The PKI keys are used to authenticate requests against the PassKit gRPC API. Essentially, they are the credentials used by the PassKit account holder for all requests to the PassKit API.
The PassKit gRPC implementation uses mutual TLS authentication. The system checks the certificate number against the user record and the list of revoked certificates. Additionally, we check the expiry and the domain (grpc.pub1.passkit.io). If the certificate is valid for use, PassKit checks the certificate number (which holds the username) to confirm that the account is in good standing, and then the connection is authorized.
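The checks described above, modeled as an added Go example (not PassKit's code). The `account` record, the maps keyed by certificate serial number and the sample values are assumptions; chain validation and the domain check are left to the TLS layer.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

type account struct { // hypothetical user record, keyed by certificate serial number
	Username     string
	GoodStanding bool
}

// authorize models the checks described above (illustration, not PassKit's code).
func authorize(c *x509.Certificate, now time.Time, users map[string]account, revoked map[string]bool) (string, error) {
	serial := c.SerialNumber.String()
	if now.Before(c.NotBefore) || now.After(c.NotAfter) {
		return "", errors.New("certificate expired or not yet valid")
	}
	if revoked[serial] {
		return "", errors.New("certificate revoked")
	}
	acct, ok := users[serial]
	if !ok || !acct.GoodStanding {
		return "", errors.New("no account in good standing for this certificate")
	}
	return acct.Username, nil
}

// serverTLS requires a client certificate and runs authorize on every connection, resumed ones too.
func serverTLS(clientCAs *x509.CertPool, users map[string]account, revoked map[string]bool) *tls.Config {
	return &tls.Config{
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  clientCAs,
		VerifyConnection: func(cs tls.ConnectionState) error {
			_, err := authorize(cs.PeerCertificates[0], time.Now(), users, revoked)
			return err
		},
	}
}

func main() {
	issued := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC) // constructed sample values
	cert := &x509.Certificate{SerialNumber: big.NewInt(1001), NotBefore: issued, NotAfter: issued.AddDate(10, 0, 0)}
	users := map[string]account{"1001": {Username: "alice", GoodStanding: true}}
	fmt.Println(authorize(cert, issued.AddDate(11, 0, 0), users, nil)) // rejected: past expiry
}
```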
The expiry is set to 10 years to balance the needs of our many customers. An expired certificate would result in API calls failing. Many of our smaller customers use third parties to create one-off integrations.
The certificates can be changed at any time by requesting new credentials via the API. This call will issue a new certificate and private key.
In the event that a key is compromised, contact firstname.lastname@example.org to request that the certificate be revoked immediately; a new certificate will then be issued.