================================================================================
KORENET RAILS — TENANT WELCOME PACK · CREDENTIALS
Tenant: South African Reserve Bank (SARB)
Tenant Type: Sovereign Regulator
Subdomain: sarb.korenet.cloud
Portal: https://korenet.cloud
Generated: April 20, 2026
Kore Collective (Pty) Ltd · Registration: 2020/118214/07
================================================================================

SWIFT Code:       RESBZAJJ
Jurisdiction:     SARB
Regulatory Tier:  TIER_0_REGULATOR
Weekly Limit:     UNLIMITED

ENDPOINTS
---------
Portal:           https://korenet.cloud
Rails (tenant):   https://sarb.korenet.cloud
KoreNet API:      https://api.korenet.cloud
OAuth 2.0:        https://auth.korenet.cloud
Token URL:        https://auth.korenet.cloud/oauth2/token
JWKS URL:         https://auth.korenet.cloud/.well-known/jwks.json

OAUTH 2.0 CLIENT (grant_type=client_credentials)
------------------------------------------------
client_id:     sa_3984248a349ca484bdcf0a0ca75e42f5
client_secret: REDACTED_PROVIDED_AT_BUILD_FROM_KEY_VAULT
audience:      https://api.korenet.cloud https://sarb.korenet.cloud
scope:         rails:read rails:write transfers:read transfers:write vault:read ledger:read sentinel:read kip:submit vault:write vault:admin vault:extract vault:rebalance ncd:issue ncd:redeem regulator:read regulator:supervise regulator:freeze compliance:read compliance:write ledger:write lick:sign korechain:anchor apo:admin

ROLES & PERMISSIONS
-------------------
Roles:       sovereign-regulator, sarb-supervisor, vault-administrator, compliance-authority, lick-authority
Permissions: rails.dispatch, rails.status, transfers.initiate, transfers.query, vault.query, ledger.query, sentinel.events.read, kip.submit, vault.pair, vault.create_institutional, vault.extract, vault.rebalance, vault.freeze, ncd.issue, ncd.redeem, regulator.supervise, regulator.freeze_tenant, compliance.submit_report, compliance.receive_report, ledger.write, lick.sign, korechain.anchor, apo.admin

JWT BEARER TOKEN (Valid until April 20, 2027)
------------------------------------------
REDACTED.JWT.BEARER_TOKEN_PROVIDED_AT_BUILD

JWT DETAILS
-----------
Algorithm: HS256
Key ID:    korenet-rails-hs256-g1
Issuer:    https://auth.korenet.cloud
Audience:  https://api.korenet.cloud, https://sarb.korenet.cloud
Subject:   tenant:sarb
Issued:    April 20, 2026
Expires:   April 20, 2027
jti:       39b4f016a8fbb54be46d7b1d84c43774
HS256 secret (keep secret — do NOT commit):
REDACTED_PROVIDED_AT_BUILD_FROM_KEY_VAULT

MTLS CLIENT CERTIFICATE
-----------------------
Common Name:         sarb.korenet.cloud
Subject:             ZA, ST = Gauteng, L = Johannesburg, O = KoreNet Rails, OU = South African Reserve Bank (SARB), CN = sarb.korenet.cloud, emailAddress = ops@sarb.korenet.cloud
Organization:        KoreNet Rails
Organizational Unit: South African Reserve Bank (SARB)
Valid From:          April 20, 2026
Valid Until:         April 20, 2027
Key Size:            4096-bit RSA
SHA-256 fingerprint: C8:12:AF:59:34:D4:D5:19:10:4F:94:69:AD:30:CF:32:B9:D2:C0:15:9B:CA:07:92:08:77:5B:9B:E4:AA:60:32
SHA-1  fingerprint:  5F:B5:E5:04:E1:1A:62:6A:34:AF:25:84:69:70:C7:0A:6B:09:A4:D7
PFX passphrase:      REDACTED_PROVIDED_AT_BUILD_FROM_KEY_VAULT

Issuing CA: KoreNet Issuing CA G1
CA SHA-256 fingerprint: 3B:00:22:A6:82:DE:78:58:9B:F4:8A:ED:9F:72:26:87:4C:13:C0:82:61:76:7D:BC:63:0D:82:4F:16:D6:F5:4D

Certificate files (in certificates/):
- sarb-client.crt           · X.509 client certificate
- sarb-client.key           · 4096-bit RSA private key
- sarb-client.pem           · cert + key (for curl --cert)
- sarb-client.fullchain.pem · client + CA (for server validation)
- sarb-client.pfx           · PKCS12 bundle (PFX password above)
- korenet-issuing-ca.crt           · KoreNet Issuing CA G1 (public only)

ENVIRONMENT VARIABLES
---------------------
export SARB_TENANT="sarb"
export SARB_SUBDOMAIN="sarb.korenet.cloud"
export SARB_PORTAL_URL="https://korenet.cloud"
export SARB_RAILS_URL="https://sarb.korenet.cloud"
export SARB_API_URL="https://api.korenet.cloud"
export SARB_OAUTH_URL="https://auth.korenet.cloud"
export SARB_CLIENT_ID="sa_3984248a349ca484bdcf0a0ca75e42f5"
export SARB_CLIENT_SECRET="REDACTED_PROVIDED_AT_BUILD_FROM_KEY_VAULT"
export SARB_JWT="REDACTED.JWT.BEARER_TOKEN_PROVIDED_AT_BUILD"
export SARB_JWT_SECRET="REDACTED.JWT.BEARER_TOKEN_PROVIDED_AT_BUILD"
export SARB_CERT="certificates/sarb-client.crt"
export SARB_KEY="certificates/sarb-client.key"
export SARB_PFX="certificates/sarb-client.pfx"
export SARB_PFX_PASS="REDACTED_PROVIDED_AT_BUILD_FROM_KEY_VAULT"
export SARB_CA="certificates/korenet-issuing-ca.crt"

QUICK TEST COMMANDS
-------------------
# 1. Mint an OAuth access token (production pattern)
curl -X POST "$SARB_OAUTH_URL/oauth2/token" \
     --cert "$SARB_CERT" --key "$SARB_KEY" \
     --cacert "$SARB_CA" \
     -u "$SARB_CLIENT_ID:$SARB_CLIENT_SECRET" \
     -d "grant_type=client_credentials&scope=rails:read rails:write transfers:read transfers:write vault:read ledger:read sentinel:read kip:submit vault:write vault:admin vault:extract vault:rebalance ncd:issue ncd:redeem regulator:read regulator:supervise regulator:freeze compliance:read compliance:write ledger:write lick:sign korechain:anchor apo:admin"

# 2. Call tenant rails (mTLS + Bearer JWT)
curl --cert "$SARB_CERT" --key "$SARB_KEY" --cacert "$SARB_CA" \
     -H "Authorization: Bearer $SARB_JWT" \
     "$SARB_RAILS_URL/api/v1/health"

SUPPORT
-------
Portal:           https://korenet.cloud
Onboarding:       onboarding@korenet.cloud
Technical:        dev-support@korenet.cloud
Security / abuse: security@korenet.cloud
Emergency:        emergency@korenet.cloud

SECURITY NOTES
--------------
- Rotate client_secret and JWT signing secret before April 20, 2027.
- Never commit this file to version control.
- mTLS is MANDATORY — bearer tokens alone are rejected by the rails endpoint.
- Every request is LICK-signed server-side and anchored to KoreChain.
- Sentinel Tier-A monitoring applies; anomalous traffic is fail-closed.
- 4-Signatory Quorum required for sovereign governance actions.

================================================================================
END OF CREDENTIALS FILE
