Revocation Tutorial

Introduction

In this tutorial we will explore the concept of credential revocation, a critical feature that allows issuers to invalidate previously issued credentials, ensuring the integrity and security of the system. The tutorial comprises the following steps:

Issue a revocable credential.
Obtain a credential revocation status.
Revoke an issued credential.
Attempt to verify a revoked credential.

Prerequisites

Complete the sign up form to get access to a MATTR VII trial tenant.
Make sure you are comfortable with how to:
- Obtain a MATTR VII access token.
- Make a MATTR VII API request.

We recommend using the MATTR VII Postman collection in this tutorial. While this isn’t an explicit prerequisite, it can really speed things up.

Tutorial steps

Issue a revocable credential

The first thing you need to do is sign a new credential in a way that will enable you to revoke it later. This will differ slightly based on your selected credential format.

Make a request of the following structure to create a did:web:

Request

HTTP

POST /v1/dids

JSON

{
    "method": "web",
    "options": {
        "url": "https://learn.vii.au01.mattr.global"
    }
}

url : Replace with your tenant_url provided with your tenant details.

Response

JSON

{
    "did": "did:web:learn.vii.au01.mattr.global"
    // Rest of DID document
}

did : We will use the value of this element to identify the credential’s issuer in the next step.

If your tenant has a Custom domain configured you will need to setup a redirect for this DID document.

Make a request of the following structure to create and sign a new revocable CWT credential:

Request

HTTP

POST /v2/credentials/compact/sign

JSON

{
    "payload": {
        "iss": "did:web:learn.vii.au01.mattr.global",
        "type": "Course Credential",
        "name": "Emma Jane Tasma",
        "code": "HS.278",
        "certificationName": "Working at Heights",
        "certificationLevel": "Level 4",
        "issuerName": "Advanced Safety Training"
    },
    "revocable": true,
    "isRevoked": false
}

iss : Replace with the did element obtained in the previous step.
revocable: We set this to true so that this credential can be revoked later in the tutorial.
isRevoked: We set this to false so that this credential is immediately valid upon issuance. Other use cases might require you to set this to true to issue a credential that is revoked by default until it is activated by unrevoking.

Response

JSON

{
    "id": "bKcrxojFSuSZvI5qhKInxA",
    "decoded": {
        "iss": "did:web:learn.vii.au01.mattr.global",
        "type": "Course Credential",
        "name": "Emma Jane Tasma",
        "code": "HS.278",
        "certificationName": "Working at Heights",
        "certificationLevel": "Level 4",
        "issuerName": "Advanced Safety Training",
        "status": {
            "index": 3,
            "url": "https://learn.vii.au01.mattr.global/v2/credentials/compact/revocation-lists/887cd140-e4d7-4518-b70f-305b23778848"
        },
        "jti": "bKcrxojFSuSZvI5qhKInxA"
    },
    "encoded": "CSC:/1/2KCE3IQEJB5DCMSMGZITM5QBE2QFSALWVQAXQI3ENFSDU53FMI5GYZLBOJXC45TJNEXGC5JQGEXG2YLUORZC4Z3MN5RGC3AFDJSZE7YQHIAACAACOFBW65LSONSSAQ3SMVSGK3TUNFQWYBA2NFLDPEDENZQW2ZLPIVWW2YJAJJQW4ZJAKRQXG3LBMRRW6ZDFMZEFGLRSG44HCY3FOJ2GSZTJMNQXI2LPNZHGC3LFOJLW64TLNFXGOIDBOQQEQZLJM5UHI43SMNSXE5DJMZUWGYLUNFXW4TDFOZSWYZ2MMV3GK3BAGRVGS43TOVSXETTBNVSXQGCBMR3GC3TDMVSCAU3BMZSXI6JAKRZGC2LONFXGOZTFPBYGS4TZNIZDAMRWFUYDCLJQGE5AAAIAACRAEAYDPB2WQ5DUOBZTULZPNRSWC4TOFZ3GS2JOMF2TAMJONVQXI5DSFZTWY33CMFWC6Y3POJSS65RSF5RXEZLEMVXHI2LBNRZS6Y3PNVYGCY3UF5ZGK5TPMNQXI2LPNYWWY2LTORZS6OBYG5RWIMJUGAWWKNDEG4WTINJRHAWWENZQMYWTGMBVMIZDGNZXHA4DIOAH3BAFA3FHFPDIRRKK4SM3ZDTKQSRCPRCYIA7RFUZYQI3RIGDHIGLAODJ6K2F245DTLIIKXAD35TORFQ7MVRJCIEPH6SC6NGA4HRMK76H5V6GXP66FFNX7MNYC6MYVU7ZLLXYVLXBU"
}

id : Unique credential identifier. We will use it in the next step to obtain the credential’s revocation status, and later to revoke the credential.
status: Credential revocation status details. We will use it in the next step to obtain the credential’s revocation status.

Make a request of the following structure to create a did:web:

Request

HTTP

POST /v1/dids

JSON

{
    "method": "web",
    "options": {
        "url": "https://learn.vii.au01.mattr.global"
    }
}

url : Replace with your tenant_url provided with your tenant details.

Response

JSON

{
    "did": "did:web:learn.vii.au01.mattr.global"
    // Rest of DID document
}

did : We will use the value of this element to identify the credential’s issuer in the next step.

If your tenant has a Custom domain configured you will need to setup a redirect for this DID document.

Make a request of the following structure to sign a new revocable Semantic CWT credential:

Request

HTTP

POST /v2/credentials/compact-semantic/sign

JSON

{
    "payload": {
        "iss": "did:web:learn.vii.au01.mattr.global",
        "vc": {
            "type": "Course Credential",
            "credentialSubject": {
                "name": "Emma Tasma",
                "code": "HS.278",
                "certificationName": "Working at Heights",
                "certificationLevel": "Level 4",
                "issuerName": "Advanced Safety Training"
            }
        }
    },
    "revocable": true,
    "isRevoked": false
}

iss : Replace with the did element obtained in the previous step.
revocable: We set this to true so that this credential can be revoked later in the tutorial.
isRevoked: We set this to false so that this credential is immediately valid upon issuance. Other use cases might require you to set this to true to issue a credential that is revoked by default until it is activated by unrevoking.

Response

JSON

{
    "id": "urn:uuid:78e19496-8521-424b-8315-35fb1ecaf681",
    "decoded": {
        "iss": "did:web:learn.vii.au01.mattr.global",
        "vc": {
            "type": ["VerifiableCredential", "Course Credential"],
            "@context": ["https://www.w3.org/2018/credentials/v1"],
            "credentialSubject": {
                "name": "Emma Tasma",
                "code": "HS.278",
                "certificationName": "Working at Heights",
                "certificationLevel": "Level 4",
                "issuerName": "Advanced Safety Training"
            }
        },
        "status": {
            "index": 0,
            "url": "https://learn.vii.au01.mattr.global/v2/credentials/compact-semantic/revocation-lists/1fe00d6c-904f-497e-bbe1-a3cfdc0b8368"
        },
        "jti": "urn:uuid:78e19496-8521-424b-8315-35fb1ecaf681"
    },
    "encoded": "CSS:/1/2KCE3IQEJB5DCMSMGZITM5QBE2QFSAOZUYAXQI3ENFSDU53FMI5GYZLBOJXC45TJNEXGC5JQGEXG2YLUORZC4Z3MN5RGC3AFDJSZE7YQMJ3GHI3IIBRW63TUMV4HJALYEZUHI5DQOM5C6L3XO53S45ZTFZXXEZZPGIYDCOBPMNZGKZDFNZ2GSYLMOMXXMMLEOR4XAZMCORLGK4TJMZUWCYTMMVBXEZLEMVXHI2LBNRYUG33VOJZWKICDOJSWIZLOORUWC3DRMNZGKZDFNZ2GSYLMKN2WE2TFMN2KMZDOMFWWK2SFNVWWCICUMFZW2YLEMNXWIZLGJBJS4MRXHBYWGZLSORUWM2LDMF2GS33OJZQW2ZLSK5XXE23JNZTSAYLUEBEGK2LHNB2HG4TDMVZHI2LGNFRWC5DJN5XEYZLWMVWGOTDFOZSWYIBUNJUXG43VMVZE4YLNMV4BQQLEOZQW4Y3FMQQFGYLGMV2HSICUOJQWS3TJNZTWMZLYOBUXE6LKGIYDENRNGAYS2MBRAQNGSVRXSA5AAAIAACRAEAADPB7GQ5DUOBZTULZPNRSWC4TOFZ3GS2JOMF2TAMJONVQXI5DSFZTWY33CMFWC6Y3POJSS65RSF5RXEZLEMVXHI2LBNRZS6Y3PNVYGCY3UFVZWK3LBNZ2GSYZPOJSXM33DMF2GS33OFVWGS43UOMXTCZTFGAYGINTDFU4TANDGFU2DSN3FFVRGEZJRFVQTGY3GMRRTAYRYGM3DQB6YIBIHRYMUS2CSCQSLQMKTL6Y6ZL3ICWCAUPGIGEOOWODF77V7ZJPVLGAQC2ZUP7MASXIRTIRRPOIIBKNHKZ4LHROPWBPBCYTKA3GXWIRD736HIJNQENTSFUYIPQ77BG4ZPCTXYIY"
}

id : Unique credential identifier. We will use it in the next step to obtain the credential’s revocation status, and later to revoke the credential.
status: Credential revocation status details. We will use it in the next step to obtain the credential’s revocation status.

Make a request of the following structure to create a did:web:

Request

HTTP

POST /v1/dids

JSON

{
    "method": "web",
    "options": {
        "url": "https://learn.vii.au01.mattr.global"
    }
}

url : Replace with your tenant_url provided with your tenant details.

Response

JSON

{
    "did": "did:web:learn.vii.au01.mattr.global"
    // Rest of DID document
}

did : We will use the value of this element to identify the credential’s issuer in the next step.

If your tenant has a Custom domain configured you will need to setup a redirect for this DID document.

Make a request of the following structure to sign a new revocable JSON credential:

Request

HTTP

POST /v2/credentials/web-semantic/sign

JSON

{
    "payload": {
        "name": "Course credential",
        "description": "Diploma in Management",
        "type": ["EducationalOccupationalCredential", "AlumniCredential"],
        "credentialSubject": {
            "id": "did:key:z6Mkr9f7o82NFLRFTTCWRR1GiZpca22Xf6YKo2zKThrZMA2w",
            "givenName": "Emma",
            "familyName": "Tasma",
            "alumniOf": "Zealopia University"
        },
        "issuer": {
            "id": "did:web:learn.vii.au01.mattr.global",
            "name": "Zealopia Business Institute"
        }
    },
    "revocable": true
}

issuer.id : Replace with the did element obtained in the previous step.
revocable: We set this to true so that this credential can be revoked later in the tutorial.

Response

JSON

{
    "id": "e57623d6-4b5d-4d35-b605-ee5d34915e7c",
    "credential": {
        // Credential claims
    },
    "credentialStatus": {
        "id": "https://learn.vii.au01.mattr.global/core/v2/credentials/web-semantic/revocation-lists/b95acd20-8d52-4474-8f32-71fb8d7a50ed#0",
        "type": "RevocationList2020Status",
        "revocationListIndex": "0",
        "revocationListCredential": "https://learn.vii.au01.mattr.global/core/v2/credentials/web-semantic/revocation-lists/b95acd20-8d52-4474-8f32-71fb8d7a50ed"
    },
    "issuanceDate": "2024-09-06T02:43:47.904Z"
}

id : Unique credential identifier. We will use it in the next step to obtain the credential’s revocation status, and later to revoke the credential.
credentialStatus: Credential revocation status details. We will use it in the next step to obtain the credential’s revocation status.

Obtain a credential revocation status

Now that the credential is issued, different relying parties might be interested in discovering its revocation status. In other words, they want to know whether or not the credential has been revoked by the issuer. MATTR VII supports two ways of achieving this:

Query a protected MATTR VII endpoint to get the revocation status.
Query public MATTR VII endpoints to get the revocation status.

Again, this process looks slightly different for different credential formats.

Protected endpoint

Request

Make a request of the following structure to retrieve the revocation status of a CWT credential:

HTTP

GET /v2/credentials/compact/{id}/revocation-status

id : Replace with the unique identifier of the credential you wish to revoke. This would be the id element of the credential you issued in the previous step. It will be available as part of any CWT credential issued by a MATTR VII tenant.

Response

JSON

{
    "id": "bKcrxojFSuSZvI5qhKInxA",
    "isRevoked": false
}

isRevoked : Indicates revocation status for the credential. Since we issued the credential with isRevoked set to false, this it the expected value in the response.

Public endpoint

MATTR VII enables relying parties to obtain the revocation status of a credential in a privacy preserving manners, as the issuer has no way of knowing what specific credential’s status the relying party is requesting.

This is achieved by retrieving a publicly available revocation status list, and then looking up a specific credential’s status using a reference index that is included in the credential itself. These revocation lists are compliant with the W3C Revocation List specification.

Request

Make a GET request to the status.url element from the response obtained when signing the credential

HTTP

GET https://learn.vii.au01.mattr.global/v2/credentials/compact/revocation-lists/887cd140-e4d7-4518-b70f-305b23778848

Response

The response includes an encoded revocation list, as per the W3C Revocation List specification. Relying parties can then decode the list and use the credential’s decoded.status.index element to locate and check the status of this specific credential.

Validating the credential status

Let’s validate this status by trying to verify this credential.

Make a request of the following structure to verify a CWT credential:

HTTP

POST /v2/credentials/compact/verify

Request body

JSON

{
    "payload": "CSC:/1/2KCE3IQEJB5DCMSMGZITM5QBE2QFSALWVQAXQI3ENFSDU53FMI5GYZLBOJXC45TJNEXGC5JQGEXG2YLUORZC4Z3MN5RGC3AFDJSZE7YQHIAACAACOFBW65LSONSSAQ3SMVSGK3TUNFQWYBA2NFLDPEDENZQW2ZLPIVWW2YJAJJQW4ZJAKRQXG3LBMRRW6ZDFMZEFGLRSG44HCY3FOJ2GSZTJMNQXI2LPNZHGC3LFOJLW64TLNFXGOIDBOQQEQZLJM5UHI43SMNSXE5DJMZUWGYLUNFXW4TDFOZSWYZ2MMV3GK3BAGRVGS43TOVSXETTBNVSXQGCBMR3GC3TDMVSCAU3BMZSXI6JAKRZGC2LONFXGOZTFPBYGS4TZNIZDAMRWFUYDCLJQGE5AAAIAACRAEAYDPB2WQ5DUOBZTULZPNRSWC4TOFZ3GS2JOMF2TAMJONVQXI5DSFZTWY33CMFWC6Y3POJSS65RSF5RXEZLEMVXHI2LBNRZS6Y3PNVYGCY3UF5ZGK5TPMNQXI2LPNYWWY2LTORZS6OBYG5RWIMJUGAWWKNDEG4WTINJRHAWWENZQMYWTGMBVMIZDGNZXHA4DIOAH3BAFA3FHFPDIRRKK4SM3ZDTKQSRCPRCYIA7RFUZYQI3RIGDHIGLAODJ6K2F245DTLIIKXAD35TORFQ7MVRJCIEPH6SC6NGA4HRMK76H5V6GXP66FFNX7MNYC6MYVU7ZLLXYVLXBU",
    "checkRevocation": true
}

payload : Replace with the encoded element from the response obtained when signing the credential.
checkRevocation : This is the property that makes this verification request check for the credential revocation status.

Response

JSON

{
    "verified": true
    // Rest of response
}

verified : As expected, the credential was verified. Not for long!!!

Protected endpoint

Request

Make a request of the following structure to retrieve the revocation status of a Semantic CWT credential:

HTTP

GET /v2/credentials/compact-semantic/{id}/revocation-status

id : Replace with the unique identifier of the credential you wish to revoke. This would be the id element of the credential you issued in the previous step. It will be available as part of any Semantic CWT credential issued by a MATTR VII tenant.

Response

JSON

{
    "id": "urn:uuid:78e19496-8521-424b-8315-35fb1ecaf681",
    "isRevoked": false
}

isRevoked : Indicates revocation status for the credential. Since we issued the credential with isRevoked set to false, this it the expected value in the response.

Public endpoint

Request

Make a GET request to the status.url element from the response obtained when signing the credential:

HTTP

GET https://learn.vii.au01.mattr.global/v2/credentials/compact-semantic/revocation-lists/1fe00d6c-904f-497e-bbe1-a3cfdc0b8368

Response

Validating the credential status

Let’s validate this status by trying to verify this credential.

Make a request of the following structure to verify a Semantic CWT credential:

HTTP

POST /v2/credentials/compact-semantic/verify

Request body

JSON

{
    "payload": "CSS:/1/2KCE3IQEJB5DCMSMGZITM5QBE2QFSAOZUYAXQI3ENFSDU53FMI5GYZLBOJXC45TJNEXGC5JQGEXG2YLUORZC4Z3MN5RGC3AFDJSZE7YQMJ3GHI3IIBRW63TUMV4HJALYEZUHI5DQOM5C6L3XO53S45ZTFZXXEZZPGIYDCOBPMNZGKZDFNZ2GSYLMOMXXMMLEOR4XAZMCORLGK4TJMZUWCYTMMVBXEZLEMVXHI2LBNRYUG33VOJZWKICDOJSWIZLOORUWC3DRMNZGKZDFNZ2GSYLMKN2WE2TFMN2KMZDOMFWWK2SFNVWWCICUMFZW2YLEMNXWIZLGJBJS4MRXHBYWGZLSORUWM2LDMF2GS33OJZQW2ZLSK5XXE23JNZTSAYLUEBEGK2LHNB2HG4TDMVZHI2LGNFRWC5DJN5XEYZLWMVWGOTDFOZSWYIBUNJUXG43VMVZE4YLNMV4BQQLEOZQW4Y3FMQQFGYLGMV2HSICUOJQWS3TJNZTWMZLYOBUXE6LKGIYDENRNGAYS2MBRAQNGSVRXSA5AAAIAACRAEAADPB7GQ5DUOBZTULZPNRSWC4TOFZ3GS2JOMF2TAMJONVQXI5DSFZTWY33CMFWC6Y3POJSS65RSF5RXEZLEMVXHI2LBNRZS6Y3PNVYGCY3UFVZWK3LBNZ2GSYZPOJSXM33DMF2GS33OFVWGS43UOMXTCZTFGAYGINTDFU4TANDGFU2DSN3FFVRGEZJRFVQTGY3GMRRTAYRYGM3DQB6YIBIHRYMUS2CSCQSLQMKTL6Y6ZL3ICWCAUPGIGEOOWODF77V7ZJPVLGAQC2ZUP7MASXIRTIRRPOIIBKNHKZ4LHROPWBPBCYTKA3GXWIRD736HIJNQENTSFUYIPQ77BG4ZPCTXYIY",
    "checkRevocation": true
}

payload : Replace with the encoded element from the response obtained when signing the credential.
checkRevocation : This is the property that makes this verification request check for the credential revocation status.

Response

JSON

{
    "verified": true
    // Rest of response
}

verified : As expected, the credential was verified. Not for long!!!

Protected endpoint

Request

Make a request of the following structure to retrieve the revocation status of a JSON credential:

HTTP

POST /v2/credentials/web-semantic/{id}/revocation-status

id : Replace with the unique identifier of the credential you wish to revoke. This would be the id element of the credential you issued in the previous step. It will be available as part of any JSON credential issued by a MATTR VII tenant and you can also obtain it by querying the Credential registry.

Response

JSON

{
    "id": "e57623d6-4b5d-4d35-b605-ee5d34915e7c",
    "isRevoked": false
}

isRevoked : Indicates revocation status for the credential. Since we issued the credential with isRevoked set to false, this it the expected value in the response.

Public endpoint

Request

Make a GET request to the credentialStatus.revocationListCredential element from the response obtained when signing the credential

HTTP

GET https://learn.vii.au01.mattr.global/core/v2/credentials/web-semantic/revocation-lists/b95acd20-8d52-4474-8f32-71fb8d7a50ed

Response

The response includes an encoded revocation list, as per the W3C Revocation List specification. Relying parties can then decode the list and use the credential’s credentialStatus.revocationListIndex element to locate and check the status of this specific credential.

Validating the credential status

Let’s validate this status by trying to verify this credential.

Make a request of the following structure to verify a JSON credential:

HTTP

POST /v2/credentials/web-semantic/verify

Request body

JSON

{
    "payload": {
        "type": ["VerifiableCredential", "EducationalOccupationalCredential", "AlumniCredential"]
        //... rest of JSON credential
    },
    "checkRevocation": true
}

payload : Replace with the contents of the credential object from the response obtained when signing the JSON credential. Make sure you only include the contents of the credential object and not the entire response.
checkRevocation : This is the property that makes this verification request check for the credential revocation status.

Response

JSON

{
    "verified": true
}

verified : As expected, the credential was verified. Not for long!!!

Revoking an issued credential

Next we will learn how to revoke issued credentials. The process is very similar for different credential formats but uses different MATTR VII endpoints

Request

Make a request of the following structure to revoke a CWT credential:

HTTP

POST /v2/credentials/compact/{id}/revocation-status

id : Replace with the id of the credential obtained earlier in this tutorial.

Request body

JSON

{
    "isRevoked": true
}

Response

JSON

{
    "id": "bKcrxojFSuSZvI5qhKInxA",
    "isRevoked": true
}

isRevoked : This is now set to true, which means the credential will not be verified as valid.

Making a similar request with isRevoked set to false would unrevoke a revoked credential.

Request

Make a request of the following structure to revoke a Semantic CWT credential:

HTTP

POST /v2/credentials/compact-semantic/{id}/revocation-status

id : Replace with the id of the credential obtained earlier in this tutorial.

Request body

JSON

{
    "isRevoked": true
}

Response

JSON

{
    "id": "urn:uuid:78e19496-8521-424b-8315-35fb1ecaf681",
    "isRevoked": true
}

isRevoked : This is now set to true, which means the credential will not be verified as valid.

Making a similar request with isRevoked set to false would unrevoke a revoked credential.

Make a request of the following structure to revoke a JSON Credential:

HTTP

POST /v2/credentials/web-semantic/{id}/revocation-status

id : Replace with the id of the credential you wish to revoke.

Request body

JSON

{
    "isRevoked": true
}

Response

An empty response with a 200 code indicates a successful change of revocation status.

Making a similar request with isRevoked set to false would unrevoke a revoked credential.

Attempting to verify a revoked credential

The last step will be attempting to verify the revoked credential. This step is also similar across different credential formats, using different endpoints.

Make a request of the following structure to verify a CWT credential:

HTTP

POST /v2/credentials/compact/verify

Request body

JSON

{
    "payload": "CSC:/1/2KCE3IQEJB5DCMSMGZITM5QBE2QFSALWVQAXQI3ENFSDU53FMI5GYZLBOJXC45TJNEXGC5JQGEXG2YLUORZC4Z3MN5RGC3AFDJSZE7YQHIAACAACOFBW65LSONSSAQ3SMVSGK3TUNFQWYBA2NFLDPEDENZQW2ZLPIVWW2YJAJJQW4ZJAKRQXG3LBMRRW6ZDFMZEFGLRSG44HCY3FOJ2GSZTJMNQXI2LPNZHGC3LFOJLW64TLNFXGOIDBOQQEQZLJM5UHI43SMNSXE5DJMZUWGYLUNFXW4TDFOZSWYZ2MMV3GK3BAGRVGS43TOVSXETTBNVSXQGCBMR3GC3TDMVSCAU3BMZSXI6JAKRZGC2LONFXGOZTFPBYGS4TZNIZDAMRWFUYDCLJQGE5AAAIAACRAEAYDPB2WQ5DUOBZTULZPNRSWC4TOFZ3GS2JOMF2TAMJONVQXI5DSFZTWY33CMFWC6Y3POJSS65RSF5RXEZLEMVXHI2LBNRZS6Y3PNVYGCY3UF5ZGK5TPMNQXI2LPNYWWY2LTORZS6OBYG5RWIMJUGAWWKNDEG4WTINJRHAWWENZQMYWTGMBVMIZDGNZXHA4DIOAH3BAFA3FHFPDIRRKK4SM3ZDTKQSRCPRCYIA7RFUZYQI3RIGDHIGLAODJ6K2F245DTLIIKXAD35TORFQ7MVRJCIEPH6SC6NGA4HRMK76H5V6GXP66FFNX7MNYC6MYVU7ZLLXYVLXBU",
    "checkRevocation": true
}

payload : Replace with the encoded element from the response obtained when signing the credential.
checkRevocation : This is the property that makes this verification request check for the credential revocation status.

Response

JSON

{
    "verified": false,
    "reason": {
        "type": "Revoked",
        "message": "Credential has been revoked"
    }
    // Rest of response
}

verified : As expected, the credential had failed verification.
reason : Details that the credential had failed verification since it has been revoked.

Revocation lists are cached for a certain amount of time, so you might need to wait a few minutes before verification would actually fail.

Make a request of the following structure to verify a Semantic CWT credential:

HTTP

POST /v2/credentials/compact-semantic/verify

Request body

JSON

{
    "payload": "CSS:/1/2KCE3IQEJB5DCMSMGZITM5QBE2QFSAOZUYAXQI3ENFSDU53FMI5GYZLBOJXC45TJNEXGC5JQGEXG2YLUORZC4Z3MN5RGC3AFDJSZE7YQMJ3GHI3IIBRW63TUMV4HJALYEZUHI5DQOM5C6L3XO53S45ZTFZXXEZZPGIYDCOBPMNZGKZDFNZ2GSYLMOMXXMMLEOR4XAZMCORLGK4TJMZUWCYTMMVBXEZLEMVXHI2LBNRYUG33VOJZWKICDOJSWIZLOORUWC3DRMNZGKZDFNZ2GSYLMKN2WE2TFMN2KMZDOMFWWK2SFNVWWCICUMFZW2YLEMNXWIZLGJBJS4MRXHBYWGZLSORUWM2LDMF2GS33OJZQW2ZLSK5XXE23JNZTSAYLUEBEGK2LHNB2HG4TDMVZHI2LGNFRWC5DJN5XEYZLWMVWGOTDFOZSWYIBUNJUXG43VMVZE4YLNMV4BQQLEOZQW4Y3FMQQFGYLGMV2HSICUOJQWS3TJNZTWMZLYOBUXE6LKGIYDENRNGAYS2MBRAQNGSVRXSA5AAAIAACRAEAADPB7GQ5DUOBZTULZPNRSWC4TOFZ3GS2JOMF2TAMJONVQXI5DSFZTWY33CMFWC6Y3POJSS65RSF5RXEZLEMVXHI2LBNRZS6Y3PNVYGCY3UFVZWK3LBNZ2GSYZPOJSXM33DMF2GS33OFVWGS43UOMXTCZTFGAYGINTDFU4TANDGFU2DSN3FFVRGEZJRFVQTGY3GMRRTAYRYGM3DQB6YIBIHRYMUS2CSCQSLQMKTL6Y6ZL3ICWCAUPGIGEOOWODF77V7ZJPVLGAQC2ZUP7MASXIRTIRRPOIIBKNHKZ4LHROPWBPBCYTKA3GXWIRD736HIJNQENTSFUYIPQ77BG4ZPCTXYIY",
    "checkRevocation": true
}

payload : Replace with the encoded element from the response obtained when signing the credential.
checkRevocation : This is the property that makes this verification request check for the credential revocation status.

Response

JSON

{
    "verified": false,
    "reason": {
        "type": "Revoked",
        "message": "Credential has been revoked"
    }
    // Rest of response
}

verified : As expected, the credential had failed verification.
reason : Details that the credential had failed verification since it has been revoked.

Revocation lists are cached for a certain amount of time, so you might need to wait a few minutes before verification would actually fail.

Make a request of the following structure to verify a JSON credential:

HTTP

POST /v2/credentials/web-semantic/verify

Request body

JSON

{
    "payload": {
        "type": ["VerifiableCredential", "EducationalOccupationalCredential", "AlumniCredential"]
        //... rest of JSON Credential
    },
    "checkRevocation": true
}

payload : Replace with the contents of the credential object from the response obtained when signing the JSON credential. Make sure you only include the contents of the credential object and not the entire response.
checkRevocation : This is the property that makes this verification request check for the credential revocation status.

Response

JSON

{
    "verified": false,
    "reason": {
        "type": "CredentialRevoked",
        "message": "Credential has been revoked"
    }
}

verified : As expected, the credential had failed verification.
reason : Details that the credential had failed verification since it has been revoked.

Revocation lists are cached for a certain amount of time, so you might need to wait a few minutes before verification would actually fail.

Summary

In this tutorial you learned how to manage credential revocation, including:

How to issue a revocable credential.
How to check the revocation status of a credential as an Issuer and as a relying party.
How to revoke a credential.

You can now use integrate these capabilities into your solution to support this important feature.

Additional resources

Guides

Issue a CWT credential Revoke a CWT credential

API Reference

Sign a CWT credential Set CWT credential Revocation status

OID4VCI