Retrieve OpenID4VCI issuer metadata
/.well-known/openid-credential-issuerReturns OpenID4VCI issuer metadata. This is the standard OpenID4VCI Well Known endpoint for your tenant.
This endpoint is unprotected, public facing and can be deterministically found at the root of the tenant subdomain or alias by any party wishing to discover the OpenID4VCI capabilities.
Response Body
application/json
fetch("https://example.vii.au01.mattr.global/.well-known/openid-credential-issuer", { method: "GET"}){
"issuer": "http://example.com",
"authorization_endpoint": "http://example.com",
"jwks_uri": "http://example.com",
"token_endpoint": "http://example.com",
"scopes_supported": [
"ldp_vc:ExampleCredential"
],
"response_types_supported": [
"code"
],
"response_modes_supported": [
"query"
],
"grant_types_supported": [
"authorization_code"
],
"code_challenge_methods_supported": [
"S256"
],
"credential_issuer": "http://example.com",
"credential_endpoint": "http://example.com",
"credentials_supported": [
{
"format": "string",
"id": "string",
"scope": "string",
"@context": [
"string"
],
"type": [
"string"
],
"credentialSubject": {},
"cryptographic_binding_methods_supported": [
"did:key",
"mso"
],
"cryptographic_suites_supported": [
"Ed25519Signature2018",
"ES256"
]
}
],
"credential_configurations_supported": {
"2cdb2c15-39a7-4556-abab-4515ce2d831b": {
"format": "ldp_vc",
"id": "2cdb2c15-39a7-4556-abab-4515ce2d831b",
"scope": "ldp_vc:TestCredential",
"credential_definition": {
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://schema.org"
],
"type": [
"VerifiableCredential",
"TestCredential"
]
},
"credential_signing_alg_values_supported": [
"Ed25519Signature2018",
"BbsSignatureProof2022"
],
"cryptographic_binding_methods_supported": [
"did:key"
],
"proof_types_supported": {
"jwt": {
"proof_signing_alg_values_supported": [
"EdDSA"
]
}
},
"credential_metadata": {
"display": [
{
"name": "Test Credential",
"logo": {
"uri": "https://example.com/logo.png",
"alt_text": "Example Logo"
},
"locale": "en-US",
"background_color": "#FFFFFF",
"text_color": "#000000"
}
],
"claims": [
{
"path": [
"credentialSubject",
"firstName"
],
"mandatory": true,
"display": [
{
"name": "First Name",
"locale": "en-US"
}
]
}
]
}
},
"3dfe1c4a-5b6c-4e2f-9f3a-2b1c4d5e6f7g": {
"format": "cwt_vc",
"id": "3dfe1c4a-5b6c-4e2f-9f3a-2b1c4d5e6f7g",
"scope": "cwt_vc:TestCredential",
"types": [
"VerifiableCredential",
"TestCredential"
],
"cryptographic_binding_methods_supported": [],
"credential_signing_alg_values_supported": [
-7
],
"credential_metadata": {
"claims": [
{
"path": [
"vc",
"credentialSubject",
"firstName"
],
"mandatory": true,
"display": [
{
"name": "First Name",
"locale": "en-US"
}
]
}
]
}
},
"b068c060-cc72-4758-9526-92d29edb821f": {
"format": "cwt",
"id": "b068c060-cc72-4758-9526-92d29edb821f",
"scope": "cwt:TestCredential",
"type": "TestCredential",
"cryptographic_binding_methods_supported": [],
"credential_signing_alg_values_supported": [
-7
],
"credential_metadata": {
"claims": [
{
"path": [
"firstName"
],
"mandatory": true,
"display": [
{
"name": "First Name",
"locale": "en-US"
}
]
}
]
}
},
"a1b2c3d4-e5f6-4789-abcd-ef0123456789": {
"format": "mso_mdoc",
"doctype": "org.iso.18013.5.1.mDL.T",
"scope": "mso_mdoc:TestCredential",
"id": "a1b2c3d4-e5f6-4789-abcd-ef0123456789",
"cryptographic_binding_methods_supported": [
"mso"
],
"credential_signing_alg_values_supported": [
-7
],
"proof_types_supported": {
"jwt": {
"proof_signing_alg_values_supported": [
"ES256"
]
}
},
"credential_metadata": {
"claims": [
{
"path": [
"org.iso.18013.5.1",
"firstName"
],
"mandatory": true,
"display": [
{
"name": "First Name",
"locale": "en-US"
}
]
}
],
"display": [
{
"name": "Test Mobile Credential",
"logo": {
"uri": "https://example.com/logo.png",
"alt_text": "Example Logo"
},
"locale": "en-US",
"background_color": "#FFFFFF",
"text_color": "#000000"
}
]
}
}
},
"mdoc_iacas_uri": "http://example.com",
"credential_response_encryption": {
"alg_values_supported": [
"HPKE-7"
],
"enc_values_supported": [
"A256GCM"
],
"encryption_required": false
},
"credential_request_encryption": {
"jwks": {
"keys": [
{
"kty": "EC",
"kid": "kid",
"use": "enc",
"crv": "P-256",
"alg": "HPKE-7",
"x": "YO4epjifD-KWeq1sL2tNmm36BhXnkJ0He-WqMYrp9Fk",
"y": "Hekpm0zfK7C-YccH5iBjcIXgf6YdUvNUac_0At55Okk"
}
]
},
"enc_values_supported": [
"A256GCM"
],
"encryption_required": false
}
}How would you rate this page?
Issue a verifiable credential POST
Issues a credential to a holder upon presentation of a valid access token, as per [OpenID4VCI](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-credential-endpoint). Supports [encrypted](/docs/issuance/credential-issuance/e2e-encryption) and non-encrypted credential issuance. <Callout> Encrypted credential issuance is currently in technical preview and must be enabled on a per-tenant basis. If you would like to enable this feature for your tenant, please [contact us](mailto:dev-support@mattr.global). </Callout> For non-encrypted credential issuance the valid access token must be provided in one of the following header formats: **Bearer** - Authorization: `Bearer <access_token>`. - Content-Type: `application/json` - Body: `<credential request payload>` OR **DPoP** Only required when using DPoP-bound access tokens. - Authorization: `DPoP <access_token>`. - DPoP: `<dpop_token>` - Content-Type: `application/json` - Body: `<credential request payload>` For encrypted credential issuance, [contact us](mailto:dev-support@mattr.global) to configure how your MATTR VII enforces request and/or response encryption, and then: - For **request** encryption, `Content-Type` must be set to `application/jwt` and the payload must be JWE formatted. - For **response** encryption, include the [`credential_response_encryption`](/docs/issuance/credential-issuance/e2e-encryption#encryption-key-provisioning) property in the raw request payload to specify encryption details. ### **Analytic events** * OPENID_CREDENTIAL_START * OPENID_CREDENTIAL_SUCCESS * OPENID_CREDENTIAL_FAIL
Retrieve authorization server metadata GET
Returns the OAuth 2.0 Authorization Server Metadata for your tenant. This is the standard OAuth 2.0 Well-Known endpoint, providing public metadata that describes the tenant’s OAuth 2.0 configuration and capabilities. https://www.rfc-editor.org/rfc/rfc8414.html