11.67. DD 67: Merchant Self Provisioning

Status: incomplete draft (2025-07-31)

11.67.1. Summary

The self-provisioning feature allows merchants sign up for their own Taler Merchant Backend instance.

11.67.2. Motivation

It’s not feasible for non-technical merchants that want to use Taler to set up their own server with a merchant backend instance running.

11.67.3. Requirements

• The self-provisioning should be completely automatic, manual actions of the the service provider must be kept at a minimum.

11.67.4. Timeline

Ideally, available by Sept. 1st 2025.

11.67.5. Proposed Solution

Implementation tasks:

• Merchant backend

  • New public endpoint for self-provisioned instance creation

  • New (private) endpoints for 2FA channel confirmation

  • New public endpoints for password reset

  • Changed endpoint for instance details (must include email/phone)

  • Database schema changes / migration

    • Ideally with migration test

• Merchant SPA:

  • onboarding page

  • password reset flow

  • new email/phone field in instance details

Documentation tasks:

• New options for self-provisioning documented in man page

• API changes documented in API docs

• Setup of 2FA providers (via helper scripts) documented in merchant operator manual

Deployment tasks:

• Integrated self-provisioning in sandcastle-ng

Testing tasks:

• taler-harness tests for self provisioning

• test steps added to docs.taler.net

• test steps run as part of final QC

11.67.6. Flows

Signup:

• User goes to the merchant SPA in their browser

• User selects sign-up option

• User enters details, incl. phone number and e-mail

• Backend sends 2FA confirmation codes to user

• User enters 2FA codes on website

  • User can re-request 2FA codes after cooldown, limited attempts

• Once 2FA channels are confirmed by the backend, user has full access to the merchant backend instance.

  • While 2FA confirmation is pending, password login works, but only limited actions (i.e.: only entering the confirmation code, requesting new codes) are available.

Password reset:

• User selects “Forgot Password” option on the login screen

• User enters their username

• Backend sends E-Mail and SMS verification codes to the user

• User enters 2FA codes on website

• On successful validation of 2FA codes, user can enter new password

  • User can re-request 2FA codes after cooldown, limited attempts

• User can log in with their new password

11.67.7. UI Structure Mocks

New login page:

Login required

Username: [ ... ]
Password: [ ... ]

[Confirm]
---
[Sign up] [Forgot Password]

Signup page:

Please enter your information to create a new merchant instance:

Username: [ ... ]
Password: [ ... ]
E-Mail*: [ ... ]
Phone number*: [ ... ]

* This information is used to restore access to your account

11.67.8. Definition of Done

• Children of tracking bug (https://bugs.taler.net/n/10224) all closed

11.67.9. Drawbacks and Alternatives

• The name might be too technical. Maybe call it “self onboarding” or “self sign-up”?

• Merchants need to fully trust the provider.

• Multi-tenancy always has some negative security implementations

  • Alternative: Deploy separate merchant backends per user instead of deploying an instance, in order to avoid multi-tenancy drawbacks.

11.67.10. Scope

Explicitly out of scope for now are:

• Invitation links (i.e. closed self sign-ups)

• Manual approval of sign-ups. For now, sign-ups are automatically approved/active.

• 2FA for login

• 2FA for particular operations (e.g. changing bank account)

11.67.11. Related Efforts

The corebank API also has 2FA. We should keep the API design as aligned as possible.

11.67.12. Discussion / Q&A

• Can the merchant delete their own instance? Or is it some support request via e-mail?

• How does the instance user known the admin/support contact? Is there some page for that in the side-bar? Or is this external to the feature?

• What happens while the 2FA channels aren’t confirmed yet?