Choose your issuance workflow
The first decision when building an issuance solution is which OID4VCI workflow to use. MATTR VII supports two, and your choice depends on how much control you need over user authentication during the claiming process.
Choose your issuance workflow
MATTR VII supports two OID4VCI workflows. Your choice depends on how much control you need over user authentication during the claiming process.
Pre-authorized Code flow
Best for: issuing to known users, silent issuance within existing app sessions, high-assurance credentials where identity has already been verified out-of-band.
The issuer authenticates the user externally, prepares the credential data, and creates a single-use offer. The wallet claims the credential without an additional authentication step.
- Offers are single-use, consumed after successful claim.
- Supports mDocs credential format.
- Optional transaction code adds two-factor security.
- Ideal for in-app issuance or silent credential updates.
Components involved:
| Component | Role |
|---|---|
| Credential offer | Contains pre-authorized code and claim data |
| Credential configuration | Defines credential structure and claim mappings |
| Claims source (optional) | Enriches credential with additional data |
See the Pre-authorized Code flow overview for the detailed workflow and configuration steps.
Authorization Code flow
Best for: public-facing credential offers, user self-service portals, scenarios requiring real-time identity verification.
The holder scans a QR code or clicks a link, authenticates through your identity provider, and the credential is issued upon successful authentication.
- Offers are reusable: Multiple users can claim from the same offer.
- Supports mDocs and CWT credential formats.
- Integrates with your existing OIDC identity provider.
- Supports optional interaction hooks for additional verification steps.
Components involved:
| Component | Role |
|---|---|
| Credential offer | Entry point that starts the flow |
| Authentication provider | Authenticates the holder via OIDC |
| Credential configuration | Defines credential structure and claim mappings |
| Claims source (optional) | Fetches additional data from external systems |
| Interaction hook (optional) | Adds custom steps between auth and issuance |
See the Authorization Code flow overview for the detailed workflow and configuration steps.
Next steps
Once you have chosen a workflow, define your credential structure.
How would you rate this page?
Last updated on