Learn how to integrate a claims source into an OID4VCI workflow

Introduction

In an OpenID4VCI issuance workflow, you can enhance the credential issuance process by configuring your tenant to fetch claims directly from a compatible Claims source. These claims can then be used to issue verifiable credentials tailored to the user's data.

Claim sources can be integrated both to OID4VCI Authorization Code and Pre-authorized Code flows.

This tutorial focuses on guiding you through the process of setting up an OID4VCI workflow that integrates a claims source to retrieve and utilize claims during credential issuance—showing you how to achieve this using both the MATTR Portal and the MATTR VII Platform APIs.

Prerequisites

Ensure you have completed either the Authorization Code or Pre-authorized Code tutorials, as the claims source tutorial builds upon them.
Download the sample Claims source application, which will be used to simulate a claims source.
To test locally you will need to expose your local claims source to the internet. You can do this by setting up a free ngrok account, using a Cloudflare tunnel or using your own solution. For this tutorial we will be using ngrok. Sign up for a free account at ngrok.com.

We recommend using the MATTR VII Postman collection in this tutorial. While this isn't an explicit prerequisite it can really speed things up.

Tutorial overview

The current tutorial builds upon the Authorization Code or Pre-authorized Code tutorials by adding the following steps:

Set up a local Claims source: Use the provided sample Node.js application to simulate a claims source by providing a REST API to retrieve claims for specific users.
Integrate the Claims source with MATTR VII: Configure MATTR VII to connect to and utilize the sample Claims source for retrieving claims during an OID4VCI workflow.

Tutorial steps

Set up a local Claims source

Clone the MATTR Sample Apps repo to your machine and navigate to the claims-source-app folder.
Rename the env-example file to .env.
Change the value of NGROK_AUTHTOKEN to your ngrok authentication token.
Open the database.json file and add a new object to represent a user with claims:
- Set any number as the user's age.
- Set the email value based on the type of flow you are implementing:
  - If you are building on top of the Authorization Code flow tutorial, use the email address that matches the email of the user you created in your Auth0 application.
  - If you are building on top of the Pre-authorized Code flow tutorial, you can use any email address, but make note of it as you will need it later when you create the credential offer.
Start the claims source app either via npm or docker:
Start via npm
```
npm install
npm run start
```
or
Start via docker
```
docker compose up --build
```
Make note of the Public Claims Source URL displayed in the terminal after starting the app. This URL will be used to configure the Claims source in your MATTR VII tenant.

Your claim source is now set up and ready to be used, as the provided application meets the requirements for integrating a Claim source into a MATTR VII OID4VCI workflow.

Next, we will configure MATTR VII to connect to this claims source.

Configure the Claims source in your MATTR VII tenant

This step can be achieved either via the MATTR Portal or the MATTR VII Platform APIs.

In the navigation panel on the left-hand side, expand the Credential Issuance menu.
Select Claims sources.
Click the Create new button.
Insert a meaningful name for your Claims source in the Name field.
In the URL field, paste the Public Claims Source URL generated when you started the claims source application.
In the Authorization type section, select API Key as the type.
In the API Key field, paste supersecretapikey. This is the API key used by the sample claims source application to control access. In Production environments, it is strongly recommended to use a more secure API key.
Paste the following code into the Request parameters field:
Request parameters
```
{
    "email": {
        "mapFrom": "claims.email"
    }
}
```
This maps the user's email claim to a request parameter that will be sent to the claims source to retrieve user-specific information.
- In Authorization code flows it is provided by the Authentication provider.
- In Pre-authorized code flows it is provided by the issuer as part of the credential offer.
Select Save to create the Claims source.

Make a request of the following structure to configure a new claims source:

Request

POST /v1/claim-sources

Request body

{
    "name": "My tutorial Claims source",
    "url": "<CLAIM_SOURCE_URL>", 
    "authorization": { 
        "type": "api-key", 
        "value": "supersecretapikey"
    },
    "requestMethod": "GET",
    "requestParameters": { 
        "email": { 
            "mapFrom": "claims.email"
        } 
    }
}

url : Replace this with the Public Claims Source URL URL generated when you started the claims source application. The URL should follow this format: https://<YOUR_NGROK_SUBDOMAIN>/claims.
authorization : Specifies how to access the claims source. The sample claims source application uses an API key (supersecretapikey) for access control. For production environments, it is strongly recommended to use a more secure API key.
requestParameters : Maps the user's email claim to a request parameter. This parameter is sent to the claims source to retrieve user-specific information.
- In Authorization code flows it is provided by the Authentication provider.
- In Pre-authorized code flows it is provided by the issuer as part of the credential offer.

Response

Response body

{
    "id": "945214ad-3635-4aff-b51d-61d69a3c8eee"
    // Remaining response properties
}

id : Unique identifier for the configured Claims source. We will use it in the next step to integrate the Claims source into the OID4VCI workflow.

Use the Claim source in a credential configuration

This step can be achieved either via the MATTR Portal or the MATTR VII Platform APIs.

In the navigation panel on the left-hand side, expand the Credential Issuance menu.
Select Mobile credential.
Select the Create new button.
In the Name text box, enter a clear and descriptive title that will appear on the credential in the wallet, for example "Enriched Credential".
In the Description text box, enter a clear and descriptive description that will appear on the credential in the wallet, for example "Credential with integrated claims source".
In the Credential type text box, enter a unique identifier for the credential type, for example com.example.credentialwithclaims.

Paste the following JSON into the Claim mappings text box:

Claim mappings

{
    "com.example.personaldetails.1": {
        "name": {
            "mapFrom": "claims.name",
            "type": "string"
        },
        "email": {
            "mapFrom": "claims.email",
            "type": "string"
        },
        "age": {
            "mapFrom": "claims.age",
            "type": "number"
        }
    }
}

The age claim will be retrieved from the Claims source configured in the next step, while the name and email claims will be retrieved from the authentication provider (e.g., Auth0) during the OID4VCI workflow.

Use the Claim source dropdown to select the Claims source you created in the previous step. This will allow the credential to retrieve claims from the configured Claims source during issuance.
Enter "1" in the Months text box in the Validity for panel to set the credential expiration period.
Select the Create button to create the credential configuration.

Make the following request to create a simple mDoc credentials configuration that includes the holder's name and e-mail, but also their age from your configured Claims source:

Request

POST /v2/credentials/mobile/configurations

Request body

{
    "type": "com.example.credentialwithclaims",
    "expiresIn": {
        "months": 1
    },
    "claimMappings": {
        "com.example.personaldetails.1": {
            "name": {
                "mapFrom": "claims.name",
                "type": "string"
            },
            "email": {
                "mapFrom": "claims.email",
                "type": "string"
            },
            "age": { 
                "mapFrom": "claims.age", 
                "type": "number"
            }
        }
    },
    "branding": {
        "name": "My Credential with Claims",
        "description": "For rich credential issuance experience",
        "backgroundColor": "#a22dd8ff"
    },
    "claimSourceId": "<CLAIM_SOURCE_ID>", 
    "includeStatus": true
}

age : This claim represents the user's age. It is retrieved from the Claims source and stored in the users claims object as a new age property. During credential issuance claims.age will be mapped to the age claim in the credential.
claimSourceId : Replace this with the id value returned in the response when you configured the Claims source in the previous step.

Response

Response body

{
    "id": "294868aa-3814-4a50-9862-5ff48381a8e5"
    //... rest of your credential configuration
}

id : Unique identifier for the created mDocs credentials configuration. This ID is used to create a Credential offer in the next step.

Create a Credential offer

You now have all the pieces in place and can wrap them all together to generate a Credential offer and share it with the intended holder.

Make sure you create a credential offer that matches the flow you are implementing.

This offer can be created either via the MATTR Portal or the MATTR VII Platform APIs.

In the navigation panel on the left-hand side, expand the Credential Issuance menu.
Select Credential offer.
Select the Select button.
Check the checkbox next to the credential configuration you created in the previous step.
Select the Apply button.
Select the Generate button.
Download the generated QR code by selecting the Download button.

Make the following request to generate a new Credential offer:

Request

POST /v1/openid/offers

Request body

{
    "credentials": ["<CREDENTIAL_CONFIGURATION_ID>"]
}

credentials: Replace this with the id value returned in the response when you created the mDocs credentials configuration in the previous step.

Response

The response will include a uri element which can be used by a digital wallet to trigger the OID4VCI workflow. Use one of the following tools to convert the uri value to a QR code (make sure you use the Plain text option where available):

MATTR is not affiliated with any of these service providers and cannot vouch for their offerings.

Save the generated QR code on your computer.

Make the following request to generate a new Pre-authorized Code flow Credential offer:

Request

POST /v1/openid/offers/pre-authorized

Request body

{
    "credentials": ["707e920a-f342-443b-ae24-6946b7b5033e"], 
    "transactionCodeConfiguration": {
        "inputMode": "numeric",
        "description": "Please enter the one-time code that was sent to you via email."
    },
    "claims": {
        "name": "John Doe",
        "email": "<YOUR_USER_EMAIL>"
    },
    "expiresIn": {
        "minutes": 10
    }
}

credentials : Populate the array with the id element returned in the response when you created an mDocs credentials configuration in the previous step.
email : Replace <YOUR_USER_EMAIL> with the email address you used when you set up your local claims source.

In this example we are manually inserting the email into the credential offer request. In a real-world scenario, you would want to dynamically populate this value based on the authenticated user.

Response

Response body

{
    "id": "e6e5e43c-8053-464a-aca4-ca43da765c97",
    "uri": "openid-credential-offer://?credential_offer=%7B%22credential_issuer%22%3A%22https%3A%2F%2Flearn.vii.au01.mattr.global%22%2C%22credentials%22%3A%5B%22b7b380be-1467-446b-8683-1d131e6532be%22%5D%2C%22grants%22%3A%7B%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%229K3N9UPQD-Hs5f5-gPx0fRJEmb1XTZsWszzXL024pV0%22%2C%22tx_code%22%3A%7B%22length%22%3A6%2C%22input_mode%22%3A%22numeric%22%2C%22description%22%3A%22Please%20enter%20the%20one-time%20code%20that%20was%20sent%20to%20you%20via%20email.%22%7D%7D%7D%7D", 
    "userId": "6e30dd69-c867-4279-afd3-e6619253b4a4",
    "expiresAt": "2025-08-25T01:39:00.523Z",
    "transactionCode": "763677"
}

You will need to obtain two important elements from the response:

transactionCode : This is the one-time code that the user will need to provide in order to claim the credential. In production deployments you will need to provide it to the user through a different channel (e.g., email, SMS, printed on paper).
uri : This URI can be used by a digital wallet to trigger the OID4VCI workflow. Use one of the following tools to convert the uri value to a QR code (make sure you use the Plain text option where available) and save the generated QR code as an image file.

MATTR is not affiliated with any of these service providers and cannot vouch for their offerings.

Test the workflow

Open the GO hold example app.
Select Scan.
Scan the QR code generated in the previous step.
Review the credential offer and select Accept.
Follow the issuance workflow instructions to claim the credential.

You should now see a credential in your wallet that includes the age claim, which was retrieved from your configured Claims source. MATTR VII obtains this claim by querying the Claims source using the user's email—either supplied by the authentication provider (Authorization Code flow) or specified in the credential offer (Pre-authorized Code flow).

What's next?

Check out more resources on MATTR Learn that will enable you to:

Configure an Interaction hook to redirect the user to custom components as part of the issuance workflow (only supported for the Authorization Code flow).
Apply branding to issued credentials as part of creating a Credential configuration.

Learn how to integrate a claims source into an OID4VCI workflow

On this page