How to create a Credential configuration

As part of an OpenID4VCI issuance workflow you must create a Credential configuration. A Credential configuration is a specific set of rules and parameters that are used to create and validate a particular type of verifiable credential. These rules and parameters define how the credential is structured and what data it contains when issued.

The OpenID4VCI issuance workflow currently supports configuration of the following credentials formats:

CWT and Semantic CWT credentials
JSON credentials
mDocs

You can also create credential configurations via the MATTR Self Service Portal.

Create an mDocs credential configuration

Request

Make a request of the following structure to create a new mDocs credential configuration:

HTTP

POST /v2/credentials/mobile/configurations

Request body

JSON

{
  "type": "com.example.employeecredential.1",
  "expiresIn": {
    "months": 1
  },
  "claimMappings": {
    "com.example.personaldetails.1": {
      "first_name": {
        "mapFrom": "claims.given_name",
        "type": "string",
        "required": true
      },
      "last_name": {
        "mapFrom": "claims.last_Name",
        "type": "string",
        "required": true
      },
      "date_of_birth": {
        "mapFrom": "claims.birthDate",
        "type": "string",
        "required": true,
        "defaultValue": "Unknown"
      }
    }
  },
  "branding": {
    "name": "Course credential",
    "description": "Diploma in Management",
    "backgroundColor": "#860012",
    "watermarkImage": "https://example-path-to-image-data.com",
    "issuerLogo": "data:image/png;base64,anything", 
    "issuerIcon": "data:image/svg+xml;base64,anything"
  },
  "claimSourceId": "945214ad-3635-4aff-b51d-61d69a3c8eee",
  "includeStatus": false
}

type (required): Used to differentiate between different mDoc credential configurations on your tenant. Thus, its value must:
- Be unique across all JSON credentials configurations on your tenant.
- Not be VerifiableCredential.
- When set to org.iso.18013.5.*.mDL (where * is a positive integer), MATTR VII recognises that this is attempt to create an mDL credential configuration and will fail if the validity period is set to 447 days or more.
expiresIn (optional): Used to determine when will issued credentials expire. Can include any combination of years, months, weeks, days, hours, minutes and seconds. When type is set to org.iso.18013.5.*.mDL (where * is a positive integer), MATTR VII recognises that this is an mDL credential configuration and will fail if expiresIn is 447 days or more.
claimMappings : This is where you specify how to map claims (user attributes) into issued credentials. Each field in the object corresponds to a claim in the issued credential, and contains one or more of the following attributes:
- mapFrom : References the path in the user object where the claim is available.
  - When using a URL as a claims namespace identifier, use bracket notation to access the claim value (e.g. mapFrom: "claims['https://example.com/claim-name']”).
  - mapFrom is optional when defaultValue is provided, as the latter will be used for all issued credentials. This is referred to as a static claim.
- type : Claim data type. type is optional when defaultValue is provided. The following data types are supported:
  - boolean
  - number
  - string
  - binary: Mapped value must be in base64 string format.
  - date : Mapped value must be in YYYY-MM-DD format.
  - dateTime : Mapped value must be in YYYY-MM-DD HH:MM:SS format (ISO 8601 compliant).
  - array
  - object
  - org.iso.18013.5.1.driving_privileges : This type is unique for mDL credentials and details the holder’s driving privileges. Mapped value must be a compliant org.iso.18013.5.1.driving_privileges array, as per ISO/IEC 18013-5. The array can include the following optional items:
    - issue_date: When provided, must be in YYYY-MM-DD format.
    - expiry_date: When provided, must be in YYYY-MM-DD format.
    - vehicle_category_code (required): Must be a vehicle category code as per ISO/IEC 18013-1.
    - codes: When provided, must be an array of code information, and can include the following optional fields:
      - code (required): Must be a code as per ISO/IEC 18013-2 Annex A.
      - sign: When provided, must be a sign as per ISO/IEC 18013-2 Annex A.
      - value: When provided, must be a value as per ISO/IEC 18013-2 Annex A.
- required : Indicates whether the claim is required. When a required claim cannot be retrieved and no defaultValue is available, credential issuance will fail. Defaults to false.
- defaultValue : Used to populate the claim with a static value when mapping is unsuccessful. When defaultValue is provided, mapFrom is optional.
branding (optional): Used to apply branding to issued credentials:
- name : Insert a meaningful name for the credential. This string is displayed on the top part of the credential in the holder’s digital wallet (see image below).
- description : Insert a meaningful description for the credential. This string is displayed below the name field on the credential in the holder’s digital wallet (see image below).
- backgroundColor : Insert a colour hex code to use for the credential background color in the holder’s digital wallet (see image below).
- watermarkImage : Watermarks are displayed as a pattern on the credential in the holder’s digital wallet (see image below). You can provide either a URL to the image, or a Data URI (base64 encoded) with the following requirements:
  - URL/URI must be publicly available.
  - File must be 245x150px in size.
  - svg and png files are supported. We recommend using svg files to allow proper scaling across the UI and enable optimal performance.
  - If no watermark image is provided, a wave pattern is applied to the credentials by default.
  - The recommended maximum size of watermarkImage is 150kb.
- issuerLogo : The issuer logo is displayed on the bottom part of the credential in the holder’s digital wallet (see image below). When not provided, the issuer’s name and issuerIcon are used instead. You can provide either a URL to the image, or a Data URI (base64 encoded) with the following requirements:
  - URL/URI must be publicly available.
  - File must be 140x42px in size.
  - svg and png files are supported. We recommend using svg files to allow proper scaling across the UI and enable optimal performance.
  - Transparencies are allowed for svg or png images.
  - The recommended maximum size of issuerLogo is 50kb.
- issuerIcon : The issuer icon is displayed next to the issuer’s name when the credential is offered to the holder. It is also displayed next to the issuer’s name on the bottom part of the credential when issuerLogo is not provided. When issuerIcon is not provided, the first letter from the issuer name is used instead. You can provide either a URL to the image, or a Data URI (base64 encoded) with the following requirements:
  - URL/URI must be publicly available.
  - File must be 32x32px in size.
  - svg and png files are supported. We recommend using svg files to allow proper scaling across the UI and enable optimal performance.
  - Transparencies are allowed for svg or png images.
  - The recommended maximum size of issuerIcon is 15kb.
  - If issuerIcon is not provided, the first letter of the issuer name is displayed instead.
claimSourceId (optional): References the unique identifier of a claims source that can be used to retrieve claims and include them in the issued credential.
includeStatus : When set to true, issued mDocs are revocable. They include a status object, which refers a Status list where the mDoc’s status can be changed to valid, invalid, or suspended.

Refer to mDocs signing certificate selection to learn more about how MATTR VII automatically select suitable IACA and DSC certificates when signing mDocs.

Response

JSON

{
    "id": "294868aa-3814-4a50-9862-5ff48381a8e5",
    "type": "com.example.employeecredential.1"
    //... rest of your credential configuration
}

id : Uniquely identifies the created Credential configuration. This identifier can be used to include this Credential configuration in a Credential offer, or to retrieve, update or delete the Credential configuration.

Once the Credential configuration is created, its details are publicly available on https:// {your_tenant_url}/.well-known/openid-credential-issuer. This enables relying parties to verify credentials issued using this Credential configuration.

Branded mDoc

Create a CWT or Semantic CWT credential configuration

Request

Make a request of the following structure to create a new CWT credentials configuration:

HTTP

POST /v2/credentials/compact/configurations

You can make a similar request to a different endpoint to create a new Semantic CWT credential configuration:

HTTP

POST /v2/credentials/compact-semantic/configurations

Request body

JSON

{
    "type": "CourseCredential",
    "claimMappings": {
        "email": {
            "mapFrom": "claims.email"
        },
        "firstName": {
            "mapFrom": "claims.given_name"
        },
        "lastName": {
            "mapFrom": "claims.lastName"
        },
        "addressRegion": {
            "mapFrom": "claims.addressRegion",
            "required": true,
            "defaultValue": "Kakapo"
        },
        "providerUrl": {
            "mapFrom": "authenticationProvider.url",
            "required": true
        },
        "providersubjectId": {
            "mapFrom": "authenticationProvider.subjectId",
            "required": true
        }
    },
    "revocable": true,
    "expiresIn": {
        "years": 1
    },
    "claimSourceId": "945214ad-3635-4aff-b51d-61d69a3c8eee"
}

type (required): Used to differentiate between different CWT/Semantic CWT credentials configurations on your tenant. Thus, its value must:
- Be unique across all CWT/Semantic CWT credentials configurations on your tenant.
- Not be VerifiableCredential.
claimMappings : This is where you specify how to map claims (user attributes) into issued credentials. Each field in the object corresponds to a claim in the issued credential, and contains one or more of the following attributes:
- mapFrom : References the path in the user object where the claim is available.
  - When using a URL as a claims namespace identifier, use bracket notation to access the claim value (e.g. mapFrom: "claims['https://example.com/claim-name']”).
  - mapFrom is optional when defaultValue is provided, as the latter will be used for all issued credentials. This is referred to as a static claim.
- defaultValue : Used to populate the claim with a static value when mapping is unsuccessful. When defaultValue is provided, mapFrom is optional.
- required : Indicates whether the claim is required. When a required claim cannot be retrieved and no defaultValue is available, credential issuance will fail. Defaults to false.
revocable : When set to true (default), the created credential can later be revoked. When set to false, the credential cannot be revoked.
expiresIn (optional): Used to determine when will issued credentials expire. Can include any combination of years, months, weeks, days, hours, minutes and seconds.
claimSourceId (optional): References the unique identifier of a claims source that can be used to retrieve claims and include them in the issued credential.

Response

JSON

{
    "id": "8fda86fc-781d-4401-80d7-eaa43efafad9",
    "type": "CourseCredential"
    //... rest of your Credential configuration
}

id : Uniquely identifies the created Credential configuration. This identifier can be used to include this Credential configuration in a Credential offer, or to retrieve, update or delete the Credential configuration.

Create a JSON credentials configuration

Request

Make a request of the following structure to create a new JSON credentials configuration:

HTTP

POST /v2/credentials/web-semantic/configurations

Request body

JSON

{
    "name": "Computer Science Course Credential",
    "description": "Diploma in Management",
    "type": "CourseCredential",
    "additionalTypes": ["EducationCredential"],
    "issuer": {
        "name": "Kakapo University",
        "logoUrl": "https://example.edu/img/logo.png",
        "iconUrl": "https://example.edu/img/icon.png"
    },
    "credentialBranding": {
        "backgroundColor": "#860012",
        "watermarkImageUrl": "https://example.edu/img/watermark.png"
    },
    "claimMappings": {
        "firstName": {
            "mapFrom": "claims.firstName",
            "required": true
        },
        "address": {
            "mapFrom": "claims.address.formatted"
        },
        "picture": {
            "mapFrom": "claims.picture",
            "defaultValue": "http://example.edu/img/placeholder.png"
        },
        "badge": {
            "defaultValue": "http://example.edu/img/badge.png"
        },
        "providerSubjectId": {
            "mapFrom": "authenticationProvider.subjectId"
        }
    },
    "proofType": "Ed25519Signature2018",
    "persist": false,
    "revocable": true,
    "includeId": true,
    "claimSourceId": "945214ad-3635-4aff-b51d-61d69a3c8eee",
    "expiresIn": {
        "months": 12
    }
}

name : Insert a meaningful name for the credential. This string is displayed on the top part of the credential in the holder’s digital wallet (see image below). Maximum length is 18 characters.
description : Insert a meaningful description for the credential. This string is displayed below the name field on the credential in the holder’s digital wallet (see image below). Maximum length is 38 characters.
type (required): Used to differentiate between different JSON credentials configurations on your tenant. Thus, its value must:
- Be unique across all JSON credentials configurations on your tenant.
- Not be VerifiableCredential.
additionalTypes (optional): Additional credential types that can be referenced.
issuer : Issuer details to be displayed on issued credentials:
- name : Insert a meaningful name to indicate the issuer. This string is used when the credential is offered to the holder. It is also used on the bottom part of the credential when logoURL is not provided.
- logoURL : Insert a URL for a logo that is displayed on the bottom part of the credential (see image below). If no logo is provided, the issuer’s name and iconURL are used instead. The logo must meet the following criteria:
  - URL must be publicly available.
  - Must be 140x42 px in size.
  - svg, png and jpg files are supported, but svg is recommended. Raster images, whilst supported, are currently displayed at 1x resolution and may look pixelated on some devices.
  - Transparencies are allowed for svg or png images.
  - If no logo is provided, the first letter of the issuer name is displayed instead.
  - Recommended maximum size for logoURL is 50kb.
- iconURL : Insert a URL for an icon that is displayed next to the issuer’s name when the credential is offered to the holder. It is also displayed next to the issuer’s name on the bottom part of the credential when logoURL is not provided. When iconURL is not provided, the first letter from name is used instead. The icon must meet the following criteria:
  - URL must be publicly available.
  - Must be 32x32 px in size.
  - svg, png and jpg files are supported, but svg is recommended. Raster images, whilst supported, are currently displayed at 1x resolution and may look pixelated on some devices.
  - Transparencies are allowed for svg or png images.
  - Recommended maximum size for iconURL is 15kb.
credentialBranding : Additional branding that will be applied to issued credentials:
backgroundColor : Insert a color hex code to use for the credential background color in the holder’s digital wallet (see image below).
watermarkImageUrl : Insert a URL for a watermark image to be included as a pattern on the credential in the holder’s digital wallet (see image below):
- Must be publicly available.
- Must be 245x150 px in size.
- svg, png and jpg files are supported, but svg is recommended.
- If no watermark image is provided, a wave pattern is applied to the credentials by default.
- Recommended maximum size for watermarkImageUrl is 150kb.

Branding

Refer to this video to learn more about credential branding best practices.
Check out our Silvereye branding tool to get a real time preview of a credential based your settings and configuration.

claimMappings : This is where you specify how to map claims (user attributes) into issued credentials. Each field in the object corresponds to a claim in the issued credential, and contains one or more of the following attributes:
- mapFrom : References the path in the user object where the claim is available.
  - When using a URL as a claims namespace identifier, use bracket notation to access the claim value (e.g. mapFrom: "claims['https://example.com/claim-name']”).
  - mapFrom is optional when defaultValue is provided, as the latter will be used for all issued credentials. This is referred to as a static claim.
- defaultValue : Used to populate the claim with a static value when mapping is unsuccessful. When defaultValue is provided, mapFrom is optional.
- required : Indicates whether the claim is required. When a required claim cannot be retrieved and no defaultValue is available, credential issuance will fail. Defaults to false.
proofType (optional): This is an optional field used to define the cryptographic algorithm used to sign the credential. The credential Issuer’s DID must contain a key that supports the corresponding signing capability. If no proofType is provided, the credential will be signed using the key that is available in the Issuer’s DID:
- If a Bls12381G2 key is available, the credential will be signed with a BbsSignature2022 proof. Credentials signed with this proof type support selective disclosure.
- If a Bls12381G2 key is unavailable, but a Ed25519 key is available, the credential will be signed with a Ed25519Signature2018 proof. Credentials signed with this proof type do not support selective disclosure.
- If none of the two suitable keys are available, the request will be rejected and the credential will not be issued.
persist : When set to true, both the issued credential and its metadata are stored in the credential registry. When set to false (default) only the following metadata is stored in the credential registry:
- id
- tag
- credentialStatus
- issuanceDate
⚠️
Credentials by nature tend to hold Personally Identifying Information (PII). Before storing credential data, familiarize yourself with compliance to any PII restrictions that may apply to your use-case.
revocable : When set to true (default), the created credential can later be revoked, and https://w3id.org/vc-revocation-list-2020/v1 is injected into the credential @context object when it is issued. This references the JSON-LD definition of the credentialStatus object used to manage revocation status. When set to false, the credential cannot be revoked.
includeId : When set to true, the signed credential identifier is included in both the credential object and the credential metadata. When set to false it is only included in the credential metadata.
expiresIn (optional): Used to determine when will issued credentials expire. Can include any combination of years, months, weeks, days, hours, minutes and seconds.
claimSourceId (optional): References the unique identifier of a claims source that can be used to retrieve claims and include them in the issued credential.

Response

JSON

{
    "id": "983c0a86-204f-4431-9371-f5a22e506599",
    "name": "Computer Science Course Credential",
    "description": "Completed the Computer Science course at Kakapo University"
    //... rest of your credential configuration
}

id : Uniquely identifies the created Credential configuration. This identifier can be used to include this Credential configuration in a Credential offer, or to retrieve, update or delete the Credential configuration.

Branded JSON credential

Claims source Credential revocation