Credential issuance

Request authorization for access to resources

This endpoint is used to request authorization from the user for access to the requested resources. After the user approves the request, an authorization code is returned to the client. See https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-authorization-endpoint See https://www.rfc-editor.org/rfc/rfc6749.html#section-3.1

Analytic events

  • OPENID_AUTHORIZE_START
  • OPENID_AUTHORIZE_SUCCESS
  • OPENID_AUTHORIZE_FAIL
Request
query Parameters
response_type
required
string

The response type, which must be 'code'.

Value: "code"
client_id
required
string

The client identifier.

redirect_uri
required
string

The URI to which the authorization server will redirect the user-agent with the authorization code.

scope
required
string

The scope of the access request.

state
string

An opaque value used by the client to maintain state between the request and callback.

code_challenge_method
required
string

The method used to derive the code_challenge, which must be 'S256'.

Value: "S256"
code_challenge
required
string

A high entropy random challenge generated by the client.

Responses
302

Redirection to client application with authorization code

400

Bad request. The request was malformed or missing required parameters.

401

Unauthorized. The client is not authorized to access this resource.

403

Forbidden. The authorization server refuses to grant the client access to the resource.

500

Internal server error. An unexpected error occurred.

get/core/v1/oauth/authorize
Request samples

Exchange authorization code for access token

This endpoint is used to exchange an authorization code for an access token. The authorization code is obtained from the authorization endpoint after the user has authenticated and granted access. See https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-token-endpoint

Analytic events

  • OPENID_TOKEN_START
  • OPENID_TOKEN_SUCCESS
  • OPENID_TOKEN_FAIL
Request
Request Body schema: application/x-www-form-urlencoded
client_id
required
string

The client identifier.

grant_type
required
string

The grant type, which must be 'authorization_code'.

Value: "authorization_code"
redirect_uri
required
string

The redirect URI that was used in the authorization request.

code
required
string

The authorization code obtained from the authorization endpoint.

code_verifier
required
string

SHA256 hash of the code_challenge in the authorization request.

Responses
200

Access token successfully returned.

400

Bad request. The request was malformed or missing required parameters.

401

Unauthorized. The client is not authorized to access this resource.

403

Forbidden. The authorization server refuses to grant the client access to the resource.

500

Internal server error. An unexpected error occurred.

post/core/v1/oauth/token
Request samples
application/x-www-form-urlencoded
client_id=string&grant_type=authorization_code&redirect_uri=string&code=string&code_verifier=string
Response samples
application/json
{
  • "access_token": "string",
  • "token_type": "Bearer",
  • "expires_in": 0,
  • "scope": "string"
}

Issue a verifiable credential

Issues a verifiable credential to a subject as part of the OpenID4VCI protocol.

See https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-credential-endpoint

Analytic events

  • OPENID_CREDENTIAL_START
  • OPENID_CREDENTIAL_SUCCESS
  • OPENID_CREDENTIAL_FAIL
SecuritybearerAuthOpenIdCredentials
Request
Request Body schema: application/json
One of:
format
required
string

Credential format, always ldp_vc for JSON credentials.

Value: "ldp_vc"
required
object
object

JSON object containing proof of possession of the key material the issued Credential shall be bound to.

Responses
200

Credential issued

post/core/v1/openid/credential
Request samples
application/json
{
  • "format": "ldp_vc",
  • "credential_definition": {},
  • "proof": {
    }
}
Response samples
application/json
{}

Create an OpenID4VCI credential offer

Returns an OpenID4VCI credential offer URI. See https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-10.1

Analytic events

  • OPENID_OFFER_CREATE_START
  • OPENID_OFFER_CREATE_SUCCESS
  • OPENID_OFFER_CREATE_FAIL
SecuritybearerAuthOpenIdCredentials
Request
Request Body schema: application/json
credentials
required
Array of strings

This array includes a list of identifiers for credentials that will be included in the credential offer. These identifiers are the id elements returned in the response when you create a credential configuration. To issue multiple credential formats of the same credential in a single flow, include all the required credential configuration id elements in the request payload.

object

Specifies a list of additional request parameters that the wallet can include in the authentication request.

Responses
200

Credential offer URI created

post/core/v1/openid/offers
Request samples
application/json
{
  • "credentials": [
    ],
  • "request_parameters": {
    }
}
Response samples
application/json
{
  • "uri": "openid-credential-offer://?credential_offer=%7B%22credential_issuer%22%3A%22https%3A%2F%2Fmyissuer.example.com%22%2C%22credentials%22%3A%5B%22707e920a-f342-443b-ae24-6946b7b5033e%22%5D%2C%22request_parameters%22%3A%7B%22login_hint%22%3A%22user%40example.com%22%2C%22prompt%22%3A%22login%22%7D%7D"
}

Retrieve OpenID4VCI issuer metadata

Returns OpenID4VCI issuer metadata. This is the standard OpenID4VCI Well Known endpoint for your tenant.

This endpoint is unprotected, public facing and can be deterministically found at the root of the tenant subdomain or alias by any party wishing to discover the OpenID4VCI capabilities.

Responses
200

OpenID4VCI credential issuer metadata retrieved

get/.well-known/openid-credential-issuer
Request samples
curl --request GET \
  --url https://{tenantName}.{region}.mattr.global/.well-known/openid-credential-issuer \
  --header 'Accept: application/json'
Response samples
application/json
{
  • "issuer": "http://example.com",
  • "authorization_endpoint": "http://example.com",
  • "token_endpoint": "http://example.com",
  • "scopes_supported": [
    ],
  • "response_types_supported": [
    ],
  • "response_modes_supported": [
    ],
  • "grant_types_supported": [
    ],
  • "code_challenge_methods_supported": [
    ],
  • "credential_issuer": "http://example.com",
  • "credential_endpoint": "http://example.com",
  • "credentials_supported": [
    ],
  • "mdoc_iacas_uri": "http://example.com"
}