Issuing Credentials

Identity providers can issue portable and decentralized Verifiable Credentials to their users. Verifiable Credentials represent provable claims associated with an identity. They can represent any number of claims -- authentication, proof of KYC, credit score, etc.

Verifiable Credentials are issued to a recipient-controlled identifier (such as a DID). This makes it easier for the recipient to use the credential in different contexts, through holder/subject binding techniques that prove control over the identifier.

Collecting that identifier in a secure and convenient way for the user requires different interaction flows; the following pattern is one way an issuer can enable this process for an authenticated user.

Issuance Flow

In this example, an individual's financial institution offers the ability to request a KYC or credit score credential to be displayed in the individual's mobile wallet. The flow consists of the exchange of three distinct JSON objects:

  1. A Credential Offer published by the Issuer that describes the credential and how to apply for it

  2. A Credential Application submitted by the wallet, and

  3. A Credential Fulfillment returned by the Issuer that contains the final credential.

  1. A user navigates to the Issuer site.

  2. The Issuer presents a QR code.

  3. The user scans the QR code with their wallet.

  4. The wallet parses the QR code, which encodes a JSON object with a challengeTokenUrl property.

  5. The wallet performs a GET request at that URL to return a Credential Offer, a wrapper around a Credential Manifest, with three supplementary properties:

    • The issuer DID.

    • A URL for the wallet to submit a Credential Application.

    • A challenge to sign.

  6. The wallet prompts the user to proceed. The Credential Manifest includes descriptive properties, e.g. in the Verifier app, a title and description of the credential are shown.

  7. Once the recipient proceeds, the wallet prepares a signed Credential Application:

    • If the wallet doesn't have a DID, it generates one.

    • The wallet creates a Credential Application for the DID.

    • The application is signed along with the challenge in the Credential Offer.

    • The ID DWN library exposes a convenience method createCredentialApplication for this purpose.

  8. The wallet submits the Credential Application to the URL found in the Credential Offer.

  9. The Issuer creates a Verifiable Credential and returns it to the wallet as a Credential Fulfillment.

  10. The wallet persists the credential.
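
The challenge in the Credential Offer is what lets the Issuer reject replayed or forged applications before it creates a credential. The sketch below is an added example, not code from the library or the original page: the function names, the message layout (a JSON payload with a detached Ed25519 signature), the sample DIDs and URL, and the in-memory key lookup that stands in for DID resolution are all assumptions made for illustration.

```javascript
// Added example, not the library's code. Names and message layout are hypothetical.
const { generateKeyPairSync, sign, verify, randomUUID } = require('node:crypto');

const pending = new Map(); // issuer state: challenge -> expiry time (ms)

// Issuer: build the offer's supplementary properties with a fresh one-time challenge.
function issueOffer(now = Date.now(), ttlMs = 5 * 60 * 1000) {
  const challenge = randomUUID();
  pending.set(challenge, now + ttlMs);
  return { issuerDid: 'did:example:issuer', replyUrl: 'https://issuer.example/apply', challenge };
}

// Wallet: sign the application together with the challenge from the offer.
function signApplication(offer, did, privateKey) {
  const payload = JSON.stringify({ holder: did, challenge: offer.challenge });
  const signature = sign(null, Buffer.from(payload), privateKey).toString('base64url');
  return { payload, signature };
}

// Issuer: check holder binding first, then consume the challenge exactly once.
function verifyApplication(app, resolveKey, now = Date.now()) {
  let claims;
  try { claims = JSON.parse(app.payload); } catch { return 'malformed'; }
  if (!claims || typeof claims.holder !== 'string') return 'malformed';
  const publicKey = resolveKey(claims.holder); // stands in for DID resolution
  if (!publicKey) return 'unknown-did';
  const sig = Buffer.from(String(app.signature), 'base64url');
  if (!verify(null, Buffer.from(app.payload), publicKey, sig)) return 'bad-signature';
  // Signature is checked before the challenge is touched, so an unsigned or
  // forged submission cannot burn a challenge that belongs to another session.
  const expiry = pending.get(claims.challenge);
  if (expiry === undefined) return 'unknown-or-replayed-challenge';
  pending.delete(claims.challenge);
  return now > expiry ? 'expired-challenge' : 'ok';
}

// Constructed sample data: one holder DID with an Ed25519 key pair.
const holder = { did: 'did:example:holder', ...generateKeyPairSync('ed25519') };
const resolveKey = (did) => (did === holder.did ? holder.publicKey : null);

const offer = issueOffer();
const application = signApplication(offer, holder.did, holder.privateKey);
console.log(verifyApplication(application, resolveKey)); // first submission
console.log(verifyApplication(application, resolveKey)); // same application replayed
```

A production issuer would keep the pending challenges in shared storage with the same delete-on-use behaviour, so that a replay cannot succeed against a second server instance.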
