Specifies paths and operations for issuing credentials as part of an OID4VCI workflow.
Request authorization for access to resources
This endpoint is used to request authorization from the user for access to the requested resources. After the user approves the request, an authorization code is returned to the client. See https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-authorization-endpoint See https://www.rfc-editor.org/rfc/rfc6749.html#section-3.1
Analytic events
- OPENID_AUTHORIZE_START
- OPENID_AUTHORIZE_SUCCESS
- OPENID_AUTHORIZE_FAIL
query Parameters
Redirection to client application with authorization code
Bad Request. The request was malformed or missing required parameters.
Unauthorized. The client is not recognized by authorization server.
Forbidden. The client is recognized by authorization server but is not allowed to access this resource.
Internal Server Error. An unexpected error occurred.
- curl
- Node.js
- JavaScript
- Python
- C#
- Java
- 400
{- "code": "string",
- "type": "string",
- "message": "string",
- "details": [
- {
- "value": "string",
- "msg": "Invalid value",
- "param": "id",
- "location": "body"
}
]
}Exchange authorization code for access token
This endpoint is used to exchange an authorization code for an access token. The authorization code is obtained from the authorization endpoint after the user has authenticated and granted access. See https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-token-endpoint
Analytic events
- OPENID_TOKEN_START
- OPENID_TOKEN_SUCCESS
- OPENID_TOKEN_FAIL
Request Body schema: application/x-www-form-urlencoded
Access token successfully returned.
Bad Request. The request was malformed or missing required parameters.
Unauthorized. The client is not recognized by authorization server.
Forbidden. The client is recognized by authorization server but is not allowed to access this resource.
Internal Server Error. An unexpected error occurred.
- Payload
- curl
- Node.js
- JavaScript
- Python
- C#
- Java
client_id=string&grant_type=authorization_code&redirect_uri=string&code=string&code_verifier=string
- 200
- 400
{- "access_token": "string",
- "token_type": "Bearer",
- "expires_in": 0,
- "scope": "string"
}Issue a verifiable credential
Issues a verifiable credential to a subject as part of the OpenID4VCI protocol.
See https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-credential-endpoint
Analytic events
- OPENID_CREDENTIAL_START
- OPENID_CREDENTIAL_SUCCESS
- OPENID_CREDENTIAL_FAIL
Credential issued
- Payload
- curl
- Node.js
- JavaScript
- Python
- C#
- Java
{- "format": "ldp_vc",
- "credential_definition": {
- "type": [
- "VerifiableCredential",
- "AlumniCredential"
],
}, - "proof": {
- "proof_type": "jwt",
- "jwt": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9..."
}
}- 200
{- "credential": {
- "type": [
- "VerifiableCredential",
- "AlumniCredential"
], - "issuer": {
- "id": "did:web:organization.com",
- "name": "Example University",
}, - "credentialBranding": {
- "backgroundColor": "#B00AA0",
}, - "issuanceDate": "2020-05-02T12:06:29.156Z",
- "credentialStatus": {
- "type": "RevocationList2020Status",
- "revocationListIndex": 1,
- "revocationListCredential": "https://tenant.vii.mattr.global/core/v1/revocation-lists/cc641396-3750-43c8-b8b8-f30d74eb3fb3"
}, - "credentialSubject": {
- "givenName": "Jamie",
- "familyName": "Doe",
- "alumniOf": "Example University"
}, - "proof": {
- "type": "Ed25519Signature2018",
- "created": "2020-05-02T12:06:29Z",
- "jws": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
- "proofPurpose": "assertionMethod",
- "verificationMethod": "did:web:organization.com"
}, - "name": "Alumni Credential",
- "description": "This credential shows that the person has attended the mentioned university."
}, - "format": "ldp_vc"
}
Create an OpenID4VCI credential offer
Returns an OpenID4VCI credential offer URI. See https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-10.1
Analytic events
- OPENID_OFFER_CREATE_START
- OPENID_OFFER_CREATE_SUCCESS
- OPENID_OFFER_CREATE_FAIL
Request Body schema: application/json
Credential offer URI created
- Payload
- curl
- Node.js
- JavaScript
- Python
- C#
- Java
{- "credentials": [
- "707e920a-f342-443b-ae24-6946b7b5033e"
], - "request_parameters": {
- "login_hint": "user@example.com",
- "prompt": "login"
}
}- 200
{- "uri": "openid-credential-offer://?credential_offer=%7B%22credential_issuer%22%3A%22https%3A%2F%2Fmyissuer.example.com%22%2C%22credentials%22%3A%5B%22707e920a-f342-443b-ae24-6946b7b5033e%22%5D%2C%22request_parameters%22%3A%7B%22login_hint%22%3A%22user%40example.com%22%2C%22prompt%22%3A%22login%22%7D%7D"
}Retrieve OpenID4VCI issuer metadata
Returns OpenID4VCI issuer metadata. This is the standard OpenID4VCI Well Known endpoint for your tenant.
This endpoint is unprotected, public facing and can be deterministically found at the root of the tenant subdomain or alias by any party wishing to discover the OpenID4VCI capabilities.
OpenID4VCI credential issuer metadata retrieved
- curl
- Node.js
- JavaScript
- Python
- C#
- Java
curl --request GET \ --url https://{tenantName}.{region}.mattr.global/.well-known/openid-credential-issuer \ --header 'Accept: application/json'
- 200
{- "scopes_supported": [
- "ldp_vc:ExampleCredential"
], - "response_types_supported": [
- "code"
], - "response_modes_supported": [
- "query"
], - "grant_types_supported": [
- "authorization_code"
], - "code_challenge_methods_supported": [
- "S256"
], - "credentials_supported": [
- {
- "format": "string",
- "id": "string",
- "scope": "string",
- "@context": [
- "string"
], - "type": [
- "string"
], - "credentialSubject": { },
- "cryptographic_binding_methods_supported": "string",
- "cryptographic_suites_supported": "string"
}
],
}