Specifies paths and operations for issuing credentials as part of an OID4VCI workflow.
Request authorization for access to resources
This endpoint is used to request authorization from the user for access to the requested resources. After the user approves the request, an authorization code is returned to the client.
See https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-authorization-endpoint and https://www.rfc-editor.org/rfc/rfc6749.html#section-3.1 for more information.
Analytic events
- OPENID_AUTHORIZE_START
- OPENID_AUTHORIZE_SUCCESS
- OPENID_AUTHORIZE_FAIL
query Parameters
Redirection to client application with authorization code
Bad Request. The request was malformed or missing required parameters.
Unauthorized. The client is not recognized by authorization server.
Forbidden. The client is recognized by authorization server but is not allowed to access this resource.
Internal Server Error. An unexpected error occurred.
- 400
{
  "code": "string",
  "type": "string",
  "message": "string",
  "details": [
    {
      "value": "string",
      "msg": "Invalid value",
      "param": "id",
      "location": "body"
    }
  ]
}
Exchange authorization code for access token
This endpoint is used to exchange an authorization code or a pre-authorized code for an access token, which is later used to request a credential.
- In an Authorization Code flow the authorization code is obtained from the authorization endpoint after the user has successfully authenticated.
- In a Pre-authorized Code flow the pre-authorized code is obtained from the offer URI.
See https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-token-endpoint for more information.
Analytic events
- OPENID_TOKEN_START
- OPENID_TOKEN_SUCCESS
- OPENID_TOKEN_FAIL
Request Body schema: application/x-www-form-urlencoded
Access token successfully returned.
Bad Request. The request was malformed or missing required parameters.
Unauthorized. The client is not recognized by authorization server.
Forbidden. The client is recognized by authorization server but is not allowed to access this resource.
Internal Server Error. An unexpected error occurred.
- Payload
client_id=string&grant_type=authorization_code&redirect_uri=string&code=string&code_verifier=string
- 200
{
  "access_token": "string",
  "token_type": "Bearer",
  "expires_in": 0,
  "scope": "string"
}
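The Authorization Code payload above carries a code_verifier, which is the PKCE proof that ties the authorization code to the client that started the flow. The following is an added example, not code from this API or its vendor: it shows how a client derives the S256 challenge and builds that form body, and how a server would check the verifier. All function names and sample values are hypothetical, and the challenge parameters follow RFC 7636.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

# RFC 7636: 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")

def new_code_verifier():
    """Client: 32 random bytes give a 43-character URL-safe verifier."""
    raw = secrets.token_bytes(32)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def s256_challenge(verifier):
    """BASE64URL(SHA256(verifier)) without padding (the S256 method)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def authorization_code_token_body(client_id, redirect_uri, code, verifier):
    """Client: form body with the same fields as the payload sample."""
    return urlencode({
        "client_id": client_id,
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    })

def verifier_matches(stored_challenge, presented_verifier):
    """Server: redeem the code only if the verifier hashes to the challenge
    stored when the authorization request was made (illustrative check)."""
    if not VERIFIER_RE.fullmatch(presented_verifier):
        return False
    computed = s256_challenge(presented_verifier)
    return hmac.compare_digest(computed, stored_challenge)
```

An authorization code intercepted in the redirect cannot be redeemed without the verifier, because only the challenge ever travels through the browser.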
Issue a verifiable credential
Issues a verifiable credential to a subject as part of the OpenID4VCI protocol.
See https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-credential-endpoint
Analytic events
- OPENID_CREDENTIAL_START
- OPENID_CREDENTIAL_SUCCESS
- OPENID_CREDENTIAL_FAIL
Credential issued
- Payload
{
  "format": "ldp_vc",
  "credential_definition": {
    "type": [
      "VerifiableCredential",
      "AlumniCredential"
    ]
  },
  "proof": {
    "proof_type": "jwt",
    "jwt": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9..."
  }
}
- 200
{
  "credential": {
    "type": [
      "VerifiableCredential",
      "AlumniCredential"
    ],
    "issuer": {
      "id": "did:web:organization.com",
      "name": "Example University"
    },
    "credentialBranding": {
      "backgroundColor": "#B00AA0"
    },
    "issuanceDate": "2020-05-02T12:06:29.156Z",
    "credentialStatus": {
      "type": "RevocationList2020Status",
      "revocationListIndex": 1,
      "revocationListCredential": "https://tenant.vii.mattr.global/v1/revocation-lists/cc641396-3750-43c8-b8b8-f30d74eb3fb3"
    },
    "credentialSubject": {
      "givenName": "Jamie",
      "familyName": "Doe",
      "alumniOf": "Example University"
    },
    "proof": {
      "type": "Ed25519Signature2018",
      "created": "2020-05-02T12:06:29Z",
      "jws": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
      "proofPurpose": "assertionMethod",
      "verificationMethod": "did:web:organization.com"
    },
    "name": "Alumni Credential",
    "description": "This credential shows that the person has attended the mentioned university."
  },
  "format": "ldp_vc"
}
Create an Authorization Code credential offer
Returns an OpenID4VCI credential offer URI. See https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-10.1
Analytic events
- OPENID_OFFER_CREATE_START
- OPENID_OFFER_CREATE_SUCCESS
- OPENID_OFFER_CREATE_FAIL
Request Body schema: application/json
Credential offer URI created
- Payload
{
  "credentials": [
    "707e920a-f342-443b-ae24-6946b7b5033e"
  ],
  "request_parameters": {
    "login_hint": "user@example.com",
    "prompt": "login"
  }
}
- 200
{
  "uri": "openid-credential-offer://?credential_offer=%7B%22credential_issuer%22%3A%22https%3A%2F%2Fmyissuer.example.com%22%2C%22credentials%22%3A%5B%22707e920a-f342-443b-ae24-6946b7b5033e%22%5D%2C%22request_parameters%22%3A%7B%22login_hint%22%3A%22user%40example.com%22%2C%22prompt%22%3A%22login%22%7D%7D"
}
Retrieve OpenID4VCI issuer metadata
Returns OpenID4VCI issuer metadata. This is the standard OpenID4VCI Well Known endpoint for your tenant.
This endpoint is unprotected and public-facing. Any party wishing to discover the tenant's OpenID4VCI capabilities can find it deterministically at the root of the tenant subdomain or alias.
OpenID4VCI credential issuer metadata retrieved
curl --request GET \
  --url https://{tenantName}.{region}.mattr.global/.well-known/openid-credential-issuer \
  --header 'Accept: application/json'
- 200
{
  "scopes_supported": [
    "ldp_vc:ExampleCredential"
  ],
  "response_types_supported": [
    "code"
  ],
  "response_modes_supported": [
    "query"
  ],
  "grant_types_supported": [
    "authorization_code"
  ],
  "code_challenge_methods_supported": [
    "S256"
  ],
  "credentials_supported": [
    {
      "format": "string",
      "id": "string",
      "scope": "string",
      "@context": [
        "string"
      ],
      "type": [
        "string"
      ],
      "credentialSubject": { },
      "cryptographic_binding_methods_supported": "string",
      "cryptographic_suites_supported": "string"
    }
  ]
}
Create a Pre-Authorized Code credential offer
Generate a new OpenID4VCI Pre-Authorized Code credential offer.
Analytic events
- OPENID_PRE_AUTHORIZED_OFFER_CREATE_START
- OPENID_PRE_AUTHORIZED_OFFER_CREATE_SUCCESS
- OPENID_PRE_AUTHORIZED_OFFER_CREATE_FAIL
Request Body schema: application/json
credentials (required) | Array of strings | This array includes a list of identifiers for credential configurations that will be included in the credential offer. These identifiers are the
userId | string | Unique system-generated identifier to reference the user for this offer. This can be obtained by searching for a user. If not provided, a new user entity will be created.
transactionCodeConfiguration | object | Configure whether a second-factor transaction code is required for this offer. If a configuration is provided, a code will be generated for the offer, and the end user must submit it during credential retrieval.
claims | object | Additional user claims that are available during credential issuance for this offer.
claimsToPersist | Array of strings | List of claims to persist from the provided
expiresIn | object | Specifies when the offer will expire. Once the offer expires, the user can no longer use it to claim a credential, and a new offer must be generated. The expiration period can include any combination of minutes and seconds. By default, the offer expires in 5 minutes, and the maximum allowed duration is 10 minutes.
Credential offer created
- Payload
{
  "credentials": [
    "707e920a-f342-443b-ae24-6946b7b5033e"
  ],
  "userId": "string",
  "transactionCodeConfiguration": {
    "inputMode": "numeric",
    "description": "Please enter the one-time code that was sent to you via email."
  },
  "claims": {
    "givenName": "John",
    "familyName": "Doe",
    "email": "john.doe@example.com"
  },
  "claimsToPersist": [
    "email"
  ],
  "expiresIn": {
    "minutes": 5,
    "seconds": 0
  }
}
- 200
{
  "id": "string",
  "userId": "string",
  "uri": "openid-credential-offer://?credential_offer=%7B%22credential_issuer%22%3A%22https%3A%2F%2Fexample.com%22%2C%22credentials%22%3A%5B%222edaf985-fcc2-4448-9c8e-a04c6c7351c2%22%5D%2C%22grants%22%3A%7B%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%22stukD6lg9c9tQ3jUCa32wVi1HI%2BQIVsFK%2FQPvC2CHRs%3D%22%2C%22tx_code%22%3A%7B%22length%22%3A6%2C%22input_mode%22%3A%22numeric%22%2C%22description%22%3A%22Please%20provide%20the%20one-time%20code%20that%20was%20sent%20via%20e-mail%22%7D%7D%7D%7D",
  "expiresAt": "2025-05-01T00:01:00.000Z",
  "transactionCode": 493536
}
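The offer URI in the response above packs the issuer, the pre-authorized code and the transaction code requirements into one percent-encoded JSON value. The following is an added example, not code from this API or its vendor, of how a wallet-side client could decode and validate such a URI and build the token request for the Pre-authorized Code flow. The function names and sample offer are constructed, and the form field names pre-authorized_code and tx_code are taken from the OpenID4VCI specification, which is an assumption about what this token endpoint accepts.

```python
import json
from urllib.parse import parse_qs, quote, urlencode, urlsplit

PRE_AUTH_GRANT = "urn:ietf:params:oauth:grant-type:pre-authorized_code"

def parse_offer(uri):
    """Decode an openid-credential-offer:// URI into the offer object."""
    parts = urlsplit(uri)
    if parts.scheme != "openid-credential-offer":
        raise ValueError("unexpected URI scheme")
    # parse_qs percent-decodes, so %2B in the code becomes "+", not a space.
    values = parse_qs(parts.query).get("credential_offer", [])
    if len(values) != 1:
        raise ValueError("expected exactly one credential_offer parameter")
    offer = json.loads(values[0])
    issuer = urlsplit(offer["credential_issuer"])
    if issuer.scheme != "https" or not issuer.netloc:
        raise ValueError("credential_issuer must be an https URL")
    return offer

def pre_authorized_token_body(offer, tx_code=None):
    """Build the form body that redeems the offer's pre-authorized code."""
    grant = offer.get("grants", {}).get(PRE_AUTH_GRANT)
    if grant is None:
        raise ValueError("offer carries no pre-authorized code grant")
    form = {"grant_type": PRE_AUTH_GRANT,
            "pre-authorized_code": grant["pre-authorized_code"]}
    spec = grant.get("tx_code")
    if spec is not None:
        # Check the user's input against the shape the offer declares.
        code = "" if tx_code is None else str(tx_code)
        if spec.get("input_mode", "numeric") == "numeric":
            if not (code.isascii() and code.isdigit()):
                raise ValueError("transaction code must be numeric")
        if "length" in spec and len(code) != spec["length"]:
            raise ValueError("transaction code has the wrong length")
        form["tx_code"] = code
    return urlencode(form)

# Constructed sample offer, shaped like the URI in the 200 response.
SAMPLE_OFFER = {
    "credential_issuer": "https://issuer.example",
    "credentials": ["707e920a-f342-443b-ae24-6946b7b5033e"],
    "grants": {PRE_AUTH_GRANT: {
        "pre-authorized_code": "constructed+code/value=",
        "tx_code": {"length": 6, "input_mode": "numeric"}}},
}
SAMPLE_URI = ("openid-credential-offer://?credential_offer="
              + quote(json.dumps(SAMPLE_OFFER), safe=""))
```

Because the URI alone carries the pre-authorized code, the transaction code should reach the user over a separate channel and the offer should keep the short expiry described above.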