Issuing Credentials

Identity providers can issue portable and decentralized Verifiable Credentials to their users. Verifiable Credentials represent provable claims associated with an identity. They can represent any number of claims -- authentication, proof of KYC, credit score, etc.

Verifiable Credentials are issued to a recipient-controlled identifier (such as a DID), which increases the ability for the recipient to use the credential in different contexts through holder/subject binding techniques that prove control over an identifier.

Collecting that identifier in a secure and convenient way for the user requires different interaction flows; the following pattern is one way an issuer can enable this process for an authenticated user.

Issuance Flow

In this example, an individual's financial institution offers the ability to request a KYC or credit score credential to be displayed in the individual's mobile wallet. The flow consists of the exchange of three distinct JSON objects:

A Credential Offer published by the Issuer that describes the credential and how to apply for it
A Credential Application submitted by the wallet, and
A Credential Fulfillment returned by the Issuer that contains the final credential.
A User navigates to the Issuer site
The Issuer presents a QR code.
User scans the QR code with their wallet.
Wallet parses the QR code, which encodes a JSON object with a challengeTokenUrl property.
Wallet performs a GET request at that URL to return a Credential Offer, a wrapper around a Credential Manifest, with three supplementary properties:
- The issuer DID.
- A URL for the wallet to submit a Credential Application.
- A challenge to sign.
The wallet prompts the user to proceed. The Credential Manifest includes descriptive properties, e.g. in the Verifier app a title and description of the credential are shown.
Once the recipient proceeds, the wallet prepares a signed Credential Application,
- If the wallet doesn't have a DID, it generates one.
- The wallet creates a Credential Application for the DID.
- The application is signed along with the challenge in the Credential Offer
- The ID DWN library exposes a convenience method createCredentialApplication for this purpose.
Wallet submits the Credential Application to the URL found in the Credential Offer.
The Issuer creates a Verifiable Credential and returns it to the wallet as a Credential Fulfillment.
Wallet persists the credential.

PreviousIntroduction NextVerifying Credentials

Last updated 1 year ago

Issuing Credentials

Issuance Flow

A Credential Offer published by the Issuer that describes the credential and how to apply for it
A Credential Application submitted by the wallet, and
A Credential Fulfillment returned by the Issuer that contains the final credential.
A User navigates to the Issuer site
The Issuer presents a QR code.
User scans the QR code with their wallet.
Wallet parses the QR code, which encodes a JSON object with a challengeTokenUrl property.
Wallet performs a GET request at that URL to return a Credential Offer, a wrapper around a Credential Manifest, with three supplementary properties:
- The issuer DID.
- A URL for the wallet to submit a Credential Application.
- A challenge to sign.
The wallet prompts the user to proceed. The Credential Manifest includes descriptive properties, e.g. in the Verifier app a title and description of the credential are shown.
Once the recipient proceeds, the wallet prepares a signed Credential Application,
- If the wallet doesn't have a DID, it generates one.
- The wallet creates a Credential Application for the DID.
- The application is signed along with the challenge in the Credential Offer
- The ID DWN library exposes a convenience method createCredentialApplication for this purpose.
Wallet submits the Credential Application to the URL found in the Credential Offer.
The Issuer creates a Verifiable Credential and returns it to the wallet as a Credential Fulfillment.
Wallet persists the credential.

PreviousIntroduction NextVerifying Credentials

Last updated 1 year ago