Create a Credential configuration

Introduction

In an OpenID4VCI issuance workflow, Credential offers are created based on Credential configurations. These are templates that define rules and parameters that control the structure and content of the credentials being issued.

The purpose of this tutorial is to demonstrate how to create a Credential configuration using the MATTR Portal or via API calls.

Prerequisites

Ensure you have completed either the Authorization Code or Pre-authorized Code tutorials, as the claims source tutorial builds upon them.
Review the Credential configuration overview page for a detailed explanation of the key concepts and considerations involved in creating a credential configuration.

We recommend using the MATTR VII Postman collection in this tutorial. While this isn't an explicit prerequisite it can really speed things up.

Guide overview

When planning any credential configuration, an issuer should take the following factors into account:

Credential type: Used to uniquely identify credentials issued via this configuration.
Credential content: Decide what information will be included in the credential, and how it will be structured.
Credential validity: Set the appropriate validity period to reflect how long the credential should be considered accurate and trustworthy.
Revocation support: Determine whether the credential needs to support revocation status updates.
Branding configuration: Specify how the credential should appear in a digital wallet. While display conventions are not yet standardized, this tutorial uses MATTR’s proprietary format to support branding, clarity, and holder trust.

This tutorial will walk you through each of these steps and explain the different considerations, options, and best practices to help you create a well-formed credential configuration.

Credential type

The credential type is used to differentiate between different types of credentials. It is a unique identifier that specifies the purpose and structure of the credential being issued.

It is set using the type property when creating a credential configuration:

Setting Credential Type

{
    "type": "org.iso.18013.5.1.mDL"

    // Rest of the credential configuration
}

Refer to the Credential configuration overview for considerations and best practices on defining credential types.

Credential content

The credential content defines the specific information that will be included in the credential. This can include various claims about the holder, such as their name, email address, and any other relevant data.

The content is set using the claimMappings object, as shown in the following example:

Setting Credential Content

{
    "claimMappings": {
        "com.example.personaldetails.1": {
            "name": {
                "mapFrom": "claims.name",
                "type": "string",
                "required": true
            },
            "email": {
                "mapFrom": "claims.email",
                "type": "string",
                "defaultValue": "Not provided"
            }
        }
    },

    "claimSourceId": "78e1b90c-401d-45bb-89c0-938da4d44c60"

    // Rest of the credential configuration
}

This example maps claims into a single namespace (com.example.personaldetails.1) and defines two claims within it:

name : This claim is mapped from the claims.name property in the claim source. It is of type string and is marked as required, meaning that the issuance process will fail if this claim is not provided.
email : This claim is also mapped from the claims.email property in the claim source. It is of type string but is not marked as required. If the claim is not provided, it will default to the value "Not provided".

The claimSourceId property specifies the claims source from which claims are dynamically retrieved as part of the issuance flow.

Refer to the Credential configuration overview for considerations and best practices on defining and mapping credential content.

Credential validity

Credential validity defines the period during which the credential is considered valid and can be used for its intended purpose. This is set using a combination of three properties in the credential configuration. Examples include:

{
    "expiresIn": {
        "days": 30
    }

    // Rest of the credential configuration
}

In this example we are setting the credential to expire 30 days after issuance.

{
    "validFrom": {
        "defaultValue": "2023-01-01T00:00:00Z"
    },
    "validUntil": {
        "defaultValue": "2023-02-01T23:59:59Z"
    }

    // Rest of the credential configuration
}

Note that in this example expiresIn must also be set, as it is a required property. Its value will be ignored as both validFrom and validUntil are provided.

Refer to the Credential configuration overview for considerations and best practices on defining and mapping credential validity.

Revocation support

MATTR VII allows you to update the status of issued credentials, enabling you to revoke or suspend credentials when necessary. Verifiers can check the status of a presented credential without compromising the holder’s privacy.

Support for credential revocation is configured as part of the credential configuration, using the includeStatus boolean:

Revocation Configuration

{
    "includeStatus": true

    // Rest of credential configuration
}

includeStatus : When set to true, issued credentials are revocable. They'll include a status object, which refers a Status list where the credential status is indicated.

Credential branding

Credential configurations can include information regarding how to brand them when they are displayed in a digital wallet. This is useful for enhancing the user experience and ensuring that the credential is easily recognizable.

While display conventions are not yet standardized, this tutorial uses MATTR’s proprietary format to support branding, clarity, and holder trust.

Branding is controlled via the following properties of the branding object:

Branding Configuration

{
    "branding": {
        "name": "Course credential",
        "description": "Diploma in Management",
        "backgroundColor": "#860012",
        "watermarkImage": "https://example-path-to-image-data.com",
        "issuerLogo": "data:image/png;base64,anything",
        "issuerIcon": "data:image/svg+xml;base64,anything"
    }

    // Rest of credential configuration
}

Credential branding explainer

name : Displayed on the top part of the credential.
description : Displayed below the name field.
backgroundColor : Applied as the credential background color.
watermarkImage : Displayed as a pattern on top of the credential.
issuerLogo : Displayed on the bottom part of the credential.
issuerIcon : Displayed next to the issuer’s name.

Refer to the API Reference for requirements and best practices for each of these elements.

Putting it all together

Step 1: Create a Credential configuration

In the navigation panel on the left-hand side, expand the Credential Issuance menu.
Select Mobile credential.
Select the Create new button.
In the Name text box, enter a clear and descriptive title that will appear on the credential in the wallet, for example "My Credential Configuration Tutorial Credential".
In the Description text box, enter a clear and descriptive description that will appear on the credential in the wallet, for example "Credential Configuration Best Practices".
In the Credential type text box, enter a unique identifier for the credential type, for example com.example.credentialconfiguration.2.

Copy and paste the following JSON into the Claim mappings text box:

Claim mappings

 {
     "com.example.personaldetails.1": {
         "name": {
             "mapFrom": "claims.name",
             "type": "string",
             "required": true
         },
         "email": {
             "mapFrom": "claims.email",
             "type": "string",
             "required": true
         },
         "age": {
             "mapFrom": "claims.age",
             "type": "number"
         }
     }
 }

Enter "1" in the Months text box in the Validity for panel to set the credential expiration period.
Select the Create button to create the credential configuration.

Step 2: Create a Credential offer

In the navigation panel on the left-hand side, expand the Credential Issuance menu.
Select Credential offer.
Select the Select button.
Check the checkbox next to the credential configuration you created in the previous step.
Select the Apply button.
Select the Generate button.
Download the displayed QR code and save it on your computer.

Step 1: Create a Credential configuration

Make the following request to create an mDoc credentials configuration:

Request

POST /v2/credentials/mobile/configurations

Request body

{
    "type": "com.example.credentialconfiguration.2",
    "expiresIn": {
        "months": 1
    },
    "claimMappings": {
        "com.example.personaldetails.1": {
            "name": {
                "mapFrom": "claims.name",
                "type": "string",
                "required": true
            },
            "email": {
                "mapFrom": "claims.email",
                "type": "string",
                "required": true
            },
            "age": {
                "mapFrom": "claims.age",
                "type": "number"
            }
        }
    },
    "branding": {
        "name": "My Credential Configuration Tutorial Credential",
        "description": "Credential Configuration Best Practices",
        "backgroundColor": "#d82db3ff"
    },
    "claimSourceId": "<CLAIM_SOURCE_ID>",
    "includeStatus": true
}

claimSourceId : If you completed the Claim source tutorial, you can replace this with the ID of the claim source you created. Otherwise, omit this line from the request body.

Response

Response body

{
    "id": "294868aa-3814-4a50-9862-5ff48381a8e5"
    //... rest of your credential configuration
}

id : Unique identifier for the created mDocs credentials configuration. This ID is used to create a Credential offer in the next step.

Step 2: Create a Credential offer

You can now generate a Credential offer and share it with the intended holder.

Make sure you create a credential offer that matches the flow you are implementing.

Make the following request to generate a new Credential offer:

Request

POST /v1/openid/offers

Request body

{
    "credentials": ["<CREDENTIAL_CONFIGURATION_ID>"]
}

credentials: Replace this with the id value returned in the response when you created the mDocs credentials configuration in the previous step.

Response

The response will include a uri element which can be used by a digital wallet to trigger the OID4VCI workflow. Use one of the following tools to convert the uri value to a QR code (make sure you use the Plain text option where available):

MATTR is not affiliated with any of these service providers and cannot vouch for their offerings.

Save the generated QR code on your computer.

Make the following request to generate a new Pre-authorized Code flow Credential offer:

Request

POST /v1/openid/offers/pre-authorized

Request body

{
    "credentials": ["707e920a-f342-443b-ae24-6946b7b5033e"], 
    "transactionCodeConfiguration": {
        "inputMode": "numeric",
        "description": "Please enter the one-time code that was sent to you via email."
    },
    "claims": {
        "name": "John Doe", 
        "email": "<YOUR_USER_EMAIL>"
    },
    "expiresIn": {
        "minutes": 10
    }
}

credentials : Populate the array with the id element returned in the response when you created an mDocs credentials configuration in the previous step.
name : You can use any value here. It will be mapped to the name claim in the issued credential.
email : You can use any value here. It will be mapped to the email claim in the issued credential.

In this example we are manually inserting the email and age claims into the credential offer request. In a real-world scenario, you would want to dynamically populate this value based on the authenticated user.

Response

Response body

{
    "id": "e6e5e43c-8053-464a-aca4-ca43da765c97",
    "uri": "openid-credential-offer://?credential_offer=%7B%22credential_issuer%22%3A%22https%3A%2F%2Flearn.vii.au01.mattr.global%22%2C%22credentials%22%3A%5B%22b7b380be-1467-446b-8683-1d131e6532be%22%5D%2C%22grants%22%3A%7B%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%229K3N9UPQD-Hs5f5-gPx0fRJEmb1XTZsWszzXL024pV0%22%2C%22tx_code%22%3A%7B%22length%22%3A6%2C%22input_mode%22%3A%22numeric%22%2C%22description%22%3A%22Please%20enter%20the%20one-time%20code%20that%20was%20sent%20to%20you%20via%20email.%22%7D%7D%7D%7D",  
    "userId": "6e30dd69-c867-4279-afd3-e6619253b4a4",
    "expiresAt": "2025-08-25T01:39:00.523Z",
    "transactionCode": "763677"
}

You will need to obtain two important elements from the response:

transactionCode : This is the one-time code that the user will need to provide in order to claim the credential. In production deployments you will need to provide it to the user through a different channel (e.g., email, SMS, printed on paper).
uri : This URI can be used by a digital wallet to trigger the OID4VCI workflow. Use one of the following tools to convert the uri value to a QR code (make sure you use the Plain text option where available) and save the generated QR code as an image file.

MATTR is not affiliated with any of these service providers and cannot vouch for their offerings.

Test the workflow

Open the GO hold example app.
Select Scan.
Scan the QR code generated in the previous step.
Review the credential offer and select Accept.
Follow the issuance workflow instructions to claim the credential.
- If you are testing an Authorization Code flow, you will be redirected to the configured authentication provider to authenticate. After a successful authentication you will be redirected back to the GO hold app to continue the issuance workflow.
- If you are testing a Pre-authorized Code flow, you will also be prompted to enter the transactionCode value returned in the response when you created the credential offer.

You should now have a new credential your MATTR GO Hold app.

If you are using a claim source as part of your credential configuration, ensure that it is correctly set up and accessible. Issuance may fail if the claims source is not reachable or does not return the expected claims.

What's next?

Check out more resources on MATTR Learn that will enable you to:

Configure a Claims source to retrieve data from compatible data sources and use it in the issued credential.
Configure an Interaction hook to redirect the user to custom components as part of the issuance workflow.

Create a Credential configuration

On this page