Issue a verifiable credential
Issues a credential to a holder upon presentation of a valid access token, as per OpenID4VCI. Supports encrypted and non-encrypted credential issuance.
Encrypted credential issuance is currently in technical preview and must be enabled on a per-tenant basis. If you would like to enable this feature for your tenant, please contact us.
For non-encrypted credential issuance the valid access token must be provided in one of the following header formats:

Bearer
- Authorization: Bearer <access_token>
- Content-Type: application/json
- Body: <credential request payload>

OR

DPoP (only required when using DPoP-bound access tokens)
- Authorization: DPoP <access_token>
- DPoP: <dpop_token>
- Content-Type: application/json
- Body: <credential request payload>
For encrypted credential issuance, contact us to configure how your MATTR VII tenant enforces request and/or response encryption, and then:
- For request encryption, Content-Type must be set to application/jwt and the payload must be JWE formatted.
- For response encryption, include the credential_response_encryption property in the raw request payload to specify encryption details.
POST /v1/openid/credential

Header Parameters

DPoP (in: header): DPoP proof JWT. A signed JWT that demonstrates proof-of-possession of a private key.
DPoP support is currently offered as a tech preview. As such, functionality may be limited, may not work in all scenarios, and could change or break without prior notice.
When to use:
- Token endpoint: Required when dpop_jkt was provided in the authorization request.
- Credential endpoint: Required when using DPoP-bound access tokens (the Authorization header must use the format: Authorization: DPoP <access_token>).
The DPoP proof must be a signed JWT with the following structure:

Header:
- alg: Must be ES256
- typ: Must be dpop+jwt
- jwk: Public key (JWK format; public members only, never the private d parameter)

Payload:
- htu: HTTP URI of the target endpoint
- htm: HTTP method (e.g., POST)
- jti: Unique identifier for this DPoP proof
- iat: Unix timestamp when the DPoP proof was created
- ath: Optional base64url-encoded SHA-256 hash of the access_token. Required when authenticating with the resource server, which includes the credential endpoint, since it is called with a DPoP-bound access token.
- htcd: Optional base64-encoded SHA-256 hash (content digest) of the HTTP request payload used to validate integrity.

Each DPoP proof must be unique and cannot be reused across requests.
Body Parameters

- credential_configuration_id: Credential configuration identifier.
- proofs: JSON object containing proof of possession of the key material the issued Credential shall be bound to (the request example uses a jwt array).
- credential_response_encryption: JSON object containing details for encrypting the issued credential in the response.
Request example (the Bearer variant; the access token header is required):

curl -X POST "https://example.vii.au01.mattr.global/v1/openid/credential" \
  -H "Authorization: Bearer <access_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "credential_configuration_id": "2cdb2c15-39a7-4556-abab-4515ce2d831b",
    "proofs": {
      "jwt": [
        "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9..."
      ]
    }
  }'

Response Body
{
"credentials": [
{
"credential": {
"@context": [
"https://www.w3.org/2018/credentials/v1"
],
"id": "http://example.edu/credentials/3732",
"type": [
"VerifiableCredential",
"AlumniCredential"
],
"issuer": "https://example.edu/issuers/14",
"issuanceDate": "2020-03-10T04:24:12.164Z",
"credentialSubject": {
"id": "did:example:123",
"alumniOf": "Example University"
},
"proof": {
"type": "RsaSignature2018",
"created": "2020-03-10T04:24:12Z",
"proofPurpose": "assertionMethod",
"verificationMethod": "https://example.edu/issuers/keys/1",
"jws": "EXAMPLE_JWS_TOKEN_eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9aH0..."
}
}
}
]
}