Epsitec.Rezo.Api
11.6.0.2629
Prefix Reserved
dotnet add package Epsitec.Rezo.Api --version 11.6.0.2629
NuGet\Install-Package Epsitec.Rezo.Api -Version 11.6.0.2629
<PackageReference Include="Epsitec.Rezo.Api" Version="11.6.0.2629" />
<PackageVersion Include="Epsitec.Rezo.Api" Version="11.6.0.2629" />
<PackageReference Include="Epsitec.Rezo.Api" />
paket add Epsitec.Rezo.Api --version 11.6.0.2629
#r "nuget: Epsitec.Rezo.Api, 11.6.0.2629"
#:package Epsitec.Rezo.Api@11.6.0.2629
#addin nuget:?package=Epsitec.Rezo.Api&version=11.6.0.2629
#tool nuget:?package=Epsitec.Rezo.Api&version=11.6.0.2629
Rezo API (Epsitec Application Services)
Epsitec.Rezo.Api is the client SDK for the Rezo platform, part of the
Epsitec Application Services suite. It bundles the typed clients, data models
and high-level helpers a host application needs to talk to the Rezo services —
identity & access, multi-factor authentication, the public key registry, and
Passport dispatch — without re-implementing the transport, crypto and
token-refresh glue by hand.
Target framework: .NET 10 / C# 14.
Clients
AuthClient — identity & access (auth/v2)
The main auth client, covering two areas:
- Authentication & tokens — password sign-in (
AuthenticateUserwith aClientSecretfromClientSecretFactory), OIDC authorization-code + PKCE flows, MFA step-up (AuthenticateWithMfa,MfaStepUpFromRefreshToken), and token refresh (Refresh). Pair it withRefreshingAccessTokenProviderto keep a fresh access token. - User / persona / claims administration — resolve users and personae
(
GetUserIdentity,ResolveUserId,GetUserPersonae), manage personae (AddPersona,RemovePersona,RemoveUser), read and update claims (TryGetUserClaims,UpdateUserCommonClaims,UpdateUserPersonaClaims,ResolveSubjectClaims), set credentials and reset MFA.
AuthMfaClient — multi-factor enrolment
TOTP / email MFA lifecycle: start and complete setup, activate, verify a code on an enrolled account, and list active enrollments.
AuthKeysetClient — public key registry (user, JWT)
Register, revoke and read a user's hybrid keysets. Reads come in raw
(GetLatest, GetRange, GetByHkid) and family-keyed
(GetLatestNormalized → NormalizedKeyset) forms.
KeysetProvisioner.RegisterAsyncruns the full registration ceremony (start → KEM proofs → complete) in one call.KeysetKeyGenerator+HybridKeyMaterial/HybridKeygenerate the hybrid key material — ECDSA P‑256, ML‑DSA‑65, X25519, ML‑KEM‑768/1024 — as DER bytes (no Bouncy Castle types on the public surface).KeysetProfilePolicy/EnforceProfilesrequire specific key profiles on read;MfaRequiredExceptionis the typed signal when a write needs an MFA-validated token.
AuthKeysetsServiceClient — public key registry (service, API key)
Service-to-service reads of the registry, authenticated by an API key instead of a user JWT.
Passport — dispatch central (IDispatchCentralClient)
Send and receive dispatch-central notifications (NotifyOne, plus
PassportListener / DispatchCentralListener for the receiving side).
Cryptography & helpers
ClientSecretFactory— derive aClientSecretfrom a login and password (Argon2id client-side hashing handled for you).RefreshingAccessTokenProvider/IAccessTokenProvider— acquire an access token and refresh it on expiry, tracking the rotated refresh token.- Claims, resource scopes, web-token and PKCE helpers for working with issued tokens.
Data models
- Clima (Crésus License Manager) — portfolios, document leases and portfolio notifications.
- William — debt-ledger types (
DebtorId,DebtLedgerStatus). - Shared auth models —
UserIdentity/UserPersona, claims and scopes,AuthorizationResult, PKCE.
Getting started
The package ships no dependency-injection bootstrap: construct the clients
yourself with your ILogger, an IHttpClientFactory, and an
Epsitec.Net.Utilities.ApiProvider bound to the service base URL. The example
below shows the common auth + keyset flow (illustrative — see each type's
constructor and XML docs):
var apiProvider = new Epsitec.Net.Utilities.ApiProvider (authBaseUrl);
var authClient = new AuthClient (logger, httpFactory, apiProvider, tokenCache);
var keysetClient = new AuthKeysetClient (logger, httpFactory, apiProvider);
// Authenticate, then keep a fresh access token.
var secret = await ClientSecretFactory.CreateAsync (authClient, login, password);
var auth = await authClient.AuthenticateUser (login, secret);
var tokens = new RefreshingAccessTokenProvider (authClient, auth, scope);
// Declare a hybrid keyset, then read another user's latest keyset (family-keyed).
var material = KeysetKeyGenerator.Generate (kemProfile);
await keysetProvisioner.RegisterAsync (tokens, uid, material);
var keyset = await keysetClient.GetLatestNormalized (otherUid, await tokens.GetAccessTokenAsync ());
Exact method signatures and overloads are documented in the package's XML docs.
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
-
net10.0
- BouncyCastle.Cryptography (>= 2.6.2)
- Konscious.Security.Cryptography.Argon2 (>= 1.3.1)
- Microsoft.AspNetCore.Http.Connections.Client (>= 10.0.9)
- Microsoft.AspNetCore.Http.Connections.Common (>= 10.0.9)
- Microsoft.AspNetCore.SignalR.Client (>= 10.0.9)
- Microsoft.AspNetCore.SignalR.Protocols.Json (>= 10.0.9)
- Microsoft.Extensions.Configuration (>= 10.0.9)
- Microsoft.Extensions.Configuration.Abstractions (>= 10.0.9)
- Microsoft.Extensions.Configuration.Binder (>= 10.0.9)
- Microsoft.Extensions.DependencyInjection (>= 10.0.9)
- Microsoft.Extensions.DependencyInjection.Abstractions (>= 10.0.9)
- Microsoft.Extensions.Http (>= 10.0.9)
- Microsoft.Extensions.Logging (>= 10.0.9)
- Microsoft.Extensions.Logging.Abstractions (>= 10.0.9)
- Microsoft.Extensions.Options (>= 10.0.9)
- Microsoft.Extensions.Options.ConfigurationExtensions (>= 10.0.9)
- Microsoft.IdentityModel.Tokens (>= 8.19.1)
NuGet packages (2)
Showing the top 2 NuGet packages that depend on Epsitec.Rezo.Api:
| Package | Downloads |
|---|---|
|
Epsitec.Briefcases.Identity
User identity lifecycle for Crésus Briefcases: key provisioning, at-rest key store, login, and keyset registration |
|
|
Epsitec.Passport.Shared
Passport.Shared - 3.44.3.2625 net10.0 |
GitHub repositories
This package is not used by any popular GitHub repositories.
| Version | Downloads | Last Updated |
|---|---|---|
| 11.6.0.2629 | 46 | 7/16/2026 |
| 11.5.1.2628 | 144 | 7/12/2026 |
| 11.4.7.2627 | 229 | 6/30/2026 |
| 11.4.6.2627 | 123 | 6/29/2026 |
| 11.4.1.2626 | 282 | 6/23/2026 |
| 11.4.0.2626 | 102 | 6/23/2026 |
| 11.3.20.2625 | 200 | 6/19/2026 |
| 11.3.7.2623 | 132 | 6/9/2026 |
| 11.3.0.2622 | 315 | 5/26/2026 |
| 11.2.1.2622 | 102 | 5/26/2026 |
| 11.2.0.2622 | 108 | 5/26/2026 |
| 10.0.0.2551 | 567 | 12/16/2025 |