docs: mi/3243/op-grant-revocation (#3359)

* docs: mi/3243/op-grant-revocation

- New Open Payments submenu under requirements
- Moved IdP and managing wallet address keys management section under the OP submenu
- New page for viewing and revoking grants (need to fill in query and mutation input details, and example requests and responses).

* docs: mi/3243/op-grant-revocation

Fix broken links as a result of moving IdP page to requirements/open-payments

* dcos: mi/3243/op-grant-revocation

* docs: mi/324/op-grant-revocation

resolve merge conflicts

* docs: mi/3243/op-grant-revocation

* docs: mi/3243/op-grant-revocation

Updated styling on GraphQL operations.

Author: hajjimo

packages/documentation/astro.config.mjs

@@ -147,8 +147,22 @@ export default defineConfig({
                   link: '/integration/requirements/sending-fees'
                 },
                 {
-                  label: 'Identity provider (IdP)',
-                  link: '/integration/requirements/idp'
+                  label: 'Open Payments',
+                  collapsed: true,
+                  items: [
+                    {
+                      label: 'Identity provider (IdP)',
+                      link: '/integration/requirements/open-payments/idp'
+                    },
+                    {
+                      label: 'Managing wallet address keys',
+                      link: '/integration/requirements/open-payments/wallet-keys'
+                    },
+                    {
+                      label: 'Viewing and revoking grants',
+                      link: '/integration/requirements/open-payments/grants-revoking'
+                    }
+                  ]
                 }
               ]
             },

packages/documentation/src/content/docs/integration/deployment/services/auth-service.mdx

@@ -38,13 +38,13 @@ Review the <LinkOut href="https://openpayments.dev/introduction/client-keys/">Op
 
 An identity provider (IdP) is a system or service that manages user authentication, identity information, and consent. When you use your Google Account credentials to “Sign in with Google” on an app or website, for example, Google is acting as your identity provider.
 
-You must integrate with an [IdP](/integration/requirements/idp) when using Rafiki's `auth` service because the Open Payments standard requires interactive outgoing payment _grant_ requests. In an interactive request, there must be explicit interaction by an individual (for example, a client's end-user) to approve or deny the grant. In this case, the grant must be explicitly approved before an outgoing payment is created.
+You must integrate with an [IdP](/integration/requirements/open-payments/idp) when using Rafiki's `auth` service because the Open Payments standard requires interactive outgoing payment _grant_ requests. In an interactive request, there must be explicit interaction by an individual (for example, a client's end-user) to approve or deny the grant. In this case, the grant must be explicitly approved before an outgoing payment is created.
 
 :::note
 Rafiki’s [`frontend`](/integration/deployment/services/frontend-service) service requires an IdP for authentication and user management of your [Rafiki Admin](/admin/admin-user-guide) users. Out of the box, Rafiki uses Ory Kratos, a cloud-based user management system. Kratos is for internal use only and **cannot** be used as your customer-facing Open Payments authorization server.
 :::
 
-For more information about interactive grants and how they work with identity providers, review the [Identity Provider](/integration/requirements/idp) page and the <LinkOut href="https://openpayments.dev/introduction/grants/">Grant negotiation and authorization</LinkOut> page in the Open Payments docs.
+For more information about interactive grants and how they work with identity providers, review the [Identity Provider](/integration/requirements/open-payments/idp) page and the <LinkOut href="https://openpayments.dev/introduction/grants/">Grant negotiation and authorization</LinkOut> page in the Open Payments docs.
 
 ## GraphQL Auth Admin API
 

packages/documentation/src/content/docs/integration/requirements/open-payments/grants-revoking.mdx

@@ -0,0 +1,185 @@
+---
+title: Viewing and revoking grants
+---
+
+import { Badge, Tabs, TabItem } from '@astrojs/starlight/components'
+import { Mermaid, CodeBlock, LinkOut } from '@interledger/docs-design-system'
+
+Grants are the mechanism in Open Payments by which your account holders give permission to a client application to access their accounts and send payments on their behalf. Providing your account holders the ability to view and revoke grants is not required to implement and operate Rafiki, but allowing them to do so is critical to providing an optimal user experience.
+
+## View grants
+
+Use the `Grants` GraphQL query to look up all grants associated with a wallet address.
+
+<Tabs>
+<TabItem label='Operation'>
+```graphql
+query Grants(
+  $after: String
+  $before: String
+  $first: Int
+  $last: Int
+  $filter: GrantFilter
+) {
+  grants(
+    after: $after
+    before: $before
+    first: $first
+    last: $last
+    filter: $filter
+  ) {
+    edges {
+      cursor
+      node {
+        id
+        client
+        createdAt
+        state
+        access {
+          createdAt
+          id
+          identifier
+          limits {
+            interval
+            receiveAmount {
+              assetScale
+              value
+              assetCode
+            }
+            receiver
+            debitAmount {
+              assetCode
+              assetScale
+              value
+            }
+          }
+          actions
+          type
+        }
+      }
+    }
+    pageInfo {
+      endCursor
+      hasNextPage
+      hasPreviousPage
+      startCursor
+    }
+  }
+}
+```
+</TabItem>
+
+<TabItem label='Arguments'>
+```json
+{
+  "input": {
+    "after": null,
+    "before": null,
+    "first": null,
+    "last": null,
+    "filter": {
+        "state": {
+            "in": ["PROCESSING", "PENDING", "APPROVED", "FINALIZED"]
+        },
+        "identifier": {
+            "in": ["https://cloud-nine-wallet-backend/accounts/gfranklin"]
+        }
+    }
+}
+}
+```
+</TabItem>
+
+<TabItem label='Response'>
+```json
+{
+  "data": {
+    "grants": {
+      "edges": [
+        {
+          "cursor": "82637448-30d2-4242-9c85-464821dfbaf5",
+          "node": {
+            "id": "82637448-30d2-4242-9c85-464821dfbaf5",
+            "client": "https://happy-life-bank-backend/accounts/pfry",
+            "createdAt": "2025-03-27T13:48:23.615Z",
+            "state": "APPROVED",
+            "access": [
+              {
+                "createdAt": "2025-03-27T13:48:23.617Z",
+                "id": "05a5413b-7009-4ce1-949a-e0ff1b243268",
+                "identifier": "https://cloud-nine-wallet-backend/accounts/gfranklin",
+                "limits": {
+                  "interval": null,
+                  "receiveAmount": {
+                    "assetScale": 2,
+                    "value": "100",
+                    "assetCode": "USD"
+                  },
+                  "receiver": null,
+                  "debitAmount": {
+                    "assetCode": "USD",
+                    "assetScale": 2,
+                    "value": "205"
+                  }
+                },
+                "actions": [
+                  "create",
+                  "read",
+                  "list"
+                ],
+                "type": "outgoing-payment"
+              }
+            ]
+          }
+        }
+      ],
+      "pageInfo": {
+        "endCursor": "82637448-30d2-4242-9c85-464821dfbaf5",
+        "hasNextPage": false,
+        "hasPreviousPage": false,
+        "startCursor": "82637448-30d2-4242-9c85-464821dfbaf5"
+      }
+    }
+  }
+}
+```
+</TabItem>
+</Tabs>
+
+## Revoke a grant
+
+Use the `revokeGrant` GraphQL mutation to revoke a particular grant.
+
+<Tabs>
+<TabItem label='Operation'>
+```graphql
+mutation revokeGrant($input: RevokeGrantInput!) {
+    revokeGrant(input: $input) {
+        id
+    }
+}
+```
+</TabItem>
+
+<TabItem label='Arguments'>
+```json
+{
+    "input": {
+        "grantId": "2117891e-4b89-42ae-984e-e0762d5888c1"
+    }
+}
+```
+</TabItem>
+
+<TabItem label='Response'>
+```json
+{
+  "data": {
+    "revokeGrant": {
+      "id": "2117891e-4b89-42ae-984e-e0762d5888c1"
+    }
+  }
+}
+```
+</TabItem>
+</Tabs>

packages/documentation/src/content/docs/integration/requirements/idp.mdx renamed to packages/documentation/src/content/docs/integration/requirements/open-payments/idp.mdx

@@ -0,0 +1,158 @@
+---
+title: Wallet address keys
+---
+
+import { LinkOut } from '@interledger/docs-design-system'
+import { CodeBlock } from '@interledger/docs-design-system'
+import { Tabs, TabItem } from '@astrojs/starlight/components'
+
+Creating a public-private key pair for each wallet address is not required when integrating with Rafiki.
+
+You only need to create key pairs for wallet addresses if you want to allow your account holders to use/be Open Payments clients under their wallet addresses. For more information, review the Open Payments documentation about <LinkOut href="https://openpayments.dev/resources/glossary/#client">clients</LinkOut> and <LinkOut href="https://openpayments.dev/introduction/client-keys/">client keys</LinkOut>.
+
+## Create a wallet address key pair
+
+Use the `createWalletAddressKey` GraphQL mutation to create a key pair and associate it with a wallet address.
+
+<Tabs>
+<TabItem label='Operation'>
+```graphql
+mutation CreateWalletAddressKey($input: CreateWalletAddressKeyInput!) {
+  createWalletAddressKey(input: $input) {
+    code
+    message
+    success
+    walletAddressKey {
+      id
+      walletAddressId
+      revoked
+      jwk {
+        alg
+        crv
+        kid
+        kty
+        x
+      }
+      createdAt
+    }
+  }
+}
+```
+</TabItem>
+
+<TabItem label='Arguments'>
+
+```json
+{
+  "input": {
+    "jwk": {
+      "kid": "keyid-97a3a431-8ee1-48fc-ac85-70e2f5eba8e5",
+      "x": "ubqoInifJ5sssIPPnQR1gVPfmoZnJtPhTkyMXNoJF_8",
+      "alg": "EdDSA",
+      "kty": "OKP",
+      "crv": "Ed25519"
+    },
+    "walletAddressId": "695e7546-1803-4b45-96b6-6a53f4082018"
+  }
+}
+```
+
+The request is a standard request to create a JSON Web Key (JWK), which is a JSON data structure that represents a cryptographic key. <LinkOut href='https://datatracker.ietf.org/doc/html/rfc7517#section-4'>Section 4</LinkOut> of the JWK specification describes the format and associated parameters `kty`, `alg`, and `kid`. <LinkOut href='https://datatracker.ietf.org/doc/html/rfc7518#section-6'>Section 6</LinkOut> of the JSON Web Algorithms (JWA) specification describes the cryptographic algorithm for the keys and associated parameters `kty`, `crv`, and `x`.
+
+Open Payments <LinkOut href="https://openpayments.dev/apis/wallet-address-server/operations/get-wallet-address-keys/">requires</LinkOut> the following values.
+
+<div class="overflow-table">
+
+| Parameter | Required value | Description                                                                   |
+| --------- | -------------- | ----------------------------------------------------------------------------- |
+| `alg`     | `EdDSA`        | The algorithm used to generate the key pair                                   |
+| `kty`     | `OKP`          | The key type identifying the cryptographic algorithm family used with the key |
+| `crv`     | `Ed25519`      | The cryptographic curve used with the key                                     |
+
+</div>
+
+Additionally, the request must contain the `walletAddressId` of the wallet address that the key pair will be associated with.
+
+</TabItem>
+
+<TabItem label = 'Response'>
+
+```json
+{
+  "data": {
+    "createWalletAddressKey": {
+      "code": "200",
+      "message": "Added Key To Wallet Address",
+      "success": true,
+      "walletAddressKey": {
+        "id": "f2953571-f10c-44eb-ab41-4450a7ad6771",
+        "walletAddressId": "695e7546-1803-4b45-96b6-6a53f4082018",
+        "revoked": false,
+        "jwk": {
+          "alg": "EdDSA",
+          "crv": "Ed25519",
+          "kid": "keyid-97a3a431-8ee1-48fc-ac85-70e2f5eba8e5",
+          "kty": "OKP",
+          "x": "ubqoInifJ5sssIPPnQR1gVPfmoZnJtPhTkyMXNoJF_8"
+        },
+        "createdAt": "2023-03-03T09:26:41.424Z"
+      }
+    }
+  }
+}
+```
+
+</TabItem>
+</Tabs>
+
+## Revoke a wallet address key
+
+Use the `revokeWalletAddressKey` GraphQL mutation to revoke a public key associated with a wallet address. Open Payments requests using this key for request signatures will be denied going forward.
+
+<Tabs>
+<TabItem label = 'Operation'>
+
+```graphql
+mutation RevokeWalletAddressKey($input: RevokeWalletAddressKeyInput!) {
+  revokeWalletAddressKey(input: $input) {
+    walletAddressKey {
+      id
+      revoked
+      walletAddressId
+      createdAt
+    }
+  }
+}
+```
+
+</TabItem>
+
+<TabItem label = 'Arguments'>
+```json
+{
+  "input": {
+    "id": "e7532552-cff9-4ffe-883e-56613d3ae611"
+  }
+}
+```
+</TabItem>
+
+<TabItem label = 'Response'>
+
+```json
+{
+  "data": {
+    "revokeWalletAddressKey": {
+      "walletAddressKey": {
+        "id": "f2953571-f10c-44eb-ab41-4450a7ad6771",
+        "revoked": true,
+        "walletAddressId": "695e7546-1803-4b45-96b6-6a53f4082018",
+        "createdAt": "2023-03-03T09:26:41.424Z"
+      }
+    }
+  }
+}
+```
+
+</TabItem>
+</Tabs>

packages/documentation/src/content/docs/integration/requirements/open-payments/wallet-keys.mdx

@@ -57,7 +57,7 @@ An identity provider (IdP) is a system or service that stores and manages user i
 
 You must integrate with an IdP if you plan to use the authorization server provided through Rafiki's auth service. The authorization server requires consent be collected via an interactive grant before an outgoing payment request is issued. The purpose of the IdP is to handle the authentication and consent required to authorize the interactive grant request.
 
-[Integrate Rafiki with your IdP](/integration/requirements/idp)
+[Integrate Rafiki with your IdP](/integration/requirements/open-payments/idp)
 
 ## Integration checklist