From aa1a6c76b1775694bfff0ae3adaac1eb489d3234 Mon Sep 17 00:00:00 2001
From: beltram <beltram.maldant@gmail.com>
Date: Fri, 10 Mar 2023 14:02:25 +0100
Subject: [PATCH] feat: support qualified client id from wire clients with : as
 delimiter

---
 acme/src/identifier.rs                        |   2 +-
 acme/src/order.rs                             |  17 +-
 cli/src/access_generate.rs                    |   2 +-
 cli/src/access_verify.rs                      |   2 +-
 e2e-identity/README.md                        | 646 +++++++++---------
 e2e-identity/src/lib.rs                       |   8 +-
 e2e-identity/tests/api.rs                     |   8 +-
 e2e-identity/tests/utils/cfg.rs               |   2 +-
 e2e-identity/tests/utils/fmk.rs               |   6 +-
 .../tests/utils/wire_server/server_api.rs     |   2 +-
 jwt/src/access/generate.rs                    |   6 +-
 jwt/src/access/mod.rs                         |   2 +-
 jwt/src/dpop/generate.rs                      |   2 +-
 jwt/src/dpop/mod.rs                           |   2 +-
 jwt/src/jwt/verify.rs                         |   2 +-
 jwt/src/model/client_id.rs                    | 241 +++++--
 jwt/src/test_utils/access.rs                  |   2 +-
 jwt/src/test_utils/dpop.rs                    |   2 +-
 18 files changed, 527 insertions(+), 427 deletions(-)

diff --git a/acme/src/identifier.rs b/acme/src/identifier.rs
index 9c230f2a..7e42a275 100644
--- a/acme/src/identifier.rs
+++ b/acme/src/identifier.rs
@@ -10,7 +10,7 @@ pub enum AcmeIdentifier {
 
 impl AcmeIdentifier {
     pub fn try_new(display_name: String, domain: String, client_id: ClientId, handle: String) -> RustyAcmeResult<Self> {
-        let client_id = client_id.to_subject();
+        let client_id = client_id.to_uri();
         let identifier = WireIdentifier {
             display_name,
             domain,
diff --git a/acme/src/order.rs b/acme/src/order.rs
index 9bdf9319..62c3819f 100644
--- a/acme/src/order.rs
+++ b/acme/src/order.rs
@@ -1,15 +1,16 @@
-use crate::prelude::*;
 use rusty_jwt_tools::prelude::*;
 
+use crate::prelude::*;
+
 // Order creation
 impl RustyAcme {
     /// create a new order
     /// see [RFC 8555 Section 7.4](https://www.rfc-editor.org/rfc/rfc8555.html#section-7.4).
     #[allow(clippy::too_many_arguments)]
     pub fn new_order_request(
-        display_name: String,
+        display_name: &str,
         client_id: ClientId,
-        handle: String,
+        handle: &str,
         expiry: core::time::Duration,
         directory: &AcmeDirectory,
         account: &AcmeAccount,
@@ -21,7 +22,12 @@ impl RustyAcme {
         let acct_url = account.acct_url()?;
 
         let domain = client_id.domain.clone();
-        let identifiers = vec![AcmeIdentifier::try_new(display_name, domain, client_id, handle)?];
+        let identifiers = vec![AcmeIdentifier::try_new(
+            display_name.to_string(),
+            domain,
+            client_id,
+            handle.to_string(),
+        )?];
         let not_before = time::OffsetDateTime::now_utc();
         let not_after = not_before + expiry;
         let payload = AcmeOrderRequest {
@@ -231,10 +237,11 @@ pub enum AcmeOrderStatus {
 
 #[cfg(test)]
 mod tests {
-    use super::*;
     use serde_json::json;
     use wasm_bindgen_test::*;
 
+    use super::*;
+
     wasm_bindgen_test_configure!(run_in_browser);
 
     mod json {
diff --git a/cli/src/access_generate.rs b/cli/src/access_generate.rs
index 68bbc57a..3b57d80c 100644
--- a/cli/src/access_generate.rs
+++ b/cli/src/access_generate.rs
@@ -57,7 +57,7 @@ impl AccessGenerate {
             extra_claims: None,
         };
         let nonce: BackendNonce = self.nonce.into();
-        let client_id: ClientId = self.client_id.as_str().try_into().expect("Invalid 'client_id'");
+        let client_id = ClientId::try_from_uri(&self.client_id).expect("Invalid 'client_id'");
         let expiry = core::time::Duration::from_secs(self.expiry);
 
         let client_dpop_token =
diff --git a/cli/src/access_verify.rs b/cli/src/access_verify.rs
index 07392d4f..02bdb770 100644
--- a/cli/src/access_verify.rs
+++ b/cli/src/access_verify.rs
@@ -46,7 +46,7 @@ impl AccessVerify {
             .trim()
             .to_string();
 
-        let client_id: ClientId = self.client_id.as_str().try_into().expect("Invalid 'client_id'");
+        let client_id = ClientId::try_from_uri(&self.client_id).expect("Invalid 'client_id'");
         let challenge: AcmeNonce = self.challenge.into();
         let (_, backend_pk) = parse_public_key_pem(read_file(Some(&self.key)).unwrap());
 
diff --git a/e2e-identity/README.md b/e2e-identity/README.md
index b1401482..d22ff8cb 100644
--- a/e2e-identity/README.md
+++ b/e2e-identity/README.md
@@ -11,14 +11,14 @@ sequenceDiagram
     acme-server->>-wire-client: 201
     wire-client->>+acme-server: 🔒 POST /acme/wire/new-order
     acme-server->>-wire-client: 201
-    wire-client->>+acme-server: 🔒 POST /acme/wire/authz/N7kIofylgL53ediczRqyQ0YFGZ3HkoX9
+    wire-client->>+acme-server: 🔒 POST /acme/wire/authz/v4xbDJNNkojniM8PiKL9BzpGtVZMt1gD
     acme-server->>-wire-client: 200
     wire-client->>+wire-server:  GET /clients/token/nonce
     wire-server->>-wire-client: 200
     wire-client->>wire-client: create DPoP token
-    wire-client->>+wire-server:  POST /clients/1020340586340102579/access-token
+    wire-client->>+wire-server:  POST /clients/5512380144665194603/access-token
     wire-server->>-wire-client: 200
-    wire-client->>+acme-server: 🔒 POST /acme/wire/challenge/N7kIofylgL53ediczRqyQ0YFGZ3HkoX9/0H2Qr2LfBEj0SCIycIYtWJLyTcY5U4AW
+    wire-client->>+acme-server: 🔒 POST /acme/wire/challenge/v4xbDJNNkojniM8PiKL9BzpGtVZMt1gD/HhFufnzfL9abzJzpUNeblQGthEcrac9J
     acme-server->>-wire-client: 200
     wire-client->>+wire-server:  GET /login
     wire-server->>wire-server: verifier & challenge codes
@@ -32,19 +32,19 @@ sequenceDiagram
     authorization-server->>authorization-server: verify verifier & challenge codes
     authorization-server->>-wire-server: 200
     wire-server->>-wire-client: 200
-    wire-client->>+acme-server: 🔒 POST /acme/wire/challenge/N7kIofylgL53ediczRqyQ0YFGZ3HkoX9/tlKZbv1pdNIo8WaWQq2GRtbov3TXPDui
+    wire-client->>+acme-server: 🔒 POST /acme/wire/challenge/v4xbDJNNkojniM8PiKL9BzpGtVZMt1gD/wimvHnzRMq5quCx5oGME98k21k0HEtyI
     acme-server->>-wire-client: 200
-    wire-client->>+acme-server: 🔒 POST /acme/wire/order/GABvJPMf7CqbdUqnJTyX8T2EbIzfDCtW
+    wire-client->>+acme-server: 🔒 POST /acme/wire/order/yuiEjO5FoYP7Z2rOTPDDNEOzLuPMt8R1
     acme-server->>-wire-client: 200
-    wire-client->>+acme-server: 🔒 POST /acme/wire/order/GABvJPMf7CqbdUqnJTyX8T2EbIzfDCtW/finalize
+    wire-client->>+acme-server: 🔒 POST /acme/wire/order/yuiEjO5FoYP7Z2rOTPDDNEOzLuPMt8R1/finalize
     acme-server->>-wire-client: 200
-    wire-client->>+acme-server: 🔒 POST /acme/wire/certificate/HxDzSMtcRmY1avHP4iT86D0qog6Vj0tA
+    wire-client->>+acme-server: 🔒 POST /acme/wire/certificate/C6BUkXe2ZQbPzbWJGQWN0lhwQlhjf31Y
     acme-server->>-wire-client: 200
 ```
 ### Initial setup with ACME server
 #### 1. fetch acme directory for hyperlinks
 ```http request
-GET https://stepca:55834/acme/wire/directory
+GET https://stepca:56174/acme/wire/directory
                         /acme/{acme-provisioner}/directory
 ```
 #### 2. get the ACME directory with links for newNonce, newAccount & newOrder
@@ -54,37 +54,37 @@ content-type: application/json
 ```
 ```json
 {
-  "newNonce": "https://stepca:55834/acme/wire/new-nonce",
-  "newAccount": "https://stepca:55834/acme/wire/new-account",
-  "newOrder": "https://stepca:55834/acme/wire/new-order"
+  "newNonce": "https://stepca:56174/acme/wire/new-nonce",
+  "newAccount": "https://stepca:56174/acme/wire/new-account",
+  "newOrder": "https://stepca:56174/acme/wire/new-order"
 }
 ```
 #### 3. fetch a new nonce for the very first request
 ```http request
-HEAD https://stepca:55834/acme/wire/new-nonce
+HEAD https://stepca:56174/acme/wire/new-nonce
                          /acme/{acme-provisioner}/new-nonce
 ```
 #### 4. get a nonce for creating an account
 ```http request
 200
 cache-control: no-store
-link: <https://stepca:55834/acme/wire/directory>;rel="index"
-replay-nonce: ck0wNFV6d0pjb0xYR1NyYVdzWXNwU3IyQVVLNWx4MGw
+link: <https://stepca:56174/acme/wire/directory>;rel="index"
+replay-nonce: Wm0wNHl5VmJJcm1RRTA3UHJvUzNYT29kNjFoa0FnUTM
 ```
 ```text
-ck0wNFV6d0pjb0xYR1NyYVdzWXNwU3IyQVVLNWx4MGw
+Wm0wNHl5VmJJcm1RRTA3UHJvUzNYT29kNjFoa0FnUTM
 ```
 #### 5. create a new account
 ```http request
-POST https://stepca:55834/acme/wire/new-account
+POST https://stepca:56174/acme/wire/new-account
                          /acme/{acme-provisioner}/new-account
 content-type: application/jose+json
 ```
 ```json
 {
-  "protected": "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCIsImp3ayI6eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5IiwieCI6Inl4eUtWVXVBbnpiOWZ1WDBKb3VWWXhGbVRLdHJyVHNWM0ZxQWRWQUhjT2MifSwibm9uY2UiOiJjazB3TkZWNmQwcGpiMHhZUjFOeVlWZHpXWE53VTNJeVFWVkxOV3g0TUd3IiwidXJsIjoiaHR0cHM6Ly9zdGVwY2E6NTU4MzQvYWNtZS93aXJlL25ldy1hY2NvdW50In0",
+  "protected": "eyJhbGciOiJFZERTQSIsInR5cCI6IkpXVCIsImp3ayI6eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5IiwieCI6IjduUEVUOTdGQUxWQWJMTGwyQWRSdlNsMW56c0YxTklDR3h4LUFEN3E0Q3MifSwibm9uY2UiOiJXbTB3TkhsNVZtSkpjbTFSUlRBM1VISnZVek5ZVDI5a05qRm9hMEZuVVRNIiwidXJsIjoiaHR0cHM6Ly9zdGVwY2E6NTYxNzQvYWNtZS93aXJlL25ldy1hY2NvdW50In0",
   "payload": "eyJ0ZXJtc09mU2VydmljZUFncmVlZCI6dHJ1ZSwiY29udGFjdCI6WyJ1bmtub3duQGV4YW1wbGUuY29tIl0sIm9ubHlSZXR1cm5FeGlzdGluZyI6ZmFsc2V9",
-  "signature": "mgkvWh5OPNMS-VDROCnQOkRpMeT4bCTGtADuNv9SooXl1vRgRFnuwFfj9CB3iM_7xW_-N1OAt5LQ8h93QQCCAA"
+  "signature": "ZAs8TC6UkPFjmEIAcICeKpQhIKgIzx34Mr8HuNXkwHyCSwqC8KgnMgsUAU9n-1e1WG2etJbZzNcbn5yyizKEDg"
 }
 ```
 ```json
@@ -95,10 +95,10 @@ content-type: application/jose+json
     "jwk": {
       "kty": "OKP",
       "crv": "Ed25519",
-      "x": "yxyKVUuAnzb9fuX0JouVYxFmTKtrrTsV3FqAdVAHcOc"
+      "x": "7nPET97FALVAbLLl2AdRvSl1nzsF1NICGxx-AD7q4Cs"
     },
-    "nonce": "ck0wNFV6d0pjb0xYR1NyYVdzWXNwU3IyQVVLNWx4MGw",
-    "url": "https://stepca:55834/acme/wire/new-account"
+    "nonce": "Wm0wNHl5VmJJcm1RRTA3UHJvUzNYT29kNjFoa0FnUTM",
+    "url": "https://stepca:56174/acme/wire/new-account"
   },
   "payload": {
     "termsOfServiceAgreed": true,
@@ -114,48 +114,48 @@ content-type: application/jose+json
 201
 cache-control: no-store
 content-type: application/json
-link: <https://stepca:55834/acme/wire/directory>;rel="index"
-location: https://stepca:55834/acme/wire/account/M9tVubnIBqarkKabBABx7PMSB8pKNCau
-replay-nonce: TE80R1g0NjQzckhYbmwyamlkTDJIVXNtbzJ1NXNhZ1g
+link: <https://stepca:56174/acme/wire/directory>;rel="index"
+location: https://stepca:56174/acme/wire/account/1pajXcmM0Q2pGlvNuYMVDfArKKXE4R8k
+replay-nonce: YzVnZUh3Q2Q2MnJsbzljQnZIV084TGpIeWJ0V0hCVks
 ```
 ```json
 {
   "status": "valid",
-  "orders": "https://stepca:55834/acme/wire/account/M9tVubnIBqarkKabBABx7PMSB8pKNCau/orders"
+  "orders": "https://stepca:56174/acme/wire/account/1pajXcmM0Q2pGlvNuYMVDfArKKXE4R8k/orders"
 }
 ```
 ### Request a certificate with relevant identifiers
 #### 7. create a new order
 ```http request
-POST https://stepca:55834/acme/wire/new-order
+POST https://stepca:56174/acme/wire/new-order
                          /acme/{acme-provisioner}/new-order
 content-type: application/jose+json
 ```
 ```json
 {
-  "protected": "eyJhbGciOiJFZERTQSIsImtpZCI6Imh0dHBzOi8vc3RlcGNhOjU1ODM0L2FjbWUvd2lyZS9hY2NvdW50L005dFZ1Ym5JQnFhcmtLYWJCQUJ4N1BNU0I4cEtOQ2F1IiwidHlwIjoiSldUIiwibm9uY2UiOiJURTgwUjFnME5qUXpja2hZYm13eWFtbGtUREpJVlhOdGJ6SjFOWE5oWjFnIiwidXJsIjoiaHR0cHM6Ly9zdGVwY2E6NTU4MzQvYWNtZS93aXJlL25ldy1vcmRlciJ9",
-  "payload": "eyJpZGVudGlmaWVycyI6W3sidHlwZSI6IndpcmVhcHAtaWQiLCJ2YWx1ZSI6IntcIm5hbWVcIjpcIlNtaXRoLCBBbGljZSBNIChRQSlcIixcImRvbWFpblwiOlwid2lyZS5jb21cIixcImNsaWVudC1pZFwiOlwiaW06d2lyZWFwcD1OR1ZoTXpCak5ESXdaVEUyTkdSalpXRXhZekZrTXpNd01XWXhNV1l6TUdVL2UyOGZhNWI3NmI3MzFiM0B3aXJlLmNvbVwiLFwiaGFuZGxlXCI6XCJpbTp3aXJlYXBwPWFsaWNlLnNtaXRoLnFhQHdpcmUuY29tXCJ9In1dLCJub3RCZWZvcmUiOiIyMDIzLTAzLTA5VDE3OjQ1OjMxLjY5NjEwNFoiLCJub3RBZnRlciI6IjIwMjMtMDMtMDlUMTg6NDU6MzEuNjk2MTA0WiJ9",
-  "signature": "EzwJT--UASnjlnrzYwARK4y7rgdg4io_Z6cbPZMVZJPk983tKBzwJAB7DZSoAXa2eGK0Ze7RDU2aFoKSzSNfBA"
+  "protected": "eyJhbGciOiJFZERTQSIsImtpZCI6Imh0dHBzOi8vc3RlcGNhOjU2MTc0L2FjbWUvd2lyZS9hY2NvdW50LzFwYWpYY21NMFEycEdsdk51WU1WRGZBcktLWEU0UjhrIiwidHlwIjoiSldUIiwibm9uY2UiOiJZelZuWlVoM1EyUTJNbkpzYnpsalFuWklWMDg0VEdwSWVXSjBWMGhDVmtzIiwidXJsIjoiaHR0cHM6Ly9zdGVwY2E6NTYxNzQvYWNtZS93aXJlL25ldy1vcmRlciJ9",
+  "payload": "eyJpZGVudGlmaWVycyI6W3sidHlwZSI6IndpcmVhcHAtaWQiLCJ2YWx1ZSI6IntcIm5hbWVcIjpcIlNtaXRoLCBBbGljZSBNIChRQSlcIixcImRvbWFpblwiOlwid2lyZS5jb21cIixcImNsaWVudC1pZFwiOlwiaW06d2lyZWFwcD1OVFkxT0RJeFpETTJOVEUyTkRJMk9HRmtPV1EwTnpWak0yVTFNR1kzT1dFLzRjN2ZlODg5MjVhZjcwNmJAd2lyZS5jb21cIixcImhhbmRsZVwiOlwiaW06d2lyZWFwcD1hbGljZS5zbWl0aC5xYUB3aXJlLmNvbVwifSJ9XSwibm90QmVmb3JlIjoiMjAyMy0wMy0xMFQxNDoyNTozMC44MTg0MTZaIiwibm90QWZ0ZXIiOiIyMDIzLTAzLTEwVDE1OjI1OjMwLjgxODQxNloifQ",
+  "signature": "DzZKjTKRp3k360gArQWT-tmuTZ2kgzEyFY1UMNABvVh48y65YOxCAObFPrHazfVVouruc7B-dfpNkU_OsvNeDg"
 }
 ```
 ```json
 {
   "protected": {
     "alg": "EdDSA",
-    "kid": "https://stepca:55834/acme/wire/account/M9tVubnIBqarkKabBABx7PMSB8pKNCau",
+    "kid": "https://stepca:56174/acme/wire/account/1pajXcmM0Q2pGlvNuYMVDfArKKXE4R8k",
     "typ": "JWT",
-    "nonce": "TE80R1g0NjQzckhYbmwyamlkTDJIVXNtbzJ1NXNhZ1g",
-    "url": "https://stepca:55834/acme/wire/new-order"
+    "nonce": "YzVnZUh3Q2Q2MnJsbzljQnZIV084TGpIeWJ0V0hCVks",
+    "url": "https://stepca:56174/acme/wire/new-order"
   },
   "payload": {
     "identifiers": [
       {
         "type": "wireapp-id",
-        "value": "{\"name\":\"Smith, Alice M (QA)\",\"domain\":\"wire.com\",\"client-id\":\"im:wireapp=NGVhMzBjNDIwZTE2NGRjZWExYzFkMzMwMWYxMWYzMGU/e28fa5b76b731b3@wire.com\",\"handle\":\"im:wireapp=alice.smith.qa@wire.com\"}"
+        "value": "{\"name\":\"Smith, Alice M (QA)\",\"domain\":\"wire.com\",\"client-id\":\"im:wireapp=NTY1ODIxZDM2NTE2NDI2OGFkOWQ0NzVjM2U1MGY3OWE/4c7fe88925af706b@wire.com\",\"handle\":\"im:wireapp=alice.smith.qa@wire.com\"}"
       }
     ],
-    "notBefore": "2023-03-09T17:45:31.696104Z",
-    "notAfter": "2023-03-09T18:45:31.696104Z"
+    "notBefore": "2023-03-10T14:25:30.818416Z",
+    "notAfter": "2023-03-10T15:25:30.818416Z"
   }
 }
 ```
@@ -164,50 +164,50 @@ content-type: application/jose+json
 201
 cache-control: no-store
 content-type: application/json
-link: <https://stepca:55834/acme/wire/directory>;rel="index"
-location: https://stepca:55834/acme/wire/order/GABvJPMf7CqbdUqnJTyX8T2EbIzfDCtW
-replay-nonce: dEVMSGtzU1c1V1FTTHFtaUxQMnU5bHZSeVFqUlNwT24
+link: <https://stepca:56174/acme/wire/directory>;rel="index"
+location: https://stepca:56174/acme/wire/order/yuiEjO5FoYP7Z2rOTPDDNEOzLuPMt8R1
+replay-nonce: MjFuSEdsb2VXMVozY3Y2djFFMW9VcjlldlN4NXdsZzY
 ```
 ```json
 {
   "status": "pending",
-  "finalize": "https://stepca:55834/acme/wire/order/GABvJPMf7CqbdUqnJTyX8T2EbIzfDCtW/finalize",
+  "finalize": "https://stepca:56174/acme/wire/order/yuiEjO5FoYP7Z2rOTPDDNEOzLuPMt8R1/finalize",
   "identifiers": [
     {
       "type": "wireapp-id",
-      "value": "{\"name\":\"Smith, Alice M (QA)\",\"domain\":\"wire.com\",\"client-id\":\"im:wireapp=NGVhMzBjNDIwZTE2NGRjZWExYzFkMzMwMWYxMWYzMGU/e28fa5b76b731b3@wire.com\",\"handle\":\"im:wireapp=alice.smith.qa@wire.com\"}"
+      "value": "{\"name\":\"Smith, Alice M (QA)\",\"domain\":\"wire.com\",\"client-id\":\"im:wireapp=NTY1ODIxZDM2NTE2NDI2OGFkOWQ0NzVjM2U1MGY3OWE/4c7fe88925af706b@wire.com\",\"handle\":\"im:wireapp=alice.smith.qa@wire.com\"}"
     }
   ],
   "authorizations": [
-    "https://stepca:55834/acme/wire/authz/N7kIofylgL53ediczRqyQ0YFGZ3HkoX9"
+    "https://stepca:56174/acme/wire/authz/v4xbDJNNkojniM8PiKL9BzpGtVZMt1gD"
   ],
-  "expires": "2023-03-10T17:45:31Z",
-  "notBefore": "2023-03-09T17:45:31.696104Z",
-  "notAfter": "2023-03-09T18:45:31.696104Z"
+  "expires": "2023-03-11T14:25:30Z",
+  "notBefore": "2023-03-10T14:25:30.818416Z",
+  "notAfter": "2023-03-10T15:25:30.818416Z"
 }
 ```
 ### Display-name and handle already authorized
 #### 9. fetch challenge
 ```http request
-POST https://stepca:55834/acme/wire/authz/N7kIofylgL53ediczRqyQ0YFGZ3HkoX9
+POST https://stepca:56174/acme/wire/authz/v4xbDJNNkojniM8PiKL9BzpGtVZMt1gD
                          /acme/{acme-provisioner}/authz/{authz-id}
 content-type: application/jose+json
 ```
 ```json
 {
-  "protected": "eyJhbGciOiJFZERTQSIsImtpZCI6Imh0dHBzOi8vc3RlcGNhOjU1ODM0L2FjbWUvd2lyZS9hY2NvdW50L005dFZ1Ym5JQnFhcmtLYWJCQUJ4N1BNU0I4cEtOQ2F1IiwidHlwIjoiSldUIiwibm9uY2UiOiJkRVZNU0d0elUxYzFWMUZUVEhGdGFVeFFNblU1YkhaU2VWRnFVbE53VDI0IiwidXJsIjoiaHR0cHM6Ly9zdGVwY2E6NTU4MzQvYWNtZS93aXJlL2F1dGh6L043a0lvZnlsZ0w1M2VkaWN6UnF5UTBZRkdaM0hrb1g5In0",
+  "protected": "eyJhbGciOiJFZERTQSIsImtpZCI6Imh0dHBzOi8vc3RlcGNhOjU2MTc0L2FjbWUvd2lyZS9hY2NvdW50LzFwYWpYY21NMFEycEdsdk51WU1WRGZBcktLWEU0UjhrIiwidHlwIjoiSldUIiwibm9uY2UiOiJNakZ1U0Vkc2IyVlhNVm96WTNZMmRqRkZNVzlWY2psbGRsTjROWGRzWnpZIiwidXJsIjoiaHR0cHM6Ly9zdGVwY2E6NTYxNzQvYWNtZS93aXJlL2F1dGh6L3Y0eGJESk5Oa29qbmlNOFBpS0w5QnpwR3RWWk10MWdEIn0",
   "payload": "",
-  "signature": "ZrKWpYEuChEFKO8TokJmPncdPnEJ5mi7aV2g8G0i3EvQpcokyXnATx8AvzMORX_JC5UEq1o_QKviYZFbuOdrCQ"
+  "signature": "SbAQFaeDS6oBtC7Pt_3a_V-OAPlHXdQVKXJpwtxf40uQ0f4Ci6QA9QKFonzF-9LNmJ5jCEdQyZApPIw9yHJhDw"
 }
 ```
 ```json
 {
   "protected": {
     "alg": "EdDSA",
-    "kid": "https://stepca:55834/acme/wire/account/M9tVubnIBqarkKabBABx7PMSB8pKNCau",
+    "kid": "https://stepca:56174/acme/wire/account/1pajXcmM0Q2pGlvNuYMVDfArKKXE4R8k",
     "typ": "JWT",
-    "nonce": "dEVMSGtzU1c1V1FTTHFtaUxQMnU5bHZSeVFqUlNwT24",
-    "url": "https://stepca:55834/acme/wire/authz/N7kIofylgL53ediczRqyQ0YFGZ3HkoX9"
+    "nonce": "MjFuSEdsb2VXMVozY3Y2djFFMW9VcjlldlN4NXdsZzY",
+    "url": "https://stepca:56174/acme/wire/authz/v4xbDJNNkojniM8PiKL9BzpGtVZMt1gD"
   },
   "payload": {}
 }
@@ -217,38 +217,38 @@ content-type: application/jose+json
 200
 cache-control: no-store
 content-type: application/json
-link: <https://stepca:55834/acme/wire/directory>;rel="index"
-location: https://stepca:55834/acme/wire/authz/N7kIofylgL53ediczRqyQ0YFGZ3HkoX9
-replay-nonce: NU5hMlFtSmd1T0t2M2lmM2htQjJsOVBBSnBqQ2l6eUk
+link: <https://stepca:56174/acme/wire/directory>;rel="index"
+location: https://stepca:56174/acme/wire/authz/v4xbDJNNkojniM8PiKL9BzpGtVZMt1gD
+replay-nonce: Y3lHbTVwT2VHY04zdTZEbXdTYWhQQVI2b0tuT0Y0Wlk
 ```
 ```json
 {
   "status": "pending",
-  "expires": "2023-03-10T17:45:31Z",
+  "expires": "2023-03-11T14:25:30Z",
   "challenges": [
     {
       "type": "wire-oidc-01",
-      "url": "https://stepca:55834/acme/wire/challenge/N7kIofylgL53ediczRqyQ0YFGZ3HkoX9/tlKZbv1pdNIo8WaWQq2GRtbov3TXPDui",
+      "url": "https://stepca:56174/acme/wire/challenge/v4xbDJNNkojniM8PiKL9BzpGtVZMt1gD/wimvHnzRMq5quCx5oGME98k21k0HEtyI",
       "status": "pending",
-      "token": "BZSI5HrCT40ZAZ2JbxE1lwJXxwPWMTh9"
+      "token": "KiiBV21e0RqtqqgjVtKWSRJKGjQZJvkq"
     },
     {
       "type": "wire-dpop-01",
-      "url": "https://stepca:55834/acme/wire/challenge/N7kIofylgL53ediczRqyQ0YFGZ3HkoX9/0H2Qr2LfBEj0SCIycIYtWJLyTcY5U4AW",
+      "url": "https://stepca:56174/acme/wire/challenge/v4xbDJNNkojniM8PiKL9BzpGtVZMt1gD/HhFufnzfL9abzJzpUNeblQGthEcrac9J",
       "status": "pending",
-      "token": "BZSI5HrCT40ZAZ2JbxE1lwJXxwPWMTh9"
+      "token": "KiiBV21e0RqtqqgjVtKWSRJKGjQZJvkq"
     }
   ],
   "identifier": {
     "type": "wireapp-id",
-    "value": "{\"name\":\"Smith, Alice M (QA)\",\"domain\":\"wire.com\",\"client-id\":\"im:wireapp=NGVhMzBjNDIwZTE2NGRjZWExYzFkMzMwMWYxMWYzMGU/e28fa5b76b731b3@wire.com\",\"handle\":\"im:wireapp=alice.smith.qa@wire.com\"}"
+    "value": "{\"name\":\"Smith, Alice M (QA)\",\"domain\":\"wire.com\",\"client-id\":\"im:wireapp=NTY1ODIxZDM2NTE2NDI2OGFkOWQ0NzVjM2U1MGY3OWE/4c7fe88925af706b@wire.com\",\"handle\":\"im:wireapp=alice.smith.qa@wire.com\"}"
   }
 }
 ```
 ### Client fetches JWT DPoP access token (with wire-server)
 #### 11. fetch a nonce from wire-server
 ```http request
-GET http://wire.com:23659/clients/token/nonce
+GET http://wire.com:22059/clients/token/nonce
 ```
 #### 12. get wire-server nonce
 ```http request
@@ -256,7 +256,7 @@ GET http://wire.com:23659/clients/token/nonce
 
 ```
 ```text
-VkVFZ1B0Slp2eFhFWU4wVXZuMFBtWkxwTTlaY0VLOG0
+S01MZm9FSzkyWlZxMEdOazMxMnVZQ25IQ25JbVpiUTA
 ```
 #### 13. create client DPoP token
 
@@ -264,21 +264,21 @@ VkVFZ1B0Slp2eFhFWU4wVXZuMFBtWkxwTTlaY0VLOG0
 <details>
 <summary><b>Dpop token</b></summary>
 
-See it on [jwt.io](https://jwt.io/#id_token=eyJhbGciOiJFZERTQSIsInR5cCI6ImRwb3Arand0IiwiandrIjp7Imt0eSI6Ik9LUCIsImNydiI6IkVkMjU1MTkiLCJ4IjoieXh5S1ZVdUFuemI5ZnVYMEpvdVZZeEZtVEt0cnJUc1YzRnFBZFZBSGNPYyJ9fQ.eyJpYXQiOjE2NzgzODM5MzEsImV4cCI6MTY3ODQ3MDMzMSwibmJmIjoxNjc4MzgzOTMxLCJzdWIiOiJpbTp3aXJlYXBwPU5HVmhNekJqTkRJd1pURTJOR1JqWldFeFl6RmtNek13TVdZeE1XWXpNR1UvZTI4ZmE1Yjc2YjczMWIzQHdpcmUuY29tIiwianRpIjoiYTA3OTdiZGYtN2I0Ny00OWE1LWJlYTUtNWMzMGYzOTkzMzA3Iiwibm9uY2UiOiJWa1ZGWjFCMFNscDJlRmhGV1U0d1ZYWnVNRkJ0V2t4d1RUbGFZMFZMT0cwIiwiaHRtIjoiUE9TVCIsImh0dSI6Imh0dHA6Ly93aXJlLmNvbToyMzY1OS8iLCJjaGFsIjoiQlpTSTVIckNUNDBaQVoySmJ4RTFsd0pYeHdQV01UaDkifQ.sGsPzh9tlbr6CqYIMWc--RncO9e5dyDA4l8Xt_CMdcyT8DXVHILTNEsUEP28o1BwcP53JZWcmSVihbd8ChQsCw)
+See it on [jwt.io](https://jwt.io/#id_token=eyJhbGciOiJFZERTQSIsInR5cCI6ImRwb3Arand0IiwiandrIjp7Imt0eSI6Ik9LUCIsImNydiI6IkVkMjU1MTkiLCJ4IjoiN25QRVQ5N0ZBTFZBYkxMbDJBZFJ2U2wxbnpzRjFOSUNHeHgtQUQ3cTRDcyJ9fQ.eyJpYXQiOjE2Nzg0NTgzMzAsImV4cCI6MTY3ODU0NDczMCwibmJmIjoxNjc4NDU4MzMwLCJzdWIiOiJpbTp3aXJlYXBwPU5UWTFPREl4WkRNMk5URTJOREkyT0dGa09XUTBOelZqTTJVMU1HWTNPV0UvNGM3ZmU4ODkyNWFmNzA2YkB3aXJlLmNvbSIsImp0aSI6IjM4NWEyMDc5LTdlZDAtNDYyMS1hY2EwLWY0N2IzNTY0OGRkOCIsIm5vbmNlIjoiUzAxTVptOUZTemt5V2xaeE1FZE9hek14TW5WWlEyNUlRMjVKYlZwaVVUQSIsImh0bSI6IlBPU1QiLCJodHUiOiJodHRwOi8vd2lyZS5jb206MjIwNTkvIiwiY2hhbCI6IktpaUJWMjFlMFJxdHFxZ2pWdEtXU1JKS0dqUVpKdmtxIn0.4mMGocS8eKJM1_JFp06Fyr8gq4IP4Ho18Tv9kshKH5-fK8DYIDKYLlAQ_5E2qpgn9qDO0Ima6esSx0DKXPMBDg)
 
 Raw:
 ```text
 eyJhbGciOiJFZERTQSIsInR5cCI6ImRwb3Arand0IiwiandrIjp7Imt0eSI6Ik9L
-UCIsImNydiI6IkVkMjU1MTkiLCJ4IjoieXh5S1ZVdUFuemI5ZnVYMEpvdVZZeEZt
-VEt0cnJUc1YzRnFBZFZBSGNPYyJ9fQ.eyJpYXQiOjE2NzgzODM5MzEsImV4cCI6M
-TY3ODQ3MDMzMSwibmJmIjoxNjc4MzgzOTMxLCJzdWIiOiJpbTp3aXJlYXBwPU5HV
-mhNekJqTkRJd1pURTJOR1JqWldFeFl6RmtNek13TVdZeE1XWXpNR1UvZTI4ZmE1Y
-jc2YjczMWIzQHdpcmUuY29tIiwianRpIjoiYTA3OTdiZGYtN2I0Ny00OWE1LWJlY
-TUtNWMzMGYzOTkzMzA3Iiwibm9uY2UiOiJWa1ZGWjFCMFNscDJlRmhGV1U0d1ZYW
-nVNRkJ0V2t4d1RUbGFZMFZMT0cwIiwiaHRtIjoiUE9TVCIsImh0dSI6Imh0dHA6L
-y93aXJlLmNvbToyMzY1OS8iLCJjaGFsIjoiQlpTSTVIckNUNDBaQVoySmJ4RTFsd
-0pYeHdQV01UaDkifQ.sGsPzh9tlbr6CqYIMWc--RncO9e5dyDA4l8Xt_CMdcyT8D
-XVHILTNEsUEP28o1BwcP53JZWcmSVihbd8ChQsCw
+UCIsImNydiI6IkVkMjU1MTkiLCJ4IjoiN25QRVQ5N0ZBTFZBYkxMbDJBZFJ2U2wx
+bnpzRjFOSUNHeHgtQUQ3cTRDcyJ9fQ.eyJpYXQiOjE2Nzg0NTgzMzAsImV4cCI6M
+TY3ODU0NDczMCwibmJmIjoxNjc4NDU4MzMwLCJzdWIiOiJpbTp3aXJlYXBwPU5UW
+TFPREl4WkRNMk5URTJOREkyT0dGa09XUTBOelZqTTJVMU1HWTNPV0UvNGM3ZmU4O
+DkyNWFmNzA2YkB3aXJlLmNvbSIsImp0aSI6IjM4NWEyMDc5LTdlZDAtNDYyMS1hY
+2EwLWY0N2IzNTY0OGRkOCIsIm5vbmNlIjoiUzAxTVptOUZTemt5V2xaeE1FZE9he
+k14TW5WWlEyNUlRMjVKYlZwaVVUQSIsImh0bSI6IlBPU1QiLCJodHUiOiJodHRwO
+i8vd2lyZS5jb206MjIwNTkvIiwiY2hhbCI6IktpaUJWMjFlMFJxdHFxZ2pWdEtXU
+1JKS0dqUVpKdmtxIn0.4mMGocS8eKJM1_JFp06Fyr8gq4IP4Ho18Tv9kshKH5-fK
+8DYIDKYLlAQ_5E2qpgn9qDO0Ima6esSx0DKXPMBDg
 ```
 
 Decoded:
@@ -290,22 +290,22 @@ Decoded:
   "jwk": {
     "kty": "OKP",
     "crv": "Ed25519",
-    "x": "yxyKVUuAnzb9fuX0JouVYxFmTKtrrTsV3FqAdVAHcOc"
+    "x": "7nPET97FALVAbLLl2AdRvSl1nzsF1NICGxx-AD7q4Cs"
   }
 }
 ```
 
 ```json
 {
-  "iat": 1678383931,
-  "exp": 1678470331,
-  "nbf": 1678383931,
-  "sub": "im:wireapp=NGVhMzBjNDIwZTE2NGRjZWExYzFkMzMwMWYxMWYzMGU/e28fa5b76b731b3@wire.com",
-  "jti": "a0797bdf-7b47-49a5-bea5-5c30f3993307",
-  "nonce": "VkVFZ1B0Slp2eFhFWU4wVXZuMFBtWkxwTTlaY0VLOG0",
+  "iat": 1678458330,
+  "exp": 1678544730,
+  "nbf": 1678458330,
+  "sub": "im:wireapp=NTY1ODIxZDM2NTE2NDI2OGFkOWQ0NzVjM2U1MGY3OWE/4c7fe88925af706b@wire.com",
+  "jti": "385a2079-7ed0-4621-aca0-f47b35648dd8",
+  "nonce": "S01MZm9FSzkyWlZxMEdOazMxMnVZQ25IQ25JbVpiUTA",
   "htm": "POST",
-  "htu": "http://wire.com:23659/",
-  "chal": "BZSI5HrCT40ZAZ2JbxE1lwJXxwPWMTh9"
+  "htu": "http://wire.com:22059/",
+  "chal": "KiiBV21e0RqtqqgjVtKWSRJKGjQZJvkq"
 }
 ```
 
@@ -313,10 +313,10 @@ Decoded:
 ✅ Signature Verified with key:
 ```text
 -----BEGIN PRIVATE KEY-----
-MC4CAQAwBQYDK2VwBCIEIFY6sSWYmflcVf67iGKDA+opq44kq1EWQo/IRyI33E6v
+MC4CAQAwBQYDK2VwBCIEIN+ksseZ2FFrFvVJPPz1bjP2HhpMLKDbvwfYQ21ltWRk
 -----END PRIVATE KEY-----
 -----BEGIN PUBLIC KEY-----
-MCowBQYDK2VwAyEAyxyKVUuAnzb9fuX0JouVYxFmTKtrrTsV3FqAdVAHcOc=
+MCowBQYDK2VwAyEA7nPET97FALVAbLLl2AdRvSl1nzsF1NICGxx+AD7q4Cs=
 -----END PUBLIC KEY-----
 ```
 
@@ -325,9 +325,9 @@ MCowBQYDK2VwAyEAyxyKVUuAnzb9fuX0JouVYxFmTKtrrTsV3FqAdVAHcOc=
 
 #### 14. trade client DPoP token for an access token
 ```http request
-POST http://wire.com:23659/clients/1020340586340102579/access-token
+POST http://wire.com:22059/clients/5512380144665194603/access-token
                           /clients/{wire-client-id}/access-token
-dpop: ZXlKaGJHY2lPaUpGWkVSVFFTSXNJblI1Y0NJNkltUndiM0FyYW5kMElpd2lhbmRySWpwN0ltdDBlU0k2SWs5TFVDSXNJbU55ZGlJNklrVmtNalUxTVRraUxDSjRJam9pZVhoNVMxWlZkVUZ1ZW1JNVpuVllNRXB2ZFZaWmVFWnRWRXQwY25KVWMxWXpSbkZCWkZaQlNHTlBZeUo5ZlEuZXlKcFlYUWlPakUyTnpnek9ETTVNekVzSW1WNGNDSTZNVFkzT0RRM01ETXpNU3dpYm1KbUlqb3hOamM0TXpnek9UTXhMQ0p6ZFdJaU9pSnBiVHAzYVhKbFlYQndQVTVIVm1oTmVrSnFUa1JKZDFwVVJUSk9SMUpxV2xkRmVGbDZSbXROZWsxM1RWZFplRTFYV1hwTlIxVXZaVEk0Wm1FMVlqYzJZamN6TVdJelFIZHBjbVV1WTI5dElpd2lhblJwSWpvaVlUQTNPVGRpWkdZdE4ySTBOeTAwT1dFMUxXSmxZVFV0TldNek1HWXpPVGt6TXpBM0lpd2libTl1WTJVaU9pSldhMVpHV2pGQ01GTnNjREpsUm1oR1YxVTBkMVpZV25WTlJrSjBWMnQ0ZDFSVWJHRlpNRlpNVDBjd0lpd2lhSFJ0SWpvaVVFOVRWQ0lzSW1oMGRTSTZJbWgwZEhBNkx5OTNhWEpsTG1OdmJUb3lNelkxT1M4aUxDSmphR0ZzSWpvaVFscFRTVFZJY2tOVU5EQmFRVm95U21KNFJURnNkMHBZZUhkUVYwMVVhRGtpZlEuc0dzUHpoOXRsYnI2Q3FZSU1XYy0tUm5jTzllNWR5REE0bDhYdF9DTWRjeVQ4RFhWSElMVE5Fc1VFUDI4bzFCd2NQNTNKWldjbVNWaWhiZDhDaFFzQ3c
+dpop: ZXlKaGJHY2lPaUpGWkVSVFFTSXNJblI1Y0NJNkltUndiM0FyYW5kMElpd2lhbmRySWpwN0ltdDBlU0k2SWs5TFVDSXNJbU55ZGlJNklrVmtNalUxTVRraUxDSjRJam9pTjI1UVJWUTVOMFpCVEZaQllreE1iREpCWkZKMlUyd3hibnB6UmpGT1NVTkhlSGd0UVVRM2NUUkRjeUo5ZlEuZXlKcFlYUWlPakUyTnpnME5UZ3pNekFzSW1WNGNDSTZNVFkzT0RVME5EY3pNQ3dpYm1KbUlqb3hOamM0TkRVNE16TXdMQ0p6ZFdJaU9pSnBiVHAzYVhKbFlYQndQVTVVV1RGUFJFbDRXa1JOTWs1VVJUSk9SRWt5VDBkR2EwOVhVVEJPZWxacVRUSlZNVTFIV1ROUFYwVXZOR00zWm1VNE9Ea3lOV0ZtTnpBMllrQjNhWEpsTG1OdmJTSXNJbXAwYVNJNklqTTROV0V5TURjNUxUZGxaREF0TkRZeU1TMWhZMkV3TFdZME4ySXpOVFkwT0dSa09DSXNJbTV2Ym1ObElqb2lVekF4VFZwdE9VWlRlbXQ1VjJ4YWVFMUZaRTloZWsxNFRXNVdXbEV5TlVsUk1qVktZbFp3YVZWVVFTSXNJbWgwYlNJNklsQlBVMVFpTENKb2RIVWlPaUpvZEhSd09pOHZkMmx5WlM1amIyMDZNakl3TlRrdklpd2lZMmhoYkNJNklrdHBhVUpXTWpGbE1GSnhkSEZ4WjJwV2RFdFhVMUpLUzBkcVVWcEtkbXR4SW4wLjRtTUdvY1M4ZUtKTTFfSkZwMDZGeXI4Z3E0SVA0SG8xOFR2OWtzaEtINS1mSzhEWUlES1lMbEFRXzVFMnFwZ245cURPMEltYTZlc1N4MERLWFBNQkRn
 ```
 #### 15. get a Dpop access token from wire-server
 ```http request
@@ -337,7 +337,7 @@ dpop: ZXlKaGJHY2lPaUpGWkVSVFFTSXNJblI1Y0NJNkltUndiM0FyYW5kMElpd2lhbmRySWpwN0ltdD
 ```json
 {
   "expires_in": 2082008461,
-  "token": "eyJhbGciOiJFZERTQSIsInR5cCI6ImF0K2p3dCIsImp3ayI6eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5IiwieCI6InRJVlV4Q0hqSnFCOGpQdFpHSXRVQzZKNV9pVjY5U0pmWktEcVlBN2ZFZUkifX0.eyJpYXQiOjE2NzgzODM5MzEsImV4cCI6MTY4NjE1OTkzMSwibmJmIjoxNjc4MzgzOTMxLCJpc3MiOiJodHRwOi8vd2lyZS5jb206MjM2NTkvIiwic3ViIjoiaW06d2lyZWFwcD1OR1ZoTXpCak5ESXdaVEUyTkdSalpXRXhZekZrTXpNd01XWXhNV1l6TUdVL2UyOGZhNWI3NmI3MzFiM0B3aXJlLmNvbSIsImF1ZCI6Imh0dHA6Ly93aXJlLmNvbToyMzY1OS8iLCJqdGkiOiJhNGNlZjAxZS00YWM0LTRjY2QtOTA3MC0wZDg5NTMwMjY5ZTYiLCJub25jZSI6IlZrVkZaMUIwU2xwMmVGaEZXVTR3VlhadU1GQnRXa3h3VFRsYVkwVkxPRzAiLCJjaGFsIjoiQlpTSTVIckNUNDBaQVoySmJ4RTFsd0pYeHdQV01UaDkiLCJjbmYiOnsia2lkIjoiLUx5eG1vRnBjR01yZzJOMHdyTVBTdW9LdFdkQkdUeWxQVmU1Y3pHOGVncyJ9LCJwcm9vZiI6ImV5SmhiR2NpT2lKRlpFUlRRU0lzSW5SNWNDSTZJbVJ3YjNBcmFuZDBJaXdpYW5kcklqcDdJbXQwZVNJNklrOUxVQ0lzSW1OeWRpSTZJa1ZrTWpVMU1Ua2lMQ0o0SWpvaWVYaDVTMVpWZFVGdWVtSTVablZZTUVwdmRWWlplRVp0VkV0MGNuSlVjMVl6Um5GQlpGWkJTR05QWXlKOWZRLmV5SnBZWFFpT2pFMk56Z3pPRE01TXpFc0ltVjRjQ0k2TVRZM09EUTNNRE16TVN3aWJtSm1Jam94TmpjNE16Z3pPVE14TENKemRXSWlPaUpwYlRwM2FYSmxZWEJ3UFU1SFZtaE5la0pxVGtSSmQxcFVSVEpPUjFKcVdsZEZlRmw2Um10TmVrMTNUVmRaZUUxWFdYcE5SMVV2WlRJNFptRTFZamMyWWpjek1XSXpRSGRwY21VdVkyOXRJaXdpYW5ScElqb2lZVEEzT1RkaVpHWXROMkkwTnkwME9XRTFMV0psWVRVdE5XTXpNR1l6T1Rrek16QTNJaXdpYm05dVkyVWlPaUpXYTFaR1dqRkNNRk5zY0RKbFJtaEdWMVUwZDFaWVduVk5Sa0owVjJ0NGQxUlViR0ZaTUZaTVQwY3dJaXdpYUhSdElqb2lVRTlUVkNJc0ltaDBkU0k2SW1oMGRIQTZMeTkzYVhKbExtTnZiVG95TXpZMU9TOGlMQ0pqYUdGc0lqb2lRbHBUU1RWSWNrTlVOREJhUVZveVNtSjRSVEZzZDBwWWVIZFFWMDFVYURraWZRLnNHc1B6aDl0bGJyNkNxWUlNV2MtLVJuY085ZTVkeURBNGw4WHRfQ01kY3lUOERYVkhJTFRORXNVRVAyOG8xQndjUDUzSlpXY21TVmloYmQ4Q2hRc0N3IiwiY2xpZW50X2lkIjoiaW06d2lyZWFwcD1OR1ZoTXpCak5ESXdaVEUyTkdSalpXRXhZekZrTXpNd01XWXhNV1l6TUdVL2UyOGZhNWI3NmI3MzFiM0B3aXJlLmNvbSIsImFwaV92ZXJzaW9uIjozLCJzY29wZSI6IndpcmVfY2xpZW50X2lkIn0.q-CdDcc_Js1YfU1g3_eqsf8E8gR6gtLSSGurHJduoDfA9a0RBMZktYikD1vQ-89X3Ot3Q1ymEDADeW3sTcI-AQ",
+  "token": "eyJhbGciOiJFZERTQSIsInR5cCI6ImF0K2p3dCIsImp3ayI6eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5IiwieCI6InhYM1JCNDFpTU1FMEJ3dWtENWRHbkFoc1NnV09fdEVZSkRwejdWU2EtM2cifX0.eyJpYXQiOjE2Nzg0NTgzMzAsImV4cCI6MTY4NjIzNDMzMCwibmJmIjoxNjc4NDU4MzMwLCJpc3MiOiJodHRwOi8vd2lyZS5jb206MjIwNTkvIiwic3ViIjoiaW06d2lyZWFwcD1OVFkxT0RJeFpETTJOVEUyTkRJMk9HRmtPV1EwTnpWak0yVTFNR1kzT1dFLzRjN2ZlODg5MjVhZjcwNmJAd2lyZS5jb20iLCJhdWQiOiJodHRwOi8vd2lyZS5jb206MjIwNTkvIiwianRpIjoiMjMxOWFiODktZTVkMS00MzAxLWJlMWMtM2FiNjFhNGIwMzI3Iiwibm9uY2UiOiJTMDFNWm05RlN6a3lXbFp4TUVkT2F6TXhNblZaUTI1SVEyNUpiVnBpVVRBIiwiY2hhbCI6IktpaUJWMjFlMFJxdHFxZ2pWdEtXU1JKS0dqUVpKdmtxIiwiY25mIjp7ImtpZCI6Im9hRU9XdjVHdTBUTFRwRDVyUmxoODc2TGFrNE0yWFFhMjYzV3FHSVBkX1kifSwicHJvb2YiOiJleUpoYkdjaU9pSkZaRVJUUVNJc0luUjVjQ0k2SW1Sd2IzQXJhbmQwSWl3aWFuZHJJanA3SW10MGVTSTZJazlMVUNJc0ltTnlkaUk2SWtWa01qVTFNVGtpTENKNElqb2lOMjVRUlZRNU4wWkJURlpCWWt4TWJESkJaRkoyVTJ3eGJucHpSakZPU1VOSGVIZ3RRVVEzY1RSRGN5SjlmUS5leUpwWVhRaU9qRTJOemcwTlRnek16QXNJbVY0Y0NJNk1UWTNPRFUwTkRjek1Dd2libUptSWpveE5qYzRORFU0TXpNd0xDSnpkV0lpT2lKcGJUcDNhWEpsWVhCd1BVNVVXVEZQUkVsNFdrUk5NazVVUlRKT1JFa3lUMGRHYTA5WFVUQk9lbFpxVFRKVk1VMUhXVE5QVjBVdk5HTTNabVU0T0RreU5XRm1OekEyWWtCM2FYSmxMbU52YlNJc0ltcDBhU0k2SWpNNE5XRXlNRGM1TFRkbFpEQXRORFl5TVMxaFkyRXdMV1kwTjJJek5UWTBPR1JrT0NJc0ltNXZibU5sSWpvaVV6QXhUVnB0T1VaVGVtdDVWMnhhZUUxRlpFOWhlazE0VFc1V1dsRXlOVWxSTWpWS1lsWndhVlZVUVNJc0ltaDBiU0k2SWxCUFUxUWlMQ0pvZEhVaU9pSm9kSFJ3T2k4dmQybHlaUzVqYjIwNk1qSXdOVGt2SWl3aVkyaGhiQ0k2SWt0cGFVSldNakZsTUZKeGRIRnhaMnBXZEV0WFUxSktTMGRxVVZwS2RtdHhJbjAuNG1NR29jUzhlS0pNMV9KRnAwNkZ5cjhncTRJUDRIbzE4VHY5a3NoS0g1LWZLOERZSURLWUxsQVFfNUUycXBnbjlxRE8wSW1hNmVzU3gwREtYUE1CRGciLCJjbGllbnRfaWQiOiJpbTp3aXJlYXBwPU5UWTFPREl4WkRNMk5URTJOREkyT0dGa09XUTBOelZqTTJVMU1HWTNPV0UvNGM3ZmU4ODkyNWFmNzA2YkB3aXJlLmNvbSIsImFwaV92ZXJzaW9uIjozLCJzY29wZSI6IndpcmVfY2xpZW50X2lkIn0.UPaQcsPNwaxpGS_eOt-NMOjlUkNiL05Lshr5NGgXmmksQoYsgq5UX6TQG6UPHNrv78b1jfIfxcLb0U37BaRACA",
   "type": "DPoP"
 }
 ```
@@ -345,40 +345,40 @@ dpop: ZXlKaGJHY2lPaUpGWkVSVFFTSXNJblI1Y0NJNkltUndiM0FyYW5kMElpd2lhbmRySWpwN0ltdD
 <details>
 <summary><b>Access token</b></summary>
 
-See it on [jwt.io](https://jwt.io/#id_token=eyJhbGciOiJFZERTQSIsInR5cCI6ImF0K2p3dCIsImp3ayI6eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5IiwieCI6InRJVlV4Q0hqSnFCOGpQdFpHSXRVQzZKNV9pVjY5U0pmWktEcVlBN2ZFZUkifX0.eyJpYXQiOjE2NzgzODM5MzEsImV4cCI6MTY4NjE1OTkzMSwibmJmIjoxNjc4MzgzOTMxLCJpc3MiOiJodHRwOi8vd2lyZS5jb206MjM2NTkvIiwic3ViIjoiaW06d2lyZWFwcD1OR1ZoTXpCak5ESXdaVEUyTkdSalpXRXhZekZrTXpNd01XWXhNV1l6TUdVL2UyOGZhNWI3NmI3MzFiM0B3aXJlLmNvbSIsImF1ZCI6Imh0dHA6Ly93aXJlLmNvbToyMzY1OS8iLCJqdGkiOiJhNGNlZjAxZS00YWM0LTRjY2QtOTA3MC0wZDg5NTMwMjY5ZTYiLCJub25jZSI6IlZrVkZaMUIwU2xwMmVGaEZXVTR3VlhadU1GQnRXa3h3VFRsYVkwVkxPRzAiLCJjaGFsIjoiQlpTSTVIckNUNDBaQVoySmJ4RTFsd0pYeHdQV01UaDkiLCJjbmYiOnsia2lkIjoiLUx5eG1vRnBjR01yZzJOMHdyTVBTdW9LdFdkQkdUeWxQVmU1Y3pHOGVncyJ9LCJwcm9vZiI6ImV5SmhiR2NpT2lKRlpFUlRRU0lzSW5SNWNDSTZJbVJ3YjNBcmFuZDBJaXdpYW5kcklqcDdJbXQwZVNJNklrOUxVQ0lzSW1OeWRpSTZJa1ZrTWpVMU1Ua2lMQ0o0SWpvaWVYaDVTMVpWZFVGdWVtSTVablZZTUVwdmRWWlplRVp0VkV0MGNuSlVjMVl6Um5GQlpGWkJTR05QWXlKOWZRLmV5SnBZWFFpT2pFMk56Z3pPRE01TXpFc0ltVjRjQ0k2TVRZM09EUTNNRE16TVN3aWJtSm1Jam94TmpjNE16Z3pPVE14TENKemRXSWlPaUpwYlRwM2FYSmxZWEJ3UFU1SFZtaE5la0pxVGtSSmQxcFVSVEpPUjFKcVdsZEZlRmw2Um10TmVrMTNUVmRaZUUxWFdYcE5SMVV2WlRJNFptRTFZamMyWWpjek1XSXpRSGRwY21VdVkyOXRJaXdpYW5ScElqb2lZVEEzT1RkaVpHWXROMkkwTnkwME9XRTFMV0psWVRVdE5XTXpNR1l6T1Rrek16QTNJaXdpYm05dVkyVWlPaUpXYTFaR1dqRkNNRk5zY0RKbFJtaEdWMVUwZDFaWVduVk5Sa0owVjJ0NGQxUlViR0ZaTUZaTVQwY3dJaXdpYUhSdElqb2lVRTlUVkNJc0ltaDBkU0k2SW1oMGRIQTZMeTkzYVhKbExtTnZiVG95TXpZMU9TOGlMQ0pqYUdGc0lqb2lRbHBUU1RWSWNrTlVOREJhUVZveVNtSjRSVEZzZDBwWWVIZFFWMDFVYURraWZRLnNHc1B6aDl0bGJyNkNxWUlNV2MtLVJuY085ZTVkeURBNGw4WHRfQ01kY3lUOERYVkhJTFRORXNVRVAyOG8xQndjUDUzSlpXY21TVmloYmQ4Q2hRc0N3IiwiY2xpZW50X2lkIjoiaW06d2lyZWFwcD1OR1ZoTXpCak5ESXdaVEUyTkdSalpXRXhZekZrTXpNd01XWXhNV1l6TUdVL2UyOGZhNWI3NmI3MzFiM0B3aXJlLmNvbSIsImFwaV92ZXJzaW9uIjozLCJzY29wZSI6IndpcmVfY2xpZW50X2lkIn0.q-CdDcc_Js1YfU1g3_eqsf8E8gR6gtLSSGurHJduoDfA9a0RBMZktYikD1vQ-89X3Ot3Q1ymEDADeW3sTcI-AQ)
+See it on [jwt.io](https://jwt.io/#id_token=eyJhbGciOiJFZERTQSIsInR5cCI6ImF0K2p3dCIsImp3ayI6eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5IiwieCI6InhYM1JCNDFpTU1FMEJ3dWtENWRHbkFoc1NnV09fdEVZSkRwejdWU2EtM2cifX0.eyJpYXQiOjE2Nzg0NTgzMzAsImV4cCI6MTY4NjIzNDMzMCwibmJmIjoxNjc4NDU4MzMwLCJpc3MiOiJodHRwOi8vd2lyZS5jb206MjIwNTkvIiwic3ViIjoiaW06d2lyZWFwcD1OVFkxT0RJeFpETTJOVEUyTkRJMk9HRmtPV1EwTnpWak0yVTFNR1kzT1dFLzRjN2ZlODg5MjVhZjcwNmJAd2lyZS5jb20iLCJhdWQiOiJodHRwOi8vd2lyZS5jb206MjIwNTkvIiwianRpIjoiMjMxOWFiODktZTVkMS00MzAxLWJlMWMtM2FiNjFhNGIwMzI3Iiwibm9uY2UiOiJTMDFNWm05RlN6a3lXbFp4TUVkT2F6TXhNblZaUTI1SVEyNUpiVnBpVVRBIiwiY2hhbCI6IktpaUJWMjFlMFJxdHFxZ2pWdEtXU1JKS0dqUVpKdmtxIiwiY25mIjp7ImtpZCI6Im9hRU9XdjVHdTBUTFRwRDVyUmxoODc2TGFrNE0yWFFhMjYzV3FHSVBkX1kifSwicHJvb2YiOiJleUpoYkdjaU9pSkZaRVJUUVNJc0luUjVjQ0k2SW1Sd2IzQXJhbmQwSWl3aWFuZHJJanA3SW10MGVTSTZJazlMVUNJc0ltTnlkaUk2SWtWa01qVTFNVGtpTENKNElqb2lOMjVRUlZRNU4wWkJURlpCWWt4TWJESkJaRkoyVTJ3eGJucHpSakZPU1VOSGVIZ3RRVVEzY1RSRGN5SjlmUS5leUpwWVhRaU9qRTJOemcwTlRnek16QXNJbVY0Y0NJNk1UWTNPRFUwTkRjek1Dd2libUptSWpveE5qYzRORFU0TXpNd0xDSnpkV0lpT2lKcGJUcDNhWEpsWVhCd1BVNVVXVEZQUkVsNFdrUk5NazVVUlRKT1JFa3lUMGRHYTA5WFVUQk9lbFpxVFRKVk1VMUhXVE5QVjBVdk5HTTNabVU0T0RreU5XRm1OekEyWWtCM2FYSmxMbU52YlNJc0ltcDBhU0k2SWpNNE5XRXlNRGM1TFRkbFpEQXRORFl5TVMxaFkyRXdMV1kwTjJJek5UWTBPR1JrT0NJc0ltNXZibU5sSWpvaVV6QXhUVnB0T1VaVGVtdDVWMnhhZUUxRlpFOWhlazE0VFc1V1dsRXlOVWxSTWpWS1lsWndhVlZVUVNJc0ltaDBiU0k2SWxCUFUxUWlMQ0pvZEhVaU9pSm9kSFJ3T2k4dmQybHlaUzVqYjIwNk1qSXdOVGt2SWl3aVkyaGhiQ0k2SWt0cGFVSldNakZsTUZKeGRIRnhaMnBXZEV0WFUxSktTMGRxVVZwS2RtdHhJbjAuNG1NR29jUzhlS0pNMV9KRnAwNkZ5cjhncTRJUDRIbzE4VHY5a3NoS0g1LWZLOERZSURLWUxsQVFfNUUycXBnbjlxRE8wSW1hNmVzU3gwREtYUE1CRGciLCJjbGllbnRfaWQiOiJpbTp3aXJlYXBwPU5UWTFPREl4WkRNMk5URTJOREkyT0dGa09XUTBOelZqTTJVMU1HWTNPV0UvNGM3ZmU4ODkyNWFmNzA2YkB3aXJlLmNvbSIsImFwaV92ZXJzaW9uIjozLCJzY29wZSI6IndpcmVfY2xpZW50X2lkIn0.UPaQcsPNwaxpGS_eOt-NMOjlUkNiL05Lshr5NGgXmmksQoYsgq5UX6TQG6UPHNrv78b1jfIfxcLb0U37BaRACA)
 
 Raw:
 ```text
 eyJhbGciOiJFZERTQSIsInR5cCI6ImF0K2p3dCIsImp3ayI6eyJrdHkiOiJPS1Ai
-LCJjcnYiOiJFZDI1NTE5IiwieCI6InRJVlV4Q0hqSnFCOGpQdFpHSXRVQzZKNV9p
-VjY5U0pmWktEcVlBN2ZFZUkifX0.eyJpYXQiOjE2NzgzODM5MzEsImV4cCI6MTY4
-NjE1OTkzMSwibmJmIjoxNjc4MzgzOTMxLCJpc3MiOiJodHRwOi8vd2lyZS5jb206
-MjM2NTkvIiwic3ViIjoiaW06d2lyZWFwcD1OR1ZoTXpCak5ESXdaVEUyTkdSalpX
-RXhZekZrTXpNd01XWXhNV1l6TUdVL2UyOGZhNWI3NmI3MzFiM0B3aXJlLmNvbSIs
-ImF1ZCI6Imh0dHA6Ly93aXJlLmNvbToyMzY1OS8iLCJqdGkiOiJhNGNlZjAxZS00
-YWM0LTRjY2QtOTA3MC0wZDg5NTMwMjY5ZTYiLCJub25jZSI6IlZrVkZaMUIwU2xw
-MmVGaEZXVTR3VlhadU1GQnRXa3h3VFRsYVkwVkxPRzAiLCJjaGFsIjoiQlpTSTVI
-ckNUNDBaQVoySmJ4RTFsd0pYeHdQV01UaDkiLCJjbmYiOnsia2lkIjoiLUx5eG1v
-RnBjR01yZzJOMHdyTVBTdW9LdFdkQkdUeWxQVmU1Y3pHOGVncyJ9LCJwcm9vZiI6
-ImV5SmhiR2NpT2lKRlpFUlRRU0lzSW5SNWNDSTZJbVJ3YjNBcmFuZDBJaXdpYW5k
-cklqcDdJbXQwZVNJNklrOUxVQ0lzSW1OeWRpSTZJa1ZrTWpVMU1Ua2lMQ0o0SWpv
-aWVYaDVTMVpWZFVGdWVtSTVablZZTUVwdmRWWlplRVp0VkV0MGNuSlVjMVl6Um5G
-QlpGWkJTR05QWXlKOWZRLmV5SnBZWFFpT2pFMk56Z3pPRE01TXpFc0ltVjRjQ0k2
-TVRZM09EUTNNRE16TVN3aWJtSm1Jam94TmpjNE16Z3pPVE14TENKemRXSWlPaUpw
-YlRwM2FYSmxZWEJ3UFU1SFZtaE5la0pxVGtSSmQxcFVSVEpPUjFKcVdsZEZlRmw2
-Um10TmVrMTNUVmRaZUUxWFdYcE5SMVV2WlRJNFptRTFZamMyWWpjek1XSXpRSGRw
-Y21VdVkyOXRJaXdpYW5ScElqb2lZVEEzT1RkaVpHWXROMkkwTnkwME9XRTFMV0ps
-WVRVdE5XTXpNR1l6T1Rrek16QTNJaXdpYm05dVkyVWlPaUpXYTFaR1dqRkNNRk5z
-Y0RKbFJtaEdWMVUwZDFaWVduVk5Sa0owVjJ0NGQxUlViR0ZaTUZaTVQwY3dJaXdp
-YUhSdElqb2lVRTlUVkNJc0ltaDBkU0k2SW1oMGRIQTZMeTkzYVhKbExtTnZiVG95
-TXpZMU9TOGlMQ0pqYUdGc0lqb2lRbHBUU1RWSWNrTlVOREJhUVZveVNtSjRSVEZz
-ZDBwWWVIZFFWMDFVYURraWZRLnNHc1B6aDl0bGJyNkNxWUlNV2MtLVJuY085ZTVk
-eURBNGw4WHRfQ01kY3lUOERYVkhJTFRORXNVRVAyOG8xQndjUDUzSlpXY21TVmlo
-YmQ4Q2hRc0N3IiwiY2xpZW50X2lkIjoiaW06d2lyZWFwcD1OR1ZoTXpCak5ESXda
-VEUyTkdSalpXRXhZekZrTXpNd01XWXhNV1l6TUdVL2UyOGZhNWI3NmI3MzFiM0B3
-aXJlLmNvbSIsImFwaV92ZXJzaW9uIjozLCJzY29wZSI6IndpcmVfY2xpZW50X2lk
-In0.q-CdDcc_Js1YfU1g3_eqsf8E8gR6gtLSSGurHJduoDfA9a0RBMZktYikD1vQ
--89X3Ot3Q1ymEDADeW3sTcI-AQ
+LCJjcnYiOiJFZDI1NTE5IiwieCI6InhYM1JCNDFpTU1FMEJ3dWtENWRHbkFoc1Nn
+V09fdEVZSkRwejdWU2EtM2cifX0.eyJpYXQiOjE2Nzg0NTgzMzAsImV4cCI6MTY4
+NjIzNDMzMCwibmJmIjoxNjc4NDU4MzMwLCJpc3MiOiJodHRwOi8vd2lyZS5jb206
+MjIwNTkvIiwic3ViIjoiaW06d2lyZWFwcD1OVFkxT0RJeFpETTJOVEUyTkRJMk9H
+RmtPV1EwTnpWak0yVTFNR1kzT1dFLzRjN2ZlODg5MjVhZjcwNmJAd2lyZS5jb20i
+LCJhdWQiOiJodHRwOi8vd2lyZS5jb206MjIwNTkvIiwianRpIjoiMjMxOWFiODkt
+ZTVkMS00MzAxLWJlMWMtM2FiNjFhNGIwMzI3Iiwibm9uY2UiOiJTMDFNWm05RlN6
+a3lXbFp4TUVkT2F6TXhNblZaUTI1SVEyNUpiVnBpVVRBIiwiY2hhbCI6IktpaUJW
+MjFlMFJxdHFxZ2pWdEtXU1JKS0dqUVpKdmtxIiwiY25mIjp7ImtpZCI6Im9hRU9X
+djVHdTBUTFRwRDVyUmxoODc2TGFrNE0yWFFhMjYzV3FHSVBkX1kifSwicHJvb2Yi
+OiJleUpoYkdjaU9pSkZaRVJUUVNJc0luUjVjQ0k2SW1Sd2IzQXJhbmQwSWl3aWFu
+ZHJJanA3SW10MGVTSTZJazlMVUNJc0ltTnlkaUk2SWtWa01qVTFNVGtpTENKNElq
+b2lOMjVRUlZRNU4wWkJURlpCWWt4TWJESkJaRkoyVTJ3eGJucHpSakZPU1VOSGVI
+Z3RRVVEzY1RSRGN5SjlmUS5leUpwWVhRaU9qRTJOemcwTlRnek16QXNJbVY0Y0NJ
+Nk1UWTNPRFUwTkRjek1Dd2libUptSWpveE5qYzRORFU0TXpNd0xDSnpkV0lpT2lK
+cGJUcDNhWEpsWVhCd1BVNVVXVEZQUkVsNFdrUk5NazVVUlRKT1JFa3lUMGRHYTA5
+WFVUQk9lbFpxVFRKVk1VMUhXVE5QVjBVdk5HTTNabVU0T0RreU5XRm1OekEyWWtC
+M2FYSmxMbU52YlNJc0ltcDBhU0k2SWpNNE5XRXlNRGM1TFRkbFpEQXRORFl5TVMx
+aFkyRXdMV1kwTjJJek5UWTBPR1JrT0NJc0ltNXZibU5sSWpvaVV6QXhUVnB0T1Va
+VGVtdDVWMnhhZUUxRlpFOWhlazE0VFc1V1dsRXlOVWxSTWpWS1lsWndhVlZVUVNJ
+c0ltaDBiU0k2SWxCUFUxUWlMQ0pvZEhVaU9pSm9kSFJ3T2k4dmQybHlaUzVqYjIw
+Nk1qSXdOVGt2SWl3aVkyaGhiQ0k2SWt0cGFVSldNakZsTUZKeGRIRnhaMnBXZEV0
+WFUxSktTMGRxVVZwS2RtdHhJbjAuNG1NR29jUzhlS0pNMV9KRnAwNkZ5cjhncTRJ
+UDRIbzE4VHY5a3NoS0g1LWZLOERZSURLWUxsQVFfNUUycXBnbjlxRE8wSW1hNmVz
+U3gwREtYUE1CRGciLCJjbGllbnRfaWQiOiJpbTp3aXJlYXBwPU5UWTFPREl4WkRN
+Mk5URTJOREkyT0dGa09XUTBOelZqTTJVMU1HWTNPV0UvNGM3ZmU4ODkyNWFmNzA2
+YkB3aXJlLmNvbSIsImFwaV92ZXJzaW9uIjozLCJzY29wZSI6IndpcmVfY2xpZW50
+X2lkIn0.UPaQcsPNwaxpGS_eOt-NMOjlUkNiL05Lshr5NGgXmmksQoYsgq5UX6TQ
+G6UPHNrv78b1jfIfxcLb0U37BaRACA
 ```
 
 Decoded:
@@ -390,27 +390,27 @@ Decoded:
   "jwk": {
     "kty": "OKP",
     "crv": "Ed25519",
-    "x": "tIVUxCHjJqB8jPtZGItUC6J5_iV69SJfZKDqYA7fEeI"
+    "x": "xX3RB41iMME0BwukD5dGnAhsSgWO_tEYJDpz7VSa-3g"
   }
 }
 ```
 
 ```json
 {
-  "iat": 1678383931,
-  "exp": 1686159931,
-  "nbf": 1678383931,
-  "iss": "http://wire.com:23659/",
-  "sub": "im:wireapp=NGVhMzBjNDIwZTE2NGRjZWExYzFkMzMwMWYxMWYzMGU/e28fa5b76b731b3@wire.com",
-  "aud": "http://wire.com:23659/",
-  "jti": "a4cef01e-4ac4-4ccd-9070-0d89530269e6",
-  "nonce": "VkVFZ1B0Slp2eFhFWU4wVXZuMFBtWkxwTTlaY0VLOG0",
-  "chal": "BZSI5HrCT40ZAZ2JbxE1lwJXxwPWMTh9",
+  "iat": 1678458330,
+  "exp": 1686234330,
+  "nbf": 1678458330,
+  "iss": "http://wire.com:22059/",
+  "sub": "im:wireapp=NTY1ODIxZDM2NTE2NDI2OGFkOWQ0NzVjM2U1MGY3OWE/4c7fe88925af706b@wire.com",
+  "aud": "http://wire.com:22059/",
+  "jti": "2319ab89-e5d1-4301-be1c-3ab61a4b0327",
+  "nonce": "S01MZm9FSzkyWlZxMEdOazMxMnVZQ25IQ25JbVpiUTA",
+  "chal": "KiiBV21e0RqtqqgjVtKWSRJKGjQZJvkq",
   "cnf": {
-    "kid": "-LyxmoFpcGMrg2N0wrMPSuoKtWdBGTylPVe5czG8egs"
+    "kid": "oaEOWv5Gu0TLTpD5rRlh876Lak4M2XQa263WqGIPd_Y"
   },
-  "proof": "eyJhbGciOiJFZERTQSIsInR5cCI6ImRwb3Arand0IiwiandrIjp7Imt0eSI6Ik9LUCIsImNydiI6IkVkMjU1MTkiLCJ4IjoieXh5S1ZVdUFuemI5ZnVYMEpvdVZZeEZtVEt0cnJUc1YzRnFBZFZBSGNPYyJ9fQ.eyJpYXQiOjE2NzgzODM5MzEsImV4cCI6MTY3ODQ3MDMzMSwibmJmIjoxNjc4MzgzOTMxLCJzdWIiOiJpbTp3aXJlYXBwPU5HVmhNekJqTkRJd1pURTJOR1JqWldFeFl6RmtNek13TVdZeE1XWXpNR1UvZTI4ZmE1Yjc2YjczMWIzQHdpcmUuY29tIiwianRpIjoiYTA3OTdiZGYtN2I0Ny00OWE1LWJlYTUtNWMzMGYzOTkzMzA3Iiwibm9uY2UiOiJWa1ZGWjFCMFNscDJlRmhGV1U0d1ZYWnVNRkJ0V2t4d1RUbGFZMFZMT0cwIiwiaHRtIjoiUE9TVCIsImh0dSI6Imh0dHA6Ly93aXJlLmNvbToyMzY1OS8iLCJjaGFsIjoiQlpTSTVIckNUNDBaQVoySmJ4RTFsd0pYeHdQV01UaDkifQ.sGsPzh9tlbr6CqYIMWc--RncO9e5dyDA4l8Xt_CMdcyT8DXVHILTNEsUEP28o1BwcP53JZWcmSVihbd8ChQsCw",
-  "client_id": "im:wireapp=NGVhMzBjNDIwZTE2NGRjZWExYzFkMzMwMWYxMWYzMGU/e28fa5b76b731b3@wire.com",
+  "proof": "eyJhbGciOiJFZERTQSIsInR5cCI6ImRwb3Arand0IiwiandrIjp7Imt0eSI6Ik9LUCIsImNydiI6IkVkMjU1MTkiLCJ4IjoiN25QRVQ5N0ZBTFZBYkxMbDJBZFJ2U2wxbnpzRjFOSUNHeHgtQUQ3cTRDcyJ9fQ.eyJpYXQiOjE2Nzg0NTgzMzAsImV4cCI6MTY3ODU0NDczMCwibmJmIjoxNjc4NDU4MzMwLCJzdWIiOiJpbTp3aXJlYXBwPU5UWTFPREl4WkRNMk5URTJOREkyT0dGa09XUTBOelZqTTJVMU1HWTNPV0UvNGM3ZmU4ODkyNWFmNzA2YkB3aXJlLmNvbSIsImp0aSI6IjM4NWEyMDc5LTdlZDAtNDYyMS1hY2EwLWY0N2IzNTY0OGRkOCIsIm5vbmNlIjoiUzAxTVptOUZTemt5V2xaeE1FZE9hek14TW5WWlEyNUlRMjVKYlZwaVVUQSIsImh0bSI6IlBPU1QiLCJodHUiOiJodHRwOi8vd2lyZS5jb206MjIwNTkvIiwiY2hhbCI6IktpaUJWMjFlMFJxdHFxZ2pWdEtXU1JKS0dqUVpKdmtxIn0.4mMGocS8eKJM1_JFp06Fyr8gq4IP4Ho18Tv9kshKH5-fK8DYIDKYLlAQ_5E2qpgn9qDO0Ima6esSx0DKXPMBDg",
+  "client_id": "im:wireapp=NTY1ODIxZDM2NTE2NDI2OGFkOWQ0NzVjM2U1MGY3OWE/4c7fe88925af706b@wire.com",
   "api_version": 3,
   "scope": "wire_client_id"
 }
@@ -420,10 +420,10 @@ Decoded:
 ✅ Signature Verified with key:
 ```text
 -----BEGIN PRIVATE KEY-----
-MC4CAQAwBQYDK2VwBCIEIJjmII0n1bfs1c+9UdG/tN3WZHKA/2IFSeb7Sf80pA3N
+MC4CAQAwBQYDK2VwBCIEIBml61q/M1JIzgKzLkuivjclsclyoJQLMT2tn1vhh2Cn
 -----END PRIVATE KEY-----
 -----BEGIN PUBLIC KEY-----
-MCowBQYDK2VwAyEAtIVUxCHjJqB8jPtZGItUC6J5/iV69SJfZKDqYA7fEeI=
+MCowBQYDK2VwAyEAxX3RB41iMME0BwukD5dGnAhsSgWO/tEYJDpz7VSa+3g=
 -----END PUBLIC KEY-----
 ```
 
@@ -433,28 +433,28 @@ MCowBQYDK2VwAyEAtIVUxCHjJqB8jPtZGItUC6J5/iV69SJfZKDqYA7fEeI=
 ### Client provides access token
 #### 16. validate Dpop challenge (clientId)
 ```http request
-POST https://stepca:55834/acme/wire/challenge/N7kIofylgL53ediczRqyQ0YFGZ3HkoX9/0H2Qr2LfBEj0SCIycIYtWJLyTcY5U4AW
+POST https://stepca:56174/acme/wire/challenge/v4xbDJNNkojniM8PiKL9BzpGtVZMt1gD/HhFufnzfL9abzJzpUNeblQGthEcrac9J
                          /acme/{acme-provisioner}/challenge/{authz-id}/{challenge-id}
 content-type: application/jose+json
 ```
 ```json
 {
-  "protected": "eyJhbGciOiJFZERTQSIsImtpZCI6Imh0dHBzOi8vc3RlcGNhOjU1ODM0L2FjbWUvd2lyZS9hY2NvdW50L005dFZ1Ym5JQnFhcmtLYWJCQUJ4N1BNU0I4cEtOQ2F1IiwidHlwIjoiSldUIiwibm9uY2UiOiJOVTVoTWxGdFNtZDFUMHQyTTJsbU0yaHRRakpzT1ZCQlNuQnFRMmw2ZVVrIiwidXJsIjoiaHR0cHM6Ly9zdGVwY2E6NTU4MzQvYWNtZS93aXJlL2NoYWxsZW5nZS9ON2tJb2Z5bGdMNTNlZGljelJxeVEwWUZHWjNIa29YOS8wSDJRcjJMZkJFajBTQ0l5Y0lZdFdKTHlUY1k1VTRBVyJ9",
-  "payload": "eyJhY2Nlc3NfdG9rZW4iOiJleUpoYkdjaU9pSkZaRVJUUVNJc0luUjVjQ0k2SW1GMEsycDNkQ0lzSW1wM2F5STZleUpyZEhraU9pSlBTMUFpTENKamNuWWlPaUpGWkRJMU5URTVJaXdpZUNJNkluUkpWbFY0UTBocVNuRkNPR3BRZEZwSFNYUlZRelpLTlY5cFZqWTVVMHBtV2t0RWNWbEJOMlpGWlVraWZYMC5leUpwWVhRaU9qRTJOemd6T0RNNU16RXNJbVY0Y0NJNk1UWTROakUxT1Rrek1Td2libUptSWpveE5qYzRNemd6T1RNeExDSnBjM01pT2lKb2RIUndPaTh2ZDJseVpTNWpiMjA2TWpNMk5Ua3ZJaXdpYzNWaUlqb2lhVzA2ZDJseVpXRndjRDFPUjFab1RYcENhazVFU1hkYVZFVXlUa2RTYWxwWFJYaFpla1pyVFhwTmQwMVhXWGhOVjFsNlRVZFZMMlV5T0daaE5XSTNObUkzTXpGaU0wQjNhWEpsTG1OdmJTSXNJbUYxWkNJNkltaDBkSEE2THk5M2FYSmxMbU52YlRveU16WTFPUzhpTENKcWRHa2lPaUpoTkdObFpqQXhaUzAwWVdNMExUUmpZMlF0T1RBM01DMHdaRGc1TlRNd01qWTVaVFlpTENKdWIyNWpaU0k2SWxaclZrWmFNVUl3VTJ4d01tVkdhRVpYVlRSM1ZsaGFkVTFHUW5SWGEzaDNWRlJzWVZrd1ZreFBSekFpTENKamFHRnNJam9pUWxwVFNUVklja05VTkRCYVFWb3lTbUo0UlRGc2QwcFllSGRRVjAxVWFEa2lMQ0pqYm1ZaU9uc2lhMmxrSWpvaUxVeDVlRzF2Um5CalIwMXlaekpPTUhkeVRWQlRkVzlMZEZka1FrZFVlV3hRVm1VMVkzcEhPR1ZuY3lKOUxDSndjbTl2WmlJNkltVjVTbWhpUjJOcFQybEtSbHBGVWxSUlUwbHpTVzVTTldORFNUWkpiVkozWWpOQmNtRnVaREJKYVhkcFlXNWtja2xxY0RkSmJYUXdaVk5KTmtsck9VeFZRMGx6U1cxT2VXUnBTVFpKYTFaclRXcFZNVTFVYTJsTVEwbzBTV3B2YVdWWWFEVlRNVnBXWkZWR2RXVnRTVFZhYmxaWlRVVndkbVJXV2xwbFJWcDBWa1YwTUdOdVNsVmpNVmw2VW01R1FscEdXa0pUUjA1UVdYbEtPV1pSTG1WNVNuQlpXRkZwVDJwRk1rNTZaM3BQUkUwMVRYcEZjMGx0VmpSalEwazJUVlJaTTA5RVVUTk5SRTE2VFZOM2FXSnRTbTFKYW05NFRtcGpORTE2WjNwUFZFMTRURU5LZW1SWFNXbFBhVXB3WWxSd00yRllTbXhaV0VKM1VGVTFTRlp0YUU1bGEwcHhWR3RTU21ReGNGVlNWRXBQVWpGS2NWZHNaRVpsUm13MlVtMTBUbVZyTVROVVZtUmFaVVV4V0ZkWWNFNVNNVlYyV2xSSk5GcHRSVEZaYW1NeVdXcGplazFYU1hwUlNHUndZMjFWZFZreU9YUkphWGRwWVc1U2NFbHFiMmxaVkVFelQxUmthVnBIV1hST01ra3dUbmt3TUU5WFJURk1WMHBzV1ZSVmRFNVhUWHBOUjFsNlQxUnJlazE2UVROSmFYZHBZbTA1ZFZreVZXbFBhVXBYWVRGYVIxZHFSa05OUms1elkwUktiRkp0YUVkV01WVXdaREZhV1ZkdVZrNVNhMG93VmpKME5HUXhVbFZpUjBaYVRVWmFUVlF3WTNkSmFYZHBZVWhTZEVscWIybFZSVGxVVmtOSmMwbHRhREJrVTBrMlNXMW9NR1JJUVRaTWVUa3pZVmhLYkV4dFRuWmlWRzk1VFhwWk1VOVRPR2xNUTBwcVlVZEdjMGxxYjJsUmJIQlVVMVJXU1dOclRsVk9SRUpoVVZadmVWTnRTalJTVkVaelpEQndXV1ZJWkZGV01ERlZZVVJyYVdaUkxuTkhjMUI2YURsMGJHSnlOa054V1VsTlYyTXRMVkp1WTA4NVpUVmtlVVJCTkd3NFdIUmZRMDFrWTNsVU9FUllWa2hKVEZST1JYTlZSVkF5T0c4eFFuZGpVRFV6U2xwWFkyMVRWbWxvWW1RNFEyaFJjME4zSWl3aVkyeHBaVzUwWDJsa0lqb2lhVzA2ZDJseVpXRndjRDFPUjFab1RYcENhazVFU1hkYVZFVXlUa2RTYWxwWFJYaFpla1pyVFhwTmQwMVhXWGhOVjFsNlRVZFZMMlV5T0daaE5XSTNObUkzTXpGaU0wQjNhWEpsTG1OdmJTSXNJbUZ3YVY5MlpYSnphVzl1SWpvekxDSnpZMjl3WlNJNkluZHBjbVZmWTJ4cFpXNTBYMmxrSW4wLnEtQ2REY2NfSnMxWWZVMWczX2Vxc2Y4RThnUjZndExTU0d1ckhKZHVvRGZBOWEwUkJNWmt0WWlrRDF2US04OVgzT3QzUTF5bUVEQURlVzNzVGNJLUFRIn0",
-  "signature": "xLFkSS_xmKqUV8aAqn3UwnX-DgUXfCm71UCBXsyoN-rjG5OASJ7WHGOLys37CZlcxNsLmJuedpFeghfTpjGeCA"
+  "protected": "eyJhbGciOiJFZERTQSIsImtpZCI6Imh0dHBzOi8vc3RlcGNhOjU2MTc0L2FjbWUvd2lyZS9hY2NvdW50LzFwYWpYY21NMFEycEdsdk51WU1WRGZBcktLWEU0UjhrIiwidHlwIjoiSldUIiwibm9uY2UiOiJZM2xIYlRWd1QyVkhZMDR6ZFRaRWJYZFRZV2hRUVZJMmIwdHVUMFkwV2xrIiwidXJsIjoiaHR0cHM6Ly9zdGVwY2E6NTYxNzQvYWNtZS93aXJlL2NoYWxsZW5nZS92NHhiREpOTmtvam5pTThQaUtMOUJ6cEd0VlpNdDFnRC9IaEZ1Zm56Zkw5YWJ6SnpwVU5lYmxRR3RoRWNyYWM5SiJ9",
+  "payload": "eyJhY2Nlc3NfdG9rZW4iOiJleUpoYkdjaU9pSkZaRVJUUVNJc0luUjVjQ0k2SW1GMEsycDNkQ0lzSW1wM2F5STZleUpyZEhraU9pSlBTMUFpTENKamNuWWlPaUpGWkRJMU5URTVJaXdpZUNJNkluaFlNMUpDTkRGcFRVMUZNRUozZFd0RU5XUkhia0ZvYzFOblYwOWZkRVZaU2tSd2VqZFdVMkV0TTJjaWZYMC5leUpwWVhRaU9qRTJOemcwTlRnek16QXNJbVY0Y0NJNk1UWTROakl6TkRNek1Dd2libUptSWpveE5qYzRORFU0TXpNd0xDSnBjM01pT2lKb2RIUndPaTh2ZDJseVpTNWpiMjA2TWpJd05Ua3ZJaXdpYzNWaUlqb2lhVzA2ZDJseVpXRndjRDFPVkZreFQwUkplRnBFVFRKT1ZFVXlUa1JKTWs5SFJtdFBWMUV3VG5wV2FrMHlWVEZOUjFrelQxZEZMelJqTjJabE9EZzVNalZoWmpjd05tSkFkMmx5WlM1amIyMGlMQ0poZFdRaU9pSm9kSFJ3T2k4dmQybHlaUzVqYjIwNk1qSXdOVGt2SWl3aWFuUnBJam9pTWpNeE9XRmlPRGt0WlRWa01TMDBNekF4TFdKbE1XTXRNMkZpTmpGaE5HSXdNekkzSWl3aWJtOXVZMlVpT2lKVE1ERk5XbTA1UmxONmEzbFhiRnA0VFVWa1QyRjZUWGhOYmxaYVVUSTFTVkV5TlVwaVZuQnBWVlJCSWl3aVkyaGhiQ0k2SWt0cGFVSldNakZsTUZKeGRIRnhaMnBXZEV0WFUxSktTMGRxVVZwS2RtdHhJaXdpWTI1bUlqcDdJbXRwWkNJNkltOWhSVTlYZGpWSGRUQlVURlJ3UkRWeVVteG9PRGMyVEdGck5FMHlXRkZoTWpZelYzRkhTVkJrWDFraWZTd2ljSEp2YjJZaU9pSmxlVXBvWWtkamFVOXBTa1phUlZKVVVWTkpjMGx1VWpWalEwazJTVzFTZDJJelFYSmhibVF3U1dsM2FXRnVaSEpKYW5BM1NXMTBNR1ZUU1RaSmF6bE1WVU5KYzBsdFRubGthVWsyU1d0V2EwMXFWVEZOVkd0cFRFTktORWxxYjJsT01qVlJVbFpSTlU0d1drSlVSbHBDV1d0NFRXSkVTa0phUmtveVZUSjNlR0p1Y0hwU2FrWlBVMVZPU0dWSVozUlJWVkV6WTFSU1JHTjVTamxtVVM1bGVVcHdXVmhSYVU5cVJUSk9lbWN3VGxSbmVrMTZRWE5KYlZZMFkwTkpOazFVV1ROUFJGVXdUa1JqZWsxRGQybGliVXB0U1dwdmVFNXFZelJPUkZVMFRYcE5kMHhEU25wa1YwbHBUMmxLY0dKVWNETmhXRXBzV1ZoQ2QxQlZOVlZYVkVaUVVrVnNORmRyVWs1TmF6VlZVbFJLVDFKRmEzbFVNR1JIWVRBNVdGVlVRazlsYkZweFZGUktWazFWTVVoWFZFNVFWakJWZGs1SFRUTmFiVlUwVDBScmVVNVhSbTFPZWtFeVdXdENNMkZZU214TWJVNTJZbE5KYzBsdGNEQmhVMGsyU1dwTk5FNVhSWGxOUkdNMVRGUmtiRnBFUVhST1JGbDVUVk14YUZreVJYZE1WMWt3VGpKSmVrNVVXVEJQUjFKclQwTkpjMGx0TlhaaWJVNXNTV3B2YVZWNlFYaFVWbkIwVDFWYVZHVnRkRFZXTW5oaFpVVXhSbHBGT1dobGF6RTBWRmMxVjFkc1JYbE9WV3hTVFdwV1MxbHNXbmRoVmxaVlVWTkpjMGx0YURCaVUwazJTV3hDVUZVeFVXbE1RMHB2WkVoVmFVOXBTbTlrU0ZKM1QyazRkbVF5YkhsYVV6VnFZakl3TmsxcVNYZE9WR3QyU1dsM2FWa3lhR2hpUTBrMlNXdDBjR0ZWU2xkTmFrWnNUVVpLZUdSSVJuaGFNbkJYWkVWMFdGVXhTa3RUTUdSeFZWWndTMlJ0ZEhoSmJqQXVORzFOUjI5alV6aGxTMHBOTVY5S1JuQXdOa1o1Y2pobmNUUkpVRFJJYnpFNFZIWTVhM05vUzBnMUxXWkxPRVJaU1VSTFdVeHNRVkZmTlVVeWNYQm5iamx4UkU4d1NXMWhObVZ6VTNnd1JFdFlVRTFDUkdjaUxDSmpiR2xsYm5SZmFXUWlPaUpwYlRwM2FYSmxZWEJ3UFU1VVdURlBSRWw0V2tSTk1rNVVSVEpPUkVreVQwZEdhMDlYVVRCT2VsWnFUVEpWTVUxSFdUTlBWMFV2TkdNM1ptVTRPRGt5TldGbU56QTJZa0IzYVhKbExtTnZiU0lzSW1Gd2FWOTJaWEp6YVc5dUlqb3pMQ0p6WTI5d1pTSTZJbmRwY21WZlkyeHBaVzUwWDJsa0luMC5VUGFRY3NQTndheHBHU19lT3QtTk1PamxVa05pTDA1THNocjVOR2dYbW1rc1FvWXNncTVVWDZUUUc2VVBITnJ2NzhiMWpmSWZ4Y0xiMFUzN0JhUkFDQSJ9",
+  "signature": "BD0vDPvaulMwUcbp99MUduvHcuJM0q6w-aJJ0s0gWSAu_G8j2zZxPQVhSDnmxG-LI5BXFnZxTOnCVv15-orNDA"
 }
 ```
 ```json
 {
   "protected": {
     "alg": "EdDSA",
-    "kid": "https://stepca:55834/acme/wire/account/M9tVubnIBqarkKabBABx7PMSB8pKNCau",
+    "kid": "https://stepca:56174/acme/wire/account/1pajXcmM0Q2pGlvNuYMVDfArKKXE4R8k",
     "typ": "JWT",
-    "nonce": "NU5hMlFtSmd1T0t2M2lmM2htQjJsOVBBSnBqQ2l6eUk",
-    "url": "https://stepca:55834/acme/wire/challenge/N7kIofylgL53ediczRqyQ0YFGZ3HkoX9/0H2Qr2LfBEj0SCIycIYtWJLyTcY5U4AW"
+    "nonce": "Y3lHbTVwT2VHY04zdTZEbXdTYWhQQVI2b0tuT0Y0Wlk",
+    "url": "https://stepca:56174/acme/wire/challenge/v4xbDJNNkojniM8PiKL9BzpGtVZMt1gD/HhFufnzfL9abzJzpUNeblQGthEcrac9J"
   },
   "payload": {
-    "access_token": "eyJhbGciOiJFZERTQSIsInR5cCI6ImF0K2p3dCIsImp3ayI6eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5IiwieCI6InRJVlV4Q0hqSnFCOGpQdFpHSXRVQzZKNV9pVjY5U0pmWktEcVlBN2ZFZUkifX0.eyJpYXQiOjE2NzgzODM5MzEsImV4cCI6MTY4NjE1OTkzMSwibmJmIjoxNjc4MzgzOTMxLCJpc3MiOiJodHRwOi8vd2lyZS5jb206MjM2NTkvIiwic3ViIjoiaW06d2lyZWFwcD1OR1ZoTXpCak5ESXdaVEUyTkdSalpXRXhZekZrTXpNd01XWXhNV1l6TUdVL2UyOGZhNWI3NmI3MzFiM0B3aXJlLmNvbSIsImF1ZCI6Imh0dHA6Ly93aXJlLmNvbToyMzY1OS8iLCJqdGkiOiJhNGNlZjAxZS00YWM0LTRjY2QtOTA3MC0wZDg5NTMwMjY5ZTYiLCJub25jZSI6IlZrVkZaMUIwU2xwMmVGaEZXVTR3VlhadU1GQnRXa3h3VFRsYVkwVkxPRzAiLCJjaGFsIjoiQlpTSTVIckNUNDBaQVoySmJ4RTFsd0pYeHdQV01UaDkiLCJjbmYiOnsia2lkIjoiLUx5eG1vRnBjR01yZzJOMHdyTVBTdW9LdFdkQkdUeWxQVmU1Y3pHOGVncyJ9LCJwcm9vZiI6ImV5SmhiR2NpT2lKRlpFUlRRU0lzSW5SNWNDSTZJbVJ3YjNBcmFuZDBJaXdpYW5kcklqcDdJbXQwZVNJNklrOUxVQ0lzSW1OeWRpSTZJa1ZrTWpVMU1Ua2lMQ0o0SWpvaWVYaDVTMVpWZFVGdWVtSTVablZZTUVwdmRWWlplRVp0VkV0MGNuSlVjMVl6Um5GQlpGWkJTR05QWXlKOWZRLmV5SnBZWFFpT2pFMk56Z3pPRE01TXpFc0ltVjRjQ0k2TVRZM09EUTNNRE16TVN3aWJtSm1Jam94TmpjNE16Z3pPVE14TENKemRXSWlPaUpwYlRwM2FYSmxZWEJ3UFU1SFZtaE5la0pxVGtSSmQxcFVSVEpPUjFKcVdsZEZlRmw2Um10TmVrMTNUVmRaZUUxWFdYcE5SMVV2WlRJNFptRTFZamMyWWpjek1XSXpRSGRwY21VdVkyOXRJaXdpYW5ScElqb2lZVEEzT1RkaVpHWXROMkkwTnkwME9XRTFMV0psWVRVdE5XTXpNR1l6T1Rrek16QTNJaXdpYm05dVkyVWlPaUpXYTFaR1dqRkNNRk5zY0RKbFJtaEdWMVUwZDFaWVduVk5Sa0owVjJ0NGQxUlViR0ZaTUZaTVQwY3dJaXdpYUhSdElqb2lVRTlUVkNJc0ltaDBkU0k2SW1oMGRIQTZMeTkzYVhKbExtTnZiVG95TXpZMU9TOGlMQ0pqYUdGc0lqb2lRbHBUU1RWSWNrTlVOREJhUVZveVNtSjRSVEZzZDBwWWVIZFFWMDFVYURraWZRLnNHc1B6aDl0bGJyNkNxWUlNV2MtLVJuY085ZTVkeURBNGw4WHRfQ01kY3lUOERYVkhJTFRORXNVRVAyOG8xQndjUDUzSlpXY21TVmloYmQ4Q2hRc0N3IiwiY2xpZW50X2lkIjoiaW06d2lyZWFwcD1OR1ZoTXpCak5ESXdaVEUyTkdSalpXRXhZekZrTXpNd01XWXhNV1l6TUdVL2UyOGZhNWI3NmI3MzFiM0B3aXJlLmNvbSIsImFwaV92ZXJzaW9uIjozLCJzY29wZSI6IndpcmVfY2xpZW50X2lkIn0.q-CdDcc_Js1YfU1g3_eqsf8E8gR6gtLSSGurHJduoDfA9a0RBMZktYikD1vQ-89X3Ot3Q1ymEDADeW3sTcI-AQ"
+    "access_token": "eyJhbGciOiJFZERTQSIsInR5cCI6ImF0K2p3dCIsImp3ayI6eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5IiwieCI6InhYM1JCNDFpTU1FMEJ3dWtENWRHbkFoc1NnV09fdEVZSkRwejdWU2EtM2cifX0.eyJpYXQiOjE2Nzg0NTgzMzAsImV4cCI6MTY4NjIzNDMzMCwibmJmIjoxNjc4NDU4MzMwLCJpc3MiOiJodHRwOi8vd2lyZS5jb206MjIwNTkvIiwic3ViIjoiaW06d2lyZWFwcD1OVFkxT0RJeFpETTJOVEUyTkRJMk9HRmtPV1EwTnpWak0yVTFNR1kzT1dFLzRjN2ZlODg5MjVhZjcwNmJAd2lyZS5jb20iLCJhdWQiOiJodHRwOi8vd2lyZS5jb206MjIwNTkvIiwianRpIjoiMjMxOWFiODktZTVkMS00MzAxLWJlMWMtM2FiNjFhNGIwMzI3Iiwibm9uY2UiOiJTMDFNWm05RlN6a3lXbFp4TUVkT2F6TXhNblZaUTI1SVEyNUpiVnBpVVRBIiwiY2hhbCI6IktpaUJWMjFlMFJxdHFxZ2pWdEtXU1JKS0dqUVpKdmtxIiwiY25mIjp7ImtpZCI6Im9hRU9XdjVHdTBUTFRwRDVyUmxoODc2TGFrNE0yWFFhMjYzV3FHSVBkX1kifSwicHJvb2YiOiJleUpoYkdjaU9pSkZaRVJUUVNJc0luUjVjQ0k2SW1Sd2IzQXJhbmQwSWl3aWFuZHJJanA3SW10MGVTSTZJazlMVUNJc0ltTnlkaUk2SWtWa01qVTFNVGtpTENKNElqb2lOMjVRUlZRNU4wWkJURlpCWWt4TWJESkJaRkoyVTJ3eGJucHpSakZPU1VOSGVIZ3RRVVEzY1RSRGN5SjlmUS5leUpwWVhRaU9qRTJOemcwTlRnek16QXNJbVY0Y0NJNk1UWTNPRFUwTkRjek1Dd2libUptSWpveE5qYzRORFU0TXpNd0xDSnpkV0lpT2lKcGJUcDNhWEpsWVhCd1BVNVVXVEZQUkVsNFdrUk5NazVVUlRKT1JFa3lUMGRHYTA5WFVUQk9lbFpxVFRKVk1VMUhXVE5QVjBVdk5HTTNabVU0T0RreU5XRm1OekEyWWtCM2FYSmxMbU52YlNJc0ltcDBhU0k2SWpNNE5XRXlNRGM1TFRkbFpEQXRORFl5TVMxaFkyRXdMV1kwTjJJek5UWTBPR1JrT0NJc0ltNXZibU5sSWpvaVV6QXhUVnB0T1VaVGVtdDVWMnhhZUUxRlpFOWhlazE0VFc1V1dsRXlOVWxSTWpWS1lsWndhVlZVUVNJc0ltaDBiU0k2SWxCUFUxUWlMQ0pvZEhVaU9pSm9kSFJ3T2k4dmQybHlaUzVqYjIwNk1qSXdOVGt2SWl3aVkyaGhiQ0k2SWt0cGFVSldNakZsTUZKeGRIRnhaMnBXZEV0WFUxSktTMGRxVVZwS2RtdHhJbjAuNG1NR29jUzhlS0pNMV9KRnAwNkZ5cjhncTRJUDRIbzE4VHY5a3NoS0g1LWZLOERZSURLWUxsQVFfNUUycXBnbjlxRE8wSW1hNmVzU3gwREtYUE1CRGciLCJjbGllbnRfaWQiOiJpbTp3aXJlYXBwPU5UWTFPREl4WkRNMk5URTJOREkyT0dGa09XUTBOelZqTTJVMU1HWTNPV0UvNGM3ZmU4ODkyNWFmNzA2YkB3aXJlLmNvbSIsImFwaV92ZXJzaW9uIjozLCJzY29wZSI6IndpcmVfY2xpZW50X2lkIn0.UPaQcsPNwaxpGS_eOt-NMOjlUkNiL05Lshr5NGgXmmksQoYsgq5UX6TQG6UPHNrv78b1jfIfxcLb0U37BaRACA"
   }
 }
 ```
@@ -463,17 +463,17 @@ content-type: application/jose+json
 200
 cache-control: no-store
 content-type: application/json
-link: <https://stepca:55834/acme/wire/directory>;rel="index"
-link: <https://stepca:55834/acme/wire/authz/N7kIofylgL53ediczRqyQ0YFGZ3HkoX9>;rel="up"
-location: https://stepca:55834/acme/wire/challenge/N7kIofylgL53ediczRqyQ0YFGZ3HkoX9/0H2Qr2LfBEj0SCIycIYtWJLyTcY5U4AW
-replay-nonce: S2dhUzBrcE82VXVVSHgwREUyVWxhV3BJbTlQZkR4YjY
+link: <https://stepca:56174/acme/wire/directory>;rel="index"
+link: <https://stepca:56174/acme/wire/authz/v4xbDJNNkojniM8PiKL9BzpGtVZMt1gD>;rel="up"
+location: https://stepca:56174/acme/wire/challenge/v4xbDJNNkojniM8PiKL9BzpGtVZMt1gD/HhFufnzfL9abzJzpUNeblQGthEcrac9J
+replay-nonce: aXR5S1dSNE02QU5jVUJqbjBmckRPdTB5QzBmbUZiMk8
 ```
 ```json
 {
   "type": "wire-dpop-01",
-  "url": "https://stepca:55834/acme/wire/challenge/N7kIofylgL53ediczRqyQ0YFGZ3HkoX9/0H2Qr2LfBEj0SCIycIYtWJLyTcY5U4AW",
+  "url": "https://stepca:56174/acme/wire/challenge/v4xbDJNNkojniM8PiKL9BzpGtVZMt1gD/HhFufnzfL9abzJzpUNeblQGthEcrac9J",
   "status": "valid",
-  "token": "BZSI5HrCT40ZAZ2JbxE1lwJXxwPWMTh9"
+  "token": "KiiBV21e0RqtqqgjVtKWSRJKGjQZJvkq"
 }
 ```
 ### Authenticate end user using Open ID Connect implicit flow
@@ -481,26 +481,26 @@ replay-nonce: S2dhUzBrcE82VXVVSHgwREUyVWxhV3BJbTlQZkR4YjY
 ```http request
 GET http://wire.com/login
 accept: */*
-host: wire.com:23659
+host: wire.com:22059
 ```
 #### 19. Resource server generates Verifier & Challenge Codes
 
 ```text
-code_verifier=cChEbFe3I98pUmxJU5mz16s0mZ9XKY9IDhRYla-k-0s&code_challenge=5o2QYx0Iqb8tXXMJ0yFiH4bnpqIB98dzaZwy3laTl-4
+code_verifier=B3_EoPiu80bdkKM-xaG7y8uulHHGUlK4j4baZTir-TE&code_challenge=Qd08I3QywmT-hymmgKvNgv11tW3eaNXBq-zVJ5IdwEQ
 ```
 #### 20. Resource server calls authorize url
 ```http request
-GET http://dex:19864/dex/auth?response_type=code&client_id=wireapp&state=0Gn02_jFb14BSXvgq7YukQ&code_challenge=5o2QYx0Iqb8tXXMJ0yFiH4bnpqIB98dzaZwy3laTl-4&code_challenge_method=S256&redirect_uri=http%3A%2F%2Fwire.com%3A23659%2Fcallback&scope=openid+profile&nonce=TR4lljTcDGgbie1j5ZvE3g
+GET http://dex:18165/dex/auth?response_type=code&client_id=wireapp&state=bzr-5Kp9OmXvwb2ZFbRzUw&code_challenge=Qd08I3QywmT-hymmgKvNgv11tW3eaNXBq-zVJ5IdwEQ&code_challenge_method=S256&redirect_uri=http%3A%2F%2Fwire.com%3A22059%2Fcallback&scope=openid+profile&nonce=fyH6ZnfiJyPvxPoLXRjmdg
 ```
 #### 21. Authorization server redirects to login prompt
 
 
 ```text
-200 http://dex:19864/dex/auth/ldap/login?back=&state=g423eydcckmqu646op6pmebb2
+200 http://dex:18165/dex/auth/ldap/login?back=&state=huekzfdrooccycexo42p65p43
 {
+    "date": "Fri, 10 Mar 2023 14:25:30 GMT",
     "content-type": "text/html",
     "content-length": "1525",
-    "date": "Thu, 09 Mar 2023 17:45:31 GMT",
 }
 ```
 
@@ -532,7 +532,7 @@ GET http://dex:19864/dex/auth?response_type=code&client_id=wireapp&state=0Gn02_j
 
 <div class="theme-panel">
   <h2 class="theme-heading">Log in to Your Account</h2>
-  <form method="post" action="/dex/auth/ldap/login?back=&amp;state=g423eydcckmqu646op6pmebb2">
+  <form method="post" action="/dex/auth/ldap/login?back=&amp;state=huekzfdrooccycexo42p65p43">
     <div class="theme-form-row">
       <div class="theme-form-label">
         <label for="userid">Email Address</label>
@@ -566,19 +566,19 @@ GET http://dex:19864/dex/auth?response_type=code&client_id=wireapp&state=0Gn02_j
 
 #### 22. Client submits the login form
 ```http request
-POST http://dex:19864/dex/auth/ldap/login?back=&state=g423eydcckmqu646op6pmebb2
+POST http://dex:18165/dex/auth/ldap/login?back=&state=huekzfdrooccycexo42p65p43
 content-type: application/x-www-form-urlencoded
 ```
 ```text
-login=alicesmith%40wire.com&password=foo
+password=foo&login=alicesmith%40wire.com
 ```
 #### 23. (Optional) Authorization server presents consent form to client
 
 
 ```text
-200 http://dex:19864/dex/approval?req=g423eydcckmqu646op6pmebb2&hmac=_CA4V5bc8qJ63UQGdhuIDbZDcVJ8-tw62YGfy10zsPs
+200 http://dex:18165/dex/approval?req=huekzfdrooccycexo42p65p43&hmac=T66PQEH6RPhMF6G5gieief8UXHH6sGT5uw_Anekthck
 {
-    "date": "Thu, 09 Mar 2023 17:45:31 GMT",
+    "date": "Fri, 10 Mar 2023 14:25:31 GMT",
     "content-length": "1713",
     "content-type": "text/html",
 }
@@ -629,7 +629,7 @@ login=alicesmith%40wire.com&password=foo
   <div>
     <div class="theme-form-row">
       <form method="post">
-        <input type="hidden" name="req" value="g423eydcckmqu646op6pmebb2"/>
+        <input type="hidden" name="req" value="huekzfdrooccycexo42p65p43"/>
         <input type="hidden" name="approval" value="approve">
         <button type="submit" class="dex-btn theme-btn--success">
             <span class="dex-btn-text">Grant Access</span>
@@ -638,7 +638,7 @@ login=alicesmith%40wire.com&password=foo
     </div>
     <div class="theme-form-row">
       <form method="post">
-        <input type="hidden" name="req" value="g423eydcckmqu646op6pmebb2"/>
+        <input type="hidden" name="req" value="huekzfdrooccycexo42p65p43"/>
         <input type="hidden" name="approval" value="rejected">
         <button type="submit" class="dex-btn theme-btn-provider">
             <span class="dex-btn-text">Cancel</span>
@@ -661,73 +661,73 @@ login=alicesmith%40wire.com&password=foo
 
 #### 24. Client submits consent form
 ```http request
-POST http://dex:19864/dex/approval?req=g423eydcckmqu646op6pmebb2&hmac=_CA4V5bc8qJ63UQGdhuIDbZDcVJ8-tw62YGfy10zsPs
+POST http://dex:18165/dex/approval?req=huekzfdrooccycexo42p65p43&hmac=T66PQEH6RPhMF6G5gieief8UXHH6sGT5uw_Anekthck
 content-type: application/x-www-form-urlencoded
 ```
 ```text
-req=g423eydcckmqu646op6pmebb2&approval=approve
+approval=approve&req=huekzfdrooccycexo42p65p43
 ```
 #### 25. Authorization server calls callback url with authorization code
 ```http request
 GET http://wire.com/callback
 accept: */*
-referer: http://dex:19864/dex/approval?req=g423eydcckmqu646op6pmebb2&hmac=_CA4V5bc8qJ63UQGdhuIDbZDcVJ8-tw62YGfy10zsPs
-host: wire.com:23659
+referer: http://dex:18165/dex/approval?req=huekzfdrooccycexo42p65p43&hmac=T66PQEH6RPhMF6G5gieief8UXHH6sGT5uw_Anekthck
+host: wire.com:22059
 ```
 #### 26. Resource server call /oauth/token to get Id token
 ```http request
-POST http://dex:19864/dex/token
+POST http://dex:18165/dex/token
 accept: application/json
 content-type: application/x-www-form-urlencoded
-authorization: Basic d2lyZWFwcDpTMGRUZEZoNVozRlFOMVZsYmpWaGRqRnRWM014WW1Wdw==
+authorization: Basic d2lyZWFwcDpUbFpFY3pGMFlWRnBRVFpCV0hsV2EzbEplRWRhT1ZOWQ==
 ```
 ```text
-grant_type=authorization_code&code=mj3bspx46xqccscxrgz4ma55a&code_verifier=cChEbFe3I98pUmxJU5mz16s0mZ9XKY9IDhRYla-k-0s&redirect_uri=http%3A%2F%2Fwire.com%3A23659%2Fcallback
+grant_type=authorization_code&code=exevplhvka4vng5vvdw7dzobj&code_verifier=B3_EoPiu80bdkKM-xaG7y8uulHHGUlK4j4baZTir-TE&redirect_uri=http%3A%2F%2Fwire.com%3A22059%2Fcallback
 ```
 #### 27. Authorization server validates Verifier & Challenge Codes
 
 ```text
-code_verifier=cChEbFe3I98pUmxJU5mz16s0mZ9XKY9IDhRYla-k-0s&code_challenge=5o2QYx0Iqb8tXXMJ0yFiH4bnpqIB98dzaZwy3laTl-4
+code_verifier=B3_EoPiu80bdkKM-xaG7y8uulHHGUlK4j4baZTir-TE&code_challenge=Qd08I3QywmT-hymmgKvNgv11tW3eaNXBq-zVJ5IdwEQ
 ```
 #### 28. Authorization server returns Access & Id token
 
 ```text
 {
-  "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjU5MGJlMzQ1MWMzYTYxMTgwMDU1ODE0ZWU2ZDZjNTVjZWZkMDk3NGYifQ.eyJpc3MiOiJodHRwOi8vZGV4OjE5ODY0L2RleCIsInN1YiI6IkNrOXBiVHAzYVhKbFlYQndQVTVIVm1oTmVrSnFUa1JKZDFwVVJUSk9SMUpxV2xkRmVGbDZSbXROZWsxM1RWZFplRTFYV1hwTlIxVXZaVEk0Wm1FMVlqYzJZamN6TVdJelFIZHBjbVV1WTI5dEVnUnNaR0Z3IiwiYXVkIjoid2lyZWFwcCIsImV4cCI6MTY3ODQ3MDMzMSwiaWF0IjoxNjc4MzgzOTMxLCJub25jZSI6IlRSNGxsalRjREdnYmllMWo1WnZFM2ciLCJhdF9oYXNoIjoiRnBjNW5NdlI1UVR3eVR3WXRKTEdyUSIsIm5hbWUiOiJpbTp3aXJlYXBwPWFsaWNlLnNtaXRoLnFhQHdpcmUuY29tIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiU21pdGgsIEFsaWNlIE0gKFFBKSJ9.BGP1l-Ol9Jlj61-VGQ58y6o-y2C48nLeS7O0dNiT1-PnOnb9cU-KtFBaFj6kC4nVsGi-Cm4HKI2HIrKgaTmG5W4jeZe-kGagMBEhKr1doMXkW7AQdxS4me2zLE4x8-q3jhxZatZLhfEs7j96w4YMfeigB3qGZwOI7Noa4q9xw7_PloYmFUHsIZPkFSfA3ZCWVVZWqnZe94Fqr6FC8wFvycavbWvGSzAcRCGcrbMDjMF424MPZafuLYXW_r_ERwuWyrXYCe51QCrlQVXGg3acRndPYztiBnaKU-fWji2TQnG-k3ER04xw4CCX-Cso6zp57jAQX0Vrbhc2NP75tHnS2A",
+  "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjI0YjhjNmE3NDdlZWZkODhhMTg3NzExNGRjNWVlZmFlNTlmY2QzOGUifQ.eyJpc3MiOiJodHRwOi8vZGV4OjE4MTY1L2RleCIsInN1YiI6IkNsQnBiVHAzYVhKbFlYQndQVTVVV1RGUFJFbDRXa1JOTWs1VVJUSk9SRWt5VDBkR2EwOVhVVEJPZWxacVRUSlZNVTFIV1ROUFYwVXZOR00zWm1VNE9Ea3lOV0ZtTnpBMllrQjNhWEpsTG1OdmJSSUViR1JoY0EiLCJhdWQiOiJ3aXJlYXBwIiwiZXhwIjoxNjc4NTQ0NzMxLCJpYXQiOjE2Nzg0NTgzMzEsIm5vbmNlIjoiZnlINlpuZmlKeVB2eFBvTFhSam1kZyIsImF0X2hhc2giOiI4TEI3S282VHBCNEJsXzNLZWEteTBnIiwibmFtZSI6ImltOndpcmVhcHA9YWxpY2Uuc21pdGgucWFAd2lyZS5jb20iLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJTbWl0aCwgQWxpY2UgTSAoUUEpIn0.VozYP2G3cub9Ebtemr2soq-kNh7cnd1dUUioOACMwq6-xHDtukrumZU3NnBh4Q4EsSLmdu6Wvw255HUS7nXa9hvXjd51Ukqg1yXw_1q77ojHJszooE5iUqfePrKW5fOQMnjrCrp1nZgW5Lmc8h9hEXd7xcvhv5xlIyBgKMVFIwX4R_D8p61gy1rUIk1LS8-Iwv4lzyHt4bLA58TSgKVEzbesjqbNH1sbwCGRshsOmeWwe9m89iqEUU7n-hy6CSzysD6OiWCZA9UQ09WC0v8nswq7Wjff-dvbR2et-Ad372a5ht-lyow-8Wn1O0j3lgQe6Z4qjOohouWJXuDPyLRASA",
   "token_type": "bearer",
   "expires_in": 86399,
-  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjU5MGJlMzQ1MWMzYTYxMTgwMDU1ODE0ZWU2ZDZjNTVjZWZkMDk3NGYifQ.eyJpc3MiOiJodHRwOi8vZGV4OjE5ODY0L2RleCIsInN1YiI6IkNrOXBiVHAzYVhKbFlYQndQVTVIVm1oTmVrSnFUa1JKZDFwVVJUSk9SMUpxV2xkRmVGbDZSbXROZWsxM1RWZFplRTFYV1hwTlIxVXZaVEk0Wm1FMVlqYzJZamN6TVdJelFIZHBjbVV1WTI5dEVnUnNaR0Z3IiwiYXVkIjoid2lyZWFwcCIsImV4cCI6MTY3ODQ3MDMzMSwiaWF0IjoxNjc4MzgzOTMxLCJub25jZSI6IlRSNGxsalRjREdnYmllMWo1WnZFM2ciLCJhdF9oYXNoIjoid2J3dzRBQkJMT0FqQ2VZUUE2R3FWQSIsImNfaGFzaCI6IkQ3WTBiX3QxVEx5XzIwLXlLSHZ6OUEiLCJuYW1lIjoiaW06d2lyZWFwcD1hbGljZS5zbWl0aC5xYUB3aXJlLmNvbSIsInByZWZlcnJlZF91c2VybmFtZSI6IlNtaXRoLCBBbGljZSBNIChRQSkifQ.slayWNQdWMISxWpcNefdbWsV2SDYPvGi47bADwu9kTYk59gwLOBUL5N6Qr0hnPrstFxLwo3Tr5qNROMaGwnNeGRSg9nFMO6B_ke5lUbyB4I9W6spmnL0_XMnjvDqEH1pG88vQ9B2IiuSIvIGUOW9S5WS2Y0vT6jPc3p7zUZuRQf5hqMXCzN1aFgG9tjhp0Fck321y6a7k-LCAg1oDc5yrth3egcRuicz6VCF0u9wKc1K9fij5NfpJkQTyO_a4iLpkoWVAN2jU1Uppl88yG7OZpIRuG4WYtLKuXqZ13SUpCFd52i_46d-GwkdzS4g-mpdDwHifuqflguKoaOu8y5TYA"
+  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjI0YjhjNmE3NDdlZWZkODhhMTg3NzExNGRjNWVlZmFlNTlmY2QzOGUifQ.eyJpc3MiOiJodHRwOi8vZGV4OjE4MTY1L2RleCIsInN1YiI6IkNsQnBiVHAzYVhKbFlYQndQVTVVV1RGUFJFbDRXa1JOTWs1VVJUSk9SRWt5VDBkR2EwOVhVVEJPZWxacVRUSlZNVTFIV1ROUFYwVXZOR00zWm1VNE9Ea3lOV0ZtTnpBMllrQjNhWEpsTG1OdmJSSUViR1JoY0EiLCJhdWQiOiJ3aXJlYXBwIiwiZXhwIjoxNjc4NTQ0NzMxLCJpYXQiOjE2Nzg0NTgzMzEsIm5vbmNlIjoiZnlINlpuZmlKeVB2eFBvTFhSam1kZyIsImF0X2hhc2giOiJtYmV6dmtOZ1A3cFItYlNkMW50b3VBIiwiY19oYXNoIjoibVRheU1ERTFvTnpmUnN3WVJFM05wZyIsIm5hbWUiOiJpbTp3aXJlYXBwPWFsaWNlLnNtaXRoLnFhQHdpcmUuY29tIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiU21pdGgsIEFsaWNlIE0gKFFBKSJ9.LIUquCfeokMqgoL8AC5q-5NQ4iOfahiIovvx5CkkRwiULnkXYSu5nOEG6zuYkShsW_Ml-3VyQ8AkQCihvcdKvZBiltKZWwS6erEOqtk_Nvd6aLAdcCUGB12JRcPcedoqR1XbMlHENmHCvV0_cqgtANyNOlR14ZVjO1mazWkMEI4D7TVhaR8IuWWsyHhrTatxvUvx1Dk38TJrgyh7nGrj5Tn5SinEHc1YKPZfVBaAaNpIr0RCzV4OfQJzPNNhvoDmA5zGKSgoZNyk1yWvp_vNIMd8MEUamJTyD367IqIrEin1ZCFiJXw1_e1c-5iuWiyVGe0Gl3Ch1s0T73JxtVQn8w"
 }
 ```
 #### 29. Resource server returns Id token to client
 
 ```text
-eyJhbGciOiJSUzI1NiIsImtpZCI6IjU5MGJlMzQ1MWMzYTYxMTgwMDU1ODE0ZWU2ZDZjNTVjZWZkMDk3NGYifQ.eyJpc3MiOiJodHRwOi8vZGV4OjE5ODY0L2RleCIsInN1YiI6IkNrOXBiVHAzYVhKbFlYQndQVTVIVm1oTmVrSnFUa1JKZDFwVVJUSk9SMUpxV2xkRmVGbDZSbXROZWsxM1RWZFplRTFYV1hwTlIxVXZaVEk0Wm1FMVlqYzJZamN6TVdJelFIZHBjbVV1WTI5dEVnUnNaR0Z3IiwiYXVkIjoid2lyZWFwcCIsImV4cCI6MTY3ODQ3MDMzMSwiaWF0IjoxNjc4MzgzOTMxLCJub25jZSI6IlRSNGxsalRjREdnYmllMWo1WnZFM2ciLCJhdF9oYXNoIjoid2J3dzRBQkJMT0FqQ2VZUUE2R3FWQSIsImNfaGFzaCI6IkQ3WTBiX3QxVEx5XzIwLXlLSHZ6OUEiLCJuYW1lIjoiaW06d2lyZWFwcD1hbGljZS5zbWl0aC5xYUB3aXJlLmNvbSIsInByZWZlcnJlZF91c2VybmFtZSI6IlNtaXRoLCBBbGljZSBNIChRQSkifQ.slayWNQdWMISxWpcNefdbWsV2SDYPvGi47bADwu9kTYk59gwLOBUL5N6Qr0hnPrstFxLwo3Tr5qNROMaGwnNeGRSg9nFMO6B_ke5lUbyB4I9W6spmnL0_XMnjvDqEH1pG88vQ9B2IiuSIvIGUOW9S5WS2Y0vT6jPc3p7zUZuRQf5hqMXCzN1aFgG9tjhp0Fck321y6a7k-LCAg1oDc5yrth3egcRuicz6VCF0u9wKc1K9fij5NfpJkQTyO_a4iLpkoWVAN2jU1Uppl88yG7OZpIRuG4WYtLKuXqZ13SUpCFd52i_46d-GwkdzS4g-mpdDwHifuqflguKoaOu8y5TYA
+eyJhbGciOiJSUzI1NiIsImtpZCI6IjI0YjhjNmE3NDdlZWZkODhhMTg3NzExNGRjNWVlZmFlNTlmY2QzOGUifQ.eyJpc3MiOiJodHRwOi8vZGV4OjE4MTY1L2RleCIsInN1YiI6IkNsQnBiVHAzYVhKbFlYQndQVTVVV1RGUFJFbDRXa1JOTWs1VVJUSk9SRWt5VDBkR2EwOVhVVEJPZWxacVRUSlZNVTFIV1ROUFYwVXZOR00zWm1VNE9Ea3lOV0ZtTnpBMllrQjNhWEpsTG1OdmJSSUViR1JoY0EiLCJhdWQiOiJ3aXJlYXBwIiwiZXhwIjoxNjc4NTQ0NzMxLCJpYXQiOjE2Nzg0NTgzMzEsIm5vbmNlIjoiZnlINlpuZmlKeVB2eFBvTFhSam1kZyIsImF0X2hhc2giOiJtYmV6dmtOZ1A3cFItYlNkMW50b3VBIiwiY19oYXNoIjoibVRheU1ERTFvTnpmUnN3WVJFM05wZyIsIm5hbWUiOiJpbTp3aXJlYXBwPWFsaWNlLnNtaXRoLnFhQHdpcmUuY29tIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiU21pdGgsIEFsaWNlIE0gKFFBKSJ9.LIUquCfeokMqgoL8AC5q-5NQ4iOfahiIovvx5CkkRwiULnkXYSu5nOEG6zuYkShsW_Ml-3VyQ8AkQCihvcdKvZBiltKZWwS6erEOqtk_Nvd6aLAdcCUGB12JRcPcedoqR1XbMlHENmHCvV0_cqgtANyNOlR14ZVjO1mazWkMEI4D7TVhaR8IuWWsyHhrTatxvUvx1Dk38TJrgyh7nGrj5Tn5SinEHc1YKPZfVBaAaNpIr0RCzV4OfQJzPNNhvoDmA5zGKSgoZNyk1yWvp_vNIMd8MEUamJTyD367IqIrEin1ZCFiJXw1_e1c-5iuWiyVGe0Gl3Ch1s0T73JxtVQn8w
 ```
 #### 30. validate oidc challenge (userId + displayName)
 
 <details>
 <summary><b>Id token</b></summary>
 
-See it on [jwt.io](https://jwt.io/#id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjU5MGJlMzQ1MWMzYTYxMTgwMDU1ODE0ZWU2ZDZjNTVjZWZkMDk3NGYifQ.eyJpc3MiOiJodHRwOi8vZGV4OjE5ODY0L2RleCIsInN1YiI6IkNrOXBiVHAzYVhKbFlYQndQVTVIVm1oTmVrSnFUa1JKZDFwVVJUSk9SMUpxV2xkRmVGbDZSbXROZWsxM1RWZFplRTFYV1hwTlIxVXZaVEk0Wm1FMVlqYzJZamN6TVdJelFIZHBjbVV1WTI5dEVnUnNaR0Z3IiwiYXVkIjoid2lyZWFwcCIsImV4cCI6MTY3ODQ3MDMzMSwiaWF0IjoxNjc4MzgzOTMxLCJub25jZSI6IlRSNGxsalRjREdnYmllMWo1WnZFM2ciLCJhdF9oYXNoIjoid2J3dzRBQkJMT0FqQ2VZUUE2R3FWQSIsImNfaGFzaCI6IkQ3WTBiX3QxVEx5XzIwLXlLSHZ6OUEiLCJuYW1lIjoiaW06d2lyZWFwcD1hbGljZS5zbWl0aC5xYUB3aXJlLmNvbSIsInByZWZlcnJlZF91c2VybmFtZSI6IlNtaXRoLCBBbGljZSBNIChRQSkifQ.slayWNQdWMISxWpcNefdbWsV2SDYPvGi47bADwu9kTYk59gwLOBUL5N6Qr0hnPrstFxLwo3Tr5qNROMaGwnNeGRSg9nFMO6B_ke5lUbyB4I9W6spmnL0_XMnjvDqEH1pG88vQ9B2IiuSIvIGUOW9S5WS2Y0vT6jPc3p7zUZuRQf5hqMXCzN1aFgG9tjhp0Fck321y6a7k-LCAg1oDc5yrth3egcRuicz6VCF0u9wKc1K9fij5NfpJkQTyO_a4iLpkoWVAN2jU1Uppl88yG7OZpIRuG4WYtLKuXqZ13SUpCFd52i_46d-GwkdzS4g-mpdDwHifuqflguKoaOu8y5TYA)
+See it on [jwt.io](https://jwt.io/#id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjI0YjhjNmE3NDdlZWZkODhhMTg3NzExNGRjNWVlZmFlNTlmY2QzOGUifQ.eyJpc3MiOiJodHRwOi8vZGV4OjE4MTY1L2RleCIsInN1YiI6IkNsQnBiVHAzYVhKbFlYQndQVTVVV1RGUFJFbDRXa1JOTWs1VVJUSk9SRWt5VDBkR2EwOVhVVEJPZWxacVRUSlZNVTFIV1ROUFYwVXZOR00zWm1VNE9Ea3lOV0ZtTnpBMllrQjNhWEpsTG1OdmJSSUViR1JoY0EiLCJhdWQiOiJ3aXJlYXBwIiwiZXhwIjoxNjc4NTQ0NzMxLCJpYXQiOjE2Nzg0NTgzMzEsIm5vbmNlIjoiZnlINlpuZmlKeVB2eFBvTFhSam1kZyIsImF0X2hhc2giOiJtYmV6dmtOZ1A3cFItYlNkMW50b3VBIiwiY19oYXNoIjoibVRheU1ERTFvTnpmUnN3WVJFM05wZyIsIm5hbWUiOiJpbTp3aXJlYXBwPWFsaWNlLnNtaXRoLnFhQHdpcmUuY29tIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiU21pdGgsIEFsaWNlIE0gKFFBKSJ9.LIUquCfeokMqgoL8AC5q-5NQ4iOfahiIovvx5CkkRwiULnkXYSu5nOEG6zuYkShsW_Ml-3VyQ8AkQCihvcdKvZBiltKZWwS6erEOqtk_Nvd6aLAdcCUGB12JRcPcedoqR1XbMlHENmHCvV0_cqgtANyNOlR14ZVjO1mazWkMEI4D7TVhaR8IuWWsyHhrTatxvUvx1Dk38TJrgyh7nGrj5Tn5SinEHc1YKPZfVBaAaNpIr0RCzV4OfQJzPNNhvoDmA5zGKSgoZNyk1yWvp_vNIMd8MEUamJTyD367IqIrEin1ZCFiJXw1_e1c-5iuWiyVGe0Gl3Ch1s0T73JxtVQn8w)
 
 Raw:
 ```text
-eyJhbGciOiJSUzI1NiIsImtpZCI6IjU5MGJlMzQ1MWMzYTYxMTgwMDU1ODE0ZWU2
-ZDZjNTVjZWZkMDk3NGYifQ.eyJpc3MiOiJodHRwOi8vZGV4OjE5ODY0L2RleCIsI
-nN1YiI6IkNrOXBiVHAzYVhKbFlYQndQVTVIVm1oTmVrSnFUa1JKZDFwVVJUSk9SM
-UpxV2xkRmVGbDZSbXROZWsxM1RWZFplRTFYV1hwTlIxVXZaVEk0Wm1FMVlqYzJZa
-mN6TVdJelFIZHBjbVV1WTI5dEVnUnNaR0Z3IiwiYXVkIjoid2lyZWFwcCIsImV4c
-CI6MTY3ODQ3MDMzMSwiaWF0IjoxNjc4MzgzOTMxLCJub25jZSI6IlRSNGxsalRjR
-EdnYmllMWo1WnZFM2ciLCJhdF9oYXNoIjoid2J3dzRBQkJMT0FqQ2VZUUE2R3FWQ
-SIsImNfaGFzaCI6IkQ3WTBiX3QxVEx5XzIwLXlLSHZ6OUEiLCJuYW1lIjoiaW06d
-2lyZWFwcD1hbGljZS5zbWl0aC5xYUB3aXJlLmNvbSIsInByZWZlcnJlZF91c2Vyb
-mFtZSI6IlNtaXRoLCBBbGljZSBNIChRQSkifQ.slayWNQdWMISxWpcNefdbWsV2S
-DYPvGi47bADwu9kTYk59gwLOBUL5N6Qr0hnPrstFxLwo3Tr5qNROMaGwnNeGRSg9
-nFMO6B_ke5lUbyB4I9W6spmnL0_XMnjvDqEH1pG88vQ9B2IiuSIvIGUOW9S5WS2Y
-0vT6jPc3p7zUZuRQf5hqMXCzN1aFgG9tjhp0Fck321y6a7k-LCAg1oDc5yrth3eg
-cRuicz6VCF0u9wKc1K9fij5NfpJkQTyO_a4iLpkoWVAN2jU1Uppl88yG7OZpIRuG
-4WYtLKuXqZ13SUpCFd52i_46d-GwkdzS4g-mpdDwHifuqflguKoaOu8y5TYA
+eyJhbGciOiJSUzI1NiIsImtpZCI6IjI0YjhjNmE3NDdlZWZkODhhMTg3NzExNGRj
+NWVlZmFlNTlmY2QzOGUifQ.eyJpc3MiOiJodHRwOi8vZGV4OjE4MTY1L2RleCIsI
+nN1YiI6IkNsQnBiVHAzYVhKbFlYQndQVTVVV1RGUFJFbDRXa1JOTWs1VVJUSk9SR
+Wt5VDBkR2EwOVhVVEJPZWxacVRUSlZNVTFIV1ROUFYwVXZOR00zWm1VNE9Ea3lOV
+0ZtTnpBMllrQjNhWEpsTG1OdmJSSUViR1JoY0EiLCJhdWQiOiJ3aXJlYXBwIiwiZ
+XhwIjoxNjc4NTQ0NzMxLCJpYXQiOjE2Nzg0NTgzMzEsIm5vbmNlIjoiZnlINlpuZ
+mlKeVB2eFBvTFhSam1kZyIsImF0X2hhc2giOiJtYmV6dmtOZ1A3cFItYlNkMW50b
+3VBIiwiY19oYXNoIjoibVRheU1ERTFvTnpmUnN3WVJFM05wZyIsIm5hbWUiOiJpb
+Tp3aXJlYXBwPWFsaWNlLnNtaXRoLnFhQHdpcmUuY29tIiwicHJlZmVycmVkX3VzZ
+XJuYW1lIjoiU21pdGgsIEFsaWNlIE0gKFFBKSJ9.LIUquCfeokMqgoL8AC5q-5NQ
+4iOfahiIovvx5CkkRwiULnkXYSu5nOEG6zuYkShsW_Ml-3VyQ8AkQCihvcdKvZBi
+ltKZWwS6erEOqtk_Nvd6aLAdcCUGB12JRcPcedoqR1XbMlHENmHCvV0_cqgtANyN
+OlR14ZVjO1mazWkMEI4D7TVhaR8IuWWsyHhrTatxvUvx1Dk38TJrgyh7nGrj5Tn5
+SinEHc1YKPZfVBaAaNpIr0RCzV4OfQJzPNNhvoDmA5zGKSgoZNyk1yWvp_vNIMd8
+MEUamJTyD367IqIrEin1ZCFiJXw1_e1c-5iuWiyVGe0Gl3Ch1s0T73JxtVQn8w
 ```
 
 Decoded:
@@ -735,20 +735,20 @@ Decoded:
 ```json
 {
   "alg": "RS256",
-  "kid": "590be3451c3a61180055814ee6d6c55cefd0974f"
+  "kid": "24b8c6a747eefd88a1877114dc5eefae59fcd38e"
 }
 ```
 
 ```json
 {
-  "iss": "http://dex:19864/dex",
-  "sub": "Ck9pbTp3aXJlYXBwPU5HVmhNekJqTkRJd1pURTJOR1JqWldFeFl6RmtNek13TVdZeE1XWXpNR1UvZTI4ZmE1Yjc2YjczMWIzQHdpcmUuY29tEgRsZGFw",
+  "iss": "http://dex:18165/dex",
+  "sub": "ClBpbTp3aXJlYXBwPU5UWTFPREl4WkRNMk5URTJOREkyT0dGa09XUTBOelZqTTJVMU1HWTNPV0UvNGM3ZmU4ODkyNWFmNzA2YkB3aXJlLmNvbRIEbGRhcA",
   "aud": "wireapp",
-  "exp": 1678470331,
-  "iat": 1678383931,
-  "nonce": "TR4lljTcDGgbie1j5ZvE3g",
-  "at_hash": "wbww4ABBLOAjCeYQA6GqVA",
-  "c_hash": "D7Y0b_t1TLy_20-yKHvz9A",
+  "exp": 1678544731,
+  "iat": 1678458331,
+  "nonce": "fyH6ZnfiJyPvxPoLXRjmdg",
+  "at_hash": "mbezvkNgP7pR-bSd1ntouA",
+  "c_hash": "mTayMDE1oNzfRswYRE3Npg",
   "name": "im:wireapp=alice.smith.qa@wire.com",
   "preferred_username": "Smith, Alice M (QA)"
 }
@@ -758,13 +758,13 @@ Decoded:
 ✅ Signature Verified with key:
 ```text
 -----BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtuFjEQ9j4p3lIKvEvpgK
-2wVmJ0FzFy5pKUUNgtyNu5M5yvDRf8iNdlkq1Sqq/Zrnnnaoe5T/Um/Or5eePRh9
-pdCTrcv9iP4UtKXZBuK9nofxtVP/RuZ/sFn0+FF4Oaijvf5LUmcvG0BfXVqyyPQP
-hPvDclKxYbt7lrjIfU8dKmXEWDlIMNoK334sRS+nPnnFpzq5iVX4WnPvMCmskLB/
-8OSO69fCBS5ERLCZmbNWKpEFiPYfPQwLap/aJJoDueklUM2V9KILR71TI3wPqsXs
-tYBBxOfn8SwWklFmb0NLAkkqdkrUHQSNb9PLVPncjcpCISrzeTvI1+3M3Aari1e+
-nQIDAQAB
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1rWQQAvuiah87LOEqUGe
+i9jDxL+EzkkrkH0DFnaSXkyfB97nV4GtTwmC5cPkZwAG/3OWqEzlOoxKMvjLbHQz
+AaC1n6ZpOxpIlok03oIxsFsPbdmOYCYWQm04iaKLqw/xHirCYNHAsZOe8ku7pEvq
+1BFEDBvGvHH9wD0FEcEznN3WRenu3GmNzSTXlQq942AjCzP6KLLGoyR31P1I70uu
+NZgKXSx+b8ZzkCm6+xtFTcKqWflowyKmZ0bpCpdHeoHhw2/H613PRmbuC39PjmUA
+uBkrwNDp2c57dXGfRXtqXbCb6/qGXD1Q11hnnH+7cR6FnjrlMTmjM95cSKk5puC7
+dwIDAQAB
 -----END PUBLIC KEY-----
 ```
 
@@ -773,29 +773,29 @@ nQIDAQAB
 
 Note: The ACME provisioner is configured with rules for transforming values received in the token into a Wire handle and display name.
 ```http request
-POST https://stepca:55834/acme/wire/challenge/N7kIofylgL53ediczRqyQ0YFGZ3HkoX9/tlKZbv1pdNIo8WaWQq2GRtbov3TXPDui
+POST https://stepca:56174/acme/wire/challenge/v4xbDJNNkojniM8PiKL9BzpGtVZMt1gD/wimvHnzRMq5quCx5oGME98k21k0HEtyI
                          /acme/{acme-provisioner}/challenge/{authz-id}/{challenge-id}
 content-type: application/jose+json
 ```
 ```json
 {
-  "protected": "eyJhbGciOiJFZERTQSIsImtpZCI6Imh0dHBzOi8vc3RlcGNhOjU1ODM0L2FjbWUvd2lyZS9hY2NvdW50L005dFZ1Ym5JQnFhcmtLYWJCQUJ4N1BNU0I4cEtOQ2F1IiwidHlwIjoiSldUIiwibm9uY2UiOiJTMmRoVXpCcmNFODJWWFZWU0hnd1JFVXlWV3hoVjNCSmJUbFFaa1I0WWpZIiwidXJsIjoiaHR0cHM6Ly9zdGVwY2E6NTU4MzQvYWNtZS93aXJlL2NoYWxsZW5nZS9ON2tJb2Z5bGdMNTNlZGljelJxeVEwWUZHWjNIa29YOS90bEtaYnYxcGROSW84V2FXUXEyR1J0Ym92M1RYUER1aSJ9",
-  "payload": "eyJpZF90b2tlbiI6ImV5SmhiR2NpT2lKU1V6STFOaUlzSW10cFpDSTZJalU1TUdKbE16UTFNV016WVRZeE1UZ3dNRFUxT0RFMFpXVTJaRFpqTlRWalpXWmtNRGszTkdZaWZRLmV5SnBjM01pT2lKb2RIUndPaTh2WkdWNE9qRTVPRFkwTDJSbGVDSXNJbk4xWWlJNklrTnJPWEJpVkhBellWaEtiRmxZUW5kUVZUVklWbTFvVG1WclNuRlVhMUpLWkRGd1ZWSlVTazlTTVVweFYyeGtSbVZHYkRaU2JYUk9aV3N4TTFSV1pGcGxSVEZZVjFod1RsSXhWWFphVkVrMFdtMUZNVmxxWXpKWmFtTjZUVmRKZWxGSVpIQmpiVlYxV1RJNWRFVm5Vbk5hUjBaM0lpd2lZWFZrSWpvaWQybHlaV0Z3Y0NJc0ltVjRjQ0k2TVRZM09EUTNNRE16TVN3aWFXRjBJam94TmpjNE16Z3pPVE14TENKdWIyNWpaU0k2SWxSU05HeHNhbFJqUkVkblltbGxNV28xV25aRk0yY2lMQ0poZEY5b1lYTm9Jam9pZDJKM2R6UkJRa0pNVDBGcVEyVlpVVUUyUjNGV1FTSXNJbU5mYUdGemFDSTZJa1EzV1RCaVgzUXhWRXg1WHpJd0xYbExTSFo2T1VFaUxDSnVZVzFsSWpvaWFXMDZkMmx5WldGd2NEMWhiR2xqWlM1emJXbDBhQzV4WVVCM2FYSmxMbU52YlNJc0luQnlaV1psY25KbFpGOTFjMlZ5Ym1GdFpTSTZJbE50YVhSb0xDQkJiR2xqWlNCTklDaFJRU2tpZlEuc2xheVdOUWRXTUlTeFdwY05lZmRiV3NWMlNEWVB2R2k0N2JBRHd1OWtUWWs1OWd3TE9CVUw1TjZRcjBoblByc3RGeEx3bzNUcjVxTlJPTWFHd25OZUdSU2c5bkZNTzZCX2tlNWxVYnlCNEk5VzZzcG1uTDBfWE1uanZEcUVIMXBHODh2UTlCMklpdVNJdklHVU9XOVM1V1MyWTB2VDZqUGMzcDd6VVp1UlFmNWhxTVhDek4xYUZnRzl0amhwMEZjazMyMXk2YTdrLUxDQWcxb0RjNXlydGgzZWdjUnVpY3o2VkNGMHU5d0tjMUs5ZmlqNU5mcEprUVR5T19hNGlMcGtvV1ZBTjJqVTFVcHBsODh5RzdPWnBJUnVHNFdZdExLdVhxWjEzU1VwQ0ZkNTJpXzQ2ZC1Hd2tkelM0Zy1tcGREd0hpZnVxZmxndUtvYU91OHk1VFlBIiwia2V5YXV0aCI6IkJaU0k1SHJDVDQwWkFaMkpieEUxbHdKWHh3UFdNVGg5LjY5RG0wZlFGYmVTUmlxdWVmTzVlR2M1ancwRHlkbVF2OEFLZVhsLU0xQmcifQ",
-  "signature": "7HAWdjLOfKlxPKiGIP_uHBZHUvSYApKl2Aj1XnUIQ5EQWInEec5N-w6zqmFuDfSZ5SYHX3TX7SAnXUb-qEavAw"
+  "protected": "eyJhbGciOiJFZERTQSIsImtpZCI6Imh0dHBzOi8vc3RlcGNhOjU2MTc0L2FjbWUvd2lyZS9hY2NvdW50LzFwYWpYY21NMFEycEdsdk51WU1WRGZBcktLWEU0UjhrIiwidHlwIjoiSldUIiwibm9uY2UiOiJhWFI1UzFkU05FMDJRVTVqVlVKcWJqQm1ja1JQZFRCNVF6Qm1iVVppTWs4IiwidXJsIjoiaHR0cHM6Ly9zdGVwY2E6NTYxNzQvYWNtZS93aXJlL2NoYWxsZW5nZS92NHhiREpOTmtvam5pTThQaUtMOUJ6cEd0VlpNdDFnRC93aW12SG56Uk1xNXF1Q3g1b0dNRTk4azIxazBIRXR5SSJ9",
+  "payload": "eyJpZF90b2tlbiI6ImV5SmhiR2NpT2lKU1V6STFOaUlzSW10cFpDSTZJakkwWWpoak5tRTNORGRsWldaa09EaGhNVGczTnpFeE5HUmpOV1ZsWm1GbE5UbG1ZMlF6T0dVaWZRLmV5SnBjM01pT2lKb2RIUndPaTh2WkdWNE9qRTRNVFkxTDJSbGVDSXNJbk4xWWlJNklrTnNRbkJpVkhBellWaEtiRmxZUW5kUVZUVlZWMVJHVUZKRmJEUlhhMUpPVFdzMVZWSlVTazlTUld0NVZEQmtSMkV3T1ZoVlZFSlBaV3hhY1ZSVVNsWk5WVEZJVjFST1VGWXdWWFpPUjAweldtMVZORTlFYTNsT1YwWnRUbnBCTWxsclFqTmhXRXBzVEcxT2RtSlNTVVZpUjFKb1kwRWlMQ0poZFdRaU9pSjNhWEpsWVhCd0lpd2laWGh3SWpveE5qYzROVFEwTnpNeExDSnBZWFFpT2pFMk56ZzBOVGd6TXpFc0ltNXZibU5sSWpvaVpubElObHB1Wm1sS2VWQjJlRkJ2VEZoU2FtMWtaeUlzSW1GMFgyaGhjMmdpT2lKdFltVjZkbXRPWjFBM2NGSXRZbE5rTVc1MGIzVkJJaXdpWTE5b1lYTm9Jam9pYlZSaGVVMUVSVEZ2VG5wbVVuTjNXVkpGTTA1d1p5SXNJbTVoYldVaU9pSnBiVHAzYVhKbFlYQndQV0ZzYVdObExuTnRhWFJvTG5GaFFIZHBjbVV1WTI5dElpd2ljSEpsWm1WeWNtVmtYM1Z6WlhKdVlXMWxJam9pVTIxcGRHZ3NJRUZzYVdObElFMGdLRkZCS1NKOS5MSVVxdUNmZW9rTXFnb0w4QUM1cS01TlE0aU9mYWhpSW92dng1Q2trUndpVUxua1hZU3U1bk9FRzZ6dVlrU2hzV19NbC0zVnlROEFrUUNpaHZjZEt2WkJpbHRLWld3UzZlckVPcXRrX052ZDZhTEFkY0NVR0IxMkpSY1BjZWRvcVIxWGJNbEhFTm1IQ3ZWMF9jcWd0QU55Tk9sUjE0WlZqTzFtYXpXa01FSTREN1RWaGFSOEl1V1dzeUhoclRhdHh2VXZ4MURrMzhUSnJneWg3bkdyajVUbjVTaW5FSGMxWUtQWmZWQmFBYU5wSXIwUkN6VjRPZlFKelBOTmh2b0RtQTV6R0tTZ29aTnlrMXlXdnBfdk5JTWQ4TUVVYW1KVHlEMzY3SXFJckVpbjFaQ0ZpSlh3MV9lMWMtNWl1V2l5VkdlMEdsM0NoMXMwVDczSnh0VlFuOHciLCJrZXlhdXRoIjoiS2lpQlYyMWUwUnF0cXFnalZ0S1dTUkpLR2pRWkp2a3EublFLWVBSZzY1YTFHRXFIdU1Kd0pCTjA1cnBWS2VxblcxTnlvdkVBcVB5QSJ9",
+  "signature": "0ZM1fVpwaeLGw_eorKs0L-cEC1pPKTHF6b7xZwRw632wc5he-96pteeFiRFWKYcFNfX2TV14OXnXsqS0PWSnAw"
 }
 ```
 ```json
 {
   "protected": {
     "alg": "EdDSA",
-    "kid": "https://stepca:55834/acme/wire/account/M9tVubnIBqarkKabBABx7PMSB8pKNCau",
+    "kid": "https://stepca:56174/acme/wire/account/1pajXcmM0Q2pGlvNuYMVDfArKKXE4R8k",
     "typ": "JWT",
-    "nonce": "S2dhUzBrcE82VXVVSHgwREUyVWxhV3BJbTlQZkR4YjY",
-    "url": "https://stepca:55834/acme/wire/challenge/N7kIofylgL53ediczRqyQ0YFGZ3HkoX9/tlKZbv1pdNIo8WaWQq2GRtbov3TXPDui"
+    "nonce": "aXR5S1dSNE02QU5jVUJqbjBmckRPdTB5QzBmbUZiMk8",
+    "url": "https://stepca:56174/acme/wire/challenge/v4xbDJNNkojniM8PiKL9BzpGtVZMt1gD/wimvHnzRMq5quCx5oGME98k21k0HEtyI"
   },
   "payload": {
-    "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjU5MGJlMzQ1MWMzYTYxMTgwMDU1ODE0ZWU2ZDZjNTVjZWZkMDk3NGYifQ.eyJpc3MiOiJodHRwOi8vZGV4OjE5ODY0L2RleCIsInN1YiI6IkNrOXBiVHAzYVhKbFlYQndQVTVIVm1oTmVrSnFUa1JKZDFwVVJUSk9SMUpxV2xkRmVGbDZSbXROZWsxM1RWZFplRTFYV1hwTlIxVXZaVEk0Wm1FMVlqYzJZamN6TVdJelFIZHBjbVV1WTI5dEVnUnNaR0Z3IiwiYXVkIjoid2lyZWFwcCIsImV4cCI6MTY3ODQ3MDMzMSwiaWF0IjoxNjc4MzgzOTMxLCJub25jZSI6IlRSNGxsalRjREdnYmllMWo1WnZFM2ciLCJhdF9oYXNoIjoid2J3dzRBQkJMT0FqQ2VZUUE2R3FWQSIsImNfaGFzaCI6IkQ3WTBiX3QxVEx5XzIwLXlLSHZ6OUEiLCJuYW1lIjoiaW06d2lyZWFwcD1hbGljZS5zbWl0aC5xYUB3aXJlLmNvbSIsInByZWZlcnJlZF91c2VybmFtZSI6IlNtaXRoLCBBbGljZSBNIChRQSkifQ.slayWNQdWMISxWpcNefdbWsV2SDYPvGi47bADwu9kTYk59gwLOBUL5N6Qr0hnPrstFxLwo3Tr5qNROMaGwnNeGRSg9nFMO6B_ke5lUbyB4I9W6spmnL0_XMnjvDqEH1pG88vQ9B2IiuSIvIGUOW9S5WS2Y0vT6jPc3p7zUZuRQf5hqMXCzN1aFgG9tjhp0Fck321y6a7k-LCAg1oDc5yrth3egcRuicz6VCF0u9wKc1K9fij5NfpJkQTyO_a4iLpkoWVAN2jU1Uppl88yG7OZpIRuG4WYtLKuXqZ13SUpCFd52i_46d-GwkdzS4g-mpdDwHifuqflguKoaOu8y5TYA",
-    "keyauth": "BZSI5HrCT40ZAZ2JbxE1lwJXxwPWMTh9.69Dm0fQFbeSRiquefO5eGc5jw0DydmQv8AKeXl-M1Bg"
+    "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjI0YjhjNmE3NDdlZWZkODhhMTg3NzExNGRjNWVlZmFlNTlmY2QzOGUifQ.eyJpc3MiOiJodHRwOi8vZGV4OjE4MTY1L2RleCIsInN1YiI6IkNsQnBiVHAzYVhKbFlYQndQVTVVV1RGUFJFbDRXa1JOTWs1VVJUSk9SRWt5VDBkR2EwOVhVVEJPZWxacVRUSlZNVTFIV1ROUFYwVXZOR00zWm1VNE9Ea3lOV0ZtTnpBMllrQjNhWEpsTG1OdmJSSUViR1JoY0EiLCJhdWQiOiJ3aXJlYXBwIiwiZXhwIjoxNjc4NTQ0NzMxLCJpYXQiOjE2Nzg0NTgzMzEsIm5vbmNlIjoiZnlINlpuZmlKeVB2eFBvTFhSam1kZyIsImF0X2hhc2giOiJtYmV6dmtOZ1A3cFItYlNkMW50b3VBIiwiY19oYXNoIjoibVRheU1ERTFvTnpmUnN3WVJFM05wZyIsIm5hbWUiOiJpbTp3aXJlYXBwPWFsaWNlLnNtaXRoLnFhQHdpcmUuY29tIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiU21pdGgsIEFsaWNlIE0gKFFBKSJ9.LIUquCfeokMqgoL8AC5q-5NQ4iOfahiIovvx5CkkRwiULnkXYSu5nOEG6zuYkShsW_Ml-3VyQ8AkQCihvcdKvZBiltKZWwS6erEOqtk_Nvd6aLAdcCUGB12JRcPcedoqR1XbMlHENmHCvV0_cqgtANyNOlR14ZVjO1mazWkMEI4D7TVhaR8IuWWsyHhrTatxvUvx1Dk38TJrgyh7nGrj5Tn5SinEHc1YKPZfVBaAaNpIr0RCzV4OfQJzPNNhvoDmA5zGKSgoZNyk1yWvp_vNIMd8MEUamJTyD367IqIrEin1ZCFiJXw1_e1c-5iuWiyVGe0Gl3Ch1s0T73JxtVQn8w",
+    "keyauth": "KiiBV21e0RqtqqgjVtKWSRJKGjQZJvkq.nQKYPRg65a1GEqHuMJwJBN05rpVKeqnW1NyovEAqPyA"
   }
 }
 ```
@@ -804,41 +804,41 @@ content-type: application/jose+json
 200
 cache-control: no-store
 content-type: application/json
-link: <https://stepca:55834/acme/wire/directory>;rel="index"
-link: <https://stepca:55834/acme/wire/authz/N7kIofylgL53ediczRqyQ0YFGZ3HkoX9>;rel="up"
-location: https://stepca:55834/acme/wire/challenge/N7kIofylgL53ediczRqyQ0YFGZ3HkoX9/tlKZbv1pdNIo8WaWQq2GRtbov3TXPDui
-replay-nonce: em44SEJiblZKMEprY3dsekc0SGpsNEg4elhQS29xUkk
+link: <https://stepca:56174/acme/wire/directory>;rel="index"
+link: <https://stepca:56174/acme/wire/authz/v4xbDJNNkojniM8PiKL9BzpGtVZMt1gD>;rel="up"
+location: https://stepca:56174/acme/wire/challenge/v4xbDJNNkojniM8PiKL9BzpGtVZMt1gD/wimvHnzRMq5quCx5oGME98k21k0HEtyI
+replay-nonce: Uk05dXJ6UHVobGtYR1FzWURWMWUxWEZ2RHhCSlRMUjk
 ```
 ```json
 {
   "type": "wire-oidc-01",
-  "url": "https://stepca:55834/acme/wire/challenge/N7kIofylgL53ediczRqyQ0YFGZ3HkoX9/tlKZbv1pdNIo8WaWQq2GRtbov3TXPDui",
+  "url": "https://stepca:56174/acme/wire/challenge/v4xbDJNNkojniM8PiKL9BzpGtVZMt1gD/wimvHnzRMq5quCx5oGME98k21k0HEtyI",
   "status": "valid",
-  "token": "BZSI5HrCT40ZAZ2JbxE1lwJXxwPWMTh9"
+  "token": "KiiBV21e0RqtqqgjVtKWSRJKGjQZJvkq"
 }
 ```
 ### Client presents a CSR and gets its certificate
 #### 32. verify the status of the order
 ```http request
-POST https://stepca:55834/acme/wire/order/GABvJPMf7CqbdUqnJTyX8T2EbIzfDCtW
+POST https://stepca:56174/acme/wire/order/yuiEjO5FoYP7Z2rOTPDDNEOzLuPMt8R1
                          /acme/{acme-provisioner}/order/{order-id}
 content-type: application/jose+json
 ```
 ```json
 {
-  "protected": "eyJhbGciOiJFZERTQSIsImtpZCI6Imh0dHBzOi8vc3RlcGNhOjU1ODM0L2FjbWUvd2lyZS9hY2NvdW50L005dFZ1Ym5JQnFhcmtLYWJCQUJ4N1BNU0I4cEtOQ2F1IiwidHlwIjoiSldUIiwibm9uY2UiOiJlbTQ0U0VKaWJsWktNRXByWTNkc2VrYzBTR3BzTkVnNGVsaFFTMjl4VWtrIiwidXJsIjoiaHR0cHM6Ly9zdGVwY2E6NTU4MzQvYWNtZS93aXJlL29yZGVyL0dBQnZKUE1mN0NxYmRVcW5KVHlYOFQyRWJJemZEQ3RXIn0",
+  "protected": "eyJhbGciOiJFZERTQSIsImtpZCI6Imh0dHBzOi8vc3RlcGNhOjU2MTc0L2FjbWUvd2lyZS9hY2NvdW50LzFwYWpYY21NMFEycEdsdk51WU1WRGZBcktLWEU0UjhrIiwidHlwIjoiSldUIiwibm9uY2UiOiJVazA1ZFhKNlVIVm9iR3RZUjFGeldVUldNV1V4V0VaMlJIaENTbFJNVWprIiwidXJsIjoiaHR0cHM6Ly9zdGVwY2E6NTYxNzQvYWNtZS93aXJlL29yZGVyL3l1aUVqTzVGb1lQN1oyck9UUERETkVPekx1UE10OFIxIn0",
   "payload": "",
-  "signature": "heNltR-aVATd6yPWCiEsDfNTXcOeZgH5y75m9tvcVE6bp4q8cGWrr4iFaEmiUOOVGUsWUYcVn4AtwbKMFA5DCw"
+  "signature": "5WO87kQmLRemaS7EjDV00OHxxNYTtYlphNhbi4HSHVBCrWvZ_EpDjHod00-LixpjOA8KijWOayCPZiWsaXZPCw"
 }
 ```
 ```json
 {
   "protected": {
     "alg": "EdDSA",
-    "kid": "https://stepca:55834/acme/wire/account/M9tVubnIBqarkKabBABx7PMSB8pKNCau",
+    "kid": "https://stepca:56174/acme/wire/account/1pajXcmM0Q2pGlvNuYMVDfArKKXE4R8k",
     "typ": "JWT",
-    "nonce": "em44SEJiblZKMEprY3dsekc0SGpsNEg4elhQS29xUkk",
-    "url": "https://stepca:55834/acme/wire/order/GABvJPMf7CqbdUqnJTyX8T2EbIzfDCtW"
+    "nonce": "Uk05dXJ6UHVobGtYR1FzWURWMWUxWEZ2RHhCSlRMUjk",
+    "url": "https://stepca:56174/acme/wire/order/yuiEjO5FoYP7Z2rOTPDDNEOzLuPMt8R1"
   },
   "payload": {}
 }
@@ -848,52 +848,52 @@ content-type: application/jose+json
 200
 cache-control: no-store
 content-type: application/json
-link: <https://stepca:55834/acme/wire/directory>;rel="index"
-location: https://stepca:55834/acme/wire/order/GABvJPMf7CqbdUqnJTyX8T2EbIzfDCtW
-replay-nonce: TzFMYkJyVWMyc1NLM1c0WEgwM1ltWDgxc3NKT3EyR0Q
+link: <https://stepca:56174/acme/wire/directory>;rel="index"
+location: https://stepca:56174/acme/wire/order/yuiEjO5FoYP7Z2rOTPDDNEOzLuPMt8R1
+replay-nonce: UllrTmVmMUUxUDZpSE0wb2xIVHRqbWNBQ1kzVVZUUFc
 ```
 ```json
 {
   "status": "ready",
-  "finalize": "https://stepca:55834/acme/wire/order/GABvJPMf7CqbdUqnJTyX8T2EbIzfDCtW/finalize",
+  "finalize": "https://stepca:56174/acme/wire/order/yuiEjO5FoYP7Z2rOTPDDNEOzLuPMt8R1/finalize",
   "identifiers": [
     {
       "type": "wireapp-id",
-      "value": "{\"name\":\"Smith, Alice M (QA)\",\"domain\":\"wire.com\",\"client-id\":\"im:wireapp=NGVhMzBjNDIwZTE2NGRjZWExYzFkMzMwMWYxMWYzMGU/e28fa5b76b731b3@wire.com\",\"handle\":\"im:wireapp=alice.smith.qa@wire.com\"}"
+      "value": "{\"name\":\"Smith, Alice M (QA)\",\"domain\":\"wire.com\",\"client-id\":\"im:wireapp=NTY1ODIxZDM2NTE2NDI2OGFkOWQ0NzVjM2U1MGY3OWE/4c7fe88925af706b@wire.com\",\"handle\":\"im:wireapp=alice.smith.qa@wire.com\"}"
     }
   ],
   "authorizations": [
-    "https://stepca:55834/acme/wire/authz/N7kIofylgL53ediczRqyQ0YFGZ3HkoX9"
+    "https://stepca:56174/acme/wire/authz/v4xbDJNNkojniM8PiKL9BzpGtVZMt1gD"
   ],
-  "expires": "2023-03-10T17:45:31Z",
-  "notBefore": "2023-03-09T17:45:31.696104Z",
-  "notAfter": "2023-03-09T18:45:31.696104Z"
+  "expires": "2023-03-11T14:25:30Z",
+  "notBefore": "2023-03-10T14:25:30.818416Z",
+  "notAfter": "2023-03-10T15:25:30.818416Z"
 }
 ```
 #### 34. create a CSR and call finalize url
 ```http request
-POST https://stepca:55834/acme/wire/order/GABvJPMf7CqbdUqnJTyX8T2EbIzfDCtW/finalize
+POST https://stepca:56174/acme/wire/order/yuiEjO5FoYP7Z2rOTPDDNEOzLuPMt8R1/finalize
                          /acme/{acme-provisioner}/order/{order-id}/finalize
 content-type: application/jose+json
 ```
 ```json
 {
-  "protected": "eyJhbGciOiJFZERTQSIsImtpZCI6Imh0dHBzOi8vc3RlcGNhOjU1ODM0L2FjbWUvd2lyZS9hY2NvdW50L005dFZ1Ym5JQnFhcmtLYWJCQUJ4N1BNU0I4cEtOQ2F1IiwidHlwIjoiSldUIiwibm9uY2UiOiJUekZNWWtKeVZXTXljMU5MTTFjMFdFZ3dNMWx0V0RneGMzTktUM0V5UjBRIiwidXJsIjoiaHR0cHM6Ly9zdGVwY2E6NTU4MzQvYWNtZS93aXJlL29yZGVyL0dBQnZKUE1mN0NxYmRVcW5KVHlYOFQyRWJJemZEQ3RXL2ZpbmFsaXplIn0",
-  "payload": "eyJjc3IiOiJNSUlCVHpDQ0FRRUNBUUF3T1RFa01DSUdDMkNHU0FHRy1FSURBWUZ4REJOVGJXbDBhQ3dnUVd4cFkyVWdUU0FvVVVFcE1SRXdEd1lEVlFRS0RBaDNhWEpsTG1OdmJUQXFNQVVHQXl0bGNBTWhBTXNjaWxWTGdKODJfWDdsOUNhTGxXTVJaa3lyYTYwN0ZkeGFnSFZRQjNEbm9JR1VNSUdSQmdrcWhraUc5dzBCQ1E0eGdZTXdnWUF3ZmdZRFZSMFJCSGN3ZFlaUGFXMDZkMmx5WldGd2NEMXVaM1pvYlhwaWFtNWthWGQ2ZEdVeWJtZHlhbnAzWlhoNWVtWnJiWHB0ZDIxM2VYaHRkM2w2YldkMUwyVXlPR1poTldJM05tSTNNekZpTTBCM2FYSmxMbU52YllZaWFXMDZkMmx5WldGd2NEMWhiR2xqWlM1emJXbDBhQzV4WVVCM2FYSmxMbU52YlRBRkJnTXJaWEFEUVFCQUdoejhzVDZvbWoyZUdteUJFMGo2YTl2Zm5zRW9QVmVyMFZtcVIwMmpLcXBhSHE5djFwUGJTSzg1MmVvUUVHYWdpWjRMSEpNbXRReE9oMDRyOTJNRyJ9",
-  "signature": "Ufq6lFwm6uTnwKRKf56DM6hRLPEDaDuvzGfh7f2k6nwOW9jRPIBZI5XM9v0G-okpdcmhB5yYRJkivEtX9HhpAg"
+  "protected": "eyJhbGciOiJFZERTQSIsImtpZCI6Imh0dHBzOi8vc3RlcGNhOjU2MTc0L2FjbWUvd2lyZS9hY2NvdW50LzFwYWpYY21NMFEycEdsdk51WU1WRGZBcktLWEU0UjhrIiwidHlwIjoiSldUIiwibm9uY2UiOiJVbGxyVG1WbU1VVXhVRFpwU0Uwd2IyeElWSFJxYldOQlExa3pWVlpVVUZjIiwidXJsIjoiaHR0cHM6Ly9zdGVwY2E6NTYxNzQvYWNtZS93aXJlL29yZGVyL3l1aUVqTzVGb1lQN1oyck9UUERETkVPekx1UE10OFIxL2ZpbmFsaXplIn0",
+  "payload": "eyJjc3IiOiJNSUlCVURDQ0FRSUNBUUF3T1RFa01DSUdDMkNHU0FHRy1FSURBWUZ4REJOVGJXbDBhQ3dnUVd4cFkyVWdUU0FvVVVFcE1SRXdEd1lEVlFRS0RBaDNhWEpsTG1OdmJUQXFNQVVHQXl0bGNBTWhBTzV6eEVfZXhRQzFRR3l5NWRnSFViMHBkWjg3QmRUU0Foc2NmZ0EtNnVBcm9JR1ZNSUdTQmdrcWhraUc5dzBCQ1E0eGdZUXdnWUV3ZndZRFZSMFJCSGd3ZG9aUWFXMDZkMmx5WldGd2NEMXVkSGt4YjJScGVIcGtiVEp1ZEdVeWJtUnBNbTluWm10dmQzRXdibnAyYW0weWRURnRaM2t6YjNkbEx6UmpOMlpsT0RnNU1qVmhaamN3Tm1KQWQybHlaUzVqYjIyR0ltbHRPbmRwY21WaGNIQTlZV3hwWTJVdWMyMXBkR2d1Y1dGQWQybHlaUzVqYjIwd0JRWURLMlZ3QTBFQUxENnplSHpBOHRvNXNwY09OTVItS1FYWTA0X21RbEFCV3VqRDh3b0wzdDFQejVBYXU1MVNvMEJyelRseDl1eXZPS0ZqRjlycW5oSm9XbEdmb1dkOEFBIn0",
+  "signature": "zjJTG4FauzAeblGs-rwbteT14W68Fpd0Q1dwn_1mIHe3BkzMwN63zNpJipHQsFvfOiSPCiFgQEYiYpveJXIQAA"
 }
 ```
 ```json
 {
   "protected": {
     "alg": "EdDSA",
-    "kid": "https://stepca:55834/acme/wire/account/M9tVubnIBqarkKabBABx7PMSB8pKNCau",
+    "kid": "https://stepca:56174/acme/wire/account/1pajXcmM0Q2pGlvNuYMVDfArKKXE4R8k",
     "typ": "JWT",
-    "nonce": "TzFMYkJyVWMyc1NLM1c0WEgwM1ltWDgxc3NKT3EyR0Q",
-    "url": "https://stepca:55834/acme/wire/order/GABvJPMf7CqbdUqnJTyX8T2EbIzfDCtW/finalize"
+    "nonce": "UllrTmVmMUUxUDZpSE0wb2xIVHRqbWNBQ1kzVVZUUFc",
+    "url": "https://stepca:56174/acme/wire/order/yuiEjO5FoYP7Z2rOTPDDNEOzLuPMt8R1/finalize"
   },
   "payload": {
-    "csr": "MIIBTzCCAQECAQAwOTEkMCIGC2CGSAGG-EIDAYFxDBNTbWl0aCwgQWxpY2UgTSAoUUEpMREwDwYDVQQKDAh3aXJlLmNvbTAqMAUGAytlcAMhAMscilVLgJ82_X7l9CaLlWMRZkyra607FdxagHVQB3DnoIGUMIGRBgkqhkiG9w0BCQ4xgYMwgYAwfgYDVR0RBHcwdYZPaW06d2lyZWFwcD1uZ3ZobXpiam5kaXd6dGUybmdyanp3ZXh5emZrbXptd213eXhtd3l6bWd1L2UyOGZhNWI3NmI3MzFiM0B3aXJlLmNvbYYiaW06d2lyZWFwcD1hbGljZS5zbWl0aC5xYUB3aXJlLmNvbTAFBgMrZXADQQBAGhz8sT6omj2eGmyBE0j6a9vfnsEoPVer0VmqR02jKqpaHq9v1pPbSK852eoQEGagiZ4LHJMmtQxOh04r92MG"
+    "csr": "MIIBUDCCAQICAQAwOTEkMCIGC2CGSAGG-EIDAYFxDBNTbWl0aCwgQWxpY2UgTSAoUUEpMREwDwYDVQQKDAh3aXJlLmNvbTAqMAUGAytlcAMhAO5zxE_exQC1QGyy5dgHUb0pdZ87BdTSAhscfgA-6uAroIGVMIGSBgkqhkiG9w0BCQ4xgYQwgYEwfwYDVR0RBHgwdoZQaW06d2lyZWFwcD1udHkxb2RpeHpkbTJudGUybmRpMm9nZmtvd3Ewbnp2am0ydTFtZ3kzb3dlLzRjN2ZlODg5MjVhZjcwNmJAd2lyZS5jb22GImltOndpcmVhcHA9YWxpY2Uuc21pdGgucWFAd2lyZS5jb20wBQYDK2VwA0EALD6zeHzA8to5spcONMR-KQXY04_mQlABWujD8woL3t1Pz5Aau51So0BrzTlx9uyvOKFjF9rqnhJoWlGfoWd8AA"
   }
 }
 ```
@@ -901,14 +901,14 @@ content-type: application/jose+json
 openssl -verify ✅
 ```
 -----BEGIN CERTIFICATE REQUEST-----
-MIIBTzCCAQECAQAwOTEkMCIGC2CGSAGG+EIDAYFxDBNTbWl0aCwgQWxpY2UgTSAo
-UUEpMREwDwYDVQQKDAh3aXJlLmNvbTAqMAUGAytlcAMhAMj4HcHDGNFEVp/eC91n
-zFsRgMfuTMvmtMavJ0+rQf+ooIGUMIGRBgkqhkiG9w0BCQ4xgYMwgYAwfgYDVR0R
-BHcwdYZPaW06d2lyZWFwcD1uZ3ZobXpiam5kaXd6dGUybmdyanp3ZXh5emZrbXpt
-d213eXhtd3l6bWd1L2UyOGZhNWI3NmI3MzFiM0B3aXJlLmNvbYYiaW06d2lyZWFw
-cD1hbGljZS5zbWl0aC5xYUB3aXJlLmNvbTAFBgMrZXADQQA1RE2MAQ2Je/Py6stv
-E2gno7XIAzCAVSh+VmsEC27IpwNwY7X5zQKuBhvhbdfzjZJ8nqrI8oEFGxaV/1pm
-k8sP
+MIIBUDCCAQICAQAwOTEkMCIGC2CGSAGG+EIDAYFxDBNTbWl0aCwgQWxpY2UgTSAo
+UUEpMREwDwYDVQQKDAh3aXJlLmNvbTAqMAUGAytlcAMhACzutjeSaTOZGwppuaNL
+4CX6JJLiLLDY/CTYARti7GVIoIGVMIGSBgkqhkiG9w0BCQ4xgYQwgYEwfwYDVR0R
+BHgwdoZQaW06d2lyZWFwcD1udHkxb2RpeHpkbTJudGUybmRpMm9nZmtvd3Ewbnp2
+am0ydTFtZ3kzb3dlLzRjN2ZlODg5MjVhZjcwNmJAd2lyZS5jb22GImltOndpcmVh
+cHA9YWxpY2Uuc21pdGgucWFAd2lyZS5jb20wBQYDK2VwA0EAbRCqvToqRfRAmRn1
+AwOft/zH5SHq6lBOlPbj3S16k1MUsxgwK0eMLt/c5qlSMyZXlDi0DCCNiztH8dbc
+bf2nBA==
 -----END CERTIFICATE REQUEST-----
 
 ```
@@ -921,19 +921,19 @@ Certificate Request:
             Public Key Algorithm: ED25519
                 ED25519 Public-Key:
                 pub:
-                    c8:f8:1d:c1:c3:18:d1:44:56:9f:de:0b:dd:67:cc:
-                    5b:11:80:c7:ee:4c:cb:e6:b4:c6:af:27:4f:ab:41:
-                    ff:a8
+                    2c:ee:b6:37:92:69:33:99:1b:0a:69:b9:a3:4b:e0:
+                    25:fa:24:92:e2:2c:b0:d8:fc:24:d8:01:1b:62:ec:
+                    65:48
         Attributes:
             Requested Extensions:
                 X509v3 Subject Alternative Name: 
-                    URI:im:wireapp=ngvhmzbjndiwzte2ngrjzwexyzfkmzmwmwyxmwyzmgu/e28fa5b76b731b3@wire.com, URI:im:wireapp=alice.smith.qa@wire.com
+                    URI:im:wireapp=nty1odixzdm2nte2ndi2ogfkowq0nzvjm2u1mgy3owe/4c7fe88925af706b@wire.com, URI:im:wireapp=alice.smith.qa@wire.com
     Signature Algorithm: ED25519
     Signature Value:
-        35:44:4d:8c:01:0d:89:7b:f3:f2:ea:cb:6f:13:68:27:a3:b5:
-        c8:03:30:80:55:28:7e:56:6b:04:0b:6e:c8:a7:03:70:63:b5:
-        f9:cd:02:ae:06:1b:e1:6d:d7:f3:8d:92:7c:9e:aa:c8:f2:81:
-        05:1b:16:95:ff:5a:66:93:cb:0f
+        6d:10:aa:bd:3a:2a:45:f4:40:99:19:f5:03:03:9f:b7:fc:c7:
+        e5:21:ea:ea:50:4e:94:f6:e3:dd:2d:7a:93:53:14:b3:18:30:
+        2b:47:8c:2e:df:dc:e6:a9:52:33:26:57:94:38:b4:0c:20:8d:
+        8b:3b:47:f1:d6:dc:6d:fd:a7:04
 
 ```
 
@@ -942,50 +942,50 @@ Certificate Request:
 200
 cache-control: no-store
 content-type: application/json
-link: <https://stepca:55834/acme/wire/directory>;rel="index"
-location: https://stepca:55834/acme/wire/order/GABvJPMf7CqbdUqnJTyX8T2EbIzfDCtW
-replay-nonce: SGdxN3NGQjhwTTRSYk5zWXpRbDJUcUl6dDdmaDFGSFo
+link: <https://stepca:56174/acme/wire/directory>;rel="index"
+location: https://stepca:56174/acme/wire/order/yuiEjO5FoYP7Z2rOTPDDNEOzLuPMt8R1
+replay-nonce: ZFptT2xiSHRUa0VYV2pJUGJrWWdjT0sxbGI0UXNNUFk
 ```
 ```json
 {
-  "certificate": "https://stepca:55834/acme/wire/certificate/HxDzSMtcRmY1avHP4iT86D0qog6Vj0tA",
+  "certificate": "https://stepca:56174/acme/wire/certificate/C6BUkXe2ZQbPzbWJGQWN0lhwQlhjf31Y",
   "status": "valid",
-  "finalize": "https://stepca:55834/acme/wire/order/GABvJPMf7CqbdUqnJTyX8T2EbIzfDCtW/finalize",
+  "finalize": "https://stepca:56174/acme/wire/order/yuiEjO5FoYP7Z2rOTPDDNEOzLuPMt8R1/finalize",
   "identifiers": [
     {
       "type": "wireapp-id",
-      "value": "{\"name\":\"Smith, Alice M (QA)\",\"domain\":\"wire.com\",\"client-id\":\"im:wireapp=NGVhMzBjNDIwZTE2NGRjZWExYzFkMzMwMWYxMWYzMGU/e28fa5b76b731b3@wire.com\",\"handle\":\"im:wireapp=alice.smith.qa@wire.com\"}"
+      "value": "{\"name\":\"Smith, Alice M (QA)\",\"domain\":\"wire.com\",\"client-id\":\"im:wireapp=NTY1ODIxZDM2NTE2NDI2OGFkOWQ0NzVjM2U1MGY3OWE/4c7fe88925af706b@wire.com\",\"handle\":\"im:wireapp=alice.smith.qa@wire.com\"}"
     }
   ],
   "authorizations": [
-    "https://stepca:55834/acme/wire/authz/N7kIofylgL53ediczRqyQ0YFGZ3HkoX9"
+    "https://stepca:56174/acme/wire/authz/v4xbDJNNkojniM8PiKL9BzpGtVZMt1gD"
   ],
-  "expires": "2023-03-10T17:45:31Z",
-  "notBefore": "2023-03-09T17:45:31.696104Z",
-  "notAfter": "2023-03-09T18:45:31.696104Z"
+  "expires": "2023-03-11T14:25:30Z",
+  "notBefore": "2023-03-10T14:25:30.818416Z",
+  "notAfter": "2023-03-10T15:25:30.818416Z"
 }
 ```
 #### 36. fetch the certificate
 ```http request
-POST https://stepca:55834/acme/wire/certificate/HxDzSMtcRmY1avHP4iT86D0qog6Vj0tA
+POST https://stepca:56174/acme/wire/certificate/C6BUkXe2ZQbPzbWJGQWN0lhwQlhjf31Y
                          /acme/{acme-provisioner}/certificate/{certificate-id}
 content-type: application/jose+json
 ```
 ```json
 {
-  "protected": "eyJhbGciOiJFZERTQSIsImtpZCI6Imh0dHBzOi8vc3RlcGNhOjU1ODM0L2FjbWUvd2lyZS9hY2NvdW50L005dFZ1Ym5JQnFhcmtLYWJCQUJ4N1BNU0I4cEtOQ2F1IiwidHlwIjoiSldUIiwibm9uY2UiOiJTR2R4TjNOR1FqaHdUVFJTWWs1eldYcFJiREpVY1VsNmREZG1hREZHU0ZvIiwidXJsIjoiaHR0cHM6Ly9zdGVwY2E6NTU4MzQvYWNtZS93aXJlL2NlcnRpZmljYXRlL0h4RHpTTXRjUm1ZMWF2SFA0aVQ4NkQwcW9nNlZqMHRBIn0",
+  "protected": "eyJhbGciOiJFZERTQSIsImtpZCI6Imh0dHBzOi8vc3RlcGNhOjU2MTc0L2FjbWUvd2lyZS9hY2NvdW50LzFwYWpYY21NMFEycEdsdk51WU1WRGZBcktLWEU0UjhrIiwidHlwIjoiSldUIiwibm9uY2UiOiJaRnB0VDJ4aVNIUlVhMFZZVjJwSlVHSnJXV2RqVDBzeGJHSTBVWE5OVUZrIiwidXJsIjoiaHR0cHM6Ly9zdGVwY2E6NTYxNzQvYWNtZS93aXJlL2NlcnRpZmljYXRlL0M2QlVrWGUyWlFiUHpiV0pHUVdOMGxod1FsaGpmMzFZIn0",
   "payload": "",
-  "signature": "PhC3dPhIzPNv4qfQnVVky1yaSm_Kr3lkrVDwkcplbgWY9zUqgQrtj2HOJkm6f8gA5XVrXjQn1-9FicilO6MABg"
+  "signature": "aQ6ZKT_10NJ7Dxd1JVPUIVb7JgzqxdppBa2jzAZU3EiDSVMIGsnOnpX9HgRLq_vjCE6alVOtisPlErhzC7bUCA"
 }
 ```
 ```json
 {
   "protected": {
     "alg": "EdDSA",
-    "kid": "https://stepca:55834/acme/wire/account/M9tVubnIBqarkKabBABx7PMSB8pKNCau",
+    "kid": "https://stepca:56174/acme/wire/account/1pajXcmM0Q2pGlvNuYMVDfArKKXE4R8k",
     "typ": "JWT",
-    "nonce": "SGdxN3NGQjhwTTRSYk5zWXpRbDJUcUl6dDdmaDFGSFo",
-    "url": "https://stepca:55834/acme/wire/certificate/HxDzSMtcRmY1avHP4iT86D0qog6Vj0tA"
+    "nonce": "ZFptT2xiSHRUa0VYV2pJUGJrWWdjT0sxbGI0UXNNUFk",
+    "url": "https://stepca:56174/acme/wire/certificate/C6BUkXe2ZQbPzbWJGQWN0lhwQlhjf31Y"
   },
   "payload": {}
 }
@@ -995,32 +995,32 @@ content-type: application/jose+json
 200
 cache-control: no-store
 content-type: application/pem-certificate-chain
-link: <https://stepca:55834/acme/wire/directory>;rel="index"
-replay-nonce: eDRnWkFSZkg0M0lkU2VZcDVIY1pST3d2RDNVZDJDMWQ
+link: <https://stepca:56174/acme/wire/directory>;rel="index"
+replay-nonce: Zklad2N4SXBTejNMSjRUWEhRczZxYmJqeW1JRHVsaTI
 ```
 ```json
 [
-  "MIICQzCCAemgAwIBAgIRAMjEd86A3Wdpd1O5Fqo23lEwCgYIKoZIzj0EAwIwLjEN\nMAsGA1UEChMEd2lyZTEdMBsGA1UEAxMUd2lyZSBJbnRlcm1lZGlhdGUgQ0EwHhcN\nMjMwMzA5MTc0NTMxWhcNMjMwMzA5MTg0NTMxWjAxMREwDwYDVQQKEwh3aXJlLmNv\nbTEcMBoGA1UEAxMTU21pdGgsIEFsaWNlIE0gKFFBKTAqMAUGAytlcAMhAMscilVL\ngJ82/X7l9CaLlWMRZkyra607FdxagHVQB3Dno4IBEjCCAQ4wDgYDVR0PAQH/BAQD\nAgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQU+BQ5\nwb2oq5+y+sikd6G2E0QL4JowHwYDVR0jBBgwFoAUel0wq4WPec6urBmogrwaM1xf\nzzAwfgYDVR0RBHcwdYYiaW06d2lyZWFwcD1hbGljZS5zbWl0aC5xYUB3aXJlLmNv\nbYZPaW06d2lyZWFwcD1uZ3ZobXpiam5kaXd6dGUybmdyanp3ZXh5emZrbXptd213\neXhtd3l6bWd1L2UyOGZhNWI3NmI3MzFiM0B3aXJlLmNvbTAdBgwrBgEEAYKkZMYo\nQAEEDTALAgEGBAR3aXJlBAAwCgYIKoZIzj0EAwIDSAAwRQIhALpj+vDTy0ZhupPv\n60mm/R8FG1+WfJVurm347iTiFnwvAiBlxS2NcJ0hA2bqDOY2OjniMXqtd/33ruVx\nn7Omklha6g==",
-  "MIIBujCCAV+gAwIBAgIRAJzKx+gx9Im3GaKmZHu8Vi4wCgYIKoZIzj0EAwIwJjEN\nMAsGA1UEChMEd2lyZTEVMBMGA1UEAxMMd2lyZSBSb290IENBMB4XDTIzMDMwOTE3\nNDUyNloXDTMzMDMwNjE3NDUyNlowLjENMAsGA1UEChMEd2lyZTEdMBsGA1UEAxMU\nd2lyZSBJbnRlcm1lZGlhdGUgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATA\nkL7iEjti0jZUzddvyNz7s6bz9nT9wE3i/6m3wJIUBOmmxjGtL7zei10Ug0shUAy9\nwi6gzOO2nLO8M5Ng5I2Jo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgw\nBgEB/wIBADAdBgNVHQ4EFgQUel0wq4WPec6urBmogrwaM1xfzzAwHwYDVR0jBBgw\nFoAUTvCb6QFlsO03eCI1y6/BHRKC+x0wCgYIKoZIzj0EAwIDSQAwRgIhANblRvok\nQrGKa/Yf2LZ29J2DpnRtl9clsb9wnD/xXp+yAiEAwURTfSSMOPEKwRBRU2Ot/6R5\nPE0YTICFWBpg2Lack54="
+  "MIICQjCCAemgAwIBAgIQauc/szmug2UeuQ++F7wHkTAKBggqhkjOPQQDAjAuMQ0w\nCwYDVQQKEwR3aXJlMR0wGwYDVQQDExR3aXJlIEludGVybWVkaWF0ZSBDQTAeFw0y\nMzAzMTAxNDI1MzBaFw0yMzAzMTAxNTI1MzBaMDExETAPBgNVBAoTCHdpcmUuY29t\nMRwwGgYDVQQDExNTbWl0aCwgQWxpY2UgTSAoUUEpMCowBQYDK2VwAyEA7nPET97F\nALVAbLLl2AdRvSl1nzsF1NICGxx+AD7q4CujggETMIIBDzAOBgNVHQ8BAf8EBAMC\nB4AwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBSbpb/z\nlTTEQ+hf+v9Fp8rnN7e0HDAfBgNVHSMEGDAWgBQ2o1Ed9kvLld5UNeOHbpoGHrSg\nODB/BgNVHREEeDB2hiJpbTp3aXJlYXBwPWFsaWNlLnNtaXRoLnFhQHdpcmUuY29t\nhlBpbTp3aXJlYXBwPW50eTFvZGl4emRtMm50ZTJuZGkyb2dma293cTBuenZqbTJ1\nMW1neTNvd2UvNGM3ZmU4ODkyNWFmNzA2YkB3aXJlLmNvbTAdBgwrBgEEAYKkZMYo\nQAEEDTALAgEGBAR3aXJlBAAwCgYIKoZIzj0EAwIDRwAwRAIgAk2y+hH3IuPgvqVU\nMqk75P7bx5WK1e/+XJiTL876RckCIF3oZypaWt2jfryEiZgCIrlt+lvXKhcwohQe\nP0USu+JH",
+  "MIIBuDCCAV6gAwIBAgIQWuwbXT9P2dGehuG4yN4QbzAKBggqhkjOPQQDAjAmMQ0w\nCwYDVQQKEwR3aXJlMRUwEwYDVQQDEwx3aXJlIFJvb3QgQ0EwHhcNMjMwMzEwMTQy\nNTI2WhcNMzMwMzA3MTQyNTI2WjAuMQ0wCwYDVQQKEwR3aXJlMR0wGwYDVQQDExR3\naXJlIEludGVybWVkaWF0ZSBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDzD\nGaocGuIyleFg1HUrFuvwFXx3JyZya/MbabqcnySHQYvBAykfhbxfergavo1vN3P4\nCSjOM79sKl3zRlfsO6yjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAG\nAQH/AgEAMB0GA1UdDgQWBBQ2o1Ed9kvLld5UNeOHbpoGHrSgODAfBgNVHSMEGDAW\ngBSWK0xz7lHIHXSwcAekr6L7ITUhETAKBggqhkjOPQQDAgNIADBFAiBhzO6wqzqM\nXXysWIhnuxetkYZuctVdSgbOanhWdh0FjgIhAJX3+MibsoIHDoNtfE0bgkSbc3ub\nuHZg3cRULTngBaaW"
 ]
 ```
 ###### Certificate #1
 openssl -verify ✅
 ```
 -----BEGIN CERTIFICATE-----
-MIICQzCCAemgAwIBAgIRAMjEd86A3Wdpd1O5Fqo23lEwCgYIKoZIzj0EAwIwLjEN
-MAsGA1UEChMEd2lyZTEdMBsGA1UEAxMUd2lyZSBJbnRlcm1lZGlhdGUgQ0EwHhcN
-MjMwMzA5MTc0NTMxWhcNMjMwMzA5MTg0NTMxWjAxMREwDwYDVQQKEwh3aXJlLmNv
-bTEcMBoGA1UEAxMTU21pdGgsIEFsaWNlIE0gKFFBKTAqMAUGAytlcAMhAMscilVL
-gJ82/X7l9CaLlWMRZkyra607FdxagHVQB3Dno4IBEjCCAQ4wDgYDVR0PAQH/BAQD
-AgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQU+BQ5
-wb2oq5+y+sikd6G2E0QL4JowHwYDVR0jBBgwFoAUel0wq4WPec6urBmogrwaM1xf
-zzAwfgYDVR0RBHcwdYYiaW06d2lyZWFwcD1hbGljZS5zbWl0aC5xYUB3aXJlLmNv
-bYZPaW06d2lyZWFwcD1uZ3ZobXpiam5kaXd6dGUybmdyanp3ZXh5emZrbXptd213
-eXhtd3l6bWd1L2UyOGZhNWI3NmI3MzFiM0B3aXJlLmNvbTAdBgwrBgEEAYKkZMYo
-QAEEDTALAgEGBAR3aXJlBAAwCgYIKoZIzj0EAwIDSAAwRQIhALpj+vDTy0ZhupPv
-60mm/R8FG1+WfJVurm347iTiFnwvAiBlxS2NcJ0hA2bqDOY2OjniMXqtd/33ruVx
-n7Omklha6g==
+MIICQjCCAemgAwIBAgIQauc/szmug2UeuQ++F7wHkTAKBggqhkjOPQQDAjAuMQ0w
+CwYDVQQKEwR3aXJlMR0wGwYDVQQDExR3aXJlIEludGVybWVkaWF0ZSBDQTAeFw0y
+MzAzMTAxNDI1MzBaFw0yMzAzMTAxNTI1MzBaMDExETAPBgNVBAoTCHdpcmUuY29t
+MRwwGgYDVQQDExNTbWl0aCwgQWxpY2UgTSAoUUEpMCowBQYDK2VwAyEA7nPET97F
+ALVAbLLl2AdRvSl1nzsF1NICGxx+AD7q4CujggETMIIBDzAOBgNVHQ8BAf8EBAMC
+B4AwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBSbpb/z
+lTTEQ+hf+v9Fp8rnN7e0HDAfBgNVHSMEGDAWgBQ2o1Ed9kvLld5UNeOHbpoGHrSg
+ODB/BgNVHREEeDB2hiJpbTp3aXJlYXBwPWFsaWNlLnNtaXRoLnFhQHdpcmUuY29t
+hlBpbTp3aXJlYXBwPW50eTFvZGl4emRtMm50ZTJuZGkyb2dma293cTBuenZqbTJ1
+MW1neTNvd2UvNGM3ZmU4ODkyNWFmNzA2YkB3aXJlLmNvbTAdBgwrBgEEAYKkZMYo
+QAEEDTALAgEGBAR3aXJlBAAwCgYIKoZIzj0EAwIDRwAwRAIgAk2y+hH3IuPgvqVU
+Mqk75P7bx5WK1e/+XJiTL876RckCIF3oZypaWt2jfryEiZgCIrlt+lvXKhcwohQe
+P0USu+JH
 -----END CERTIFICATE-----
 ```
 ```
@@ -1028,39 +1028,39 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            c8:c4:77:ce:80:dd:67:69:77:53:b9:16:aa:36:de:51
+            6a:e7:3f:b3:39:ae:83:65:1e:b9:0f:be:17:bc:07:91
         Signature Algorithm: ecdsa-with-SHA256
         Issuer: O = wire, CN = wire Intermediate CA
         Validity
-            Not Before: Mar  9 17:45:31 2023 GMT
-            Not After : Mar  9 18:45:31 2023 GMT
+            Not Before: Mar 10 14:25:30 2023 GMT
+            Not After : Mar 10 15:25:30 2023 GMT
         Subject: O = wire.com, CN = "Smith, Alice M (QA)"
         Subject Public Key Info:
             Public Key Algorithm: ED25519
                 ED25519 Public-Key:
                 pub:
-                    cb:1c:8a:55:4b:80:9f:36:fd:7e:e5:f4:26:8b:95:
-                    63:11:66:4c:ab:6b:ad:3b:15:dc:5a:80:75:50:07:
-                    70:e7
+                    ee:73:c4:4f:de:c5:00:b5:40:6c:b2:e5:d8:07:51:
+                    bd:29:75:9f:3b:05:d4:d2:02:1b:1c:7e:00:3e:ea:
+                    e0:2b
         X509v3 extensions:
             X509v3 Key Usage: critical
                 Digital Signature
             X509v3 Extended Key Usage: 
                 TLS Web Server Authentication, TLS Web Client Authentication
             X509v3 Subject Key Identifier: 
-                F8:14:39:C1:BD:A8:AB:9F:B2:FA:C8:A4:77:A1:B6:13:44:0B:E0:9A
+                9B:A5:BF:F3:95:34:C4:43:E8:5F:FA:FF:45:A7:CA:E7:37:B7:B4:1C
             X509v3 Authority Key Identifier: 
-                7A:5D:30:AB:85:8F:79:CE:AE:AC:19:A8:82:BC:1A:33:5C:5F:CF:30
+                36:A3:51:1D:F6:4B:CB:95:DE:54:35:E3:87:6E:9A:06:1E:B4:A0:38
             X509v3 Subject Alternative Name: 
-                URI:im:wireapp=alice.smith.qa@wire.com, URI:im:wireapp=ngvhmzbjndiwzte2ngrjzwexyzfkmzmwmwyxmwyzmgu/e28fa5b76b731b3@wire.com
+                URI:im:wireapp=alice.smith.qa@wire.com, URI:im:wireapp=nty1odixzdm2nte2ndi2ogfkowq0nzvjm2u1mgy3owe/4c7fe88925af706b@wire.com
             1.3.6.1.4.1.37476.9000.64.1: 
                 0......wire..
     Signature Algorithm: ecdsa-with-SHA256
     Signature Value:
-        30:45:02:21:00:ba:63:fa:f0:d3:cb:46:61:ba:93:ef:eb:49:
-        a6:fd:1f:05:1b:5f:96:7c:95:6e:ae:6d:f8:ee:24:e2:16:7c:
-        2f:02:20:65:c5:2d:8d:70:9d:21:03:66:ea:0c:e6:36:3a:39:
-        e2:31:7a:ad:77:fd:f7:ae:e5:71:9f:b3:a6:92:58:5a:ea
+        30:44:02:20:02:4d:b2:fa:11:f7:22:e3:e0:be:a5:54:32:a9:
+        3b:e4:fe:db:c7:95:8a:d5:ef:fe:5c:98:93:2f:ce:fa:45:c9:
+        02:20:5d:e8:67:2a:5a:5a:dd:a3:7e:bc:84:89:98:02:22:b9:
+        6d:fa:5b:d7:2a:17:30:a2:14:1e:3f:45:12:bb:e2:47
 
 ```
 
@@ -1068,16 +1068,16 @@ Certificate:
 openssl -verify ✅
 ```
 -----BEGIN CERTIFICATE-----
-MIIBujCCAV+gAwIBAgIRAJzKx+gx9Im3GaKmZHu8Vi4wCgYIKoZIzj0EAwIwJjEN
-MAsGA1UEChMEd2lyZTEVMBMGA1UEAxMMd2lyZSBSb290IENBMB4XDTIzMDMwOTE3
-NDUyNloXDTMzMDMwNjE3NDUyNlowLjENMAsGA1UEChMEd2lyZTEdMBsGA1UEAxMU
-d2lyZSBJbnRlcm1lZGlhdGUgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATA
-kL7iEjti0jZUzddvyNz7s6bz9nT9wE3i/6m3wJIUBOmmxjGtL7zei10Ug0shUAy9
-wi6gzOO2nLO8M5Ng5I2Jo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgw
-BgEB/wIBADAdBgNVHQ4EFgQUel0wq4WPec6urBmogrwaM1xfzzAwHwYDVR0jBBgw
-FoAUTvCb6QFlsO03eCI1y6/BHRKC+x0wCgYIKoZIzj0EAwIDSQAwRgIhANblRvok
-QrGKa/Yf2LZ29J2DpnRtl9clsb9wnD/xXp+yAiEAwURTfSSMOPEKwRBRU2Ot/6R5
-PE0YTICFWBpg2Lack54=
+MIIBuDCCAV6gAwIBAgIQWuwbXT9P2dGehuG4yN4QbzAKBggqhkjOPQQDAjAmMQ0w
+CwYDVQQKEwR3aXJlMRUwEwYDVQQDEwx3aXJlIFJvb3QgQ0EwHhcNMjMwMzEwMTQy
+NTI2WhcNMzMwMzA3MTQyNTI2WjAuMQ0wCwYDVQQKEwR3aXJlMR0wGwYDVQQDExR3
+aXJlIEludGVybWVkaWF0ZSBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDzD
+GaocGuIyleFg1HUrFuvwFXx3JyZya/MbabqcnySHQYvBAykfhbxfergavo1vN3P4
+CSjOM79sKl3zRlfsO6yjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAG
+AQH/AgEAMB0GA1UdDgQWBBQ2o1Ed9kvLld5UNeOHbpoGHrSgODAfBgNVHSMEGDAW
+gBSWK0xz7lHIHXSwcAekr6L7ITUhETAKBggqhkjOPQQDAgNIADBFAiBhzO6wqzqM
+XXysWIhnuxetkYZuctVdSgbOanhWdh0FjgIhAJX3+MibsoIHDoNtfE0bgkSbc3ub
+uHZg3cRULTngBaaW
 -----END CERTIFICATE-----
 ```
 ```
@@ -1085,22 +1085,22 @@ Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number:
-            9c:ca:c7:e8:31:f4:89:b7:19:a2:a6:64:7b:bc:56:2e
+            5a:ec:1b:5d:3f:4f:d9:d1:9e:86:e1:b8:c8:de:10:6f
         Signature Algorithm: ecdsa-with-SHA256
         Issuer: O = wire, CN = wire Root CA
         Validity
-            Not Before: Mar  9 17:45:26 2023 GMT
-            Not After : Mar  6 17:45:26 2033 GMT
+            Not Before: Mar 10 14:25:26 2023 GMT
+            Not After : Mar  7 14:25:26 2033 GMT
         Subject: O = wire, CN = wire Intermediate CA
         Subject Public Key Info:
             Public Key Algorithm: id-ecPublicKey
                 Public-Key: (256 bit)
                 pub:
-                    04:c0:90:be:e2:12:3b:62:d2:36:54:cd:d7:6f:c8:
-                    dc:fb:b3:a6:f3:f6:74:fd:c0:4d:e2:ff:a9:b7:c0:
-                    92:14:04:e9:a6:c6:31:ad:2f:bc:de:8b:5d:14:83:
-                    4b:21:50:0c:bd:c2:2e:a0:cc:e3:b6:9c:b3:bc:33:
-                    93:60:e4:8d:89
+                    04:3c:c3:19:aa:1c:1a:e2:32:95:e1:60:d4:75:2b:
+                    16:eb:f0:15:7c:77:27:26:72:6b:f3:1b:69:ba:9c:
+                    9f:24:87:41:8b:c1:03:29:1f:85:bc:5f:7a:b8:1a:
+                    be:8d:6f:37:73:f8:09:28:ce:33:bf:6c:2a:5d:f3:
+                    46:57:ec:3b:ac
                 ASN1 OID: prime256v1
                 NIST CURVE: P-256
         X509v3 extensions:
@@ -1109,14 +1109,14 @@ Certificate:
             X509v3 Basic Constraints: critical
                 CA:TRUE, pathlen:0
             X509v3 Subject Key Identifier: 
-                7A:5D:30:AB:85:8F:79:CE:AE:AC:19:A8:82:BC:1A:33:5C:5F:CF:30
+                36:A3:51:1D:F6:4B:CB:95:DE:54:35:E3:87:6E:9A:06:1E:B4:A0:38
             X509v3 Authority Key Identifier: 
-                4E:F0:9B:E9:01:65:B0:ED:37:78:22:35:CB:AF:C1:1D:12:82:FB:1D
+                96:2B:4C:73:EE:51:C8:1D:74:B0:70:07:A4:AF:A2:FB:21:35:21:11
     Signature Algorithm: ecdsa-with-SHA256
     Signature Value:
-        30:46:02:21:00:d6:e5:46:fa:24:42:b1:8a:6b:f6:1f:d8:b6:
-        76:f4:9d:83:a6:74:6d:97:d7:25:b1:bf:70:9c:3f:f1:5e:9f:
-        b2:02:21:00:c1:44:53:7d:24:8c:38:f1:0a:c1:10:51:53:63:
-        ad:ff:a4:79:3c:4d:18:4c:80:85:58:1a:60:d8:b6:9c:93:9e
+        30:45:02:20:61:cc:ee:b0:ab:3a:8c:5d:7c:ac:58:88:67:bb:
+        17:ad:91:86:6e:72:d5:5d:4a:06:ce:6a:78:56:76:1d:05:8e:
+        02:21:00:95:f7:f8:c8:9b:b2:82:07:0e:83:6d:7c:4d:1b:82:
+        44:9b:73:7b:9b:b8:76:60:dd:c4:54:2d:39:e0:05:a6:96
 
 ```
diff --git a/e2e-identity/src/lib.rs b/e2e-identity/src/lib.rs
index 46db45ca..1622e575 100644
--- a/e2e-identity/src/lib.rs
+++ b/e2e-identity/src/lib.rs
@@ -115,16 +115,16 @@ impl RustyE2eIdentity {
     #[allow(clippy::too_many_arguments)]
     pub fn acme_new_order_request(
         &self,
-        display_name: String,
-        client_id: String,
-        handle: String,
+        display_name: &str,
+        client_id: &str,
+        handle: &str,
         expiry: core::time::Duration,
         directory: &AcmeDirectory,
         account: &E2eiAcmeAccount,
         previous_nonce: String,
     ) -> E2eIdentityResult<Json> {
         let account = serde_json::from_value(account.clone().into())?;
-        let client_id = ClientId::try_from_qualified(client_id.as_str())?;
+        let client_id = ClientId::try_from_qualified(client_id)?;
         let order_req = RustyAcme::new_order_request(
             display_name,
             client_id,
diff --git a/e2e-identity/tests/api.rs b/e2e-identity/tests/api.rs
index 8b00c55e..00749086 100644
--- a/e2e-identity/tests/api.rs
+++ b/e2e-identity/tests/api.rs
@@ -20,7 +20,7 @@ fn e2e_api() {
         let user_id = base64::prelude::BASE64_URL_SAFE_NO_PAD.encode(user_id.to_string());
         let client_id = random::<u64>();
         let domain = "example.org";
-        let qualified_client_id = format!("{user_id}/{client_id:x}@{domain}");
+        let qualified_client_id = format!("{user_id}:{client_id:x}@{domain}");
 
         let display_name = "Smith, Alice M (QA)".to_string();
         let qualified_handle = format!("alice.smith.qa@{domain}");
@@ -73,9 +73,9 @@ fn e2e_api() {
             let expiry = core::time::Duration::from_secs(3600); // 1h
             let _order_request = enrollment
                 .acme_new_order_request(
-                    display_name,
-                    qualified_client_id.clone(),
-                    qualified_handle,
+                    &display_name,
+                    &qualified_client_id,
+                    &qualified_handle,
                     expiry,
                     &directory,
                     &account,
diff --git a/e2e-identity/tests/utils/cfg.rs b/e2e-identity/tests/utils/cfg.rs
index c7b91f85..3c843fca 100644
--- a/e2e-identity/tests/utils/cfg.rs
+++ b/e2e-identity/tests/utils/cfg.rs
@@ -108,7 +108,7 @@ impl<'a> E2eTest<'a> {
                 email: email.to_string(),
                 password: password.to_string(),
                 domain: domain.to_string(),
-                sub: sub.to_subject(),
+                sub: sub.to_uri(),
             },
             dex_cfg: DexCfg {
                 host: dex_host,
diff --git a/e2e-identity/tests/utils/fmk.rs b/e2e-identity/tests/utils/fmk.rs
index 538a311a..664cd8c3 100644
--- a/e2e-identity/tests/utils/fmk.rs
+++ b/e2e-identity/tests/utils/fmk.rs
@@ -136,9 +136,9 @@ impl<'a> E2eTest<'a> {
         self.display_step("create a new order");
         let expiry = core::time::Duration::from_secs(3600); // 1h
         let order_request = RustyAcme::new_order_request(
-            self.display_name.clone(),
+            &self.display_name,
             self.sub.clone(),
-            self.handle.clone(),
+            &self.handle,
             expiry,
             directory,
             account,
@@ -267,7 +267,7 @@ impl<'a> E2eTest<'a> {
         let b64 = |v: &str| base64::prelude::BASE64_URL_SAFE_NO_PAD.encode(v);
 
         // cheat to share test context
-        ctx_store("client-id", self.sub.to_subject());
+        ctx_store("client-id", self.sub.to_uri());
         ctx_store("backend-kp", self.backend_kp.to_string());
         ctx_store("hash-alg", self.hash_alg.to_string());
         ctx_store("wire-server-uri", self.wire_server_uri());
diff --git a/e2e-identity/tests/utils/wire_server/server_api.rs b/e2e-identity/tests/utils/wire_server/server_api.rs
index 34a82089..6ae9cddf 100644
--- a/e2e-identity/tests/utils/wire_server/server_api.rs
+++ b/e2e-identity/tests/utils/wire_server/server_api.rs
@@ -47,7 +47,7 @@ pub async fn wire_api(req: Request<Body>) -> Result<Response<Body>, hyper::Error
 
 fn generate_access_token(dpop: &str, nonce: BackendNonce) -> serde_json::Value {
     let client_id = ctx_get("client-id").unwrap();
-    let client_id: ClientId = client_id.as_str().try_into().unwrap();
+    let client_id = ClientId::try_from_uri(&client_id).unwrap();
     let backend_kp: Pem = ctx_get("backend-kp").unwrap().into();
     let hash_alg: HashAlgorithm = ctx_get("hash-alg").unwrap().parse().unwrap();
     let htu: Htu = ctx_get("wire-server-uri").unwrap().as_str().try_into().unwrap();
diff --git a/jwt/src/access/generate.rs b/jwt/src/access/generate.rs
index 8a9e46e6..6af621e7 100644
--- a/jwt/src/access/generate.rs
+++ b/jwt/src/access/generate.rs
@@ -95,7 +95,7 @@ impl RustyJwtTools {
                 challenge: proof_claims.custom.challenge,
                 cnf,
                 proof: proof.to_string(),
-                client_id: client_id.to_subject(),
+                client_id: client_id.to_uri(),
                 api_version: Access::WIRE_SERVER_API_VERSION,
                 scope: Access::DEFAULT_SCOPE.to_string(),
                 extra_claims: proof_claims.custom.extra_claims,
@@ -364,8 +364,8 @@ mod tests {
 
                 let backend_key = JwtKey::from((ciphersuite.key.alg, backend_key));
                 let claims = backend_key.claims::<Access>(&token);
-                assert_eq!(claims.subject, Some(sub.to_subject()));
-                assert_eq!(claims.custom.client_id, sub.to_subject());
+                assert_eq!(claims.subject, Some(sub.to_uri()));
+                assert_eq!(claims.custom.client_id, sub.to_uri());
             }
 
             #[apply(all_ciphersuites)]
diff --git a/jwt/src/access/mod.rs b/jwt/src/access/mod.rs
index 61aed774..dfa151bb 100644
--- a/jwt/src/access/mod.rs
+++ b/jwt/src/access/mod.rs
@@ -65,7 +65,7 @@ impl Access {
         let exp = Duration::from_secs(Self::EXP);
         Claims::with_custom_claims(self, exp)
             .with_jwt_id(new_jti())
-            .with_subject(client_id.to_subject())
+            .with_subject(client_id.to_uri())
             .with_nonce(nonce.to_string())
             .with_issuer(issuer)
             .with_audience(audience)
diff --git a/jwt/src/dpop/generate.rs b/jwt/src/dpop/generate.rs
index 2439fa06..c52e5b7a 100644
--- a/jwt/src/dpop/generate.rs
+++ b/jwt/src/dpop/generate.rs
@@ -463,7 +463,7 @@ pub mod tests {
             .unwrap();
             let claims = key.claims::<Dpop>(&token);
             assert!(claims.subject.is_some());
-            assert_eq!(claims.subject.unwrap(), client_id.to_subject())
+            assert_eq!(claims.subject.unwrap(), client_id.to_uri())
         }
 
         #[apply(all_keys)]
diff --git a/jwt/src/dpop/mod.rs b/jwt/src/dpop/mod.rs
index ebee3067..a8a48ceb 100644
--- a/jwt/src/dpop/mod.rs
+++ b/jwt/src/dpop/mod.rs
@@ -51,6 +51,6 @@ impl Dpop {
         Claims::with_custom_claims(self, expiry)
             .with_jwt_id(new_jti())
             .with_nonce(nonce.to_string())
-            .with_subject(client_id.to_subject())
+            .with_subject(client_id.to_uri())
     }
 }
diff --git a/jwt/src/jwt/verify.rs b/jwt/src/jwt/verify.rs
index 235a30d2..4b798a65 100644
--- a/jwt/src/jwt/verify.rs
+++ b/jwt/src/jwt/verify.rs
@@ -22,7 +22,7 @@ impl From<&Verify<'_>> for VerificationOptions {
         Self {
             accept_future: false,
             required_key_id: None, // we don't verify 'jti', just enforce its presence
-            required_subject: Some(v.client_id.to_subject()),
+            required_subject: Some(v.client_id.to_uri()),
             required_nonce: v.backend_nonce.map(|n| n.to_string()),
             time_tolerance: Some(UnixTimeStamp::from_secs(v.leeway as u64)),
             ..Default::default()
diff --git a/jwt/src/model/client_id.rs b/jwt/src/model/client_id.rs
index 7d2e7d50..a9dc3e12 100644
--- a/jwt/src/model/client_id.rs
+++ b/jwt/src/model/client_id.rs
@@ -14,25 +14,6 @@ pub struct ClientId {
     pub domain: String,
 }
 
-impl TryFrom<&str> for ClientId {
-    type Error = RustyJwtError;
-
-    fn try_from(client_id: &str) -> RustyJwtResult<Self> {
-        let rest = client_id
-            .strip_prefix(Self::URI_PREFIX)
-            .ok_or(RustyJwtError::InvalidClientId)?;
-        ClientId::try_from_qualified(rest)
-    }
-}
-
-impl TryFrom<&[u8]> for ClientId {
-    type Error = RustyJwtError;
-
-    fn try_from(client_id: &[u8]) -> RustyJwtResult<Self> {
-        core::str::from_utf8(client_id)?.try_into()
-    }
-}
-
 impl ClientId {
     #[cfg(test)]
     pub const DEFAULT_USER: Uuid = uuid::uuid!("4af3df2e-5c01-422f-baa1-d75546b92aa7");
@@ -40,6 +21,12 @@ impl ClientId {
     /// URI prefix for all subject URIs
     pub const URI_PREFIX: &'static str = "im:wireapp=";
 
+    /// Between user-id & client-id when converted to an URI
+    pub const URI_DELIMITER: &'static str = "/";
+
+    /// Between user-id & client-id when parsed from Wire clients
+    pub const CLIENT_DELIMITER: &'static str = ":";
+
     /// Constructor
     pub fn try_new(user: impl AsRef<str>, client: u64, domain: &str) -> RustyJwtResult<Self> {
         let user = uuid::Uuid::try_from(user.as_ref()).map_err(|_| RustyJwtError::InvalidClientId)?;
@@ -57,9 +44,23 @@ impl ClientId {
         Ok(Self { user, client, domain })
     }
 
+    /// Parse from an URI e.g. `im:wireapp={userId}/{clientId}@{domain}`
+    pub fn try_from_uri(client_id: &str) -> RustyJwtResult<Self> {
+        let client_id = client_id
+            .strip_prefix(Self::URI_PREFIX)
+            .ok_or(RustyJwtError::InvalidClientId)?;
+        Self::parse_client_id(client_id, Self::URI_DELIMITER)
+    }
+
     /// Constructor for clientId usually used by Wire client application. Does not have the prefix
+    /// and uses ':' instead of '/' as delimiter
+    /// e.g. `im:wireapp={userId}:{clientId}@{domain}`
     pub fn try_from_qualified(client_id: &str) -> RustyJwtResult<Self> {
-        let (user, rest) = client_id.split_once('/').ok_or(RustyJwtError::InvalidClientId)?;
+        Self::parse_client_id(client_id, Self::CLIENT_DELIMITER)
+    }
+
+    fn parse_client_id(client_id: &str, delimiter: &'static str) -> RustyJwtResult<Self> {
+        let (user, rest) = client_id.split_once(delimiter).ok_or(RustyJwtError::InvalidClientId)?;
         let user = Self::parse_user(user)?;
         let (client, domain) = rest.split_once('@').ok_or(RustyJwtError::InvalidClientId)?;
         let client = u64::from_str_radix(client, 16).map_err(|_| RustyJwtError::InvalidClientId)?;
@@ -71,9 +72,15 @@ impl ClientId {
     }
 
     /// Into JWT 'sub' claim
-    pub fn to_subject(&self) -> String {
+    pub fn to_uri(&self) -> String {
         let user = base64::prelude::BASE64_URL_SAFE_NO_PAD.encode(self.user.as_simple().to_string());
-        format!("{}{user}/{:x}@{}", Self::URI_PREFIX, self.client, self.domain)
+        format!(
+            "{}{user}{}{:x}@{}",
+            Self::URI_PREFIX,
+            Self::URI_DELIMITER,
+            self.client,
+            self.domain
+        )
     }
 
     fn parse_user(user: impl AsRef<[u8]>) -> RustyJwtResult<Uuid> {
@@ -90,7 +97,7 @@ impl serde::Serialize for ClientId {
     where
         S: serde::Serializer,
     {
-        serializer.serialize_str(&self.to_subject())
+        serializer.serialize_str(&self.to_uri())
     }
 }
 
@@ -124,9 +131,10 @@ impl ClientId {
 
 #[cfg(test)]
 mod tests {
-    use super::*;
     use std::str::FromStr as _;
 
+    use super::*;
+
     mod constructor {
         use super::*;
 
@@ -153,19 +161,23 @@ mod tests {
         }
     }
 
-    mod to_subject {
+    mod to_uri {
         use super::*;
 
         #[test]
-        fn to_subject_should_succeed() {
+        fn to_uri_should_succeed() {
             let user = "4af3df2e-5c01-422f-baa1-d75546b92aa7";
             let domain = "wire.com";
             let client_id = ClientId::try_new(user, u64::MAX, domain).unwrap();
             let base64_user = "NGFmM2RmMmU1YzAxNDIyZmJhYTFkNzU1NDZiOTJhYTc";
             let hex_client = "ffffffffffffffff";
             assert_eq!(
-                &client_id.to_subject(),
-                &format!("{}{base64_user}/{hex_client}@{domain}", ClientId::URI_PREFIX)
+                &client_id.to_uri(),
+                &format!(
+                    "{}{base64_user}{}{hex_client}@{domain}",
+                    ClientId::URI_PREFIX,
+                    ClientId::URI_DELIMITER
+                )
             );
         }
     }
@@ -173,57 +185,138 @@ mod tests {
     mod parse {
         use super::*;
 
-        #[test]
-        fn parse_subject_should_succeed() {
-            let user = "NGFmM2RmMmU1YzAxNDIyZmJhYTFkNzU1NDZiOTJhYTc";
-            let client = "1a2b";
-            let domain = "wire.com".to_string();
-            let subject = format!("{}{user}/{client}@{domain}", ClientId::URI_PREFIX);
-            let parsed = ClientId::try_from(subject.as_str()).unwrap();
-            assert_eq!(
-                parsed,
-                ClientId {
-                    user: Uuid::from_str(&ClientId::DEFAULT_USER.to_string()).unwrap(),
-                    client: 6699,
-                    domain,
-                }
-            );
-        }
+        const USER_ID: &str = "NGFmM2RmMmU1YzAxNDIyZmJhYTFkNzU1NDZiOTJhYTc";
+        const CLIENT_ID: &str = "1a2b";
+        const DOMAIN: &str = "wire.com";
 
-        #[test]
-        fn parse_subject_should_fail_when_invalid_uuid_user() {
-            let invalid_user = format!("{}abcd", "NGFmM2RmMmU1YzAxNDIyZmJhYTFkNzU1NDZiOTJhYTc");
-            let client = "1a2b";
-            let subject = format!("{}{invalid_user}/{client}@wire.com", ClientId::URI_PREFIX);
-            let parsed = ClientId::try_from(subject.as_str());
-            assert!(matches!(parsed.unwrap_err(), RustyJwtError::InvalidClientId));
-        }
+        mod uri {
+            use super::*;
 
-        #[test]
-        fn parse_subject_should_fail_when_invalid_uri_prefix() {
-            let user = "NGFmM2RmMmU1YzAxNDIyZmJhYTFkNzU1NDZiOTJhYTc";
-            let client = "1a2b";
-            let subject = format!("impp:not:wireapp={user}/{client}@wire.com");
-            let parsed = ClientId::try_from(subject.as_str());
-            assert!(matches!(parsed.unwrap_err(), RustyJwtError::InvalidClientId));
-        }
+            #[test]
+            fn should_succeed() {
+                let subject = format!("{}{USER_ID}/{CLIENT_ID}@{DOMAIN}", ClientId::URI_PREFIX);
+                let parsed = ClientId::try_from_uri(&subject).unwrap();
+                assert_eq!(
+                    parsed,
+                    ClientId {
+                        user: Uuid::from_str(&ClientId::DEFAULT_USER.to_string()).unwrap(),
+                        client: 6699,
+                        domain: DOMAIN.to_string(),
+                    }
+                );
+            }
 
-        #[test]
-        fn parse_subject_should_fail_when_invalid_hex_client() {
-            let user = "NGFmM2RmMmU1YzAxNDIyZmJhYTFkNzU1NDZiOTJhYTc";
-            let invalid_client = "1g2g";
-            let subject = format!("{}{user}/{invalid_client}@wire.com", ClientId::URI_PREFIX);
-            let parsed = ClientId::try_from(subject.as_str());
-            assert!(matches!(parsed.unwrap_err(), RustyJwtError::InvalidClientId));
+            #[test]
+            fn should_fail_when_invalid_uuid_user() {
+                let invalid_user = format!("{}abcd", USER_ID);
+                let subject = format!("{}{invalid_user}/{CLIENT_ID}@{DOMAIN}", ClientId::URI_PREFIX);
+                let parsed = ClientId::try_from_uri(&subject);
+                assert!(matches!(parsed.unwrap_err(), RustyJwtError::InvalidClientId));
+            }
+
+            #[test]
+            fn should_fail_when_invalid_uri_prefix() {
+                let subject = format!("im:not:wireapp={USER_ID}/{CLIENT_ID}@{DOMAIN}");
+                let parsed = ClientId::try_from_uri(&subject);
+                assert!(matches!(parsed.unwrap_err(), RustyJwtError::InvalidClientId));
+            }
+
+            #[test]
+            fn should_fail_when_invalid_delimiter() {
+                let delimiter = "@";
+                let subject = format!("{}{USER_ID}{delimiter}{CLIENT_ID}@{DOMAIN}", ClientId::URI_PREFIX);
+                let parsed = ClientId::try_from_uri(&subject);
+                assert!(matches!(parsed.unwrap_err(), RustyJwtError::InvalidClientId));
+            }
+
+            #[test]
+            fn should_fail_when_using_client_delimiter() {
+                let delimiter = ClientId::CLIENT_DELIMITER;
+                let subject = format!("{}{USER_ID}{delimiter}{CLIENT_ID}@{DOMAIN}", ClientId::URI_PREFIX);
+                let parsed = ClientId::try_from_uri(&subject);
+                assert!(matches!(parsed.unwrap_err(), RustyJwtError::InvalidClientId));
+            }
+
+            #[test]
+            fn should_fail_when_invalid_hex_client() {
+                let invalid_client = "1g2g";
+                let subject = format!("{}{USER_ID}/{invalid_client}@{DOMAIN}", ClientId::URI_PREFIX);
+                let parsed = ClientId::try_from_uri(&subject);
+                assert!(matches!(parsed.unwrap_err(), RustyJwtError::InvalidClientId));
+            }
+
+            #[test]
+            fn should_fail_when_client_too_large() {
+                let invalid_client = u128::MAX;
+                let subject = format!("{}{USER_ID}/{invalid_client:x}@{DOMAIN}", ClientId::URI_PREFIX);
+                let parsed = ClientId::try_from_uri(&subject);
+                assert!(matches!(parsed.unwrap_err(), RustyJwtError::InvalidClientId));
+            }
         }
 
-        #[test]
-        fn parse_subject_should_fail_when_client_too_large() {
-            let user = "NGFmM2RmMmU1YzAxNDIyZmJhYTFkNzU1NDZiOTJhYTc";
-            let invalid_client = u128::MAX;
-            let subject = format!("{}{user}/{invalid_client:x}@wire.com", ClientId::URI_PREFIX);
-            let parsed = ClientId::try_from(subject.as_str());
-            assert!(matches!(parsed.unwrap_err(), RustyJwtError::InvalidClientId));
+        mod client {
+            use super::*;
+
+            #[test]
+            fn should_succeed() {
+                let subject = format!("{USER_ID}:{CLIENT_ID}@{DOMAIN}");
+                let parsed = ClientId::try_from_qualified(&subject).unwrap();
+                assert_eq!(
+                    parsed,
+                    ClientId {
+                        user: Uuid::from_str(&ClientId::DEFAULT_USER.to_string()).unwrap(),
+                        client: 6699,
+                        domain: DOMAIN.to_string(),
+                    }
+                );
+            }
+
+            #[test]
+            fn should_fail_when_invalid_uuid_user() {
+                let invalid_user = format!("{}abcd", USER_ID);
+                let subject = format!("{invalid_user}:{CLIENT_ID}@{DOMAIN}");
+                let parsed = ClientId::try_from_qualified(&subject);
+                assert!(matches!(parsed.unwrap_err(), RustyJwtError::InvalidClientId));
+            }
+
+            #[test]
+            fn should_fail_when_uri_prefix() {
+                let subject = format!("{}{USER_ID}:{CLIENT_ID}@{DOMAIN}", ClientId::URI_PREFIX);
+                let parsed = ClientId::try_from_qualified(&subject);
+                assert!(matches!(parsed.unwrap_err(), RustyJwtError::InvalidClientId));
+            }
+
+            #[test]
+            fn should_fail_when_invalid_delimiter() {
+                let delimiter = "@";
+                let subject = format!("{USER_ID}{delimiter}{CLIENT_ID}@{DOMAIN}");
+                let parsed = ClientId::try_from_qualified(&subject);
+                assert!(matches!(parsed.unwrap_err(), RustyJwtError::InvalidClientId));
+            }
+
+            #[test]
+            fn should_fail_when_using_uri_delimiter() {
+                let delimiter = ClientId::URI_DELIMITER;
+                let subject = format!("{USER_ID}{delimiter}{CLIENT_ID}@{DOMAIN}");
+                let parsed = ClientId::try_from_qualified(&subject);
+                assert!(matches!(parsed.unwrap_err(), RustyJwtError::InvalidClientId));
+            }
+
+            #[test]
+            fn should_fail_when_invalid_hex_client() {
+                let invalid_client = "1g2g";
+                let subject = format!("{USER_ID}:{invalid_client}@{DOMAIN}");
+                let parsed = ClientId::try_from_qualified(&subject);
+                assert!(matches!(parsed.unwrap_err(), RustyJwtError::InvalidClientId));
+            }
+
+            #[test]
+            fn should_fail_when_client_too_large() {
+                let invalid_client = u128::MAX;
+                let subject = format!("{USER_ID}:{invalid_client:x}@{DOMAIN}");
+                let parsed = ClientId::try_from_qualified(&subject);
+                assert!(matches!(parsed.unwrap_err(), RustyJwtError::InvalidClientId));
+            }
         }
     }
 }
diff --git a/jwt/src/test_utils/access.rs b/jwt/src/test_utils/access.rs
index f0431033..39dc6b70 100644
--- a/jwt/src/test_utils/access.rs
+++ b/jwt/src/test_utils/access.rs
@@ -99,7 +99,7 @@ impl AccessBuilder {
     fn claims(&self) -> JWTClaims<TestAccess> {
         let exp = Duration::from_days(2);
         let mut claims = Claims::with_custom_claims(self.access.clone(), exp);
-        claims.subject = self.sub.as_ref().map(|c| c.to_subject());
+        claims.subject = self.sub.as_ref().map(|c| c.to_uri());
         claims.nonce = self.nonce.as_ref().map(|n| n.as_str().to_string());
         claims.jwt_id = self.jti.clone();
         claims.issued_at = self.iat;
diff --git a/jwt/src/test_utils/dpop.rs b/jwt/src/test_utils/dpop.rs
index c5f735ca..a0e3c632 100644
--- a/jwt/src/test_utils/dpop.rs
+++ b/jwt/src/test_utils/dpop.rs
@@ -91,7 +91,7 @@ impl DpopBuilder {
     fn claims(&self) -> JWTClaims<TestDpop> {
         let exp = Duration::from_days(2);
         let mut claims = Claims::with_custom_claims(self.dpop.clone(), exp);
-        claims.subject = self.sub.as_ref().map(|c| c.to_subject());
+        claims.subject = self.sub.as_ref().map(|c| c.to_uri());
         claims.nonce = self.nonce.as_ref().map(|n| n.as_str().to_string());
         claims.jwt_id = self.jti.clone();
         claims.issued_at = self.iat;