
How to create a Credential configuration

As part of an OpenID4VCI issuance workflow you must create a Credential configuration. A Credential configuration is a specific set of rules and parameters that are used to create and validate a particular type of verifiable credential. These rules and parameters define how the credential is structured and what data it contains when issued.

The OpenID4VCI issuance workflow currently supports configuration of the following credential formats:

  • CWT and Semantic CWT credentials
  • JSON credentials
  • mDocs

You can also create credential configurations via the MATTR Self Service Portal.

Create a CWT or Semantic CWT credentials configuration

Request

Make a request of the following structure to create a new CWT credentials configuration:

HTTP
POST /v2/credentials/compact/configurations

You can make a similar request to a different endpoint to create a new Semantic CWT credential configuration:

HTTP
POST /v2/credentials/compact-semantic/configurations

Request body

JSON
{
    "type": "CourseCredential",
    "claimMappings": {
        "email": {
            "mapFrom": "claims.email"
        },
        "firstName": {
            "mapFrom": "claims.given_name"
        },
        "lastName": {
            "mapFrom": "claims.lastName"
        },
        "addressRegion": {
            "mapFrom": "claims.addressRegion",
            "required": true,
            "defaultValue": "Kakapo"
        },
        "providerUrl": {
            "mapFrom": "authenticationProvider.url",
            "required": true
        },
        "providersubjectId": {
            "mapFrom": "authenticationProvider.subjectId",
            "required": true
        }
    },
    "revocable": true,
    "expiresIn": {
        "years": 1
    },
    "claimSourceId": "945214ad-3635-4aff-b51d-61d69a3c8eee"
}
  • type (required): Used to differentiate between different CWT/Semantic CWT credentials configurations on your tenant. Thus, its value must:
    • Be unique across all CWT/Semantic CWT credentials configurations on your tenant.
    • Not be VerifiableCredential.
  • claimMappings : This is where you specify how to map claims (user attributes) into issued credentials. Each field in the object corresponds to a claim in the issued credential, and contains one or more of the following attributes:
    • mapFrom : References the path in the user object where the claim is available.
      • When using a URL as a claims namespace identifier, use bracket notation to access the claim value (e.g. mapFrom: "claims['https://example.com/claim-name']").
      • mapFrom is optional when defaultValue is provided, as the latter will be used for all issued credentials. This is referred to as a static claim.
    • defaultValue : Used to populate the claim with a static value when mapping is unsuccessful. When defaultValue is provided, mapFrom is optional.
    • required : Indicates whether the claim is required. When a required claim cannot be retrieved and no defaultValue is available, credential issuance will fail. Defaults to false.
  • revocable : When set to true (default), the created credential can later be revoked. When set to false, the credential cannot be revoked.
  • expiresIn (optional): Used to determine when issued credentials will expire. Can include any combination of years, months, weeks, days, hours, minutes and seconds.
  • claimSourceId (optional): References the unique identifier of a claims source that can be used to retrieve claims and include them in the issued credential.
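
The mapFrom, defaultValue and required rules above, sketched as an added Python example (not MATTR's code) that resolves claimMappings against a constructed user object so you can see before issuance which required claims would fail. The functions lookup and resolve_claims, the path parser, and the choice to drop unresolved optional claims are assumptions made for illustration.

```python
import re

# One path segment: a dotted name or a bracketed quoted key, e.g. claims['https://example.com/x']
_SEGMENT = re.compile(r"""\.?([A-Za-z_]\w*)|\[['"]([^'"]+)['"]\]""")

def lookup(user, path):
    """Resolve a mapFrom path against a user object; return None if absent."""
    node, pos = user, 0
    while pos < len(path):
        m = _SEGMENT.match(path, pos)
        if not m:
            raise ValueError(f"unparseable mapFrom path: {path!r}")
        key = m.group(1) or m.group(2)
        if not isinstance(node, dict) or key not in node:
            return None
        node, pos = node[key], m.end()
    return node

def resolve_claims(config, user):
    """Apply each mapping in the documented order: mapFrom, then defaultValue, then required."""
    if config.get("type") == "VerifiableCredential":
        raise ValueError("type must not be VerifiableCredential")
    issued = {}
    for name, rule in config["claimMappings"].items():
        value = lookup(user, rule["mapFrom"]) if "mapFrom" in rule else None
        if value is None:
            value = rule.get("defaultValue")  # static fallback when mapping fails
        if value is None and rule.get("required", False):
            raise ValueError(f"required claim {name!r} could not be retrieved")
        if value is not None:  # assumption: unresolved optional claims are left out
            issued[name] = value
    return issued

# Constructed sample: a trimmed version of the request body above plus one URL-namespaced claim.
CONFIG = {
    "type": "CourseCredential",
    "claimMappings": {
        "email": {"mapFrom": "claims.email"},
        "lastName": {"mapFrom": "claims.lastName"},
        "addressRegion": {"mapFrom": "claims.addressRegion", "required": True, "defaultValue": "Kakapo"},
        "course": {"mapFrom": "claims['https://example.com/claim-name']"},
        "providersubjectId": {"mapFrom": "authenticationProvider.subjectId", "required": True},
    },
}
# Constructed user object; all values are placeholders.
USER = {
    "claims": {"email": "user@example.com", "https://example.com/claim-name": "Security 101"},
    "authenticationProvider": {"subjectId": "subject-123"},
}
```

With this sample, addressRegion falls back to its defaultValue and lastName is omitted; removing subjectId from the user object makes resolve_claims raise, mirroring the documented issuance failure.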

Response

JSON
{
    "id": "8fda86fc-781d-4401-80d7-eaa43efafad9",
    "type": "CourseCredential"
    //... rest of your Credential configuration
}
  • id : Uniquely identifies the created Credential configuration. This identifier can be used to include this Credential configuration in a Credential offer, or to retrieve, update or delete the Credential configuration.

Once the Credential configuration is created, its details are publicly available on https://{your_tenant_url}/.well-known/openid-credential-issuer. This enables relying parties to verify credentials issued using this Credential configuration.