Issue a verifiable credential
POST /v1/openid/credential
Issues a credential to a holder upon presentation of a valid access token, as per OpenID4VCI. Supports encrypted and non-encrypted credential issuance.
For non-encrypted credential issuance the valid access token must be provided in one of the following header formats:

Bearer
- Authorization: Bearer <access_token>
- Content-Type: application/json
- Body: <credential request payload>

OR

DPoP (only required when using DPoP-bound access tokens)
- Authorization: DPoP <access_token>
- DPoP: <dpop_token>
- Content-Type: application/json
- Body: <credential request payload>
For encrypted credential issuance, contact us to configure how your MATTR VII tenant enforces request and/or response encryption, and then:
- For request encryption, Content-Type must be set to application/jwt and the payload must be JWE formatted.
- For response encryption, include the credential_response_encryption property in the raw request payload to specify encryption details.
Analytic events
- OPENID_CREDENTIAL_START
- OPENID_CREDENTIAL_SUCCESS
- OPENID_CREDENTIAL_FAIL
Header Parameters
DPoP (in: header)
DPoP proof JWT. A signed JWT that demonstrates proof-of-possession of a private key.
DPoP is offered as a closed beta preview feature and is not generally available yet. If you are interested in trying this feature, please contact us.
When to use:
- Token endpoint: Required when dpop_jkt was provided in the authorization request.
- Credential endpoint: Required when using DPoP-bound access tokens (Authorization header must use format: Authorization: DPoP <access_token>).

The DPoP proof must be a signed JWT with the following structure:

Header:
- alg: Must be ES256
- typ: Must be dpop+jwt
- jwk: Public key (JWK format)

Payload:
- htu: HTTP URI of the target endpoint
- htm: HTTP method (e.g., POST)
- jti: Unique identifier for this DPoP proof
- iat: Unix timestamp when the DPoP proof was created
- ath: Optional base64url-encoded SHA-256 hash of the access_token. Required when authenticating with the resource server.
- htcd: Optional base64-encoded SHA-256 hash (content digest) of the HTTP request payload used to validate integrity.

Each DPoP proof must be unique and cannot be reused across requests.
Body Parameters
credential_configuration_id
Credential configuration identifier.
proofs
JSON object containing proof of possession of the key material the issued Credential shall be bound to.
credential_response_encryption
JSON object containing details for encrypting the issued credential in the response.
Example request
```shell
curl -X POST "https://example.vii.au01.mattr.global/v1/openid/credential" \
  -H "Authorization: Bearer <access_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "credential_configuration_id": "2cdb2c15-39a7-4556-abab-4515ce2d831b",
    "proofs": {
      "jwt": [
        "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9..."
      ]
    }
  }'
```
Response Body
```json
{
  "credentials": [
    {
      "credential": {
        "@context": [
          "https://www.w3.org/2018/credentials/v1"
        ],
        "id": "http://example.edu/credentials/3732",
        "type": [
          "VerifiableCredential",
          "AlumniCredential"
        ],
        "issuer": "https://example.edu/issuers/14",
        "issuanceDate": "2020-03-10T04:24:12.164Z",
        "credentialSubject": {
          "id": "did:example:123",
          "alumniOf": "Example University"
        },
        "proof": {
          "type": "RsaSignature2018",
          "created": "2020-03-10T04:24:12Z",
          "proofPurpose": "assertionMethod",
          "verificationMethod": "https://example.edu/issuers/keys/1",
          "jws": "EXAMPLE_JWS_TOKEN_eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9aH0..."
        }
      }
    }
  ]
}
```
Exchange authorization code for access token POST
This endpoint is used to exchange an authorization code or a pre-authorized code for an access token, which is later used to request a credential.
- In an Authorization Code flow the authorization code is obtained from the authorization endpoint after the user has successfully authenticated.
- In a Pre-authorized Code flow the pre-authorized code is obtained from the offer URI.
See https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-token-endpoint for more information.
Analytic events
- OPENID_TOKEN_START
- OPENID_TOKEN_SUCCESS
- OPENID_TOKEN_FAIL
Retrieve OpenID4VCI issuer metadata GET
Returns OpenID4VCI issuer metadata. This is the standard OpenID4VCI Well Known endpoint for your tenant. This endpoint is unprotected, public facing and can be deterministically found at the root of the tenant subdomain or alias by any party wishing to discover the OpenID4VCI capabilities.