diff --git a/.gitignore b/.gitignore
index 9c65be456..b73cecb8f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
target/
+.idea/
authlete.properties
.settings
.project
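Review bot: `.idea/` is added to the ignore list here, but the same commit goes on to add `.idea/.gitignore` and `.idea/compiler.xml`, so IDE metadata is still being checked in. An ignore rule does not apply to files that are already tracked, so these two will keep appearing in later diffs. Either drop the `.idea/` files from the commit, or leave the directory out of `.gitignore` if the project settings are meant to be shared.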
diff --git a/.idea/.gitignore b/.idea/.gitignore
new file mode 100644
index 000000000..26d33521a
--- /dev/null
+++ b/.idea/.gitignore
@@ -0,0 +1,3 @@
+# Default ignored files
+/shelf/
+/workspace.xml
diff --git a/.idea/compiler.xml b/.idea/compiler.xml
new file mode 100644
index 000000000..cca833500
--- /dev/null
+++ b/.idea/compiler.xml
@@ -0,0 +1,13 @@
+
+
@@ -41,14 +41,59 @@ * * *
- * The role of the {@code /vci/deferred/issue} API is to issue a credential. + * The {@code /vci/deferred/issue} API is used for one of the following purposes: *
* + *+ * To issue a credential, the {@code order} request parameter must be set up + * properly, and both the {@code denied} and {@code order.issuanceDeferred} + * request parameters must be set to {@code false}. + *
+ * + *
+ * To deny the deferred credential request, the {@code denied} request parameter
+ * in the API call must be set to {@code true}. In this case, Authlete prepares
+ * a response containing {@code "error":"credential_request_denied"} and returns
+ * "action":"{@link CredentialDeferredIssueResponse.Action#BAD_REQUEST BAD_REQUEST}".
+ *
+ * Note that the {@code credential_request_denied} error code does not exist in + * OID4VCI 1.0 ID1. Therefore, you should not call the API with {@code denied} + * set to {@code true} when the target specification version is "1.0-ID1". + *
+ * + *+ * To notify that the requested credential is not ready yet, the + * {@code order.issuanceDeferred} request parameter in the API call must be + * set to {@code true}. In this case, Authlete will do one of the following: + *
+ * + *- * If the credential for the transaction ID is not ready, the implementation - * of the deferred credential endpoint should prepare an error response with - * {@code "error":"issuance_pending"} manually and return it to the request - * sender, without calling the {@code /vci/deferred/issue} API. + * Note that if the Authlete Server version is older than 3.0.25 and the target + * specification version is "1.0-ID1", you need to manually construct an error + * response as shown below, without using the {@code /vci/deferred/issue} API. *
* *@@ -61,15 +106,38 @@ * } ** + *
+ * If the {@code interval} request parameter in the API call is present and its + * value is positive, it is used as the value of the {@code interval} response + * parameter in the deferred credential response. If the {@code interval} + * request parameter is missing, zero, or negative, Authlete uses the default + * value. + *
+ * + *+ * Note that the {@code interval} response parameter does not exist in OID4VCI + * 1.0 ID1. Therefore, you don't have to care about the {@code interval} request + * parameter if the target specification version is "1.0-ID1". + *
+ * + *+ * In all cases, the {@code order.requestIdentifier} request parameter must be + * set properly. + *
+ * * @since 3.70 * @since Authlete 3.0 * - * @see OpenID for Verifiable Credential Issuance + * @see + * OpenID for Verifiable Credential Issuance 1.0 */ public class CredentialDeferredIssueRequest implements Serializable { - private static final long serialVersionUID = 1L; + private static final long serialVersionUID = 2L; /** @@ -77,6 +145,24 @@ public class CredentialDeferredIssueRequest implements Serializable */ private CredentialIssuanceOrder order; + /** + * The flag that indicates whether to deny the deferred credential request. + * + * @since 4.35 + * @since Authlete 3.0.25 + */ + private boolean denied; + + + /** + * The minimum amount of time in seconds that the Wallet SHOULD wait after + * receiving the response before sending a new request to the Deferred + * Credential Endpoint. + * + * @since 4.35 + * @since Authlete 3.0.25 + */ + private int interval; /** * Get the credential order that provides an instruction for issuing a @@ -107,4 +193,158 @@ public CredentialDeferredIssueRequest setOrder(CredentialIssuanceOrder order) return this; } + + /** + * Get the flag that indicates whether to deny the deferred credential + * request. + * + *+ * If this parameter is set to {@code true}, the response content prepared + * by Authlete will contain {@code "error":"credential_request_denied"} + * like below. + *
+ * + *
+ * {
+ * "error": "credential_request_denied"
+ * }
+ *
+ *
+ * + * Note that the {@code credential_request_denied} error code does not + * exist in OID4VCI 1.0 ID1. + *
+ * + * @return + * {@code true} for generating a response content containing + * {@code "error":"credential_request_denied"}. + * + * @since 4.35 + * @since Authlete 3.0.25 + */ + public boolean isDenied() + { + return denied; + } + + + /** + * Set the flag that indicates whether to deny the deferred credential + * request. + * + *+ * If this parameter is set to {@code true}, the response content prepared + * by Authlete will contain {@code "error":"credential_request_denied"} + * like below. + *
+ * + *
+ * {
+ * "error": "credential_request_denied"
+ * }
+ *
+ *
+ * + * Note that the {@code credential_request_denied} error code does not + * exist in OID4VCI 1.0 ID1. + *
+ * + * @param denied + * {@code true} for generating a response content containing + * {@code "error":"credential_request_denied"}. + * + * @return + * {@code this} object. + * + * @since 4.35 + * @since Authlete 3.0.25 + */ + public CredentialDeferredIssueRequest setDenied(boolean denied) + { + this.denied = denied; + + return this; + } + + /** + * Get the minimum amount of time in seconds that the Wallet SHOULD wait + * after receiving the response before sending a new request to the + * Deferred Credential Endpoint. + * + *+ * The value of this parameter is used as the value of the {@code interval} + * parameter in the deferred credential response. However, the + * {@code interval} parameter is included in the deferred credential + * response only when the following conditions are met: + *
+ * + *+ * The value of this parameter is used as the value of the {@code interval} + * parameter in the deferred credential response. However, the + * {@code interval} parameter is included in the deferred credential + * response only when the following conditions are met: + *
+ * + *+ * The {@code action} value {@link Action#ACCEPTED ACCEPTED} means that + * the requested credential is not ready yet. In this case, the + * implementation of the deferred credential endpoint should return a + * successful response to the request sender. The HTTP status code and the + * content type of the response should be 202 and {@code application/json}, + * respectively. The value of the {@code responseContent} parameter can + * be used as the message body of the response. It contains the + * "{@code transaction_id}" parameter that conforms to the specification + * of "Deferred Credential Response". + *
+ * + *+ * HTTP/1.1 202 Accepted + * Content-Type: application/json + * Cache-Control: no-store + * + * (Put the value of the "responseContent" parameter here.) + *+ * + *
+ * The {@code action} value {@link Action#ACCEPTED_JWT ACCEPTED_JWT} means + * that the requested credential is not ready yet and the deferred credential + * response should be encrypted. In this case, the implementation of the + * deferred credential endpoint should return a successful response to the + * request sender. The HTTP status code and the content type of the response + * should be 202 and {@code application/jwt}, respectively. The value of the + * {@code responseContent} parameter is an encrypted JWT and can be used + * as the message body of the response. + *
+ * + *+ * HTTP/1.1 202 Accepted + * Content-Type: application/jwt + * Cache-Control: no-store + * + * (Put the value of the "responseContent" parameter here.) + *+ * + *
@@ -169,7 +214,7 @@ */ public class CredentialDeferredIssueResponse extends ApiResponse { - private static final long serialVersionUID = 2L; + private static final long serialVersionUID = 3L; /** @@ -197,12 +242,42 @@ public enum Action */ OK_JWT, + /** + * The requested credential is not ready yet. The implementation of + * the deferred credential endpoint should return a successful response + * with the HTTP status code "202 Accepted" and the content type + * {@code application/json}. + * + * @since 4.35 + * @since Authlete 3.0.25 + */ + ACCEPTED, + + /** + * The requested credential is not ready yet and the deferred + * credential response should be encrypted. The implementation of the + * deferred credential endpoint should return a successful response + * with the HTTP status code "202 Accepted" and the content type + * {@code application/jwt}. + * + * @since 4.35 + * @since Authlete 3.0.25 + */ + ACCEPTED_JWT, + /** * The original deferred credential request is wrong. This can happen, * for example, when the process for encrypting the deferred credential * response with the encryption parameters specified in the deferred * credential request failed. * + *
+ * Since Authlete 3.0.25, this action is returned also when the + * credential issuer has decided not to issue a credential for the + * presented transaction ID (that is, when the {@code /vci/deferred/issue} + * API is called with {@code denied} set to {@code true}). + *
+ * * @since 3.86 */ BAD_REQUEST, diff --git a/src/main/java/com/authlete/common/dto/CredentialDeferredParseResponse.java b/src/main/java/com/authlete/common/dto/CredentialDeferredParseResponse.java index 778bfda18..389148273 100644 --- a/src/main/java/com/authlete/common/dto/CredentialDeferredParseResponse.java +++ b/src/main/java/com/authlete/common/dto/CredentialDeferredParseResponse.java @@ -1,5 +1,5 @@ /* - * Copyright (C) 2023 Authlete, Inc. + * Copyright (C) 2023-2026 Authlete, Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); you may not * use this file except in compliance with the License. You may obtain a copy of @@ -33,14 +33,15 @@ * The {@code action} value {@link Action#OK OK} means that the deferred * credential request is valid. In this case, the implementation of the * deferred credential endpoint should call the {@code /vci/deferred/issue} - * API in order to issue a verifiable credential, or return the - * {@code issuance_pending} error if the verifiable credential is not ready - * yet. + * API in order to issue a verifiable credential, deny the deferred credential + * request, or notify that the requested credential is not ready yet. * * *- * The following is an example error response telling the request sender - * that the verifiable credential is not ready yet. + * Note that if the Authlete Server version is older than 3.0.25 and the + * target specification version is "1.0-ID1", you need to manually construct + * an error response containing {@code "error":"issuance_pending"}, as shown + * below, without using the {@code /vci/deferred/issue} API. *
* *
diff --git a/src/main/java/com/authlete/common/dto/CredentialRequestInfo.java b/src/main/java/com/authlete/common/dto/CredentialRequestInfo.java
index 97644f91b..eb9fc9582 100644
--- a/src/main/java/com/authlete/common/dto/CredentialRequestInfo.java
+++ b/src/main/java/com/authlete/common/dto/CredentialRequestInfo.java
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2023-2024 Authlete, Inc.
+ * Copyright (C) 2023-2026 Authlete, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy of
@@ -32,12 +32,12 @@
* @since 3.66
* @since Authlete 3.0
*
- * @see OpenID for Verifiable Credential Issuance
+ * @see
+ * OpenID for Verifiable Credential Issuance 1.0
*/
public class CredentialRequestInfo implements Serializable
{
- private static final long serialVersionUID = 2L;
+ private static final long serialVersionUID = 3L;
/**
@@ -72,6 +72,25 @@ public class CredentialRequestInfo implements Serializable
private String details;
+ /**
+ * The {@code credential_configuration_id} parameter in the credential
+ * request.
+ *
+ * @since 4.34
+ * @since Authlete 3.0.25
+ */
+ private String credentialConfigurationId;
+
+
+ /**
+ * The {@code credential_identifier} parameter in the credential request.
+ *
+ * @since 4.34;
+ * @since Authlete 3.0.25
+ */
+ private String credentialIdentifier;
+
+
/**
* Get the identifier of the credential request.
*
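Review bot: The Javadoc on `credentialIdentifier` has a stray semicolon in `@since 4.34;`, which will show up verbatim in the generated docs; it should read `@since 4.34`. Both new fields also pair `@since 4.34` with `@since Authlete 3.0.25`, while the `denied` and `interval` members added to CredentialSingleIssueRequest in this same commit pair `4.35` with Authlete 3.0.25. One of the two library versions is probably wrong and is worth checking before release. The class body continues outside this hunk.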
@@ -118,9 +137,18 @@ public CredentialRequestInfo setIdentifier(String identifier)
/**
* Get the value of the {@code format} parameter in the credential request.
*
+ *
+ * This {@code format} property is available only when the supported OID4VCI
+ * specification version is {@code "1.0-ID1"} (i.e., when the Service's
+ * {@code oid4vciVersion} is unset or set to {@code "1.0-ID1"}) and the
+ * credential request contains the {@code format} parameter. Note that in
+ * the final version of the specification, the {@code format} parameter is
+ * deprecated.
+ *
+ *
* @return
* The value of the {@code format} parameter in the credential request.
- * Such as {@code "vc+sd-jwt"}.
+ * Such as {@code "dc+sd-jwt"}.
*/
public String getFormat()
{
@@ -131,9 +159,18 @@ public String getFormat()
/**
* Set the value of the {@code format} parameter in the credential request.
*
+ *
+ * This {@code format} property is available only when the supported OID4VCI
+ * specification version is {@code "1.0-ID1"} (i.e., when the Service's
+ * {@code oid4vciVersion} is unset or set to {@code "1.0-ID1"}) and the
+ * credential request contains the {@code format} parameter. Note that in
+ * the final version of the specification, the {@code format} parameter is
+ * deprecated.
+ *
+ *
* @param format
* The value of the {@code format} parameter in the credential request.
- * Such as {@code "jwt_vc_json"} and {@code "vc+sd-jwt"}.
+ * Such as {@code "jwt_vc_json"} and {@code "dc+sd-jwt"}.
*
* @return
* {@code this} object.
@@ -299,4 +336,114 @@ public CredentialRequestInfo setDetails(String details)
return this;
}
+
+
+ /**
+ * Get the value of the {@code credential_configuration_id} parameter in
+ * the credential request.
+ *
+ *
+ * This property is not available when the supported OID4VCI specification
+ * version is {@code "1.0-ID1"} (i.e., when the Service's
+ * {@code oid4vciVersion} is unset or set to {@code "1.0-ID1"}), because
+ * the {@code credential_configuration_id} parameter does not exist in
+ * OID4VCI 1.0 ID1.
+ *
+ *
+ * @return
+ * The value of the {@code credential_configuration_id} parameter
+ * in the credential request.
+ *
+ * @since 4.34
+ * @since Authlete 3.0.25
+ */
+ public String getCredentialConfigurationId()
+ {
+ return credentialConfigurationId;
+ }
+
+
+ /**
+ * Set the value of the {@code credential_configuration_id} parameter in
+ * the credential request.
+ *
+ *
+ * This property is not available when the supported OID4VCI specification
+ * version is {@code "1.0-ID1"} (i.e., when the Service's
+ * {@code oid4vciVersion} is unset or set to {@code "1.0-ID1"}), because
+ * the {@code credential_configuration_id} parameter does not exist in
+ * OID4VCI 1.0 ID1.
+ *
+ *
+ * @param id
+ * The value of the {@code credential_configuration_id} parameter
+ * in the credential request.
+ *
+ * @return
+ * {@code this} object.
+ *
+ * @since 4.34
+ * @since Authlete 3.0.25
+ */
+ public CredentialRequestInfo setCredentialConfigurationId(String id)
+ {
+ this.credentialConfigurationId = id;
+
+ return this;
+ }
+
+
+ /**
+ * Get the value of the {@code credential_identifier} parameter in the
+ * credential request.
+ *
+ *
+ * This property is not available when the supported OID4VCI specification
+ * version is {@code "1.0-ID1"} (i.e., when the Service's
+ * {@code oid4vciVersion} is unset or set to {@code "1.0-ID1"}), because
+ * Authlete does not support the {@code credential_identifier} parameter
+ * for OID4VCI 1.0 ID1.
+ *
+ *
+ * @return
+ * The value of the {@code credential_identifier} parameter in the
+ * credential request.
+ *
+ * @since 4.34
+ * @since Authlete 3.0.25
+ */
+ public String getCredentialIdentifier()
+ {
+ return credentialIdentifier;
+ }
+
+
+ /**
+ * Set the value of the {@code credential_identifier} parameter in the
+ * credential request.
+ *
+ *
+ * This property is not available when the supported OID4VCI specification
+ * version is {@code "1.0-ID1"} (i.e., when the Service's
+ * {@code oid4vciVersion} is unset or set to {@code "1.0-ID1"}), because
+ * Authlete does not support the {@code credential_identifier} parameter
+ * for OID4VCI 1.0 ID1.
+ *
+ *
+ * @param identifier
+ * The value of the {@code credential_identifier} parameter in the
+ * credential request.
+ *
+ * @return
+ * {@code this} object.
+ *
+ * @since 4.34
+ * @since Authlete 3.0.25
+ */
+ public CredentialRequestInfo setCredentialIdentifier(String identifier)
+ {
+ this.credentialIdentifier = identifier;
+
+ return this;
+ }
}
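Review bot: The Javadoc on `getCredentialConfigurationId()` and `getCredentialIdentifier()` describes each value only as the parameter "in the credential request". It does not say whether the value has already been checked against what the presented access token is authorized for. Both values come from the wallet, so an issuer that selects the credential to issue from them needs to know whether that check is still its own responsibility. I would add one sentence to each getter stating which validation, if any, has been applied before the value is exposed here; I cannot tell from this diff what the server guarantees. Minor: `setCredentialConfigurationId(String id)` abbreviates its parameter name where the neighbouring setters spell it out (`identifier`, `details`).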
diff --git a/src/main/java/com/authlete/common/dto/CredentialSingleIssueRequest.java b/src/main/java/com/authlete/common/dto/CredentialSingleIssueRequest.java
index a1a36d61a..e116ca52c 100644
--- a/src/main/java/com/authlete/common/dto/CredentialSingleIssueRequest.java
+++ b/src/main/java/com/authlete/common/dto/CredentialSingleIssueRequest.java
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2023 Authlete, Inc.
+ * Copyright (C) 2023-2026 Authlete, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License. You may obtain a copy of
@@ -26,7 +26,7 @@
* The Authlete API is supposed to be called by the implementation of the
* credential endpoint. The endpoint is defined in the "OpenID for Verifiable Credential Issuance" (OID4VCI) specification.
+ * >OpenID for Verifiable Credential Issuance 1.0" (OID4VCI) specification.
*
*
*
@@ -49,12 +49,12 @@
* @since 3.67
* @since Authlete 3.0
*
- * @see OpenID for Verifiable Credential Issuance
+ * @see
+ * OpenID for Verifiable Credential Issuance 1.0
*/
public class CredentialSingleIssueRequest implements Serializable
{
- private static final long serialVersionUID = 1L;
+ private static final long serialVersionUID = 2L;
/**
@@ -69,6 +69,26 @@ public class CredentialSingleIssueRequest implements Serializable
private CredentialIssuanceOrder order;
+ /**
+ * The flag that indicates whether to deny the credential request.
+ *
+ * @since 4.35
+ * @since Authlete 3.0.25
+ */
+ private boolean denied;
+
+
+ /**
+ * The minimum amount of time in seconds that the Wallet SHOULD wait after
+ * receiving the response before sending a new request to the Deferred
+ * Credential Endpoint.
+ *
+ * @since 4.35
+ * @since Authlete 3.0.25
+ */
+ private int interval;
+
+
/**
* Get the access token that was presented at the credential endpoint.
*
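Review bot: The comment on `denied` does not say what happens when `denied` is `true` and `order.issuanceDeferred` is `true` at the same time, and nothing in the Javadoc visible in this diff settles it. For a flag whose purpose is to refuse issuance, callers should be able to rely on a documented precedence. Once the server behaviour is confirmed, extend the field comment with a line such as `If both this flag and order.issuanceDeferred are true, ... takes precedence.` and mirror it on the `denied` field added to CredentialDeferredIssueRequest. The `interval` comment could also state that a zero or negative value means "use the default", as the class-level text for the deferred API does. The class body continues outside this hunk.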
@@ -127,4 +147,158 @@ public CredentialSingleIssueRequest setOrder(CredentialIssuanceOrder order)
return this;
}
+
+
+ /**
+ * Get the flag that indicates whether to deny the credential request.
+ *
+ *
+ * If this parameter is set to {@code true}, the response content prepared
+ * by Authlete will contain {@code "error":"credential_request_denied"}
+ * like below.
+ *
+ *
+ *
+ * {
+ * "error": "credential_request_denied"
+ * }
+ *
+ *
+ *
+ * Note that the {@code credential_request_denied} error code does not
+ * exist in OID4VCI 1.0 ID1.
+ *
+ *
+ * @return
+ * {@code true} for generating a response content containing
+ * {@code "error":"credential_request_denied"}.
+ *
+ * @since 4.35
+ * @since Authlete 3.0.25
+ */
+ public boolean isDenied()
+ {
+ return denied;
+ }
+
+
+ /**
+ * Set the flag that indicates whether to deny the credential request.
+ *
+ *
+ * If this parameter is set to {@code true}, the response content prepared
+ * by Authlete will contain {@code "error":"credential_request_denied"}
+ * like below.
+ *
+ *
+ *
+ * {
+ * "error": "credential_request_denied"
+ * }
+ *
+ *
+ *
+ * Note that the {@code credential_request_denied} error code does not
+ * exist in OID4VCI 1.0 ID1.
+ *
+ *
+ * @param denied
+ * {@code true} for generating a response content containing
+ * {@code "error":"credential_request_denied"}.
+ *
+ * @return
+ * {@code this} object.
+ *
+ * @since 4.35
+ * @since Authlete 3.0.25
+ */
+ public CredentialSingleIssueRequest setDenied(boolean denied)
+ {
+ this.denied = denied;
+
+ return this;
+ }
+
+
+ /**
+ * Get the minimum amount of time in seconds that the Wallet SHOULD wait
+ * after receiving the response before sending a new request to the
+ * Deferred Credential Endpoint.
+ *
+ *
+ * The value of this parameter is used as the value of the {@code interval}
+ * parameter in the credential response. However, the {@code interval}
+ * parameter is included in the credential response only when the following
+ * conditions are met:
+ *
+ *
+ * + * The value of this parameter is used as the value of the {@code interval} + * parameter in the credential response. However, the {@code interval} + * parameter is included in the credential response only when the following + * conditions are met: + *
+ * + *+ * Since Authlete 3.0.25, this action is returned also when the + * credential issuer has decided not to issue a credential for the + * presented transaction ID (that is, when the {@code /vci/single/issue} + * API is called with {@code denied} set to {@code true}). + *
+ * * @since 3.86 */ BAD_REQUEST, diff --git a/src/main/java/com/authlete/common/dto/GetTslEntriesResponse.java b/src/main/java/com/authlete/common/dto/GetTslEntriesResponse.java new file mode 100644 index 000000000..40769b257 --- /dev/null +++ b/src/main/java/com/authlete/common/dto/GetTslEntriesResponse.java @@ -0,0 +1,150 @@ +package com.authlete.common.dto; + +import java.io.Serializable; + +/** + * Response from Authlete's {@code /tsl/entries/list} API. + * + *+ * This class represents the result of a query that retrieves + * a list of TSL (Token Status List) token entries. It contains + * information about pagination (start and end indexes), total + * entry count, and the actual list of {@link TslEntry} objects. + *
+ * + * @since 4.33 + * @since Authlete 3.0.22 + */ +public class GetTslEntriesResponse implements Serializable +{ + private static final long serialVersionUID = 1L; + + /** + * The start index (inclusive) for the result set of the query. + */ + private int start; + + /** + * The end index (exclusive) for the result set of the query. + */ + private int end; + + /** + * The total number of entries available for the query, regardless of pagination. + */ + private int totalCount; + + /** + * The array of TSL token entries returned by the query. + */ + private TslEntry[] tslEntries; + + + /** + * Set the start index (inclusive) for the result set. + * + * @param start + * The start index. + * + * @return + * {@code this} object for method chaining. + */ + public GetTslEntriesResponse setStart(int start) + { + this.start = start; + + return this; + } + + /** + * Get the start index (inclusive) for the result set. + * + * @return + * The start index. + */ + public int getStart() + { + return start; + } + + /** + * Set the end index (exclusive) for the result set. + * + * @param end + * The end index. + * + * @return + * {@code this} object for method chaining. + */ + public GetTslEntriesResponse setEnd(int end) + { + this.end = end; + + return this; + } + + /** + * Get the end index (exclusive) for the result set. + * + * @return + * The end index. + */ + public int getEnd() + { + return end; + } + + /** + * Set the total count of all entries matching the query. + * + * @param totalCount + * The total number of matching entries. + * + * @return + * {@code this} object for method chaining. + */ + public GetTslEntriesResponse setTotalCount(int totalCount) + { + this.totalCount = totalCount; + + return this; + } + + /** + * Get the total number of entries matching the query. + * + * @return + * The total count. + */ + public int getTotalCount() + { + return totalCount; + } + + /** + * Set the list of TSL token entries. 
+ * + * @param tslEntries + * An array of {@link TslEntry} objects. + * + * @return + * {@code this} object for method chaining. + */ + public GetTslEntriesResponse setTslEntries(TslEntry[] tslEntries) + { + this.tslEntries = tslEntries; + + return this; + } + + /** + * Get the list of TSL token entries returned by the query. + * + * @return + * An array of {@link TslEntry} objects, or {@code null} if none. + */ + public TslEntry[] getTslEntries() + { + return tslEntries; + } +} diff --git a/src/main/java/com/authlete/common/dto/Service.java b/src/main/java/com/authlete/common/dto/Service.java index 2af8139ba..0711dcb3f 100644 --- a/src/main/java/com/authlete/common/dto/Service.java +++ b/src/main/java/com/authlete/common/dto/Service.java @@ -330,7 +330,7 @@ */ public class Service implements Serializable { - private static final long serialVersionUID = 88L; + private static final long serialVersionUID = 89L; /* 
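Review bot: `GetTslEntriesResponse implements Serializable` and holds a `TslEntry[] tslEntries` field, but `TslEntry` as added later in this commit is declared `public class TslEntry` with no `implements Serializable`. Serializing a response that contains entries would therefore fail with `NotSerializableException`. `TslEntry` and `TslPublishConfigInfo` both declare a `serialVersionUID`, which has no effect without the interface. The fix is `public class TslEntry implements Serializable` (likewise for `TslPublishConfigInfo`), adding the `java.io.Serializable` import where the file lacks it. Separately, this new file starts directly at the `package` line, whereas the existing DTOs touched in this diff carry the Apache license header.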
@@ -1951,15 +1951,55 @@ public class Service implements Serializable private boolean cimdQueryPermitted; + /** + * Whether to apply the metadata policy to client metadata that is obtained + * through the CIMD mechanism. + * + * @since 4.33 + * @since Authlete 3.0.23 + */ + private boolean cimdMetadataPolicyEnabled; + + + /** + * The metadata policy applied to client metadata that is obtained through + * the CIMD mechanism. + * + * @since 4.33 + * @since Authlete 3.0.23 + */ + private String cimdMetadataPolicy; + + /** * Whether to prohibit client ID aliases that start with {@code https://} * or {@code http://}. * - * @since 4.32 + * @since 4.33 * @since Authlete 3.0.22 */ private boolean httpAliasProhibited; + /** + * The flag indicating whether the feature of TSL publishing for + * this service is enabled or not. + * + * @since 4.33 + * @since Authlete 3.0.22 + */ + private boolean tslPublishingEnabled; + + + /** + * TSL configuration data. + * + * @since 4.33 + * @since Authlete 3.0.22 + * + * @see+ * If this flag is set to {@code true}, the metadata policy specified by + * the {@code cimdMetadataPolicy} property, if available, is applied to + * the client metadata that is obtained through the CIMD mechanism. + *
+ * + * @return + * {@code true} if the metadata policy is applied to client + * metadata that is obtained through the CIMD mechanism. + * + * @since 4.33 + * @since Authlete 3.0.23 + * + * @see + * OAuth Client ID Metadata Document + */ + public boolean isCimdMetadataPolicyEnabled() + { + return cimdMetadataPolicyEnabled; + } + + + /** + * Set the flag that indicates whether to apply the metadata policy to + * client metadata that is obtained through the CIMD mechanism. + * + *+ * If this flag is set to {@code true}, the metadata policy specified by + * the {@code cimdMetadataPolicy} property, if available, is applied to + * the client metadata that is obtained through the CIMD mechanism. + *
+ * + * @param enabled + * {@code true} to apply the metadata policy to client metadata + * that is obtained through the CIMD mechanism. + * + * @return + * {@code this} object. + * + * @since 4.33 + * @since Authlete 3.0.23 + * + * @see + * OAuth Client ID Metadata Document + */ + public Service setCimdMetadataPolicyEnabled(boolean enabled) + { + this.cimdMetadataPolicyEnabled = enabled; + + return this; + } + + + /** + * Get the metadata policy applied to client metadata that is obtained + * through the CIMD mechanism. + * + *+ * If the {@code cimdMetadataPolicyEnabled} property is set to {@code true}, + * the metadata policy specified by this {@code cimdMetadataPolicy} property + * is applied to client metadata that is obtained through the CIMD mechanism. + *
+ * + *+ * The metadata policy must comply with the grammar defined in 6.1. Metadata Policy of the OpenID Federation + * 1.0 specification. Below is an example of metadata policy: + *
+ * + *
+ * {
+ * "grant_types": {
+ * "default": [
+ * "authorization_code"
+ * ],
+ * "subset_of": [
+ * "authorization_code",
+ * "refresh_token"
+ * ],
+ * "superset_of": [
+ * "authorization_code"
+ * ]
+ * },
+ * "token_endpoint_auth_method": {
+ * "one_of": [
+ * "private_key_jwt",
+ * "self_signed_tls_client_auth"
+ * ],
+ * "essential": true
+ * },
+ * "token_endpoint_auth_signing_alg" : {
+ * "one_of": [
+ * "PS256",
+ * "ES256"
+ * ]
+ * }
+ * }
+ *
+ * @return
+ * The metadata policy applied to client metadata that is obtained
+ * through the CIMD mechanism.
+ *
+ * @since 4.33
+ * @since Authlete 3.0.23
+ *
+ * @see
+ * OAuth Client ID Metadata Document
+ * @see
+ * OpenID Federation 1.0, Section 6.1. Metadata Policy
+ */
+ public String getCimdMetadataPolicy()
+ {
+ return cimdMetadataPolicy;
+ }
+
+
+ /**
+ * Set the metadata policy applied to client metadata that is obtained
+ * through the CIMD mechanism.
+ *
+ * + * If the {@code cimdMetadataPolicyEnabled} property is set to {@code true}, + * the metadata policy specified by this {@code cimdMetadataPolicy} property + * is applied to client metadata that is obtained through the CIMD mechanism. + *
+ * + *+ * The metadata policy must comply with the grammar defined in 6.1. Metadata Policy of the OpenID Federation + * 1.0 specification. Below is an example of metadata policy: + *
+ * + *
+ * {
+ * "grant_types": {
+ * "default": [
+ * "authorization_code"
+ * ],
+ * "subset_of": [
+ * "authorization_code",
+ * "refresh_token"
+ * ],
+ * "superset_of": [
+ * "authorization_code"
+ * ]
+ * },
+ * "token_endpoint_auth_method": {
+ * "one_of": [
+ * "private_key_jwt",
+ * "self_signed_tls_client_auth"
+ * ],
+ * "essential": true
+ * },
+ * "token_endpoint_auth_signing_alg" : {
+ * "one_of": [
+ * "PS256",
+ * "ES256"
+ * ]
+ * }
+ * }
+ *
+ * @param policy
+ * The metadata policy applied to client metadata that is obtained
+ * through the CIMD mechanism.
+ *
+ * @return
+ * {@code this} object.
+ *
+ * @since 4.33
+ * @since Authlete 3.0.23
+ *
+ * @see
+ * OAuth Client ID Metadata Document
+ * @see
+ * OpenID Federation 1.0, Section 6.1. Metadata Policy
+ */
+ public Service setCimdMetadataPolicy(String policy)
+ {
+ this.cimdMetadataPolicy = policy;
+
+ return this;
+ }
+
+
/**
* Get the flag that indicates whether to prohibit client ID aliases that
* start with {@code https://} or {@code http://}.
@@ -12801,4 +13093,19 @@ public Service setHttpAliasProhibited(boolean prohibited)
return this;
}
+
+ /**
+ * Retrieves the {@link TslConfigData} associated with this service.
+ *
+ * @return
+ * the current {@link TslConfigData}
+ *
+ * @since 4.33
+ * @since Authlete 3.0.22
+ */
+ public TslConfigData getTslConfigData()
+ {
+ return tslConfigData;
+
+ }
}
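Review bot: Only `getTslConfigData()` is added here. In the parts of the Service.java diff that are visible I find no `setTslConfigData(...)` and no accessors at all for the new `tslPublishingEnabled` field, whereas `cimdMetadataPolicyEnabled` and `cimdMetadataPolicy` each get a getter and a fluent setter. Part of this file's diff is not readable on the page, so they may exist elsewhere; if not, either document that the two properties are read-only for clients or add the missing accessors as sketched below. Minor: the getter has an empty line before its closing brace, and its summary starts with "Retrieves" where the rest of the file uses "Get the ...".

```java
    // … unchanged: getTslConfigData() …

    public Service setTslConfigData(TslConfigData data)
    {
        this.tslConfigData = data;

        return this;
    }


    public boolean isTslPublishingEnabled()
    {
        return tslPublishingEnabled;
    }


    public Service setTslPublishingEnabled(boolean enabled)
    {
        this.tslPublishingEnabled = enabled;

        return this;
    }
```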
diff --git a/src/main/java/com/authlete/common/dto/TslConfigData.java b/src/main/java/com/authlete/common/dto/TslConfigData.java
new file mode 100644
index 000000000..393c23533
--- /dev/null
+++ b/src/main/java/com/authlete/common/dto/TslConfigData.java
@@ -0,0 +1,213 @@
+package com.authlete.common.dto;
+
+import com.authlete.common.types.TslFormat;
+
+import java.io.Serializable;
+import java.net.URI;
+
+/**
+ * A class that represents TSL configurations data
+ * The set consists of the following.
+ *
+ * + * Each entry corresponds to an issued VC/token and includes its index, unique + * token ID, current status, and usage flag. These objects are typically returned + * as part of a list in {@code /tsl/entries/list} responses. + *
+ * + * @since 4.33 + * @since Authlete 3.0.22 + */ +public class TslEntry +{ + private static final long serialVersionUID = 1L; + + /** + * The token index associated with the issued VC/token. + * This index helps uniquely identify the token within a service. + */ + private int tokenIndex; + + /** + * The unique token ID assigned at issuance time. + * This value is globally unique per token/VC. + */ + private String tokenId; + + /** + * The current status of the issued VC/token. + */ + private TslTokenStatus tokenStatus; + + /** + * Indicates whether this token entry has been marked as used. + */ + private boolean used; + + /** + * Set the token index associated with this entry. + * + * @param tokenIndex + * The token index. + * + * @return + * {@code this} object for method chaining. + */ + public TslEntry setTokenIndex(int tokenIndex) + { + this.tokenIndex = tokenIndex; + + return this; + } + + /** + * Get the token index associated with this entry. + * + * @return + * The token index. + */ + public int getTokenIndex() + { + return tokenIndex; + } + + /** + * Set the unique token ID for this entry. + * + * @param tokenId + * The unique token identifier. + * + * @return + * {@code this} object for method chaining. + */ + public TslEntry setTokenId(String tokenId) + { + this.tokenId = tokenId; + + return this; + } + + /** + * Get the unique token ID associated with this entry. + * + * @return + * The token ID. + */ + public String getTokenId() + { + return tokenId; + } + + /** + * Set the current token status. + * + * @param tokenStatus + * The status of the token. + * + * @return + * {@code this} object for method chaining. + */ + public TslEntry setTokenStatus(TslTokenStatus tokenStatus) + { + this.tokenStatus = tokenStatus; + + return this; + } + + /** + * Get the current status of the issued token. + * + * @return + * The token status. 
+ */ + public TslTokenStatus getTokenStatus() + { + return tokenStatus; + } + + /** + * Set the usage flag for this token entry. + * + * @param used + * {@code true} if the entry is already used; {@code false} otherwise. + * + * @return + * {@code this} object for method chaining. + */ + public TslEntry setUsed(boolean used) + { + this.used = used; + + return this; + } + + /** + * Check whether this token entry has been marked as used. + * + * @return + * {@code true} if the entry is used; {@code false} otherwise. + */ + public boolean getUsed() + { + return used; + } +} diff --git a/src/main/java/com/authlete/common/dto/TslPublishConfigInfo.java b/src/main/java/com/authlete/common/dto/TslPublishConfigInfo.java new file mode 100644 index 000000000..c52f3f753 --- /dev/null +++ b/src/main/java/com/authlete/common/dto/TslPublishConfigInfo.java @@ -0,0 +1,127 @@ +package com.authlete.common.dto; + +import com.authlete.common.types.TslFormat; + +/** + * Represents the Token Status List (TSL) publish configurations for a service. + * + *+ * This class contains per-service settings related to TSL publication, including + * the service ID, format and the Unix timestamp (in seconds) indicating when the + * next TSL will be published. + *
+ * + * @since 4.33 + * @since Authlete 3.0.22 + */ +public class TslPublishConfigInfo +{ + + private static final long serialVersionUID = 1L; + + /** + * The service ID for which the TSL publication schedule applies. + * + *+ * This uniquely identifies the service whose TSL will be published at + * the configured next publish time. + *
+ */ + private long serviceId; + + /** + * The Unix timestamp (in seconds) indicating when the next TSL + * will be published for this service. + * + *+ * This value allows services to schedule periodic TSL publication. + *
+ */ + private long nextTslPublishTime; + + /** + * The TSL format of the TSL for this service. + */ + private TslFormat format; + + /** + * Set the service ID associated with this TSL publish configurations. + * + * @param serviceId + * The service ID. + * + * @return + * {@code this} object. + */ + public TslPublishConfigInfo setServiceId(long serviceId) + { + this.serviceId = serviceId; + + return this; + } + + /** + * Get the service ID associated with this TSL publish configurations. + * + * @return + * The service ID. + */ + public long getServiceId() + { + return serviceId; + } + + /** + * Set the Unix timestamp (in seconds) for the next TSL publication time. + * + * @param nextTslPublishTime + * The next publish time, in seconds. + * + * @return + * {@code this} object. + */ + public TslPublishConfigInfo setNextTslPublishTime(long nextTslPublishTime) + { + this.nextTslPublishTime = nextTslPublishTime; + + return this; + } + + /** + * Get the Unix timestamp (in seconds) for the next TSL publication time. + * + * @return The next publish time, in seconds. + */ + public long getNextTslPublishTime() + { + return nextTslPublishTime; + } + + /** + * Sets the format of the TSL + * + * @param format + * The TSL format. + * + * @return + * {@code this} object. + */ + public TslPublishConfigInfo setTslFormat(TslFormat format) + { + this.format = format; + + return this; + } + + /** + * Gets the format of the TSL. + * + * @return + * The TSL format. + */ + public TslFormat getTslFormat() + { + return format; + } + +} diff --git a/src/main/java/com/authlete/common/dto/TslPublishConfigsListResponse.java b/src/main/java/com/authlete/common/dto/TslPublishConfigsListResponse.java new file mode 100644 index 000000000..4d6098898 --- /dev/null +++ b/src/main/java/com/authlete/common/dto/TslPublishConfigsListResponse.java 
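Review bot: `TslPublishConfigInfo` declares `serialVersionUID`, but the class line is `public class TslPublishConfigInfo` with no `implements Serializable`, so the constant has no effect. `TslPublishConfigsListResponse` in this commit stores a `TslPublishConfigInfo[]`; if that response is Java-serializable like the responses here that extend `ApiResponse` (its class line is not visible in this view), writing it out would fail with `NotSerializableException` once `info` is populated. I would change the declaration to `public class TslPublishConfigInfo implements Serializable` and add `import java.io.Serializable;`. `TslEntry` earlier in the diff has the same shape.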
@@ -0,0 +1,130 @@ +/* + * Copyright (C) 2025 Authlete, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.authlete.common.dto; + +/** + * Response from Authlete's {@code /tsl/publish/configs/list} API. + * + *+ * This class represents the response containing Token Status List (TSL) + * publish configurations for one or more services. Each entry + * indicates when the next TSL will be published for the corresponding service. + *
+ * + *+ * The response includes an array of {@link TslPublishConfigInfo} objects, each + * describing: + *
+ * + *+ * Each element in the array contains the publishing schedule for a service, + * including the service ID, format and the next TSL scheduled publish time. + *
+ */ + private TslPublishConfigInfo[] info; + + + /** + * Get the next action that the implementation of the TSL publish endpoint should + * take after getting a response from Authlete's {@code /tsl/publish/configs/list} API. + * + * @return + * The next action. + */ + public Action getAction() + { + return action; + } + + /** + * Set the next action that the implementation of the TSL endpoint should + * take after getting a response from Authlete's {@code /tsl/publish/configs/list} API. + * + * @param action + * The next action. + * + * @return + * {@code this} object. + */ + public TslPublishConfigsListResponse setAction(Action action) + { + this.action = action; + + return this; + } + + /** + * Set the list of TSL publish configurations. + * + * @param info + * An array of {@link TslPublishConfigInfo} objects. + * + * @return + * {@code this} object. + */ + public TslPublishConfigsListResponse setInfo(TslPublishConfigInfo[] info) + { + this.info = info; + + return this; + } + + /** + * Get the list of TSL publish configurations. + * + * @return + * An array of {@link TslPublishConfigInfo} objects. + */ + public TslPublishConfigInfo[] getInfo() + { + return info; + } +} diff --git a/src/main/java/com/authlete/common/dto/TslPublishRequest.java b/src/main/java/com/authlete/common/dto/TslPublishRequest.java new file mode 100644 index 000000000..d11954d7c --- /dev/null +++ b/src/main/java/com/authlete/common/dto/TslPublishRequest.java 
@@ -0,0 +1,75 @@ +/* + * Copyright (C) 2025 Authlete, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.authlete.common.dto; + +import com.authlete.common.types.TslFormat; + +import java.io.Serializable; + +/** + * Request to Authlete's {@code /tsl/publish} API. + * + *+ * This class represents a request to publish a Token Status List (TSL) for + * a specific service. + *
+ * + *+ * For more details about Token Status Lists (TSL), see: + *
+ * + * @see + * Token Status List (TSL) Specification + * + * @since 4.33 + * @since Authlete 3.0.22 + */ +public class TslPublishRequest implements Serializable +{ + private static final long serialVersionUID = 1L; + + /** + * The format of the to be published TSL. + */ + private TslFormat format; + + /** + * Set the to be published TSL format + * + * @param format + * The TSL format. + * + * @return + * {@code this} object. + */ + public TslPublishRequest setTslFormat(TslFormat format) + { + this.format = format; + + return this; + } + + /** + * Get the to be published TSL format. + * + * @return + * The TSL format. + */ + public TslFormat getTslFormat() + { + return format; + } +} diff --git a/src/main/java/com/authlete/common/dto/TslPublishResponse.java b/src/main/java/com/authlete/common/dto/TslPublishResponse.java new file mode 100644 index 000000000..01cd959a0 --- /dev/null +++ b/src/main/java/com/authlete/common/dto/TslPublishResponse.java @@ -0,0 +1,116 @@ +/* + * Copyright (C) 2025 Authlete, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.authlete.common.dto; + +/** + * Response from Authlete's {@code /tsl/publish} API. + * + *+ * This class represents the response returned when publishing a Token Status + * List (TSL) from Authlete API. + *
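Review bot: The field in `TslPublishRequest` is `format` but its accessors are `setTslFormat`/`getTslFormat`, so a field-based JSON mapper would send the key `format` while a getter-based one would send `tslFormat`; which of the two the `/tsl/publish` API expects is not stated here. `TslRequest` and `TslPublishConfigInfo` in this commit follow the same pattern, and the `TslRequest` class Javadoc calls the parameter `tslFormat`. Renaming the field keeps every mapper on one wire name: `private TslFormat tslFormat;` with `this.tslFormat = format;` in the setter. If `format` is the intended key, rename the accessors instead and correct that Javadoc.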
+ * + * @since 4.33 + * @since Authlete 3.0.22 + */ +public class TslPublishResponse extends ApiResponse +{ + private static final long serialVersionUID = 1L; + + /** + * The next action that the implementation of the publish TSL endpoint + * should take after getting a response from Authlete's + * {@code /tsl/publish} API. + */ + public enum Action + { + /** + * A TSL publish response has been prepared successfully. + */ + OK, + + /** + * The feature of TSL publish not enabled in the service + * configuration. + */ + FORBIDDEN, + + /** + * Invalid TSL format + */ + INVALID_TSL_FORMAT, + } + + private Action action; + + private String tsl; + + /** + * Get the next action that the implementation of the TSL publish endpoint should + * take after getting a response from Authlete's {@code /tsl/publish} API. + * + * @return + * The next action. + */ + public Action getAction() + { + return action; + } + + /** + * Set the next action that the implementation of the TSL endpoint should + * take after getting a response from Authlete's {@code /tsl/publish} API. + * + * @param action + * The next action. + * + * @return + * {@code this} object. + */ + public TslPublishResponse setAction(Action action) + { + this.action = action; + + return this; + } + + /** + * Get the published TSL + * + * @return + * The published TSL. + */ + public String getTsl() + { + return tsl; + } + + /** + * Set the published TSL. + * + * @param tsl + * The published TSL. + * + * @return + * {@code this} object. + */ + public TslPublishResponse setTsl(String tsl) + { + this.tsl = tsl; + + return this; + } +} diff --git a/src/main/java/com/authlete/common/dto/TslRequest.java b/src/main/java/com/authlete/common/dto/TslRequest.java new file mode 100644 index 000000000..17f570956 --- /dev/null +++ b/src/main/java/com/authlete/common/dto/TslRequest.java 
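Review bot: `Action.FORBIDDEN` and `Action.INVALID_TSL_FORMAT` in `TslPublishResponse` carry one-line comments that do not say what the publish endpoint should send back, and `getTsl()` does not say whether `tsl` is set for actions other than `OK`. An implementer switching on the action has to guess the outcome and may forward a null body. I would extend the constant comments, e.g. `The request named a TSL format that is not supported; the endpoint should reject the request.`, and document the getter as `@return The published TSL; expected to be {@code null} unless the action is {@link Action#OK}` once that is confirmed against the API. `TslResponse.Action` in the next file has the same gap for `INVALID_TSL_FORMAT` and `NO_TSL_FOUND`.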
@@ -0,0 +1,76 @@ +/* + * Copyright (C) 2025 Authlete, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.authlete.common.dto; + +import com.authlete.common.types.TslFormat; + +import java.io.Serializable; + +/** + * Request to Authlete's {@code /tsl} API. + * + *+ * This class represents a request to retrieve a published Token Status List (TSL) + * for a specific service. The request requires the caller to specify the + * {@code tslFormat} for the requested TSL. + *
+ * + *+ * For more details about Token Status Lists (TSL), see: + *
+ * + * @see + * Token Status List (TSL) Specification + * + * @since 4.33 + * @since Authlete 3.0.22 + */ +public class TslRequest implements Serializable +{ + private static final long serialVersionUID = 1L; + + /** + * The requested TSL format. Currently only JWT format is supported. + */ + private TslFormat format; + + /** + * Set the requested TSL format + * + * @param format + * The TSL format. + * + * @return + * {@code this} object. + */ + public TslRequest setTslFormat(TslFormat format) + { + this.format = format; + + return this; + } + + /** + * Get the requested TSL format. + * + * @return + * The TSL format. + */ + public TslFormat getTslFormat() + { + return format; + } +} diff --git a/src/main/java/com/authlete/common/dto/TslResponse.java b/src/main/java/com/authlete/common/dto/TslResponse.java new file mode 100644 index 000000000..c715f9e06 --- /dev/null +++ b/src/main/java/com/authlete/common/dto/TslResponse.java @@ -0,0 +1,126 @@ +/* + * Copyright (C) 2025 Authlete, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.authlete.common.dto; + +/** + * Response from Authlete's {@code /tsl} API. + * + *+ * This class represents the response returned when retrieving a Token Status + * List (TSL) from Authlete API. + *
+ * + * @since 4.33 + * @since Authlete 3.0.22 + */ +public class TslResponse extends ApiResponse +{ + private static final long serialVersionUID = 1L; + + /** + * The next action that the implementation of the TSL endpoint + * should take after getting a response from Authlete's + * {@code /tsl} API. + */ + public enum Action + { + /** + * A get TSL response has been prepared successfully. + */ + OK, + + /** + * The feature of TSL is not enabled in the service + * configuration. + */ + FORBIDDEN, + + /** + * Invalid TSL format + */ + INVALID_TSL_FORMAT, + + /** + * TSL not found + */ + NO_TSL_FOUND + } + + private Action action; + + private String responseContent; + + /** + * Get the next action that the implementation of the TSL endpoint should + * take after getting a response from Authlete's {@code /tsl} API. + * + * @return + * The next action. + */ + public Action getAction() + { + return action; + } + + /** + * Set the next action that the implementation of the TSL endpoint should + * take after getting a response from Authlete's {@code /tsl} API. + * + * @param action + * The next action. + * + * @return + * {@code this} object. + */ + public TslResponse setAction(Action action) + { + this.action = action; + + return this; + } + + + /** + * Get the content that the implementation of the TSL endpoint should use + * when it constructs a response. + * + * @return + * The response content in the JSON format. + */ + public String getResponseContent() + { + return responseContent; + } + + + /** + * Set the content that the implementation of the TSL endpoint should use + * when it constructs a response. + * + * @param content + * The response content in the JSON format. + * + * @return + * {@code this} object. + */ + public TslResponse setResponseContent(String content) + { + this.responseContent = content; + + return this; + } + +} 
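Review bot: `getResponseContent()` and `setResponseContent()` in `TslResponse` describe the value as "The response content in the JSON format", while the `TslRequest` field comment in this commit says only the JWT format is currently supported. If the content for `TslFormat.JWT` is a compact JWT string, an endpoint written against this Javadoc may label the body as JSON, and consumers of the status list may then fail to parse it. I would reword both comments to something like `The response content, encoded according to the requested {@code TslFormat}.` and state the media type to use per format once that is confirmed.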
diff --git a/src/main/java/com/authlete/common/dto/TslTokenStatusUpdateRequest.java b/src/main/java/com/authlete/common/dto/TslTokenStatusUpdateRequest.java new file mode 100644 index 000000000..9d1174e60 --- /dev/null +++ b/src/main/java/com/authlete/common/dto/TslTokenStatusUpdateRequest.java @@ -0,0 +1,147 @@ +/* + * Copyright (C) 2025 Authlete, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.authlete.common.dto; + +import com.authlete.common.types.TslTokenStatus; + +import java.io.Serializable; + +/** + * Request to Authlete's {@code /tsl/token/status} API. + * + *+ * This class represents a request to update the status of an issued + * Verifiable Credential (VC) or token. The updated status will later + * be included in the issued Token Status List (TSL). The request contains + * the following information: + *
+ * + *+ * For more details about Token Status Lists (TSL), see: + *
+ * + * @see + * Token Status List (TSL) Specification + * + * @since 4.33 + * @since Authlete 3.0.22 + */ +public class TslTokenStatusUpdateRequest implements Serializable +{ + private static final long serialVersionUID = 1L; + + /** + * The token ID used to identify the issued VC/token whose status is to be changed. + */ + private String tokenId; + + /** + * The token status to be set. + */ + private TslTokenStatus tokenStatus; + + /** + * The index of the token in the issued TSL. + */ + private int tokenIndex; + + /** + * Set the token ID of the issued VC/token whose status is to be updated. + * + * @param tokenId + * The unique token identifier. + * + * @return + * {@code this} object. + */ + public TslTokenStatusUpdateRequest setTokenId(String tokenId) + { + this.tokenId = tokenId; + + return this; + } + + /** + * Get the token ID of the issued VC/token whose status is being updated. + * + * @return + * The token ID. + */ + public String getTokenId() + { + return tokenId; + } + + /** + * Set the token status to assign to the issued token/VC. + * + * @param tokenStatus + * The new token status. + * + * @return + * {@code this} object. + */ + public TslTokenStatusUpdateRequest setTokenStatus(TslTokenStatus tokenStatus) + { + this.tokenStatus = tokenStatus; + + return this; + } + + /** + * Get the token status currently set for this update request. + * + * @return + * The token status. + */ + public TslTokenStatus getTokenStatus() + { + return tokenStatus; + } + + /** + * Set the token index in the issued TSL. + * + * @param tokenIndex + * The index of the token. + * + * @return + * {@code this} object. + */ + public TslTokenStatusUpdateRequest setTokenIndex(int tokenIndex) + { + this.tokenIndex = tokenIndex; + + return this; + } + + /** + * Get the token index in the issued TSL. + * + * @return + * The token index. + */ + public int getIndex() + { + return tokenIndex; + } +} 
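Review bot: The getter for `tokenIndex` in `TslTokenStatusUpdateRequest` is named `getIndex()` while its setter is `setTokenIndex(int)`, so the pair does not form one bean property. A getter-based mapper would write the value under `index` and read it under `tokenIndex`, and a status update could then reach the API without the index the caller set. Rename it to `public int getTokenIndex()`, which also matches `TslEntry.getTokenIndex()` in this commit.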
diff --git a/src/main/java/com/authlete/common/dto/TslTokenStatusUpdateResponse.java b/src/main/java/com/authlete/common/dto/TslTokenStatusUpdateResponse.java
new file mode 100644
index 000000000..4eb10cbd1
--- /dev/null
+++ b/src/main/java/com/authlete/common/dto/TslTokenStatusUpdateResponse.java
@@ -0,0 +1,83 @@ +/* + * Copyright (C) 2025 Authlete, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.authlete.common.dto; + +/** + * Response to Authlete's {@code /tsl/token/status} API. + * + *+ * This class represents a response to update the status of an issued + * Verifiable Credential (VC) or token. The updated status will later + * be included in the issued Token Status List (TSL). + * + * @since 4.33 + * @since Authlete 3.0.22 + * + */ +public class TslTokenStatusUpdateResponse extends ApiResponse { + + private static final long serialVersionUID = 1L; + + /** + * The next action that the implementation of the token status update endpoint + * should take after getting a response from Authlete's + * {@code /tsl/token/status} API. + */ + public enum Action + { + /** + * A token status update performed successfully. + */ + OK, + + /** + * The feature of TSL publish not enabled in the service + * configuration. + */ + FORBIDDEN, + } + + private TslTokenStatusUpdateResponse.Action action; + + /** + * Get the next action that the implementation of the token status update endpoint should + * take after getting a response from Authlete's {@code /tsl/token/status} API. + * + * @return + * The next action. 
+ */ + public TslTokenStatusUpdateResponse.Action getAction() + { + return action; + } + + /** + * Set the next action that the implementation of the token status update endpoint should + * take after getting a response from Authlete's {@code /tsl/token/status} API. + * + * @param action + * The next action. + * + * @return + * {@code this} object. + */ + public TslTokenStatusUpdateResponse setAction(TslTokenStatusUpdateResponse.Action action) + { + this.action = action; + + return this; + } +} diff --git a/src/main/java/com/authlete/common/dto/TslUnusedIndexesRequest.java b/src/main/java/com/authlete/common/dto/TslUnusedIndexesRequest.java new file mode 100644 index 000000000..a345e9b1a --- /dev/null +++ b/src/main/java/com/authlete/common/dto/TslUnusedIndexesRequest.java @@ -0,0 +1,102 @@ +/* + * Copyright (C) 2025 Authlete, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.authlete.common.dto; + +import java.io.Serializable; + +/** + * Request to Authlete's {@code /tsl/unused/indexes} API. + * + *
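Review bot: `TslTokenStatusUpdateResponse.Action` offers only `OK` and `FORBIDDEN`, so if the API can fail for any other reason (an unknown token ID, say) there is no constant to map to, and common JSON mappers either return `null` or fail on an unrecognised enum name. Because this call changes the status that is later published in the TSL, callers should not treat anything but `OK` as success. I would say so on `getAction()`: `Any value other than {@link Action#OK}, including {@code null}, means the status was not updated.` The `FORBIDDEN` comment also says "TSL publish" although this is the token status API; `TslUnusedIndexesResponse` later in the diff repeats both issues.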
+ * This class represents a request to pre-populate unused token indexes for a + * particular service. These unused indexes are later consumed when issuing + * Verifiable Credentials (VCs) or access tokens, allowing efficient allocation + * of token indexes within a Token Status List (TSL) environment. + *
+ * + * @since 4.33 + * @since Authlete 3.0.22 + */ +public class TslUnusedIndexesRequest implements Serializable +{ + private static final long serialVersionUID = 1L; + + /** + * If less than this number of unused VC/token indexes left then populate new unused indexes + * specified in {@code unusedTokenIndexesAdd}. + */ + private long unusedTokenIndexesLeft; + + /** + * Add this number of new unused VC/token indexes. + */ + private long unusedTokenIndexesAdd; + + /** + * Set the unused token indexes left value. + * + * @param unusedTokenIndexesLeft + * The unused token indexes left value. + * + * @return + * {@code this} object. + */ + public TslUnusedIndexesRequest setUnusedTokenIndexesLeft(long unusedTokenIndexesLeft) + { + this.unusedTokenIndexesLeft = unusedTokenIndexesLeft; + + return this; + } + + /** + * Get the unused token indexes left value. + * + * @return + * The unused token indexes left value. + */ + public long getUnusedTokenIndexesLeft() + { + return unusedTokenIndexesLeft; + } + + /** + * Set the unused token indexes add value. + * + * @param unusedTokenIndexesAdd + * The unused token indexes add value. + * + * @return + * {@code this} object. + */ + public TslUnusedIndexesRequest setUnusedTokenIndexesAdd(long unusedTokenIndexesAdd) + { + this.unusedTokenIndexesAdd = unusedTokenIndexesAdd; + + return this; + } + + /** + * Get the unused token indexes add value. + * + * @return + * The unused token indexes add value. + */ + public long getUnusedTokenIndexesAdd() + { + return unusedTokenIndexesAdd; + } + +} diff --git a/src/main/java/com/authlete/common/dto/TslUnusedIndexesResponse.java b/src/main/java/com/authlete/common/dto/TslUnusedIndexesResponse.java new file mode 100644 index 000000000..ce38b5bae --- /dev/null +++ b/src/main/java/com/authlete/common/dto/TslUnusedIndexesResponse.java 
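Review bot: `unusedTokenIndexesLeft` and `unusedTokenIndexesAdd` in `TslUnusedIndexesRequest` are `long` and both setters accept any value, including zero and negatives, while the accessor Javadoc only restates the field names. Token indexes elsewhere in this commit are `int` (`TslEntry.tokenIndex`, `TslTokenStatusUpdateRequest.tokenIndex`), so it is unclear what an add count above `Integer.MAX_VALUE` would mean. I would document the contract on the setters, e.g. `@param unusedTokenIndexesLeft The threshold; new indexes are added when fewer than this many unused indexes remain. Must not be negative.`, and either reject out-of-range values here or state that the server validates them.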
@@ -0,0 +1,85 @@ +/* + * Copyright (C) 2025 Authlete, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package com.authlete.common.dto; + +/** + * Response to Authlete's {@code /tsl/unused/indexes} API. + * + *+ * This class represents a response to pre-populate unused token indexes for a + * particular service. These unused indexes are later consumed when issuing + * Verifiable Credentials (VCs) or access tokens, allowing efficient allocation + * of token indexes within a Token Status List (TSL) environment. + *
+ * + * @since 4.33 + * @since Authlete 3.0.22 + */ + +public class TslUnusedIndexesResponse extends ApiResponse { + + private static final long serialVersionUID = 1L; + + /** + * The next action that the implementation of the TSL unused indexes endpoint + * should take after getting a response from Authlete's + * {@code /tsl/unused/indexes} API. + */ + public enum Action + { + /** + * A TSL unused indexes has been populated successfully. + */ + OK, + + /** + * The feature of TSL publish not enabled in the service + * configuration. + */ + FORBIDDEN, + } + + private TslUnusedIndexesResponse.Action action; + + /** + * Get the next action that the implementation of the TSL unused indexes endpoint should + * take after getting a response from Authlete's {@code /tsl/unused/indexes} API. + * + * @return + * The next action. + */ + public TslUnusedIndexesResponse.Action getAction() + { + return action; + } + + /** + * Set the next action that the implementation of the TSL unused indexes endpoint should + * take after getting a response from Authlete's {@code /tsl/unused/indexes} API. + * + * @param action + * The next action. + * + * @return + * {@code this} object. + */ + public TslUnusedIndexesResponse setAction(TslUnusedIndexesResponse.Action action) + { + this.action = action; + + return this; + } +} diff --git a/src/main/java/com/authlete/common/types/TslFormat.java b/src/main/java/com/authlete/common/types/TslFormat.java new file mode 100644 index 000000000..dabb11e96 --- /dev/null +++ b/src/main/java/com/authlete/common/types/TslFormat.java 
@@ -0,0 +1,114 @@
+package com.authlete.common.types;
+
+import java.util.EnumSet;
+
+public enum TslFormat
+{
+
+ /**
+ * Currently jwt is supported. TSL publishing cwt format will be supported in the next iteration
+ */
+ JWT((short)1, "jwt");
+
+
+ private static final TslFormat[] sValues = values();
+ private static final TslFormat.Helper sHelper = new TslFormat.Helper(sValues);
+ private final short mValue;
+ private final String mString;
+
+
+ private TslFormat(short value, String string)
+ {
+ mValue = value;
+ mString = string;
+ }
+
+
+ /**
+ * Get the integer representation of this enum instance.
+ */
+ public short getValue()
+ {
+ return mValue;
+ }
+
+
+ /**
+ * Find an instance of this enum by a value.
+ *
+ * @param value
+ * The integer representation of the instance to find.
+ *
+ * @return
+ * An instance of this enum, or {@code null} if not found.
+ */
+ public static TslFormat getByValue(short value)
+ {
+ if (value < 1 || sValues.length < value)
+ {
+ // Not found.
+ return null;
+ }
+
+ return sValues[value - 1];
+ }
+
+
+ /**
+ * Get the string value of TSL publish format.
+ *
+ * @return
+ * A string that contains TSL publish format.
+ */
+ public String getString()
+ {
+ return mString;
+ }
+
+
+ public static int toBits(EnumSet