Does the Data Holder (DH) need to pass any authorization header with an Accredited Data Recipient (ADR) revocation endpoint call?
If so, who generates the authorisation JSON Web Token (JWT) and how does the ADR validate the token?
The revocation call from the DH to the ADR requires client authentication. The client assertion is sent in the body of the POST request.
The JWT is signed using the DH's private key.
The ADR can decrypt and validate the JWT by using the DH's public key, obtained by calling the DH's JWKS endpoint.
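The validation step described above, seen from the ADR's side, as an added example (not code from this page or from the CDR standards). It assumes a PS256 signature and the `iss`/`sub`/`aud`/`exp` checks of RFC 7523; the key pair, `kid`, client identifier and endpoint URL are constructed placeholders, and the JWKS is built inline rather than fetched from the DH's JWKS endpoint.

```javascript
const nodeCrypto = require('node:crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');
const PSS = { padding: nodeCrypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 32 };

// DH side (constructed for the demo): sign a client assertion with the private key.
function signAssertion(privateKey, kid, claims) {
  const input = b64u(JSON.stringify({ alg: 'PS256', kid })) + '.' + b64u(JSON.stringify(claims));
  const sig = nodeCrypto.sign('sha256', Buffer.from(input), { key: privateKey, ...PSS });
  return input + '.' + b64u(sig);
}

// ADR side: validate the client_assertion taken from the POST body.
// `jwks` stands in for the document fetched from the DH's JWKS endpoint.
function validateAssertion(jwt, jwks, expected, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return 'malformed';
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url'));
    claims = JSON.parse(Buffer.from(parts[1], 'base64url'));
  } catch { return 'malformed'; }
  // Fixed allow-list: the token's own header never chooses the algorithm.
  if (header.alg !== 'PS256') return 'bad-alg';
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'RSA');
  if (!jwk) return 'unknown-kid';
  const key = nodeCrypto.createPublicKey({ key: jwk, format: 'jwk' });
  const ok = nodeCrypto.verify('sha256', Buffer.from(parts[0] + '.' + parts[1]),
    { key, ...PSS }, Buffer.from(parts[2], 'base64url'));
  if (!ok) return 'bad-signature';
  // Claims are trusted only after the signature has verified.
  if (claims.iss !== expected.clientId || claims.sub !== expected.clientId) return 'bad-issuer';
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.audience)) return 'bad-audience';
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return 'expired';
  return 'ok';
}

// Constructed sample data: throwaway key pair and placeholder identifiers.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const JWKS = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'dh-key-1', use: 'sig' }] };
const EXPECTED = { clientId: 'dh-brand-id-placeholder', audience: 'https://adr.example/revoke' };
const NOW = 1700000000; // fixed clock so the demo is deterministic
const GOOD = signAssertion(privateKey, 'dh-key-1', {
  iss: EXPECTED.clientId, sub: EXPECTED.clientId, aud: EXPECTED.audience,
  jti: 'constructed-1', exp: NOW + 300 });
```

The sketch does not track `jti` values; an ADR that wants replay protection would store each `jti` until its `exp` and reject repeats.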