================================================================================
KORENET RAILS — TENANT WELCOME PACK · CREDENTIALS
Tenant: Investec Bank Limited
Tenant Type: Investment Bank
Subdomain: investec.korenet.cloud
Portal: https://korenet.cloud
Generated: April 20, 2026
Kore Collective (Pty) Ltd · Registration: 2020/118214/07
================================================================================

SWIFT Code:       INVLZAJJ
Branch Code:      580105
Jurisdiction:     SARB
Regulatory Tier:  TIER_1_INSTITUTIONAL
Weekly Limit:     500000000.00

ENDPOINTS
---------
Portal:           https://korenet.cloud
Rails (tenant):   https://investec.korenet.cloud
KoreNet API:      https://api.korenet.cloud
OAuth 2.0:        https://auth.korenet.cloud
Token URL:        https://auth.korenet.cloud/oauth2/token
JWKS URL:         https://auth.korenet.cloud/.well-known/jwks.json

OAUTH 2.0 CLIENT (grant_type=client_credentials)
------------------------------------------------
client_id:     in_872facac585b8fbcf113fca804bf2f13
client_secret: REDACTED_PROVIDED_AT_BUILD_FROM_KEY_VAULT
audience:      https://api.korenet.cloud https://investec.korenet.cloud
scope:         rails:read rails:write transfers:read transfers:write vault:read ledger:read sentinel:read kip:submit vault:write vault:pair treasury:read treasury:write nostro:read nostro:write compliance:read

ROLES & PERMISSIONS
-------------------
Roles:       tenant-admin, rails-operator, investment-bank-officer, treasury-operator
Permissions: rails.dispatch, rails.status, transfers.initiate, transfers.query, vault.query, ledger.query, sentinel.events.read, kip.submit, vault.pair, vault.pair_bank_account, treasury.operations, nostro.manage, compliance.submit_report

JWT BEARER TOKEN (Valid until April 20, 2027)
------------------------------------------
REDACTED.JWT.BEARER_TOKEN_PROVIDED_AT_BUILD

JWT DETAILS
-----------
Algorithm: HS256
Key ID:    korenet-rails-hs256-g1
Issuer:    https://auth.korenet.cloud
Audience:  https://api.korenet.cloud, https://investec.korenet.cloud
Subject:   tenant:investec
Issued:    April 20, 2026
Expires:   April 20, 2027
jti:       6c6fb5438400f5606c2926d29933fb0a
HS256 secret (keep secret — do NOT commit):
REDACTED_PROVIDED_AT_BUILD_FROM_KEY_VAULT

MTLS CLIENT CERTIFICATE
-----------------------
Common Name:         investec.korenet.cloud
Subject:             ZA, ST = Gauteng, L = Johannesburg, O = KoreNet Rails, OU = Investec Bank Limited, CN = investec.korenet.cloud, emailAddress = ops@investec.korenet.cloud
Organization:        KoreNet Rails
Organizational Unit: Investec Bank Limited
Valid From:          April 20, 2026
Valid Until:         April 20, 2027
Key Size:            4096-bit RSA
SHA-256 fingerprint: C8:08:2F:6E:D7:FD:0D:55:C6:7F:47:2E:44:49:90:4F:DD:77:A8:59:CD:B1:36:65:2C:40:C0:68:C8:88:0C:DC
SHA-1  fingerprint:  54:00:2C:E9:BF:44:34:A1:2B:D9:E0:81:09:EE:4C:38:BB:33:DD:F7
PFX passphrase:      REDACTED_PROVIDED_AT_BUILD_FROM_KEY_VAULT

Issuing CA: KoreNet Issuing CA G1
CA SHA-256 fingerprint: 3B:00:22:A6:82:DE:78:58:9B:F4:8A:ED:9F:72:26:87:4C:13:C0:82:61:76:7D:BC:63:0D:82:4F:16:D6:F5:4D

Certificate files (in certificates/):
- investec-client.crt           · X.509 client certificate
- investec-client.key           · 4096-bit RSA private key
- investec-client.pem           · cert + key (for curl --cert)
- investec-client.fullchain.pem · client + CA (for server validation)
- investec-client.pfx           · PKCS12 bundle (PFX password above)
- korenet-issuing-ca.crt           · KoreNet Issuing CA G1 (public only)

ENVIRONMENT VARIABLES
---------------------
export INVESTEC_TENANT="investec"
export INVESTEC_SUBDOMAIN="investec.korenet.cloud"
export INVESTEC_PORTAL_URL="https://korenet.cloud"
export INVESTEC_RAILS_URL="https://investec.korenet.cloud"
export INVESTEC_API_URL="https://api.korenet.cloud"
export INVESTEC_OAUTH_URL="https://auth.korenet.cloud"
export INVESTEC_CLIENT_ID="in_872facac585b8fbcf113fca804bf2f13"
export INVESTEC_CLIENT_SECRET="REDACTED_PROVIDED_AT_BUILD_FROM_KEY_VAULT"
export INVESTEC_JWT="REDACTED.JWT.BEARER_TOKEN_PROVIDED_AT_BUILD"
export INVESTEC_JWT_SECRET="REDACTED.JWT.BEARER_TOKEN_PROVIDED_AT_BUILD"
export INVESTEC_CERT="certificates/investec-client.crt"
export INVESTEC_KEY="certificates/investec-client.key"
export INVESTEC_PFX="certificates/investec-client.pfx"
export INVESTEC_PFX_PASS="REDACTED_PROVIDED_AT_BUILD_FROM_KEY_VAULT"
export INVESTEC_CA="certificates/korenet-issuing-ca.crt"

QUICK TEST COMMANDS
-------------------
# 1. Mint an OAuth access token (production pattern)
curl -X POST "$INVESTEC_OAUTH_URL/oauth2/token" \
     --cert "$INVESTEC_CERT" --key "$INVESTEC_KEY" \
     --cacert "$INVESTEC_CA" \
     -u "$INVESTEC_CLIENT_ID:$INVESTEC_CLIENT_SECRET" \
     -d "grant_type=client_credentials&scope=rails:read rails:write transfers:read transfers:write vault:read ledger:read sentinel:read kip:submit vault:write vault:pair treasury:read treasury:write nostro:read nostro:write compliance:read"

# 2. Call tenant rails (mTLS + Bearer JWT)
curl --cert "$INVESTEC_CERT" --key "$INVESTEC_KEY" --cacert "$INVESTEC_CA" \
     -H "Authorization: Bearer $INVESTEC_JWT" \
     "$INVESTEC_RAILS_URL/api/v1/health"

SUPPORT
-------
Portal:           https://korenet.cloud
Onboarding:       onboarding@korenet.cloud
Technical:        dev-support@korenet.cloud
Security / abuse: security@korenet.cloud
Emergency:        emergency@korenet.cloud

SECURITY NOTES
--------------
- Rotate client_secret and JWT signing secret before April 20, 2027.
- Never commit this file to version control.
- mTLS is MANDATORY — bearer tokens alone are rejected by the rails endpoint.
- Every request is LICK-signed server-side and anchored to KoreChain.
- Sentinel Tier-B monitoring applies; anomalous traffic is fail-closed.
- 2-Signatory Quorum required for sovereign governance actions.

================================================================================
END OF CREDENTIALS FILE
