, vault.pair_bank_account, transfers.bulk_dispatch, compliance.submit_report

JWT BEARER TOKEN (Valid until April 20, 2027)
------------------------------------------
REDACTED.JWT.BEARER_TOKEN_PROVIDED_AT_BUILD

JWT DETAILS
-----------
Algorithm: HS256
Key ID:    korenet-rails-hs256-g1
Issuer:    https://auth.korenet.cloud
Audience:  https://api.korenet.cloud, https://absa.korenet.cloud
Subject:   tenant:absa
Issued:    April 20, 2026
Expires:   April 20, 2027
jti:       f0c5ee19c68d2513d2348d6047a75d84
HS256 secret (keep secret — do NOT commit):
REDACTED_PROVIDED_AT_BUILD_FROM_KEY_VAULT

MTLS CLIENT CERTIFICATE
-----------------------
Common Name:         absa.korenet.cloud
Subject:             ZA, ST = Gauteng, L = Johannesburg, O = KoreNet Rails, OU = Absa Bank Limited, CN = absa.korenet.cloud, emailAddress = ops@absa.korenet.cloud
Organization:        KoreNet Rails
Organizational Unit: Absa Bank Limited
Valid From:          April 20, 2026
Valid Until:         April 20, 2027
Key Size:            4096-bit RSA
SHA-256 fingerprint: D2:EC:64:82:92:55:D9:65:CF:65:2E:E5:52:50:51:E0:B0:28:3B:86:C9:94:AB:E1:AF:27:BA:09:70:7E:18:9F
SHA-1  fingerprint:  E3:90:84:02:49:FA:B7:35:2E:91:F8:83:5F:2D:29:B7:FC:E8:0F:06
PFX passphrase:      REDACTED_PROVIDED_AT_BUILD_FROM_KEY_VAULT

Issuing CA: KoreNet Issuing CA G1
CA SHA-256 fingerprint: 3B:00:22:A6:82:DE:78:58:9B:F4:8A:ED:9F:72:26:87:4C:13:C0:82:61:76:7D:BC:63:0D:82:4F:16:D6:F5:4D

Certificate files (in certificates/):
- absa-client.crt           · X.509 client certificate
- absa-client.key           · 4096-bit RSA private key
- absa-client.pem           · cert + key (for curl --cert)
- absa-client.fullchain.pem · client + CA (for server validation)
- absa-client.pfx           · PKCS12 bundle (PFX password above)
- korenet-issuing-ca.crt           · KoreNet Issuing CA G1 (public only)

ENVIRONMENT VARIABLES
---------------------
export ABSA_TENANT="absa"
export ABSA_SUBDOMAIN="absa.korenet.cloud"
export ABSA_PORTAL_URL="https://korenet.cloud"
export ABSA_RAILS_URL="https://absa.korenet.cloud"
export ABSA_API_URL="https://api.korenet.cloud"
export ABSA_OAUTH_URL="https://auth.korenet.cloud"
export ABSA_CLIENT_ID="ab_82a8255771006bc898b51ae691172e2e"
export ABSA_CLIENT_SECRET="REDACTED_PROVIDED_AT_BUILD_FROM_KEY_VAULT"
export ABSA_JWT="REDACTED.JWT.BEARER_TOKEN_PROVIDED_AT_BUILD"
export ABSA_JWT_SECRET="REDACTED.JWT.BEARER_TOKEN_PROVIDED_AT_BUILD"
export ABSA_CERT="certificates/absa-client.crt"
export ABSA_KEY="certificates/absa-client.key"
export ABSA_PFX="certificates/absa-client.pfx"
export ABSA_PFX_PASS="REDACTED_PROVIDED_AT_BUILD_FROM_KEY_VAULT"
export ABSA_CA="certificates/korenet-issuing-ca.crt"

QUICK TEST COMMANDS
-------------------
# 1. Mint an OAuth access token (production pattern)
curl -X POST "$ABSA_OAUTH_URL/oauth2/token" \
     --cert "$ABSA_CERT" --key "$ABSA_KEY" \
     --cacert "$ABSA_CA" \
     -u "$ABSA_CLIENT_ID:$ABSA_CLIENT_SECRET" \
     -d "grant_type=client_credentials&scope=rails:read rails:write transfers:read transfers:write vault:read ledger:read sentinel:read kip:submit vault:write vault:pair transfers:bulk compliance:read"

# 2. Call tenant rails (mTLS + Bearer JWT)
curl --cert "$ABSA_CERT" --key "$ABSA_KEY" --cacert "$ABSA_CA" \
     -H "Authorization: Bearer $ABSA_JWT" \
     "$ABSA_RAILS_URL/api/v1/health"

SUPPORT
-------
Portal:           https://korenet.cloud
Onboarding:       onboarding@korenet.cloud
Technical:        dev-support@korenet.cloud
Security / abuse: security@korenet.cloud
Emergency:        emergency@korenet.cloud

SECURITY NOTES
--------------
- Rotate client_secret and JWT signing secret before April 20, 2027.
- Never commit this file to version control.
- mTLS is MANDATORY — bearer tokens alone are rejected by the rails endpoint.
- Every request is LICK-signed server-side and anchored to KoreChain.
- Sentinel Tier-B monitoring applies; anomalous traffic is fail-closed.
- 2-Signatory Quorum required for sovereign governance actions.

================================================================================
END OF CREDENTIALS FILE
