Learn how to manage the revocation status of issued credentials
Overview
In this tutorial we will explore the concept of credential revocation, a critical feature that allows issuers to invalidate previously issued credentials, ensuring the integrity and security of the system. The tutorial comprises the following steps:
- Issue a revocable credential.
- Obtain a credential revocation status.
- Revoke an issued credential.
- Attempt to verify a revoked credential.
Prerequisites
- Complete the sign up form to get trial access to MATTR VII and the MATTR Portal, and then Create a tenant.
- Install the MATTR GO Hold example app by following the getting started guide.
We recommend using the MATTR VII Postman collection in this tutorial. While this isn't an explicit prerequisite, it can really speed things up.
Tutorial steps
Issue a revocable credential
The first thing you need to do is sign a new credential in a way that will enable you to revoke it later. This will differ slightly based on your selected credential format.
- Follow the Authorization Code or Pre-authorized Code tutorials to issue a credential.
- By the end of the tutorial you should have an mDoc in your MATTR GO Hold example app.
- Make a request of the following structure to
create a
did:web
:
POST /v1/dids
{
"method": "web",
"options": {
"url": "https://learn.vii.au01.mattr.global"
}
}
url
: Replace with yourtenant_url
provided with your tenant details.
Response
{
"did": "did:web:learn.vii.au01.mattr.global"
// Rest of DID document
}
-
did
: We will use the value of this element to identify the credential's issuer in the next step.If your tenant has a Custom domain configured you will need to setup a redirect for this DID document.
- Make a request of the following structure to create and sign a new revocable CWT credential:
POST /v2/credentials/compact/sign
{
"payload": {
"iss": "did:web:learn.vii.au01.mattr.global",
"type": "Course Credential",
"name": "Emma Jane Tasma",
"code": "HS.278",
"certificationName": "Working at Heights",
"certificationLevel": "Level 4",
"issuerName": "Advanced Safety Training"
},
"revocable": true,
"isRevoked": false
}
iss
: Replace with thedid
element obtained in the previous step.revocable
: We set this totrue
so that this credential can be revoked later in the tutorial.isRevoked
: We set this tofalse
so that this credential is immediately valid upon issuance. Other use cases might require you to set this totrue
to issue a credential that is revoked by default until it is activated by unrevoking.
Response
{
"id": "bKcrxojFSuSZvI5qhKInxA",
"decoded": {
"iss": "did:web:learn.vii.au01.mattr.global",
"type": "Course Credential",
"name": "Emma Jane Tasma",
"code": "HS.278",
"certificationName": "Working at Heights",
"certificationLevel": "Level 4",
"issuerName": "Advanced Safety Training",
"status": {
"index": 3,
"url": "https://learn.vii.au01.mattr.global/v2/credentials/compact/revocation-lists/887cd140-e4d7-4518-b70f-305b23778848"
},
"jti": "bKcrxojFSuSZvI5qhKInxA"
},
"encoded": "CSC:/1/2KCE3IQEJB5DCMSMGZITM5QBE2QFSALWVQAXQI3ENFSDU53FMI5GYZLBOJXC45TJNEXGC5JQGEXG2YLUORZC4Z3MN5RGC3AFDJSZE7YQHIAACAACOFBW65LSONSSAQ3SMVSGK3TUNFQWYBA2NFLDPEDENZQW2ZLPIVWW2YJAJJQW4ZJAKRQXG3LBMRRW6ZDFMZEFGLRSG44HCY3FOJ2GSZTJMNQXI2LPNZHGC3LFOJLW64TLNFXGOIDBOQQEQZLJM5UHI43SMNSXE5DJMZUWGYLUNFXW4TDFOZSWYZ2MMV3GK3BAGRVGS43TOVSXETTBNVSXQGCBMR3GC3TDMVSCAU3BMZSXI6JAKRZGC2LONFXGOZTFPBYGS4TZNIZDAMRWFUYDCLJQGE5AAAIAACRAEAYDPB2WQ5DUOBZTULZPNRSWC4TOFZ3GS2JOMF2TAMJONVQXI5DSFZTWY33CMFWC6Y3POJSS65RSF5RXEZLEMVXHI2LBNRZS6Y3PNVYGCY3UF5ZGK5TPMNQXI2LPNYWWY2LTORZS6OBYG5RWIMJUGAWWKNDEG4WTINJRHAWWENZQMYWTGMBVMIZDGNZXHA4DIOAH3BAFA3FHFPDIRRKK4SM3ZDTKQSRCPRCYIA7RFUZYQI3RIGDHIGLAODJ6K2F245DTLIIKXAD35TORFQ7MVRJCIEPH6SC6NGA4HRMK76H5V6GXP66FFNX7MNYC6MYVU7ZLLXYVLXBU"
}
id
: Unique credential identifier. We will use it in the next step to obtain the credential's revocation status, and later to revoke the credential.status
: Credential revocation status details. We will use it in the next step to obtain the credential's revocation status.
- Make a request of the following structure to
create a
did:web
:
POST /v1/dids
{
"method": "web",
"options": {
"url": "https://learn.vii.au01.mattr.global"
}
}
url
: Replace with yourtenant_url
provided with your tenant details.
Response
{
"did": "did:web:learn.vii.au01.mattr.global"
// Rest of DID document
}
-
did
: We will use the value of this element to identify the credential's issuer in the next step.If your tenant has a Custom domain configured you will need to setup a redirect for this DID document.
- Make a request of the following structure to sign a new revocable Semantic CWT credential:
POST /v2/credentials/compact-semantic/sign
{
"payload": {
"iss": "did:web:learn.vii.au01.mattr.global",
"vc": {
"type": "Course Credential",
"credentialSubject": {
"name": "Emma Tasma",
"code": "HS.278",
"certificationName": "Working at Heights",
"certificationLevel": "Level 4",
"issuerName": "Advanced Safety Training"
}
}
},
"revocable": true,
"isRevoked": false
}
iss
: Replace with thedid
element obtained in the previous step.revocable
: We set this totrue
so that this credential can be revoked later in the tutorial.isRevoked
: We set this tofalse
so that this credential is immediately valid upon issuance. Other use cases might require you to set this totrue
to issue a credential that is revoked by default until it is activated by unrevoking.
Response
{
"id": "urn:uuid:78e19496-8521-424b-8315-35fb1ecaf681",
"decoded": {
"iss": "did:web:learn.vii.au01.mattr.global",
"vc": {
"type": ["VerifiableCredential", "Course Credential"],
"@context": ["https://www.w3.org/2018/credentials/v1"],
"credentialSubject": {
"name": "Emma Tasma",
"code": "HS.278",
"certificationName": "Working at Heights",
"certificationLevel": "Level 4",
"issuerName": "Advanced Safety Training"
}
},
"status": {
"index": 0,
"url": "https://learn.vii.au01.mattr.global/v2/credentials/compact-semantic/revocation-lists/1fe00d6c-904f-497e-bbe1-a3cfdc0b8368"
},
"jti": "urn:uuid:78e19496-8521-424b-8315-35fb1ecaf681"
},
"encoded": "CSS:/1/2KCE3IQEJB5DCMSMGZITM5QBE2QFSAOZUYAXQI3ENFSDU53FMI5GYZLBOJXC45TJNEXGC5JQGEXG2YLUORZC4Z3MN5RGC3AFDJSZE7YQMJ3GHI3IIBRW63TUMV4HJALYEZUHI5DQOM5C6L3XO53S45ZTFZXXEZZPGIYDCOBPMNZGKZDFNZ2GSYLMOMXXMMLEOR4XAZMCORLGK4TJMZUWCYTMMVBXEZLEMVXHI2LBNRYUG33VOJZWKICDOJSWIZLOORUWC3DRMNZGKZDFNZ2GSYLMKN2WE2TFMN2KMZDOMFWWK2SFNVWWCICUMFZW2YLEMNXWIZLGJBJS4MRXHBYWGZLSORUWM2LDMF2GS33OJZQW2ZLSK5XXE23JNZTSAYLUEBEGK2LHNB2HG4TDMVZHI2LGNFRWC5DJN5XEYZLWMVWGOTDFOZSWYIBUNJUXG43VMVZE4YLNMV4BQQLEOZQW4Y3FMQQFGYLGMV2HSICUOJQWS3TJNZTWMZLYOBUXE6LKGIYDENRNGAYS2MBRAQNGSVRXSA5AAAIAACRAEAADPB7GQ5DUOBZTULZPNRSWC4TOFZ3GS2JOMF2TAMJONVQXI5DSFZTWY33CMFWC6Y3POJSS65RSF5RXEZLEMVXHI2LBNRZS6Y3PNVYGCY3UFVZWK3LBNZ2GSYZPOJSXM33DMF2GS33OFVWGS43UOMXTCZTFGAYGINTDFU4TANDGFU2DSN3FFVRGEZJRFVQTGY3GMRRTAYRYGM3DQB6YIBIHRYMUS2CSCQSLQMKTL6Y6ZL3ICWCAUPGIGEOOWODF77V7ZJPVLGAQC2ZUP7MASXIRTIRRPOIIBKNHKZ4LHROPWBPBCYTKA3GXWIRD736HIJNQENTSFUYIPQ77BG4ZPCTXYIY"
}
id
: Unique credential identifier. We will use it in the next step to obtain the credential's revocation status, and later to revoke the credential.status
: Credential revocation status details. We will use it in the next step to obtain the credential's revocation status.
- Make a request of the following structure to
create a
did:web
:
POST /v1/dids
{
"method": "web",
"options": {
"url": "https://learn.vii.au01.mattr.global"
}
}
url
: Replace with yourtenant_url
provided with your tenant details.
Response
{
"did": "did:web:learn.vii.au01.mattr.global"
// Rest of DID document
}
-
did
: We will use the value of this element to identify the credential's issuer in the next step.If your tenant has a Custom domain configured you will need to setup a redirect for this DID document.
- Make a request of the following structure to sign a new revocable JSON credential:
POST /v2/credentials/web-semantic/sign
{
"payload": {
"name": "Course credential",
"description": "Diploma in Management",
"type": ["EducationalOccupationalCredential", "AlumniCredential"],
"credentialSubject": {
"id": "did:key:z6Mkr9f7o82NFLRFTTCWRR1GiZpca22Xf6YKo2zKThrZMA2w",
"givenName": "Emma",
"familyName": "Tasma",
"alumniOf": "Zealopia University"
},
"issuer": {
"id": "did:web:learn.vii.au01.mattr.global",
"name": "Zealopia Business Institute"
}
},
"revocable": true
}
issuer.id
: Replace with thedid
element obtained in the previous step.revocable
: We set this totrue
so that this credential can be revoked later in the tutorial.
Response
{
"id": "e57623d6-4b5d-4d35-b605-ee5d34915e7c",
"credential": {
// Credential claims
},
"credentialStatus": {
"id": "https://learn.vii.au01.mattr.global/v2/credentials/web-semantic/revocation-lists/b95acd20-8d52-4474-8f32-71fb8d7a50ed#0",
"type": "RevocationList2020Status",
"revocationListIndex": "0",
"revocationListCredential": "https://learn.vii.au01.mattr.global/v2/credentials/web-semantic/revocation-lists/b95acd20-8d52-4474-8f32-71fb8d7a50ed"
},
"issuanceDate": "2024-09-06T02:43:47.904Z"
}
id
: Unique credential identifier. We will use it in the next step to obtain the credential's revocation status, and later to revoke the credential.credentialStatus
: Credential revocation status details. We will use it in the next step to obtain the credential's revocation status.
Obtain a credential revocation status
Now that the credential is issued, different relying parties might be interested in discovering its revocation status. In other words, they want to know whether or not the credential has been revoked by the issuer. MATTR VII supports two ways of achieving this:
- Query a protected MATTR VII endpoint to get the revocation status.
- Query public MATTR VII endpoints to get the revocation status.
Again, this process looks slightly different for different credential formats.
Protected endpoint
Make a request of the following structure to retrieve the status of an mDoc:
GET /v2/credentials/mobile/{credentialId}/status
credentialId
: Replace with theid
of the mDoc you wish to check the status for.
You can retrieve the credentialId
by querying the
Retrieve all users credentials data
endpoint with the identifier of the user you issued the credential to, and retrieve the id
from
the response.
Response
{
"status": "valid"
}
status
: Indicates status for the mDoc. This it the expected value as we have only now issued this mDoc.
Public endpoint
MATTR VII enables relying parties to obtain the status of an mDoc in a privacy preserving manner, as the issuer has no way of knowing what specific mDoc's status the relying party is requesting.
This is achieved by retrieving a publicly available Status list token, and then looking up a specific mDoc's status using a reference index that is included in the mDoc itself. These Status lists are based on the IETF Token Status list draft.
Make a request to the status.status_list.uri
element from the response obtained when signing the
mDoc:
GET https://learn.vii.au01.mattr.global/v2/credentials/mobile/status-lists/f331c9be-f526-4577-bbac-ae93d6228f7a/token
The response will include an encoded Status list token which is a
CBOR Web Token. Relying parties can then decode the
list and use the mDoc's status.status_list.idx
element to locate and check the
status of this specific mDoc.
Validating the credential status
You will need two physical devices to perform this validation:
- One device with the MATTR GO Hold example app and an mDoc claimed earlier in this tutorial.
- One device with the MATTR GO Verify example app.
Perform the following steps to validate the mDoc status:
- Open the GO Hold example app.
- Select the Wallet tab.
- Locate the mDoc claimed earlier in this tutorial.
- Select the Share button. This should display a QR code on screen.
- Use the GO Verify example app on your second device to scan the displayed QR code.
- Use the GO Hold example app to confirm sharing the credential.
- The GO Verify example app should indicate succesful verification, indicating the mDoc is valid.
Not for long!!!
Protected endpoint
Make a request of the following structure to retrieve the revocation status of a CWT credential:
GET /v2/credentials/compact/{id}/revocation-status
id
: Replace with the unique identifier of the credential you wish to revoke. This would be theid
element of the credential you issued in the previous step. It will be available as part of any CWT credential issued by a MATTR VII tenant.
Response
{
"id": "bKcrxojFSuSZvI5qhKInxA",
"isRevoked": false
}
isRevoked
: Indicates revocation status for the credential. Since we issued the credential withisRevoked
set tofalse
, this it the expected value in the response.
Public endpoint
MATTR VII enables relying parties to obtain the revocation status of a credential in a privacy preserving manner, as the issuer has no way of knowing what specific credential's status the relying party is requesting.
This is achieved by retrieving a publicly available revocation status list, and then looking up a specific credential's status using a reference index that is included in the credential itself. These revocation lists are compliant with the W3C Revocation List specification.
Make a GET request to the status.url
element from the response obtained when signing the
credential
GET https://learn.vii.au01.mattr.global/v2/credentials/compact/revocation-lists/887cd140-e4d7-4518-b70f-305b23778848
The response will include an encoded revocation list, as per the
W3C Revocation List specification. Relying parties
can then decode the list and use the credential's decoded.status.index
element to locate and check
the status of this specific credential. Check out our
revocation check sample app
for a reference implementation.
Validating the credential status
Let's validate this status by trying to verify this credential.
Make a request of the following structure to verify a CWT credential:
POST /v2/credentials/compact/verify
{
"payload": "CSC:/1/2KCE3IQEJB5DCMSMGZITM5QBE2QFSALWVQAXQI3ENFSDU53FMI5GYZLBOJXC45TJNEXGC5JQGEXG2YLUORZC4Z3MN5RGC3AFDJSZE7YQHIAACAACOFBW65LSONSSAQ3SMVSGK3TUNFQWYBA2NFLDPEDENZQW2ZLPIVWW2YJAJJQW4ZJAKRQXG3LBMRRW6ZDFMZEFGLRSG44HCY3FOJ2GSZTJMNQXI2LPNZHGC3LFOJLW64TLNFXGOIDBOQQEQZLJM5UHI43SMNSXE5DJMZUWGYLUNFXW4TDFOZSWYZ2MMV3GK3BAGRVGS43TOVSXETTBNVSXQGCBMR3GC3TDMVSCAU3BMZSXI6JAKRZGC2LONFXGOZTFPBYGS4TZNIZDAMRWFUYDCLJQGE5AAAIAACRAEAYDPB2WQ5DUOBZTULZPNRSWC4TOFZ3GS2JOMF2TAMJONVQXI5DSFZTWY33CMFWC6Y3POJSS65RSF5RXEZLEMVXHI2LBNRZS6Y3PNVYGCY3UF5ZGK5TPMNQXI2LPNYWWY2LTORZS6OBYG5RWIMJUGAWWKNDEG4WTINJRHAWWENZQMYWTGMBVMIZDGNZXHA4DIOAH3BAFA3FHFPDIRRKK4SM3ZDTKQSRCPRCYIA7RFUZYQI3RIGDHIGLAODJ6K2F245DTLIIKXAD35TORFQ7MVRJCIEPH6SC6NGA4HRMK76H5V6GXP66FFNX7MNYC6MYVU7ZLLXYVLXBU",
"checkRevocation": true
}
payload
: Replace with theencoded
element from the response obtained when signing the credential.checkRevocation
: This is the property that makes this verification request check for the credential revocation status.
Response
{
"verified": true
// Rest of response
}
verified
: As expected, the credential was verified. Not for long!!!
Protected endpoint
Make a request of the following structure to retrieve the revocation status of a Semantic CWT credential:
GET /v2/credentials/compact-semantic/{id}/revocation-status
id
: Replace with the unique identifier of the credential you wish to revoke. This would be theid
element of the credential you issued in the previous step. It will be available as part of any Semantic CWT credential issued by a MATTR VII tenant.
Response
{
"id": "urn:uuid:78e19496-8521-424b-8315-35fb1ecaf681",
"isRevoked": false
}
isRevoked
: Indicates revocation status for the credential. Since we issued the credential withisRevoked
set tofalse
, this it the expected value in the response.
Public endpoint
MATTR VII enables relying parties to obtain the revocation status of a credential in a privacy preserving manner, as the issuer has no way of knowing what specific credential's status the relying party is requesting.
This is achieved by retrieving a publicly available revocation status list, and then looking up a specific credential's status using a reference index that is included in the credential itself. These revocation lists are compliant with the W3C Revocation List specification.
Make a GET request to the status.url
element from the response obtained when signing the
credential:
GET https://learn.vii.au01.mattr.global/v2/credentials/compact-semantic/revocation-lists/1fe00d6c-904f-497e-bbe1-a3cfdc0b8368
Response
The response includes an encoded revocation list, as per the
W3C Revocation List specification. Relying parties
can then decode the list and use the credential's decoded.status.index
element to locate and check
the status of this specific credential. Check out our
revocation check sample app
for a reference implementation.
Validating the credential status
Let's validate this status by trying to verify this credential.
Make a request of the following structure to verify a Semantic CWT credential:
POST /v2/credentials/compact-semantic/verify
{
"payload": "CSS:/1/2KCE3IQEJB5DCMSMGZITM5QBE2QFSAOZUYAXQI3ENFSDU53FMI5GYZLBOJXC45TJNEXGC5JQGEXG2YLUORZC4Z3MN5RGC3AFDJSZE7YQMJ3GHI3IIBRW63TUMV4HJALYEZUHI5DQOM5C6L3XO53S45ZTFZXXEZZPGIYDCOBPMNZGKZDFNZ2GSYLMOMXXMMLEOR4XAZMCORLGK4TJMZUWCYTMMVBXEZLEMVXHI2LBNRYUG33VOJZWKICDOJSWIZLOORUWC3DRMNZGKZDFNZ2GSYLMKN2WE2TFMN2KMZDOMFWWK2SFNVWWCICUMFZW2YLEMNXWIZLGJBJS4MRXHBYWGZLSORUWM2LDMF2GS33OJZQW2ZLSK5XXE23JNZTSAYLUEBEGK2LHNB2HG4TDMVZHI2LGNFRWC5DJN5XEYZLWMVWGOTDFOZSWYIBUNJUXG43VMVZE4YLNMV4BQQLEOZQW4Y3FMQQFGYLGMV2HSICUOJQWS3TJNZTWMZLYOBUXE6LKGIYDENRNGAYS2MBRAQNGSVRXSA5AAAIAACRAEAADPB7GQ5DUOBZTULZPNRSWC4TOFZ3GS2JOMF2TAMJONVQXI5DSFZTWY33CMFWC6Y3POJSS65RSF5RXEZLEMVXHI2LBNRZS6Y3PNVYGCY3UFVZWK3LBNZ2GSYZPOJSXM33DMF2GS33OFVWGS43UOMXTCZTFGAYGINTDFU4TANDGFU2DSN3FFVRGEZJRFVQTGY3GMRRTAYRYGM3DQB6YIBIHRYMUS2CSCQSLQMKTL6Y6ZL3ICWCAUPGIGEOOWODF77V7ZJPVLGAQC2ZUP7MASXIRTIRRPOIIBKNHKZ4LHROPWBPBCYTKA3GXWIRD736HIJNQENTSFUYIPQ77BG4ZPCTXYIY",
"checkRevocation": true
}
payload
: Replace with theencoded
element from the response obtained when signing the credential.checkRevocation
: This is the property that makes this verification request check for the credential revocation status.
Response
{
"verified": true
// Rest of response
}
verified
: As expected, the credential was verified. Not for long!!!
Protected endpoint
Make a request of the following structure to retrieve the revocation status of a JSON credential:
GET /v2/credentials/web-semantic/{id}/revocation-status
id
: Replace with the unique identifier of the credential you wish to revoke. This would be theid
element of the credential you issued in the previous step. It will be available as part of any JSON credential issued by a MATTR VII tenant and you can also obtain it by querying the Credential registry.
Response
{
"id": "e57623d6-4b5d-4d35-b605-ee5d34915e7c",
"isRevoked": false
}
isRevoked
: Indicates revocation status for the credential. Since we issued the credential withisRevoked
set tofalse
, this it the expected value in the response.
Public endpoint
MATTR VII enables relying parties to obtain the revocation status of a credential in a privacy preserving manner, as the issuer has no way of knowing what specific credential's status the relying party is requesting.
This is achieved by retrieving a publicly available revocation status list, and then looking up a specific credential's status using a reference index that is included in the credential itself. These revocation lists are compliant with the W3C Revocation List specification.
Make a GET request to the credentialStatus.revocationListCredential
element from the response
obtained when signing the credential
GET https://learn.vii.au01.mattr.global/v2/credentials/web-semantic/revocation-lists/b95acd20-8d52-4474-8f32-71fb8d7a50ed
Response
The response includes an encoded revocation list, as per the
W3C Revocation List specification. Relying parties
can then decode the list and use the credential's credentialStatus.revocationListIndex
element to
locate and check the status of this specific credential. Check out our
revocation check sample app
for a reference implementation.
Validating the credential status
Let's validate this status by trying to verify this credential.
Make a request of the following structure to verify a JSON credential:
POST /v2/credentials/web-semantic/verify
{
"payload": {
"type": [
"VerifiableCredential",
"EducationalOccupationalCredential",
"AlumniCredential"
]
//... rest of JSON credential
},
"checkRevocation": true
}
payload
: Replace with the contents of thecredential
object from the response obtained when signing the JSON credential. Make sure you only include the contents of thecredential
object and not the entire response.checkRevocation
: This is the property that makes this verification request check for the credential revocation status.
Response
{
"verified": true
}
verified
: As expected, the credential was verified. Not for long!!!
Revoking an issued credential
Next we will learn how to revoke issued credentials. The process is very similar for different credential formats but uses different MATTR VII endpoints
Make a request of the following structure to revoke an mDoc:
POST /v2/credentials/mobile/{credentialId}/status
credentialId
: Replace with theid
of the mDoc you wish to revoke.
{
"status": "suspended"
}
Response
{
"status": "suspended"
}
status
: This is now set tosuspended
, which means the mDoc should not be verified as valid.
Make a request of the following structure to revoke a CWT credential:
POST /v2/credentials/compact/{id}/revocation-status
id
: Replace with theid
of the credential obtained earlier in this tutorial.
{
"isRevoked": true
}
Response
{
"id": "bKcrxojFSuSZvI5qhKInxA",
"isRevoked": true
}
isRevoked
: This is now set totrue
, which means the credential will not be verified as valid.
Making a similar request with isRevoked
set to false
would unrevoke a
revoked credential.
Make a request of the following structure to revoke a Semantic CWT credential:
POST /v2/credentials/compact-semantic/{id}/revocation-status
id
: Replace with theid
of the credential obtained earlier in this tutorial.
{
"isRevoked": true
}
Response
{
"id": "urn:uuid:78e19496-8521-424b-8315-35fb1ecaf681",
"isRevoked": true
}
isRevoked
: This is now set totrue
, which means the credential will not be verified as valid.
Making a similar request with isRevoked
set to false
would unrevoke a
revoked credential.
Make a request of the following structure to revoke a JSON Credential:
POST /v2/credentials/web-semantic/{id}/revocation-status
id
: Replace with theid
of the credential you wish to revoke.
{
"isRevoked": true
}
Response
An empty response with a 200 code indicates a successful change of revocation status.
Making a similar request with isRevoked
set to false
would unrevoke a
revoked credential.
Attempting to verify a revoked credential
The last step will be attempting to verify the revoked credential. This step is also similar across different credential formats, using different endpoints.
You will need two physical devices to perform this validation:
- One device with the MATTR GO Hold example app and an mDoc claimed earlier in this tutorial.
- One deivce with the MATTR GO Verify example app.
Perform the following steps to validate the mDoc status:
- Open the GO Hold example app.
- Select the Wallet tab.
- Locate the mDoc claimed earlier in this tutorial.
- Select the Share button. This should display a QR code on screen.
- Use the GO Verify example app on your second device to scan the displayed QR code.
- Use the GO Hold example app to confirm sharing the credential.
- The GO Verify example app should fail the verification, indicating the credential was revoked by the issuer.
Make a request of the following structure to verify a CWT credential:
POST /v2/credentials/compact/verify
{
"payload": "CSC:/1/2KCE3IQEJB5DCMSMGZITM5QBE2QFSALWVQAXQI3ENFSDU53FMI5GYZLBOJXC45TJNEXGC5JQGEXG2YLUORZC4Z3MN5RGC3AFDJSZE7YQHIAACAACOFBW65LSONSSAQ3SMVSGK3TUNFQWYBA2NFLDPEDENZQW2ZLPIVWW2YJAJJQW4ZJAKRQXG3LBMRRW6ZDFMZEFGLRSG44HCY3FOJ2GSZTJMNQXI2LPNZHGC3LFOJLW64TLNFXGOIDBOQQEQZLJM5UHI43SMNSXE5DJMZUWGYLUNFXW4TDFOZSWYZ2MMV3GK3BAGRVGS43TOVSXETTBNVSXQGCBMR3GC3TDMVSCAU3BMZSXI6JAKRZGC2LONFXGOZTFPBYGS4TZNIZDAMRWFUYDCLJQGE5AAAIAACRAEAYDPB2WQ5DUOBZTULZPNRSWC4TOFZ3GS2JOMF2TAMJONVQXI5DSFZTWY33CMFWC6Y3POJSS65RSF5RXEZLEMVXHI2LBNRZS6Y3PNVYGCY3UF5ZGK5TPMNQXI2LPNYWWY2LTORZS6OBYG5RWIMJUGAWWKNDEG4WTINJRHAWWENZQMYWTGMBVMIZDGNZXHA4DIOAH3BAFA3FHFPDIRRKK4SM3ZDTKQSRCPRCYIA7RFUZYQI3RIGDHIGLAODJ6K2F245DTLIIKXAD35TORFQ7MVRJCIEPH6SC6NGA4HRMK76H5V6GXP66FFNX7MNYC6MYVU7ZLLXYVLXBU",
"checkRevocation": true
}
payload
: Replace with theencoded
element from the response obtained when signing the credential.checkRevocation
: This is the property that makes this verification request check for the credential revocation status.
Response
{
"verified": false,
"reason": {
"type": "Revoked",
"message": "Credential has been revoked"
}
// Rest of response
}
verified
: As expected, the credential had failed verification.reason
: Details that the credential had failed verification since it has been revoked.
Revocation lists are cached for a certain amount of time, so you might need to wait a few minutes before verification would actually fail.
Make a request of the following structure to verify a Semantic CWT credential:
POST /v2/credentials/compact-semantic/verify
{
"payload": "CSS:/1/2KCE3IQEJB5DCMSMGZITM5QBE2QFSAOZUYAXQI3ENFSDU53FMI5GYZLBOJXC45TJNEXGC5JQGEXG2YLUORZC4Z3MN5RGC3AFDJSZE7YQMJ3GHI3IIBRW63TUMV4HJALYEZUHI5DQOM5C6L3XO53S45ZTFZXXEZZPGIYDCOBPMNZGKZDFNZ2GSYLMOMXXMMLEOR4XAZMCORLGK4TJMZUWCYTMMVBXEZLEMVXHI2LBNRYUG33VOJZWKICDOJSWIZLOORUWC3DRMNZGKZDFNZ2GSYLMKN2WE2TFMN2KMZDOMFWWK2SFNVWWCICUMFZW2YLEMNXWIZLGJBJS4MRXHBYWGZLSORUWM2LDMF2GS33OJZQW2ZLSK5XXE23JNZTSAYLUEBEGK2LHNB2HG4TDMVZHI2LGNFRWC5DJN5XEYZLWMVWGOTDFOZSWYIBUNJUXG43VMVZE4YLNMV4BQQLEOZQW4Y3FMQQFGYLGMV2HSICUOJQWS3TJNZTWMZLYOBUXE6LKGIYDENRNGAYS2MBRAQNGSVRXSA5AAAIAACRAEAADPB7GQ5DUOBZTULZPNRSWC4TOFZ3GS2JOMF2TAMJONVQXI5DSFZTWY33CMFWC6Y3POJSS65RSF5RXEZLEMVXHI2LBNRZS6Y3PNVYGCY3UFVZWK3LBNZ2GSYZPOJSXM33DMF2GS33OFVWGS43UOMXTCZTFGAYGINTDFU4TANDGFU2DSN3FFVRGEZJRFVQTGY3GMRRTAYRYGM3DQB6YIBIHRYMUS2CSCQSLQMKTL6Y6ZL3ICWCAUPGIGEOOWODF77V7ZJPVLGAQC2ZUP7MASXIRTIRRPOIIBKNHKZ4LHROPWBPBCYTKA3GXWIRD736HIJNQENTSFUYIPQ77BG4ZPCTXYIY",
"checkRevocation": true
}
payload
: Replace with theencoded
element from the response obtained when signing the credential.checkRevocation
: This is the property that makes this verification request check for the credential revocation status.
Response
{
"verified": false,
"reason": {
"type": "Revoked",
"message": "Credential has been revoked"
}
// Rest of response
}
verified
: As expected, the credential had failed verification.reason
: Details that the credential had failed verification since it has been revoked.
Revocation lists are cached for a certain amount of time, so you might need to wait a few minutes before verification would actually fail.
Make a request of the following structure to verify a JSON credential:
POST /v2/credentials/web-semantic/verify
{
"payload": {
"type": [
"VerifiableCredential",
"EducationalOccupationalCredential",
"AlumniCredential"
]
//... rest of JSON Credential
},
"checkRevocation": true
}
payload
: Replace with the contents of thecredential
object from the response obtained when signing the JSON credential. Make sure you only include the contents of thecredential
object and not the entire response.checkRevocation
: This is the property that makes this verification request check for the credential revocation status.
Response
{
"verified": false,
"reason": {
"type": "CredentialRevoked",
"message": "Credential has been revoked"
}
}
verified
: As expected, the credential had failed verification.reason
: Details that the credential had failed verification since it has been revoked.
Revocation lists are cached for a certain amount of time, so you might need to wait a few minutes before verification would actually fail.
Summary
In this tutorial you learned how to manage credential revocation, including:
- How to issue a revocable credential.
- How to check the revocation status of a credential as an Issuer and as a relying party.
- How to revoke a credential.
You can now integrate these capabilities into your solution to support this important feature.
How would you rate this page?