Optional components
These components extend the basic issuance workflow with additional capabilities. Add them only when your assurance or data requirements call for them.
Optional components
These components extend the basic issuance workflow with additional capabilities.
Authentication provider
An authentication provider is your existing OIDC-compliant identity provider (e.g., Auth0, Entra ID, Okta). It authenticates the holder during the Authorization Code flow.
Requirements:
- Must support OIDC Discovery (
.well-known/openid-configuration). - Must support the authorization code grant.
- Must support the
stateparameter. - One authentication provider per MATTR VII tenant.
How it fits in the workflow:
- Holder initiates credential claim.
- MATTR VII redirects to your identity provider.
- Holder authenticates and consents.
- ID token claims become available for credential mapping.
Ensure the claims your credential configuration needs are available from your identity provider.
Check the claims_supported and scopes_supported metadata at your provider's discovery endpoint.
See ensuring claim availability.
Claims source
A claims source is an external HTTPS endpoint that MATTR VII calls during issuance to fetch additional claim data. This is useful when credential data lives in systems separate from your identity provider.
Common use cases:
- Government databases (license records, registry data).
- HR systems (employee attributes, role assignments).
- CRM or customer databases (membership tiers, entitlements).
How it fits in the workflow:
- Holder authenticates (Authorization Code) or presents offer (Pre-authorized Code).
- MATTR VII calls your claims source endpoint with configured parameters.
- Your endpoint returns JSON claim data.
- Claims are mapped into the credential via the credential configuration.
Integration requirements:
- HTTPS endpoint reachable from MATTR VII (IPv4).
- Must respond within 3 seconds.
- Supports API key or OAuth client credentials for authorization.
- Must return claims as a flat or nested JSON object.
Interaction hooks
An interaction hook adds a custom step between authentication and credential issuance in the Authorization Code flow. This lets you inject additional verification, consent collection, or data gathering.
Common use cases:
- Biometric or liveness verification.
- Additional consent or terms acceptance.
- Document upload or manual review steps.
- Custom data collection forms.
How it fits in the workflow:
- Holder authenticates via the authentication provider.
- MATTR VII redirects to your interaction hook URL with a signed session token.
- Your component performs its logic (verification, consent, data collection).
- Your component redirects back to MATTR VII with a signed response JWT containing any claims.
- Returned claims become available for credential mapping.
Interaction hooks add latency and complexity. Use them only when the Authorization Code flow's built-in authentication is insufficient for your assurance requirements.
Next steps
Next, manage issuer keys and certificates so your credentials are signed with keys your organization controls.
How would you rate this page?
Last updated on