OpenID Credential Provisioning is based on the OpenID4VCI protocol, which is an open standard being incubated at the OpenID Foundation leveraging the OpenID protocol to support the issuance of verifiable credentials and manage their lifecycle.

In addition to enhancements in issuance that the OpenID4VCI protocol brings, we have built extra features into our OpenID Credential Provisioning flow to give you more options to perform custom business logic and integrate with existing systems. These features include:

  • Interaction hooks: Add additional steps to the credential-claiming journey by bouncing users to your own web service. This could mean including additional biometric checks, informational screens and much more.

  • Claim source integration: Usually identity providers do not store all of the information about a user and only keep attributes like email, names or other short identifiers. When issuing credentials, you likely will need more user info and to accomodate that, we have added support for retrieving data from a custom claim source via a single API call.

This guide describes how to configure your tenant on the MATTR VII platform to issue verifiable credentials using OpenID provisioning capability.

Note: OpenID4VCI on the MATTR VII platform is currently only available for the issuance of Web Credentials – with support for other credential profiles coming soon.


You need the following items checked off before proceeding with this tutorial:

  • Create a DID to represent your issuer. This could be any DID method you like but it is easier to test with a DID:key and we recommend using DID:web as you move into production.

    With OpenID Credential Provisioning, we automatically pick the most recent DID in your tenant as the issuer. It is recommended to only keep one DID configured on your tenant for this flow.

  • Setup an OpenID provider. This flow works great when you already have an existing identity provider that can do user authentication. If you do not have an one set up, follow the guide above to create a basic identity provider (also known as authentication provider).


It's easy to get started with issuing your first web credential. Hook up an authentication provider and configure the type of credential you want to issue. Here are the general steps to follow:

  1. Configure an authentication provider— An authentication provider is used to store and manage user accounts on behalf of an organization or service provider. The provider will be the first screen users will see when trying to claim a credential. Normally, this is a login page to verify user credentials but it could be any custom implementation as long as it follows the OpenID Connect standard.

  2. Optional: Configure interaction hook - If you would like to perform business logic beyond a login page such as MFA, biometrics checks, or consent screens, set up an interaction hook to redirect users to your web app. You can also pass back additional user claims or modify the existing ones.

  3. Optional: Configure claims source - If you have additional user information stored in a seperate database or service, add a claim source to fetch claims directly from a compatible standalone system and issue credentials with them.

  4. Setup credential configuration - Add your credential types, branding, claims, and other metadata. You can also mix and match where claims for the issued credentials come from - being the identity provider, internal user store, or claim sources.

  5. Issue a credential — The final step is to create an offer URL to issue a credential to the mobile wallet of the end-user.