API Reference
Create Credential Offer
Create an Authorization Code credential offer
Returns an OpenID4VCI credential offer URI. See https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-10.1
Analytic events
- OPENID_OFFER_CREATE_START
- OPENID_OFFER_CREATE_SUCCESS
- OPENID_OFFER_CREATE_FAIL
/v1/openid/offers
In: header
This array includes a list of identifiers for credential configurations that will be included in the credential offer. These identifiers are the id elements returned in the response when you create a credential configuration. To issue multiple credential formats of the same credential in a single flow, include all the required credential configuration id elements in the request payload.
Specifies a list of additional request parameters that the wallet can include in the authentication request.
curl -X POST "https://example.vii.au01.mattr.global/v1/openid/offers" \
  -H "Content-Type: application/json" \
  -d '{ "credentials": [ "707e920a-f342-443b-ae24-6946b7b5033e" ] }'
{
  "uri": "openid-credential-offer://?credential_offer=%7B%22credential_issuer%22%3A%22https%3A%2F%2Fmyissuer.example.com%22%2C%22credentials%22%3A%5B%22707e920a-f342-443b-ae24-6946b7b5033e%22%5D%2C%22request_parameters%22%3A%7B%22login_hint%22%3A%22user%40example.com%22%2C%22prompt%22%3A%22login%22%7D%7D"
}
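A wallet that receives this URI should validate it before contacting the issuer. The following is an added example, not MATTR's code: it decodes the sample offer from the response above and applies checks chosen here as assumptions (a single credential_offer parameter, an https credential_issuer with no userinfo, query or fragment, and a non-empty list of credential identifiers). The function name parse_credential_offer is hypothetical.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Sample offer URI copied from the response example on this page.
SAMPLE_OFFER_URI = (
    "openid-credential-offer://?credential_offer=%7B%22credential_issuer%22%3A%22"
    "https%3A%2F%2Fmyissuer.example.com%22%2C%22credentials%22%3A%5B%22"
    "707e920a-f342-443b-ae24-6946b7b5033e%22%5D%2C%22request_parameters%22%3A%7B%22"
    "login_hint%22%3A%22user%40example.com%22%2C%22prompt%22%3A%22login%22%7D%7D"
)


def parse_credential_offer(uri: str) -> dict:
    """Decode and validate an offer URI (hypothetical helper, wallet side).

    Raises ValueError on anything unexpected so the caller fails closed.
    """
    parts = urlsplit(uri)
    if parts.scheme != "openid-credential-offer":
        raise ValueError(f"unexpected scheme: {parts.scheme!r}")

    # Duplicate parameters are ambiguous, so require exactly one value.
    values = parse_qs(parts.query, strict_parsing=True).get("credential_offer", [])
    if len(values) != 1:
        raise ValueError("expected exactly one credential_offer parameter")

    offer = json.loads(values[0])  # JSONDecodeError is a ValueError
    if not isinstance(offer, dict):
        raise ValueError("credential_offer must be a JSON object")

    # The issuer identifier decides which host receives later requests.
    issuer = offer.get("credential_issuer")
    if not isinstance(issuer, str):
        raise ValueError("credential_issuer must be a string")
    u = urlsplit(issuer)
    if u.scheme != "https" or not u.hostname or u.username or u.query or u.fragment:
        raise ValueError("credential_issuer must be a plain https URL")

    creds = offer.get("credentials")
    if not isinstance(creds, list) or not creds or not all(
        isinstance(c, str) and c for c in creds
    ):
        raise ValueError("credentials must be a non-empty list of identifiers")

    request_parameters = offer.get("request_parameters", {})
    if not isinstance(request_parameters, dict):
        raise ValueError("request_parameters must be a JSON object")

    return {"credential_issuer": issuer, "credentials": creds,
            "request_parameters": request_parameters}
```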
Request authorization for access to resources
This endpoint is used to request authorization from the user for access to the requested resources. After the user approves the request, an authorization code is returned to the client.
See https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-authorization-endpoint
See https://www.rfc-editor.org/rfc/rfc6749.html#section-3.1
Analytic events
- OPENID_AUTHORIZE_START
- OPENID_AUTHORIZE_SUCCESS
- OPENID_AUTHORIZE_FAIL
/v1/oauth/authorize
Query Parameters
The response type, which must be 'code'.
"code"
The client identifier.
The URI to which the authorization server will redirect the user-agent with the authorization code.
The scope of the access request.
An opaque value used by the client to maintain state between the request and callback.
The method used to derive the code_challenge, which must be 'S256'.
"S256"
A high entropy random challenge generated by the client.
curl -X GET "https://example.vii.au01.mattr.global/v1/oauth/authorize?response_type=code&client_id=string&redirect_uri=string&scope=string&state=string&code_challenge_method=S256&code_challenge=string"
{
  "code": "string",
  "message": "string",
  "details": [
    {
      "value": "string",
      "msg": "Invalid value",
      "param": "id",
      "location": "body"
    }
  ]
}
"Unauthorized"
Exchange authorization code for access token
This endpoint is used to exchange an authorization code or a pre-authorized code for an access token, which is later used to request a credential.
- In an Authorization Code flow the authorization code is obtained from the authorization endpoint after the user has successfully authenticated.
- In a Pre-authorized Code flow the pre-authorized code is obtained from the offer URI.
See https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-token-endpoint for more information.
Analytic events
- OPENID_TOKEN_START
- OPENID_TOKEN_SUCCESS
- OPENID_TOKEN_FAIL
/v1/oauth/token
The client identifier.
The grant type, which must be 'authorization_code'.
"authorization_code"
The redirect URI that was used in the authorization request.
The authorization code obtained from the authorization endpoint.
SHA256 hash of the code_challenge in the authorization request.
The grant type, which must be 'urn:ietf:params:oauth:grant-type:pre-authorized_code'.
"urn:ietf:params:oauth:grant-type:pre-authorized_code"
The pre-authorized code obtained from the pre-authorized offer URI.
The transaction code obtained from the pre-authorized offer URI.
curl -X POST "https://example.vii.au01.mattr.global/v1/oauth/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'client_id=string&grant_type=authorization_code&redirect_uri=string&code=string&code_verifier=string'
{
  "access_token": "string",
  "token_type": "Bearer",
  "expires_in": 0,
  "scope": "string"
}
{
  "code": "string",
  "message": "string",
  "details": [
    {
      "value": "string",
      "msg": "Invalid value",
      "param": "id",
      "location": "body"
    }
  ]
}
"Unauthorized"
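The authorization and token requests above are tied together by PKCE (RFC 7636): the code_challenge sent to /v1/oauth/authorize is the unpadded base64url SHA-256 digest of the code_verifier later sent to /v1/oauth/token. This added example, not MATTR's code, builds both requests and checks state on the callback; the function names and the sample client_id and redirect URI values are assumptions.

```python
# Added example; function names are hypothetical, not part of the MATTR API.
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(code_verifier)) with '=' padding removed."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def start_authorization(authorize_endpoint, client_id, redirect_uri, scope):
    """Return (url, session); session holds values that must stay on the client."""
    session = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": secrets.token_urlsafe(16),
        "code_verifier": secrets.token_urlsafe(32),  # 43 chars (RFC 7636 minimum)
    }
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": session["state"],
        "code_challenge_method": "S256",
        # Only the hash leaves the client; the verifier is sent later, once.
        "code_challenge": s256_challenge(session["code_verifier"]),
    })
    return f"{authorize_endpoint}?{query}", session


def token_request_body(callback_url, session):
    """Check the redirect belongs to this session, then build the token form body."""
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), session["state"].encode()):
        raise ValueError("state mismatch: callback is not for this session")
    if len(params.get("code", [])) != 1:
        raise ValueError("callback must carry exactly one authorization code")
    return urlencode({
        "client_id": session["client_id"],
        "grant_type": "authorization_code",
        "redirect_uri": session["redirect_uri"],  # same value as in the request
        "code": params["code"][0],
        "code_verifier": session["code_verifier"],
    })
```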
Issue a verifiable credential
Issues a credential to a holder upon presentation of a valid access token, as per OpenID4VCI.
The valid access token must be provided in the following header format: Authorization: Bearer <access_token>.
Analytic events
- OPENID_CREDENTIAL_START
- OPENID_CREDENTIAL_SUCCESS
- OPENID_CREDENTIAL_FAIL
/v1/openid/credential
In: header
Credential format, always ldp_vc for JSON credentials.
"ldp_vc"
JSON object containing proof of possession of the key material the issued Credential shall be bound to.
Credential format, always cwt for CWT credentials.
"cwt"
Credential format, always cwt_vc for Semantic CWT credentials.
"cwt_vc"
Credential format, always mso_mdoc for mDocs.
"mso_mdoc"
The document type identifier for the credential, as defined in ISO/IEC 18013-5:2021.
JSON object containing proof of possession of the key material the issued credential shall be bound to.
curl -X POST "https://example.vii.au01.mattr.global/v1/openid/credential" \
  -H "Content-Type: application/json" \
  -d '{
    "format": "ldp_vc",
    "credential_definition": {
      "type": [ "VerifiableCredential", "AlumniCredential" ],
      "@context": [ "https://www.w3.org/2018/credentials/v1" ]
    },
    "proof": {
      "proof_type": "jwt",
      "jwt": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9..."
    }
  }'
{
  "credential": {
    "@context": [
      "https://www.w3.org/2018/credentials/v1",
      "https://www.w3.org/2018/credentials/examples/v1"
    ],
    "type": [
      "VerifiableCredential",
      "AlumniCredential"
    ],
    "issuer": {
      "id": "did:web:organization.com",
      "name": "Example University",
      "logoUrl": "https://example.edu/img/logo.png",
      "iconUrl": "https://example.edu/img/icon.png"
    },
    "credentialBranding": {
      "backgroundColor": "#B00AA0",
      "watermarkImageUrl": "https://example.edu/img/watermark.png"
    },
    "issuanceDate": "2020-05-02T12:06:29.156Z",
    "credentialStatus": {
      "id": "https://tenant.vii.mattr.global/v1/revocation-lists/cc641396-3750-43c8-b8b8-f30d74eb3fb3#1",
      "type": "RevocationList2020Status",
      "revocationListIndex": 1,
      "revocationListCredential": "https://tenant.vii.mattr.global/v1/revocation-lists/cc641396-3750-43c8-b8b8-f30d74eb3fb3"
    },
    "credentialSubject": {
      "givenName": "Jamie",
      "familyName": "Doe",
      "alumniOf": "Example University"
    },
    "proof": {
      "type": "Ed25519Signature2018",
      "created": "2020-05-02T12:06:29Z",
      "jws": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
      "proofPurpose": "assertionMethod",
      "verificationMethod": "did:web:organization.com"
    },
    "name": "Alumni Credential",
    "description": "This credential shows that the person has attended the mentioned university."
  },
  "format": "ldp_vc"
}
Retrieve issuer metadata
Retrieve OpenID4VCI issuer metadata
Returns OpenID4VCI issuer metadata. This is the standard OpenID4VCI Well Known endpoint for your tenant.
This endpoint is unprotected, public facing and can be deterministically found at the root of the tenant subdomain or alias by any party wishing to discover the OpenID4VCI capabilities.
/.well-known/openid-credential-issuer
curl -X GET "https://example.vii.au01.mattr.global/.well-known/openid-credential-issuer"
{
  "issuer": "http://example.com",
  "authorization_endpoint": "http://example.com",
  "token_endpoint": "http://example.com",
  "scopes_supported": [
    "ldp_vc:ExampleCredential"
  ],
  "response_types_supported": [
    "code"
  ],
  "response_modes_supported": [
    "query"
  ],
  "grant_types_supported": [
    "authorization_code"
  ],
  "code_challenge_methods_supported": [
    "S256"
  ],
  "credential_issuer": "http://example.com",
  "credential_endpoint": "http://example.com",
  "credentials_supported": [
    {
      "format": "string",
      "id": "string",
      "scope": "string",
      "@context": [
        "string"
      ],
      "type": [
        "string"
      ],
      "credentialSubject": {},
      "cryptographic_binding_methods_supported": "string",
      "cryptographic_suites_supported": "string"
    }
  ],
  "mdoc_iacas_uri": "http://example.com"
}