openapi: 3.1.0
info:
title: MATTR VII Platform API
version: v12.2.0
description: |
# Introduction
The MATTR VII API defines a set of capabilities that can be used to manage and interact with a MATTR VII tenant. This includes managing a Verifiable Credential across its lifecycle (issue-hold-verify) as well as various tenant administration and management tasks such as setting up a custom domain, creating identifiers and configuring issuance and verification workflows.
# Getting Started with our APIs
As a MATTR VII user, you are provided with the following details, required for accessing and engaging with your MATTR VII tenant:
``` json
{
"audience": "YOUR_AUDIENCE_URL",
"auth_url": "YOUR_AUTH_URL",
"tenant_url": "YOUR_TENANT_URL",
"client_id": "YOUR_CLIENT_ID",
"client_secret": "YOUR_CLIENT_SECRET"
}
```
1. Use the `auth_url`, `audience`, `client_id` and `client_secret` to [obtain an access token](/docs/api-reference/platform/security/authToken).
2. To make a request to your tenant, suffix the `tenant_url` with the endpoint route and include the obtained access token as a header bearer token. For example:
```
GET https://{tenant_url}/v1/dids
```
# Pagination
Most list operations in the API enable cursor pagination using the `cursor` and `limit` query parameters:
**Example on [Retrieve List of Credentials](#operation/retrieveListCreds)**
```
GET https://{tenant-url}/v2/credentials
?limit=100
&cursor=Y3JlYXRlZEF0PTIwMjAtMTAtMDhUMjMlM0ExMyUzQTE3Ljg5NtZGUxZWEyNzQ4MWI4
```
* `limit`: determines how many entries are returned in that request, with a maximum value of 1000.
* `cursor`: sets the location in the retrieved list to get the next batch of entries from. This is based on the returned `nextCursor`, found at the beginning of each returned range and identifies the last object in the list.
Requesting an entry after the last list value will return an empty `data` object:
``` json
{
"data": []
}
```
Not providing a query parameter defaults the response to return the first range of entries with a `limit` of 100.
# Authorization
Access to the API is granted by our authorization provider. Use the `auth_url`, `audience`, `client_id` and `client_secret` provided with your tenant details to [make a request](/docs/api-reference/platform/security/authToken) to receive a bearer token from the auth provider. This token must then be used as an `authorization` header for all requests to protected endpoints (this is required for the majority of operations).
> The returned bearer token will only enable access to endpoints as per your client's defined role. Refer to [Access Control](#access-control) for more information.
# Access control
MATTR VII uses **Role-Based Access Control (RBAC)** to manage permissions and access within a tenant. Each role grants access to specific capabilities, ensuring that users or clients only have access to the functionalities they need. Below is a list of available roles and their descriptions:
- Tenant admin: Has full access to all tenant capabilities. This role is
assigned to the default client when a new tenant is created.
- Issuer: Has access to capabilities required for issuing and managing
credentials of different formats across different channels.
- Verifier: Has access to capabilities required for verifying credentials
of different formats across different channels.
- DTS provider: Has access to capabilities required for managing a
Digital trust service (DTS).
- DTS consumer: Has access to capabilities required to consume DTS
information from a tenant.
- Auditor: Has read-only access to analytics data.
Each restricted endpoint includes a Roles property that indicates what roles are required to access it.
contact:
email: dev-support@mattr.global
servers:
- url: https://{tenantName}.vii.{region}.mattr.global
variables:
tenantName:
default: example
description: The tenant subdomain assigned when the tenant was established.
region:
default: au01
description: The tenant region assigned when the tenant was established.
enum:
- au01
- ca01
- eu01
- us01
security:
- bearerAuth: []
tags:
- name: Analytics
description: Specifies paths and operations for retrieving platform analytics data.
- name: Messaging
description: Specifies paths and operations for signing, encrypting, decrypting and sending messages.
- name: Security
description: Specifies paths and operations for accessing protected endpoints.
- name: Custom Domain
description: Specifies paths and operations for managing custom domains.
x-displayName: Custom domain
- name: DIDs
description: Specifies paths and operations for managing DIDs.
- name: Inboxes
description: Specifies paths and operations for managing inboxes.
- name: Webhooks
description: Specifies paths and operations for managing Webhooks.
- name: Ecosystems
description: Specifies paths and operations for managing ecosystems.
- name: Configuration
description: Operations for managing Ecosystem configurations for a tenant.
- name: Participants
description: Specifies paths and operations for managing ecosystem participants.
- name: Participants assignment
description: Operations related to assigning credential types to Participants within an Ecosystem.
- name: Participants contacts
description: Operations related to managing contacts for Participants within an Ecosystem.
- name: Participants evidence
description: Operations related to managing evidence for Participants within an Ecosystem.
- name: Participants validation
description: Operations related to validating Participants within an Ecosystem.
- name: Credential types
description: Specifies paths and operations for managing ecosystem credential types.
- name: Policy
description: Specifies paths and operations for publishing and retrieving an ecosystem policy.
- name: Issuer assignment
description: Specifies paths and operations for assigning credential types to issuers.
- name: Verifier assignment
description: Specifies paths and operations for assigning credential types to verifiers.
- name: VICAL Configuration
description: Specifies paths and operations for managing VICAL configuration.
x-displayName: Configuration
- name: VICAL
description: Specifies paths and operations for publishing and retrieving an ecosystem policy as a VICAL.
x-displayName: General
- name: CWT credentials issuance
description: Specifies paths and operations for issuing CWT credentials.
x-displayName: CWT credentials
- name: Semantic CWT credentials issuance
description: Specifies paths and operations for issuing Semantic CWT credentials.
x-displayName: Semantic CWT credentials
- name: JSON credentials issuance
description: Specifies paths and operations for issuing JSON credentials.
x-displayName: JSON credentials
- name: mDocs issuance
description: Specifies paths and operations for issuing mDocs credentials.
x-displayName: mDocs
- name: CWT credentials management
description: Specifies paths and operations for managing CWT credentials.
x-displayName: CWT credentials
- name: Semantic CWT credentials management
description: Specifies paths and operations for managing Semantic CWT credentials.
x-displayName: Semantic CWT credentials
- name: JSON credentials management
description: Specifies paths and operations for managing JSON credentials.
x-displayName: JSON credentials
- name: mDocs management
description: Specifies paths and operations for managing mDocs credentials.
x-displayName: mDocs metadata
- name: CWT credentials verification
description: Specifies paths and operations for verifying CWT credentials.
x-displayName: CWT credentials
- name: Semantic CWT credentials verification
description: Specifies paths and operations for verifying Semantic CWT credentials.
x-displayName: Semantic CWT credentials
- name: JSON credentials verification
description: Specifies paths and operations for verifying JSON credentials.
x-displayName: JSON credentials
- name: mDocs verification
description: Specifies paths and operations for verifying mDocs credentials.
x-displayName: mDocs verification
- name: CWT credentials configuration
description: Specifies paths and operations for creating CWT credentials configuration.
x-displayName: CWT credentials
- name: CWT credentials PDF templates
description: Specifies paths and operations for managing CWT credentials PDF templates.
x-displayName: PDF
- name: CWT credentials Apple Pass templates
description: Specifies paths and operations for managing CWT credentials Apple Pass templates.
x-displayName: Apple Pass
- name: CWT credentials Google Pass templates
description: Specifies paths and operations for managing CWT credentials Google Pass templates.
x-displayName: Google Pass
- name: Semantic CWT credentials configuration
description: Specifies paths and operations for creating Semantic CWT credentials configuration.
x-displayName: Semantic CWT credentials
- name: Semantic CWT credentials PDF templates
description: Specifies paths and operations for managing Semantic CWT credentials PDF templates.
x-displayName: PDF
- name: Semantic CWT credentials Apple Pass templates
description: Specifies paths and operations for managing Semantic CWT credentials Apple Pass templates.
x-displayName: Apple Pass
- name: Semantic CWT credentials Google Pass templates
description: Specifies paths and operations for managing Semantic CWT credentials Google Pass templates.
x-displayName: Google Pass
- name: JSON credentials configuration
description: Specifies paths and operations for managing JSON credentials configuration.
x-displayName: JSON credentials
- name: mDoc credentials configuration
description: Specifies paths and operations for managing mDocs credentials configuration.
x-displayName: mDocs
- name: IACA
description: Specifies paths and operations for managing IACAs.
- name: Document Signers
description: Specifies paths and operations for managing Document Signers.
x-displayName: Document signers
- name: Authentication Provider
description: Specifies paths and operations for managing Authentication providers for OID4VCI workflows.
x-displayName: Authentication provider
- name: Interaction Hook
description: Specifies paths and operations for managing Interaction hooks for OID4VCI workflows.
x-displayName: Interaction hook
- name: Claims Source
description: Specifies paths and operations for managing Claim sources for OID4VCI workflows.
x-displayName: Claims source
- name: Credential offers
description: Specifies paths and operations for creating and managing credential offers as part of an OID4VCI workflow.
- name: Credential issuance
description: Specifies paths and operations for issuing credentials as part of an OID4VCI workflow.
x-displayName: Issuance
- name: Issuer metadata
description: Specifies paths and operations for retrieving issuer metadata for OID4VCI workflows.
- name: Users
description: Specifies paths and operations for managing users as part of OID4VCI workflows.
- name: OIDC Verifier Auth
description: Specifies paths and operations for retrieving information required for OIDC bridge verification workflows.
x-displayName: OIDC Verifier auth
- name: OIDC Verifiers
description: Specifies paths and operations for managing OIDC Verifiers.
- name: OIDC Verifier Client
description: Specifies paths and operations for managing OIDC Verifier Clients.
x-displayName: OIDC Verifier client
- name: Document signers
description: Specifies paths and operations for managing document signers.
- name: Status list signers
description: Specifies paths and operations for managing status list signers.
- name: Status list configuration
description: Specifies paths and operations for managing status list configuration.
- name: Status list retrieval
description: Specifies paths and operations for retrieving status lists.
- name: mDocs status
description: Specifies paths and operations for managing mDocs status.
- name: Trusted issuers
description: Specifies paths and operations for managing trusted issuers for mDocs verification.
- name: Verifier root CA certificates
description: Specifies paths and operations for managing Verifier root CA certificates for mDocs verification.
- name: Verifier applications
description: Specifies paths and operations for managing Verifier applications for mDocs verification.
- name: Wallet providers
description: Specifies paths and operations for managing Wallet providers for mDocs verification.
- name: Apple Identity Access certificates
description: Specifies paths and operations for managing Apple Identity Access certificates for mDocs verification.
- name: mDocs presentation sessions
description: Specifies paths and operations for managing mDocs presentation sessions.
x-displayName: Presentation sessions
- name: DTS root CA certificates
description: Specifies paths and operations for managing DTS root CA certificates.
x-displayName: Certificates
- name: VICAL signers
description: Specifies paths and operations for managing VICAL signers.
x-displayName: Signers
- name: Verification request signers
description: Specifies paths and operations for managing Verification request signers.
paths:
/v1/config/domain:
post:
operationId: createCustomDomain
tags:
- Custom Domain
summary: Configure custom domain
x-roles:
- admin
- issuer
- verifier
- dts-provider
- managed-issuer
description: |
Creates a custom domain configuration on your tenant. You can configure a custom domain for a specific MATTR VII tenant to represent your brand and instil trust with your end-users. Any MATTR VII tenant can only have one custom domain. Refer to our [docs](https://learn.mattr.global/docs/platform-management/custom-domain-overview) for more information.
### **Analytic events**
* CONFIG_CUSTOM_DOMAIN_CREATE_START
* CONFIG_CUSTOM_DOMAIN_CREATE_SUCCESS
* CONFIG_CUSTOM_DOMAIN_CREATE_FAIL
requestBody:
description: The custom domain payload
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateCustomDomain'
examples:
Create a Custom Domain:
value:
name: Example Corp
logoUrl: https://cdn.example.com/logo.jpg
domain: example.com
application/xml:
schema:
$ref: '#/components/schemas/CreateCustomDomain'
examples: {}
responses:
'201':
description: Custom domain created
content:
application/json:
schema:
$ref: '#/components/schemas/CustomDomainResponse'
examples:
Created:
value:
name: Example Corp
logoUrl: https://cdn.example.com/logo.jpg
domain: example.com
verificationToken: 8c6f36c1-91ff-439d-a518-48cf7ef421ef
isVerified: false
'400':
$ref: '#/components/responses/400'
get:
operationId: retrieveCustomDomain
tags:
- Custom Domain
summary: Retrieve custom domain
x-roles:
- admin
- issuer
- verifier
- dts-provider
- managed-issuer
description: |-
Returns your tenant's custom domain configuration and its verification status.
### **Analytic events**
* CONFIG_CUSTOM_DOMAIN_RETRIEVE_START
* CONFIG_CUSTOM_DOMAIN_RETRIEVE_SUCCESS
* CONFIG_CUSTOM_DOMAIN_RETRIEVE_FAIL
responses:
'200':
description: Custom domain returned
content:
application/json:
schema:
$ref: '#/components/schemas/CustomDomainResponse'
examples:
Retrieve Domain:
value:
name: Example Corp
logoUrl: https://cdn.example.com/logo.icon
domain: example.com
verificationToken: 8c6f36c1-91ff-439d-a518-48cf7ef421ef
isVerified: true
verifiedAt: '2024-01-31T20:31:48.340Z'
'404':
$ref: '#/components/responses/404'
delete:
operationId: removeCustomDomain
tags:
- Custom Domain
summary: Delete custom domain
x-roles:
- admin
- issuer
- verifier
- dts-provider
- managed-issuer
description: |-
Deletes the custom domain configuration on your tenant.
Deleting your custom domain configuration breaks the linkage with any credentials issued under the custom domain. These credentials will no longer be valid.
### **Analytic events**
* CONFIG_CUSTOM_DOMAIN_DELETE_START
* CONFIG_CUSTOM_DOMAIN_DELETE_SUCCESS
* CONFIG_CUSTOM_DOMAIN_DELETE_FAIL
responses:
'204':
description: Custom domain deleted
'404':
$ref: '#/components/responses/404'
put:
summary: Update custom domain
x-roles:
- admin
- issuer
- verifier
- dts-provider
- managed-issuer
operationId: updateCustomDomain
tags:
- Custom Domain
responses:
'200':
description: Custom Domain updated
content:
application/json:
schema:
$ref: '#/components/schemas/CustomDomainResponse'
examples:
Updated:
value:
name: Example Corp
logoUrl: https://cdn.example.com/logo.icon
domain: example.com
verificationToken: 8c6f36c1-91ff-439d-a518-48cf7ef421ef
isVerified: true
verifiedAt: '2021-04-15T07:37:25.008Z'
'404':
$ref: '#/components/responses/404'
description: |-
Updates the custom domain configuration.
### **Analytic events**
* CONFIG_CUSTOM_DOMAIN_UPDATE_START
* CONFIG_CUSTOM_DOMAIN_UPDATE_SUCCESS
* CONFIG_CUSTOM_DOMAIN_UPDATE_FAIL
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/UpdateCustomDomain'
examples:
Update a Custom Domain:
value:
name: Example Corp
logoUrl: https://cdn.example.com/logo.jpg
domain: example.com
description: ''
parameters: []
/v1/config/domain/verify:
post:
operationId: verifyCustomDomain
tags:
- Custom Domain
summary: Verify custom domain
x-roles:
- admin
- issuer
- verifier
- dts-provider
- managed-issuer
description: |-
Verifies that you have control of the configured custom domain by examining its TXT record.
Your custom domain will not be active until you verify it. Refer to [Verify domain ownership](https://learn.mattr.global/docs/platform-management/custom-domain-overview#verify-domain-ownership) for more information.
### **Analytic events**
* CONFIG_CUSTOM_DOMAIN_VERIFY_START
* CONFIG_CUSTOM_DOMAIN_VERIFY_SUCCESS
* CONFIG_CUSTOM_DOMAIN_VERIFY_FAIL
responses:
'204':
description: Custom domain verified
'400':
description: Bad Request
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
'404':
$ref: '#/components/responses/404'
parameters: []
/.well-known/did-configuration:
get:
security: []
tags:
- DIDs
summary: Well known DID configuration
description: |
Returns a list of Decentralized Identifier (DID) Configuration entries from the tenant. These are automatically created for **all** DIDS created on a tenant so that they can be used by any party aiming to establish and verify the domain-DID linkage by exposing cryptographic proofs. Thus, this endpoint is unprotected, public facing and can be deterministically found at the root of the tenant subdomain or alias by any party. Refer to [Well Known DID Configuration](https://identity.foundation/.well-known/resources/did-configuration) on the Decentralized Identity Foundation website for more information.
responses:
'200':
description: List of DID Configuration entries
content:
application/json:
schema:
$ref: '#/components/schemas/GetDidConfigJsonldResponse'
examples:
Example:
value:
entries:
- '@context':
- https://www.w3.org/2018/credentials/v1
- https://identity.foundation/.well-known/contexts/did-configuration-v0.2.jsonld
type:
- VerifiableCredential
- DomainLinkageCredential
issuer: did:key:z6MktarAWYW9iUWN2f9oAdHhFXdD9ZKRoEiQyPhQffBho4Df
issuanceDate: '2023-07-19T00:46:39.327Z'
credentialSubject:
id: did:key:z6MktarAWYW9iUWN2f9oAdHhFXdD9ZKRoEiQyPhQffBho4Df
origin: tenant.vii.mattr.global
proof:
type: Ed25519Signature2018
created: '2023-07-19T00:46:39Z'
verificationMethod: did:key:z6MktarAWYW9iUWN2f9oAdHhFXdD9ZKRoEiQyPhQffBho4Df#z6MktarAWYW9iUWN2f9oAdHhFXdD9ZKRoEiQyPhQffBho4Df
proofPurpose: assertionMethod
jws: EXAMPLE_JWS_TOKEN_eyJhbGciOiJFZERTQSIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..jx6VQ_iB80R2GVcqy-hBGHp0A-u-i9ynye7ipb0p4z-4I2ww8tgcut3JadipHUgTS9Qs2YwY2abUsj3045ywDA
- '@context':
- https://www.w3.org/2018/credentials/v1
- https://identity.foundation/.well-known/contexts/did-configuration-v0.2.jsonld
type:
- VerifiableCredential
- DomainLinkageCredential
issuer: did:key:zUC745TL4zAa8D8qqHnwcmLj7QFcTbgsh41x6sbkRARPokFFvykvk6jjotsEmjpXniEQsm9r5LkSfXKXXu9F5698uDoQ9Bq8MeLtisqUoJJ1SZRa9tsU5EFfD2T2dR58RFMPW9K
issuanceDate: '2023-07-19T00:46:39.328Z'
credentialSubject:
id: did:key:zUC745TL4zAa8D8qqHnwcmLj7QFcTbgsh41x6sbkRARPokFFvykvk6jjotsEmjpXniEQsm9r5LkSfXKXXu9F5698uDoQ9Bq8MeLtisqUoJJ1SZRa9tsU5EFfD2T2dR58RFMPW9K
origin: product-team.platform.staging.mattrlabs.io
proof:
type: BbsSignature2022
verificationMethod: did:key:zUC745TL4zAa8D8qqHnwcmLj7QFcTbgsh41x6sbkRARPokFFvykvk6jjotsEmjpXniEQsm9r5LkSfXKXXu9F5698uDoQ9Bq8MeLtisqUoJJ1SZRa9tsU5EFfD2T2dR58RFMPW9K#zUC745TL4zAa8D8qqHnwcmLj7QFcTbgsh41x6sbkRARPokFFvykvk6jjotsEmjpXniEQsm9r5LkSfXKXXu9F5698uDoQ9Bq8MeLtisqUoJJ1SZRa9tsU5EFfD2T2dR58RFMPW9K
proofPurpose: assertionMethod
proofValue: x8AFZpr/CUbwC4qony2g8BpW7hdF+KhM363b0jQ6MI+FFsKzwug92JDdeSXaFaZyCvfhkJrIdDGMAzyLSp9kJqH4B2cqPw2AcEsoNrTqxOEw9ZK7D1LXAkvElUhfmIZLKAmGpA8RNVPUG8Q+a2p49w==
operationId: wellKnownDidConfig
/v1/dids:
post:
tags:
- DIDs
summary: Create a DID
x-roles:
- admin
- issuer
- verifier
- dts-provider
- managed-issuer
description: |-
Takes a supported [DID method](https://learn.mattr.global/docs/concepts/dids#methods) and returns a new DID with its generated keys and required information. This endpoint also registers the DID Document when applicable.
MATTR VII currently supports creating DIDs of the following methods:
- **did:key**: The most basic type of DID. The public key forms the DID and has no further data associated with it.
- **did:web**: This type of DID requires hosting the DID document on a publicly accessible domain in order to make the document and its contents available.
### **Analytic events**
* DID_CREATE_START
* DID_CREATE_SUCCESS
* DID_CREATE_FAIL
requestBody:
description: Options for creating the decentralized identifier
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateDidDocument'
examples:
Create did:web:
value:
method: web
options:
url: learn.vii.au01.mattr.global
Create did:key:
value:
method: key
options:
keyType: Ed25519
responses:
'201':
description: DID document created
content:
application/json:
schema:
$ref: '#/components/schemas/CreateDidResponse'
examples:
did:web:
value:
did: did:web:learn.vii.au01.mattr.global
registrationStatus: COMPLETED
localMetadata:
keys:
- didDocumentKeyId: did:web:learn.vii.au01.mattr.global#z12KiP7r
kmsKeyId: 96fa6a94-a8cf-4afd-825b-70b46bdb60ee
- didDocumentKeyId: did:web:learn.vii.au01.mattr.global#nCxqyzxHFi
kmsKeyId: 378dfe87-6eba-4779-a402-34ff5b267840
- didDocumentKeyId: did:web:learn.vii.au01.mattr.global#2vcj3MjR4d
kmsKeyId: a0cba537-ffe1-486d-aedd-6ead80e75519
- didDocumentKeyId: did:web:learn.vii.au01.mattr.global#CU6dJt9p8t
kmsKeyId: 250c4e1f-bae3-44ca-9f4e-4f7ff15851e2
registered: 1674421454614
initialDidDocument:
'@context':
- https://w3.org/ns/did/v1
- https://w3id.org/security/suites/x25519-2019/v1
- https://w3id.org/security/suites/jws-2020/v1
- https://w3id.org/security/suites/ed25519-2018/v1
- https://w3id.org/security/bbs/v1
id: did:web:learn.vii.au01.mattr.global
verificationMethod:
- id: did:web:learn.vii.au01.mattr.global#z12KiP7r
controller: did:web:learn.vii.au01.mattr.global
type: JsonWebKey2020
publicKeyJwk:
kty: EC
crv: P-256
x: PZWoBmV7vjJ55Aq5hFAPIH6uDA-V3G0ueVe22ahgL7w
'y': 7kzcj257Zvfpzyj2gFWrnCIbXZxQ6WyDOo2MdA6mpMI
- id: did:web:learn.vii.au01.mattr.global#2vcj3MjR4d
controller: did:web:learn.vii.au01.mattr.global
type: Ed25519VerificationKey2018
publicKeyBase58: 2vcj3MjR4dSKq5asFQ9oor7iZsqTKTfBpjLHgaP15Y24
- id: did:web:learn.vii.au01.mattr.global#nCxqyzxHFi
controller: did:web:learn.vii.au01.mattr.global
type: Bls12381G2Key2020
publicKeyBase58: nCxqyzxHFioYCVwinAwJzTPwfs84pPaseZQFkfGXUxx5ZD93HE43aXicYsyj2s5HYFSSYw9WtRaWsKeF9qn2jBVZ2UNuQCdG1qna9jpZPTvWQY1t2Z2hxhhs8MV5P5QaozB
authentication:
- did:web:learn.vii.au01.mattr.global#2vcj3MjR4d
assertionMethod:
- did:web:learn.vii.au01.mattr.global#z12KiP7r
- did:web:learn.vii.au01.mattr.global#2vcj3MjR4d
- did:web:learn.vii.au01.mattr.global#nCxqyzxHFi
capabilityDelegation:
- did:web:learn.vii.au01.mattr.global#z12KiP7r
- did:web:learn.vii.au01.mattr.global#2vcj3MjR4d
- did:web:learn.vii.au01.mattr.global#nCxqyzxHFi
capabilityInvocation:
- did:web:learn.vii.au01.mattr.global#z12KiP7r
- did:web:learn.vii.au01.mattr.global#2vcj3MjR4d
- did:web:learn.vii.au01.mattr.global#nCxqyzxHFi
keyAgreement:
- id: did:web:learn.vii.au01.mattr.global#CU6dJt9p8t
controller: did:web:learn.vii.au01.mattr.global
type: X25519KeyAgreementKey2019
publicKeyBase58: CU6dJt9p8twE4hmyGVFbVpUMmu6G732bVgD1tNupwYY7
'400':
$ref: '#/components/responses/400'
operationId: createDid
get:
tags:
- DIDs
summary: Retrieve a list of DIDs
x-roles:
- admin
- issuer
- verifier
- dts-provider
- managed-issuer
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
description: |
Returns a list of all DIDs (Decentralized Identifiers) managed by the tenant and their associated meta-data.
### **Analytic events**
* DID_RETRIEVE_LIST_START
* DID_RETRIEVE_LIST_SUCCESS
* DID_RETRIEVE_LIST_FAIL
responses:
'200':
description: A list of DIDs
content:
application/json:
schema:
$ref: '#/components/schemas/GetDidsResponse'
examples:
Example:
value:
data:
- did: did:web:learn.vii.au01.mattr.global
localMetadata:
keys:
- didDocumentKeyId: did:web:learn.vii.au01.mattr.global#z12KiP7r
kmsKeyId: 96fa6a94-a8cf-4afd-825b-70b46bdb60ee
- didDocumentKeyId: did:web:learn.vii.au01.mattr.global#nCxqyzxHFi
kmsKeyId: 378dfe87-6eba-4779-a402-34ff5b267840
- didDocumentKeyId: did:web:learn.vii.au01.mattr.global#2vcj3MjR4d
kmsKeyId: a0cba537-ffe1-486d-aedd-6ead80e75519
- didDocumentKeyId: did:web:learn.vii.au01.mattr.global#CU6dJt9p8t
kmsKeyId: 250c4e1f-bae3-44ca-9f4e-4f7ff15851e2
registered: 1674421454614
initialDidDocument:
'@context':
- https://w3.org/ns/did/v1
- https://w3id.org/security/suites/x25519-2019/v1
- https://w3id.org/security/suites/jws-2020/v1
- https://w3id.org/security/suites/ed25519-2018/v1
- https://w3id.org/security/bbs/v1
id: did:web:learn.vii.au01.mattr.global
verificationMethod:
- id: did:web:learn.vii.au01.mattr.global#z12KiP7r
controller: did:web:learn.vii.au01.mattr.global
type: JsonWebKey2020
publicKeyJwk:
kty: EC
crv: P-256
x: PZWoBmV7vjJ55Aq5hFAPIH6uDA-V3G0ueVe22ahgL7w
'y': 7kzcj257Zvfpzyj2gFWrnCIbXZxQ6WyDOo2MdA6mpMI
- id: did:web:learn.vii.au01.mattr.global#2vcj3MjR4d
controller: did:web:learn.vii.au01.mattr.global
type: Ed25519VerificationKey2018
publicKeyBase58: 2vcj3MjR4dSKq5asFQ9oor7iZsqTKTfBpjLHgaP15Y24
- id: did:web:learn.vii.au01.mattr.global#nCxqyzxHFi
controller: did:web:learn.vii.au01.mattr.global
type: Bls12381G2Key2020
publicKeyBase58: nCxqyzxHFioYCVwinAwJzTPwfs84pPaseZQFkfGXUxx5ZD93HE43aXicYsyj2s5HYFSSYw9WtRaWsKeF9qn2jBVZ2UNuQCdG1qna9jpZPTvWQY1t2Z2hxhhs8MV5P5QaozB
authentication:
- did:web:learn.vii.au01.mattr.global#2vcj3MjR4d
assertionMethod:
- did:web:learn.vii.au01.mattr.global#z12KiP7r
- did:web:learn.vii.au01.mattr.global#2vcj3MjR4d
- did:web:learn.vii.au01.mattr.global#nCxqyzxHFi
capabilityDelegation:
- did:web:learn.vii.au01.mattr.global#z12KiP7r
- did:web:learn.vii.au01.mattr.global#2vcj3MjR4d
- did:web:learn.vii.au01.mattr.global#nCxqyzxHFi
capabilityInvocation:
- did:web:learn.vii.au01.mattr.global#z12KiP7r
- did:web:learn.vii.au01.mattr.global#2vcj3MjR4d
- did:web:learn.vii.au01.mattr.global#nCxqyzxHFi
keyAgreement:
- id: did:web:learn.vii.au01.mattr.global#CU6dJt9p8t
controller: did:web:learn.vii.au01.mattr.global
type: X25519KeyAgreementKey2019
publicKeyBase58: CU6dJt9p8twE4hmyGVFbVpUMmu6G732bVgD1tNupwYY7
- did: did:key:z6MkqHv635BxaXJpXKzbdwpKGUX1a8oqaGmgBxdi2yF1p1PZ
localMetadata:
keys:
- kmsKeyId: 2462a440-ef70-413b-8e73-0b2905a73562
didDocumentKeyId: did:key:z6MkqHv635BxaXJpXKzbdwpKGUX1a8oqaGmgBxdi2yF1p1PZ#z6MkqHv635BxaXJpXKzbdwpKGUX1a8oqaGmgBxdi2yF1p1PZ
- kmsKeyId: e65e6545-1ba0-4959-8272-db22a46f2e34
didDocumentKeyId: did:key:z6MkqHv635BxaXJpXKzbdwpKGUX1a8oqaGmgBxdi2yF1p1PZ#z6LSsfqtdz5mtaGRTZrGwhzK73xDYAtack5AHKcakR1eco7K
registered: 1671586060525
initialDidDocument:
id: did:key:z6MkqHv635BxaXJpXKzbdwpKGUX1a8oqaGmgBxdi2yF1p1PZ
'@context':
- https://w3.org/ns/did/v1
- https://w3id.org/security/suites/x25519-2019/v1
- https://w3id.org/security/suites/ed25519-2018/v1
verificationMethod:
- id: did:key:z6MkqHv635BxaXJpXKzbdwpKGUX1a8oqaGmgBxdi2yF1p1PZ#z6MkqHv635BxaXJpXKzbdwpKGUX1a8oqaGmgBxdi2yF1p1PZ
type: Ed25519VerificationKey2018
controller: did:key:z6MkqHv635BxaXJpXKzbdwpKGUX1a8oqaGmgBxdi2yF1p1PZ
publicKeyBase58: Bqf3SpwXEypMQq9txNrURNy1kZXzAPXKVwinChGztncB
keyAgreement:
- id: did:key:z6MkqHv635BxaXJpXKzbdwpKGUX1a8oqaGmgBxdi2yF1p1PZ#z6LSsfqtdz5mtaGRTZrGwhzK73xDYAtack5AHKcakR1eco7K
type: X25519KeyAgreementKey2019
controller: did:key:z6MkqHv635BxaXJpXKzbdwpKGUX1a8oqaGmgBxdi2yF1p1PZ
publicKeyBase58: Gzfj7gGuo7YgNBUWR4UMnTjjh2MTv8u1QLtuFxN7uRLZ
authentication:
- did:key:z6MkqHv635BxaXJpXKzbdwpKGUX1a8oqaGmgBxdi2yF1p1PZ#z6MkqHv635BxaXJpXKzbdwpKGUX1a8oqaGmgBxdi2yF1p1PZ
assertionMethod:
- did:key:z6MkqHv635BxaXJpXKzbdwpKGUX1a8oqaGmgBxdi2yF1p1PZ#z6MkqHv635BxaXJpXKzbdwpKGUX1a8oqaGmgBxdi2yF1p1PZ
capabilityDelegation:
- did:key:z6MkqHv635BxaXJpXKzbdwpKGUX1a8oqaGmgBxdi2yF1p1PZ#z6MkqHv635BxaXJpXKzbdwpKGUX1a8oqaGmgBxdi2yF1p1PZ
capabilityInvocation:
- did:key:z6MkqHv635BxaXJpXKzbdwpKGUX1a8oqaGmgBxdi2yF1p1PZ#z6MkqHv635BxaXJpXKzbdwpKGUX1a8oqaGmgBxdi2yF1p1PZ
nextCursor: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1hNjZmZmVhNS04NDhlLTQzOWQtODBhNC1kZGE1NWY1M2UzNmM
operationId: retrieveListOfDids
parameters: []
/v1/dids/{id}:
get:
tags:
- DIDs
summary: Resolve a DID
x-roles:
- admin
- issuer
- verifier
- dts-provider
- managed-issuer
description: |-
Retrieves a DID and its metadata from the tenant by its URI. This may involve a network call depending on the method involved:
- For did:key the public key is encapsulated in the DID URI itself.
- For did:web it must be resolved by accessing the `/.well-known/did.json` path on its domain.
### **Analytic events**
* DID_RETRIEVE_START
* DID_RETRIEVE_SUCCESS
* DID_RETRIEVE_FAIL
responses:
'200':
description: A DID Document and its meta-data
content:
application/json:
schema:
$ref: '#/components/schemas/GetDidResponse'
examples:
Example did:web:
value:
did: did:web:learn.vii.au01.mattr.global
registrationStatus: COMPLETED
localMetadata:
keys:
- didDocumentKeyId: did:web:learn.vii.au01.mattr.global#z12KiP7r
kmsKeyId: 96fa6a94-a8cf-4afd-825b-70b46bdb60ee
- didDocumentKeyId: did:web:learn.vii.au01.mattr.global#nCxqyzxHFi
kmsKeyId: 378dfe87-6eba-4779-a402-34ff5b267840
- didDocumentKeyId: did:web:learn.vii.au01.mattr.global#2vcj3MjR4d
kmsKeyId: a0cba537-ffe1-486d-aedd-6ead80e75519
- didDocumentKeyId: did:web:learn.vii.au01.mattr.global#CU6dJt9p8t
kmsKeyId: 250c4e1f-bae3-44ca-9f4e-4f7ff15851e2
registered: 1674421454614
initialDidDocument:
'@context':
- https://w3.org/ns/did/v1
- https://w3id.org/security/suites/x25519-2019/v1
- https://w3id.org/security/suites/jws-2020/v1
- https://w3id.org/security/suites/ed25519-2018/v1
- https://w3id.org/security/bbs/v1
id: did:web:learn.vii.au01.mattr.global
verificationMethod:
- id: did:web:learn.vii.au01.mattr.global#z12KiP7r
controller: did:web:learn.vii.au01.mattr.global
type: JsonWebKey2020
publicKeyJwk:
kty: EC
crv: P-256
x: PZWoBmV7vjJ55Aq5hFAPIH6uDA-V3G0ueVe22ahgL7w
'y': 7kzcj257Zvfpzyj2gFWrnCIbXZxQ6WyDOo2MdA6mpMI
- id: did:web:learn.vii.au01.mattr.global#2vcj3MjR4d
controller: did:web:learn.vii.au01.mattr.global
type: Ed25519VerificationKey2018
publicKeyBase58: 2vcj3MjR4dSKq5asFQ9oor7iZsqTKTfBpjLHgaP15Y24
- id: did:web:learn.vii.au01.mattr.global#nCxqyzxHFi
controller: did:web:learn.vii.au01.mattr.global
type: Bls12381G2Key2020
publicKeyBase58: nCxqyzxHFioYCVwinAwJzTPwfs84pPaseZQFkfGXUxx5ZD93HE43aXicYsyj2s5HYFSSYw9WtRaWsKeF9qn2jBVZ2UNuQCdG1qna9jpZPTvWQY1t2Z2hxhhs8MV5P5QaozB
authentication:
- did:web:learn.vii.au01.mattr.global#2vcj3MjR4d
assertionMethod:
- did:web:learn.vii.au01.mattr.global#z12KiP7r
- did:web:learn.vii.au01.mattr.global#2vcj3MjR4d
- did:web:learn.vii.au01.mattr.global#nCxqyzxHFi
capabilityDelegation:
- did:web:learn.vii.au01.mattr.global#z12KiP7r
- did:web:learn.vii.au01.mattr.global#2vcj3MjR4d
- did:web:learn.vii.au01.mattr.global#nCxqyzxHFi
capabilityInvocation:
- did:web:learn.vii.au01.mattr.global#z12KiP7r
- did:web:learn.vii.au01.mattr.global#2vcj3MjR4d
- did:web:learn.vii.au01.mattr.global#nCxqyzxHFi
keyAgreement:
- id: did:web:learn.vii.au01.mattr.global#CU6dJt9p8t
controller: did:web:learn.vii.au01.mattr.global
type: X25519KeyAgreementKey2019
publicKeyBase58: CU6dJt9p8twE4hmyGVFbVpUMmu6G732bVgD1tNupwYY7
'404':
$ref: '#/components/responses/404'
operationId: resolveDid
delete:
description: |-
Deletes a DID and all associated metadata by providing its URI. This includes all the removal of all associated private keys from the Key Management System (KMS).
For `did:web` you will need to manually remove the `did.json` from your hosted domain.
### **Analytic events**
* DID_DELETE_START
* DID_DELETE_SUCCESS
* DID_DELETE_FAIL
tags:
- DIDs
summary: Delete a DID
x-roles:
- admin
- issuer
- verifier
- dts-provider
- managed-issuer
responses:
'204':
description: DID successfully deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: deleteDid
parameters:
- name: id
in: path
description: DID
schema:
type: string
format: did
example: did:key:z6Mkjr7vfzBfamiN6Wi6cyQUgTq6CEMXP1MzWQawsUEXJoa9
required: true
/v2/credentials/compact/sign:
post:
requestBody:
description: CWT credential payload to sign
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/SignCompactCredentialRequest'
tags:
- CWT credentials issuance
summary: Sign a CWT credential
x-roles:
- admin
- issuer
- managed-issuer
responses:
'200':
description: CWT credential signed
content:
application/json:
schema:
$ref: '#/components/schemas/SignCompactCredentialResponse'
'400':
$ref: '#/components/responses/400'
operationId: sign-compact-credential
description: |-
Returns a signed CWT credential generated from a provided valid payload.
The payload can include any number of custom claims, as CWT credentials do not comply with any specific standard or specification.
### **Analytic events**
* CREDENTIAL_COMPACT_SIGN_START
* CREDENTIAL_COMPACT_SIGN_SUCCESS
* CREDENTIAL_COMPACT_SIGN_FAIL
/v2/credentials/compact/{id}:
parameters:
- name: id
in: path
required: true
schema:
type: string
description: Credential ID
delete:
tags:
- CWT credentials management
summary: Delete CWT credential metadata
x-roles:
- admin
- issuer
- managed-issuer
responses:
'204':
description: Credential metadata deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: removeCompactCredential
description: |-
Deletes all credential metadata from the tenant for a specific credential by providing its ID. If the credential was set to be revocable, it will be permanently revoked upon metadata deletion.
Note that only metadata of revocable credentials or credentials issued via the OpenID4VCI flow is saved.
Deleted metadata cannot be recovered.
/v2/credentials/compact/revocation-lists:
get:
security: []
tags:
- CWT credentials management
description: |-
Returns a list of all CWT credential revocation lists on the tenant.
### **Analytic events**
* CREDENTIAL_COMPACT_REVOCATION_LISTS_RETRIEVE_START
* CREDENTIAL_COMPACT_REVOCATION_LISTS_RETRIEVE_SUCCESS
* CREDENTIAL_COMPACT_REVOCATION_LISTS_RETRIEVE_FAIL
summary: Retrieve all CWT credential revocation lists
operationId: compact-credential-revocation-list-discovery
responses:
'200':
description: Revocation lists retrieved
content:
application/json:
schema:
type: array
items:
type: object
properties:
nextCursor:
type: string
data:
type: array
items:
type: object
properties:
id:
type: string
description: Unique identifier for this Revocation List. You will need it to retrieve this specific list.
issuer:
type: string
description: Issuer DID for this tenant.
url:
type: string
description: This is the public URL where this revocation list is available.
/v2/credentials/compact/revocation-lists/{listId}:
get:
security: []
tags:
- CWT credentials management
description: |-
Returns a CWT credential revocation list by providing its ID.
### **Analytic events**
* CREDENTIAL_COMPACT_REVOCATION_RETRIEVE_START
* CREDENTIAL_COMPACT_REVOCATION_RETRIEVE_SUCCESS
* CREDENTIAL_COMPACT_REVOCATION_RETRIEVE_FAIL
summary: Retrieve CWT credential revocation list
operationId: compact-credential-revocation-list
responses:
'200':
description: Revocation list retrieved
content:
application/cwt:
schema:
type: string
format: binary
parameters:
- schema:
type: string
name: listId
in: path
required: true
description: The unique identifier of the Revocation List you wish to retrieve.
/v2/credentials/compact/{id}/revocation-status:
post:
requestBody:
description: Update revocation status
required: true
content:
application/json:
schema:
type: object
required:
- isRevoked
properties:
isRevoked:
type: boolean
description: When set to `true` the credential will be revoked. When set to `false`, the credential will be unrevoked.
tags:
- CWT credentials management
summary: Update CWT credential revocation status
x-roles:
- admin
- issuer
- managed-issuer
responses:
'200':
description: Revocation status updated
content:
application/json:
schema:
type: object
required:
- id
- isRevoked
properties:
id:
type: string
description: Unique credential identifier.
isRevoked:
type: boolean
description: Indicates whether the credential has been revoked (`true`) or not (`false`).
'404':
$ref: '#/components/responses/404'
operationId: update-revocation-compact-credential
description: |-
Updates the credential status as revoked (invalid) or unrevoked (valid).
### **Analytic events**
* CREDENTIAL_COMPACT_REVOCATION_SET_STATUS_START
* CREDENTIAL_COMPACT_REVOCATION_SET_STATUS_SUCCESS
* CREDENTIAL_COMPACT_REVOCATION_SET_STATUS_FAIL
get:
tags:
- CWT credentials management
summary: Retrieve CWT credential revocation status
x-roles:
- admin
- issuer
- managed-issuer
responses:
'200':
description: Revocation status retrieved
content:
application/json:
schema:
type: object
properties:
isRevoked:
type: boolean
description: Indicates whether the credential has been revoked (`true`) or not (`false`).
'404':
$ref: '#/components/responses/404'
operationId: get-revocation-compact-credential
description: Retrieve the revocation status of a CWT credential by providing its ID.
parameters:
- schema:
type: string
name: id
in: path
required: true
description: Unique credential identifier.
/v2/credentials/compact/verify:
post:
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- payload
properties:
payload:
type: string
description: The CWT credential to verify, represented as an encoded string.
example: CSC:/1/2KCE3IQEJB5DCMSLN5KWKZABE2QFQRVDAF4CIZDJMQ5HOZLCHIYDGOJUFUYTENJNGIZTOLJVGIWTCMJQFZXGO4TPNMXGS33ENZQW2ZLEJJXWQ3QH3BAFB3LISHKGQ2KBJ6Q35NXZFD6LGZ2YIAYHZAKCF7NKTIUZUTZQ3PWDBALAWVRG5XL2H4P4WFK25X3Y5X5RTN7NOZUST67KLCEFS3EPXQU5KM7VUGOPXJLQ6K5U676PMQNWRZCZ
trustedIssuers:
type: array
description: When you include issuers' DIDs in this array, credentials will only be verified if their `iss` value matches one of these DIDs. You can include multiple trusted issuers, separated by commas.
items:
type: string
example: did:web:organization.com
assertValidFrom:
type: boolean
description: MATTR VII validates the credential's `nbf` (not before) field by default, so that credentials that have a future `nbf` date will not be verified. When this field is set to `false`, credentials can be verified even when their `nbf` date is in the future.
default: true
assertValidUntil:
type: boolean
description: MATTR VII validates the credential's `exp` (expiry) field by default, so that expired credentials will not be verified. When this field is set to `false`, credentials can be verified even when their `exp` date has passed.
default: true
checkRevocation:
type: boolean
description: MATTR VII checks the credential revocation status by default, so that revoked credentials will not be verified. When this field is set to `false`, credentials can be verified even when they had been revoked.
default: true
multipart/form-data:
schema:
type: object
properties:
file:
type: string
format: binary
description: "A PDF or an image:\n- File size can be 1MB or under. Larger files are rejected with a 413 error.\_\n- Only the first page of PDF documents is processed. \_\n- Image files must contain a QR code of sufficient quality and resolution. This depends on many factors such as the size of the QR relative to the image, and whether the image had been processed in any way.\n- For optimal performance, ensure that only a single QR code is present on the file.\_"
trustedIssuers:
type: array
description: When you include issuers' DIDs in this array, credentials will only be verified if their `iss` value matches one of these DIDs. You can include multiple trusted issuers, separated by commas.
items:
type: string
example: did:web:example.com
assertValidFrom:
type: boolean
description: MATTR VII validates the credential's `nbf` (not before) field by default, so that credentials that have a future `nbf` date will not be verified. When this field is set to `false`, credentials can be verified even when their `nbf` date is in the future.
default: true
assertValidUntil:
type: boolean
description: MATTR VII validates the credential's `exp` (expiry) field by default, so that expired credentials will not be verified. When this field is set to `false`, credentials can be verified even when their `exp` date has passed.
default: true
checkRevocation:
type: boolean
description: MATTR VII checks the credential revocation status by default, so that revoked credentials will not be verified. When this field is set to `false`, credentials can be verified even when they had been revoked.
default: true
required:
- file
tags:
- CWT credentials verification
summary: Verify a CWT credential
x-roles:
- admin
- verifier
responses:
'200':
description: Verification completed
content:
application/json:
schema:
$ref: '#/components/schemas/VerifyCompactCredentialResponse'
'400':
$ref: '#/components/responses/400'
'413':
description: Payload Too Large
'415':
description: Unsupported Media Type
operationId: verify-compact-credential
description: |-
Verify a CWT credential by providing the encoded payload and specifying verification options.
You can provide a valid CWT credential as either an encoded string or a QR code in a PDF document or an image file.
Standard checks performed on all verification requests:
- Conformance of the string and encoded data. All string representations of CWT credentials must be prefixed with `CSC/1`.
- Decoded payload structure is a valid CWT credential.
- Issuer DID can be used to resolve its `did.json` document.
- Public key from issuer's `did.json` document validates the proof signature, confirming the credential has not been tampered with.
Optional parameter checks:
- Credential was issued by a trusted issuer.
- Current time is after the beginning of the credential validity period.
- Current time is not after the end of the credential validity period.
- Credential has not been revoked.
### **Analytic events**
* CREDENTIAL_COMPACT_VERIFY_START
* CREDENTIAL_COMPACT_VERIFY_SUCCESS
* CREDENTIAL_COMPACT_VERIFY_FAIL
/v2/credentials/compact/qrcode:
post:
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/GenerateQrCodeRequest'
tags:
- CWT credentials issuance
operationId: generateQrCodeCompactCredential
summary: Format a CWT credential as a QR code
x-roles:
- admin
- issuer
- managed-issuer
description: |-
Returns a QR code representation of a CWT credential from a provided encoded string representation of that credential.
### **Analytic events**
* CREDENTIAL_COMPACT_QRCODE_CREATE_START
* CREDENTIAL_COMPACT_QRCODE_CREATE_SUCCESS
* CREDENTIAL_COMPACT_QRCODE_CREATE_FAIL
responses:
'200':
description: QR code generated
content:
image/png:
schema:
type: string
format: binary
'400':
description: Bad Request
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
examples:
Payload is not string:
$ref: '#/components/examples/PayloadNotStringError'
The payload does not belong to compact credential profile:
$ref: '#/components/examples/InvalidCompactCredentialError'
The amount of data is too big to be stored in a QR Code:
$ref: '#/components/examples/QRCodeTooLargeDataError'
The generated QR Code is larger than the provided width:
$ref: '#/components/examples/QRCodeLargerWidthError'
/v2/credentials/compact/configurations:
post:
operationId: createCompactCredentialConfiguration
tags:
- CWT credentials configuration
summary: Create a CWT credential configuration
x-roles:
- admin
- issuer
description: |
Creates a new CWT credential configuration, a specific set of rules and parameters that are used to create and validate a particular type of verifiable credential. These rules and parameters define how the credential is structured and what data it contains when issued.
### **Analytic events**
* CREDENTIAL_COMPACT_CREDENTIAL_CONFIGURATION_CREATE_START
* CREDENTIAL_COMPACT_CREDENTIAL_CONFIGURATION_CREATE_SUCCESS
* CREDENTIAL_COMPACT_CREDENTIAL_CONFIGURATION_CREATE_FAIL
requestBody:
description: The credential configuration payload
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CredentialConfigurationRequest'
responses:
'201':
description: CWT credential configuration created
content:
application/json:
schema:
$ref: '#/components/schemas/CredentialConfigurationResponse'
'400':
$ref: '#/components/responses/400'
get:
operationId: getCompactCredentialConfigurations
tags:
- CWT credentials configuration
summary: Retrieve all CWT credential configurations
x-roles:
- admin
- issuer
- managed-issuer
description: |
Returns a list of all CWT credential configurations from your tenant.
### **Analytic events**
* CREDENTIAL_COMPACT_CREDENTIAL_CONFIGURATION_RETRIEVE_LIST_START
* CREDENTIAL_COMPACT_CREDENTIAL_CONFIGURATION_RETRIEVE_LIST_SUCCESS
* CREDENTIAL_COMPACT_CREDENTIAL_CONFIGURATION_RETRIEVE_LIST_FAIL
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
- schema:
type: string
example: AlumniCredential
in: query
name: type
description: The optional credential type to filter on
responses:
'200':
description: CWT credential configurations retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/GetCredentialConfigurationsResponse'
'400':
$ref: '#/components/responses/400'
parameters: []
/v2/credentials/compact/configurations/{id}:
parameters:
- name: id
in: path
description: Unique identifier for the CWT credential configuration.
schema:
type: string
format: uuid
example: 3948c40e-6e19-4ffc-933c-91f643f24264
required: true
get:
operationId: getCompactCredentialConfiguration
tags:
- CWT credentials configuration
summary: Retrieve a CWT credential configuration
x-roles:
- admin
- issuer
- managed-issuer
description: |-
Returns a CWT credential configuration by providing its ID.
### **Analytic events**
* CREDENTIAL_COMPACT_CREDENTIAL_CONFIGURATION_RETRIEVE_START
* CREDENTIAL_COMPACT_CREDENTIAL_CONFIGURATION_RETRIEVE_SUCCESS
* CREDENTIAL_COMPACT_CREDENTIAL_CONFIGURATION_RETRIEVE_FAIL
responses:
'200':
description: CWT credential configuration retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/CredentialConfigurationResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
put:
operationId: updateCompactCredentialConfiguration
tags:
- CWT credentials configuration
summary: Update a CWT credential configuration
x-roles:
- admin
- issuer
description: |
Updates an existing CWT credential configuration by providing its ID.
### **Analytic events**
* CREDENTIAL_COMPACT_CREDENTIAL_CONFIGURATION_UPDATE_START
* CREDENTIAL_COMPACT_CREDENTIAL_CONFIGURATION_UPDATE_SUCCESS
* CREDENTIAL_COMPACT_CREDENTIAL_CONFIGURATION_UPDATE_FAIL
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CredentialConfigurationRequest'
description: Update a CWT credential configuration
responses:
'200':
description: CWT credential configuration updated
content:
application/json:
schema:
$ref: '#/components/schemas/CredentialConfigurationResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
delete:
operationId: deleteCompactCredentialConfiguration
tags:
- CWT credentials configuration
summary: Delete a CWT credential configuration
x-roles:
- admin
- issuer
description: |
Deletes an existing CWT credential configuration by providing its ID.
### **Analytic events**
* CREDENTIAL_COMPACT_CREDENTIAL_CONFIGURATION_DELETE_START
* CREDENTIAL_COMPACT_CREDENTIAL_CONFIGURATION_DELETE_SUCCESS
* CREDENTIAL_COMPACT_CREDENTIAL_CONFIGURATION_DELETE_FAIL
responses:
'204':
description: CWT credential configuration deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
/v2/credentials/compact-semantic/sign:
post:
requestBody:
description: Semantic CWT credential payload to sign
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/SignCompactSemanticCredentialRequest'
tags:
- Semantic CWT credentials issuance
summary: Sign a Semantic CWT credential
x-roles:
- admin
- issuer
- managed-issuer
responses:
'200':
description: Semantic CWT credential signed
content:
application/json:
schema:
$ref: '#/components/schemas/SignCompactSemanticCredentialResponse'
'400':
$ref: '#/components/responses/400'
operationId: signCompactSemanticcredential
description: |-
Returns a signed Semantic CWT credential generated from a provided valid payload.
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_SIGN_START
* CREDENTIAL_COMPACT_SEMANTIC_SIGN_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_SIGN_FAIL
/v2/credentials/compact-semantic/verify:
post:
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- payload
properties:
payload:
type: string
description: The Semantic CWT credential to verify, represented as an encoded string.
example: CSS:/1/2KCE3IQEJB5DCMSLN5KWKZABE2QFRMFEAF4CIZDJMQ5HOZLCHIYDGOJUFUYTENJNGIZTOLJVGIWTCMJQFZXGO4TPNMXGS33COZR2G2CAMNXW45DFPB2IC6BGNB2HI4DTHIXS653XO4XHOMZON5ZGOLZSGAYTQL3DOJSWIZLOORUWC3DTF53DCZDUPFYGLALUKZSXE2LGNFQWE3DFINZGKZDFNZ2GSYLMOFRXEZLEMVXHI2LBNRJXKYTKMVRXJILENZQW2ZLEJJXWQ3QH3BAFAW2MIRFQDICFCSNL5EIX4IISCEIFDJRFHCRRLBALWFYDLUVEKXHERNWHUDGJI3DDNNXSFWIRHUASBHGB2I7UHGPZMJEB3SMOFMBL3PABL5HUFSQLLGNE7YRKSAM3OAQN7F4LG365HL67BU
trustedIssuers:
type: array
description: When you include issuers' DIDs in this array, credentials will only be verified if their `iss` value matches one of these DIDs. You can include multiple trusted issuers, separated by commas.
items:
type: string
example: did:web:example.com
assertValidFrom:
description: MATTR VII validates the credential's `nbf` (not before) field by default, so that credentials that have a future `nbf` date will not be verified. When this field is set to `false`, credentials can be verified even when their `nbf` date is in the future.
type: boolean
default: true
assertValidUntil:
description: MATTR VII validates the credential's `exp` (expiry) field by default, so that expired credentials will not be verified. When this field is set to `false`, credentials can be verified even when their `exp` date has passed.
type: boolean
default: true
checkRevocation:
description: MATTR VII checks the credential revocation status by default, so that revoked credentials will not be verified. When this field is set to `false`, credentials can be verified even when they had been revoked.
type: boolean
default: true
multipart/form-data:
schema:
type: object
properties:
file:
type: string
format: binary
description: "A PDF or an image\n- File size can be 1MB or under. Larger files are rejected with a 413 error.\_\n- Only the first page of PDF documents is processed. \_\n- Image files must contain a QR code of sufficient quality and resolution. This depends on many factors such as the size of the QR relative to the image, and whether the image had been processed in any way.\n- For optimal performance, ensure that only a single QR code is present on the file.\_"
trustedIssuers:
type: array
description: When you include issuers' DIDs in this array, credentials will only be verified if their `iss` value matches one of these DIDs. You can include multiple trusted issuers, separated by commas.
items:
type: string
example: did:web:example.com
assertValidFrom:
description: MATTR VII validates the credential's `nbf` (not before) field by default, so that credentials that have a future `nbf` date will not be verified. When this field is set to `false`, credentials can be verified even when their `nbf` date is in the future.
type: boolean
default: true
assertValidUntil:
description: MATTR VII validates the credential's `exp` (expiry) field by default, so that expired credentials will not be verified. When this field is set to `false`, credentials can be verified even when their `exp` date has passed.
type: boolean
default: true
checkRevocation:
description: MATTR VII checks the credential revocation status by default, so that revoked credentials will not be verified. When this field is set to `false`, credentials can be verified even when they had been revoked.
type: boolean
default: true
required:
- file
tags:
- Semantic CWT credentials verification
summary: Verify a Semantic CWT credential
x-roles:
- admin
- verifier
responses:
'200':
description: Verification completed
content:
application/json:
schema:
$ref: '#/components/schemas/VerifyCompactSemanticCredentialResponse'
examples:
Issuer not trusted:
$ref: '#/components/examples/IssuerNotTrusted'
Issuer public key invalid:
$ref: '#/components/examples/IssuerPublicKeyInvalid'
Signature invalid:
$ref: '#/components/examples/SignatureInvalid'
Expired:
$ref: '#/components/examples/Expired'
NotActive:
$ref: '#/components/examples/NotActive'
Revoked:
$ref: '#/components/examples/Revoked'
'400':
$ref: '#/components/responses/400'
'413':
description: Payload Too Large
'415':
description: Unsupported Media Type
operationId: verifyCompactSemantiCredential
description: |-
Verify a Semantic CWT credential by providing the encoded payload and specifying verification options.
You can provide a valid Semantic CWT credential as either an encoded string or a QR code in a PDF document or an image file.
Standard checks performed on all verification requests:
- Conformance of the string and encoded data. All string representations of CWT credentials must be prefixed with `CSC/1`.
- Decoded payload CWT structure and attributes can be validated.
- Remote context schema can be resolved and validate claims can be dereferenced.
- Issuer DID can be used to resolve its `did.json` document.
- Public key from issuer's `did.json` document validates the proof signature, confirming the credential has not been tampered with.
Optional parameter checks:
- Credential was issued by a trusted issuer.
- Current time is after the beginning of the credential validity period.
- Current time is not after the end of the credential validity period.
- Credential has not been revoked.
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_VERIFY_START
* CREDENTIAL_COMPACT_SEMANTIC_VERIFY_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_VERIFY_FAIL
/v2/credentials/compact-semantic/{id}:
parameters:
- name: id
in: path
required: true
schema:
type: string
description: Credential ID
delete:
tags:
- Semantic CWT credentials management
summary: Delete Semantic CWT credential metadata
x-roles:
- admin
- issuer
- managed-issuer
responses:
'204':
description: Credential metadata deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: removeCompactSemanticCredential
description: |-
Deletes all credential metadata from the tenant for a specific credential by providing its ID. If the credential was set to be revocable, it will be permanently revoked upon metadata deletion.
Note that only metadata of revocable credentials or credentials issued via the OpenID4VCI flow is saved.
Deleted metadata cannot be recovered.
/v2/credentials/compact-semantic/revocation-lists:
get:
security: []
tags:
- Semantic CWT credentials management
description: |-
Returns a list of all Semantic CWT credential revocation lists on the tenant.
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_REVOCATION_LISTS_RETRIEVE_START
* CREDENTIAL_COMPACT_SEMANTIC_REVOCATION_LISTS_RETRIEVE_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_REVOCATION_LISTS_RETRIEVE_FAIL
summary: Retrieve all Semantic CWT credential revocation lists
operationId: compact-credential-semantic-revocation-list-discovery
responses:
'200':
description: Revocation lists retrieved
content:
application/json:
schema:
type: array
items:
type: object
properties:
nextCursor:
type: string
data:
type: array
items:
type: object
properties:
id:
type: string
description: Unique identifier for this Revocation List. You will need it to retrieve this specific list.
issuer:
type: string
description: Issuer DID for this tenant.
url:
type: string
description: This is the public URL where this revocation list is available.
/v2/credentials/compact-semantic/revocation-lists/{listId}:
get:
security: []
tags:
- Semantic CWT credentials management
description: |-
Returns a Semantic CWT credential revocation list by providing its ID.
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_REVOCATION_RETRIEVE_START
* CREDENTIAL_COMPACT_SEMANTIC_REVOCATION_RETRIEVE_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_REVOCATION_RETRIEVE_FAIL
summary: Retrieve Semantic CWT credential revocation list
operationId: compact-credential-semantic-revocation-list
responses:
'200':
description: Revocation list retrieved
content:
application/cwt:
schema:
type: string
format: binary
parameters:
- schema:
type: string
name: listId
in: path
required: true
description: The unique identifier of the revocation list you wish to retrieve.
/v2/credentials/compact-semantic/{id}/revocation-status:
post:
requestBody:
description: Update revocation status
required: true
content:
application/json:
schema:
type: object
required:
- isRevoked
properties:
isRevoked:
type: boolean
description: When set to `true` the credential will be revoked. When set to `false`, the credential will be unrevoked.
tags:
- Semantic CWT credentials management
summary: Update Semantic CWT credential revocation status
x-roles:
- admin
- issuer
- managed-issuer
responses:
'200':
description: Revocation status updated
content:
application/json:
schema:
type: object
required:
- id
- isRevoked
properties:
id:
type: string
description: Unique credential identifier.
isRevoked:
type: boolean
description: Indicates whether the credential has been revoked (`true`) or not (`false`).
'404':
$ref: '#/components/responses/400'
operationId: update-revocation-compact-credential-semantic
description: |-
Updates the credential status as revoked (invalid) or unrevoked (valid).
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_REVOCATION_SET_STATUS_START
* CREDENTIAL_COMPACT_SEMANTIC_REVOCATION_SET_STATUS_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_REVOCATION_SET_STATUS_FAIL
get:
tags:
- Semantic CWT credentials management
summary: Retrieve Semantic CWT credential revocation status
x-roles:
- admin
- issuer
- managed-issuer
responses:
'200':
description: Revocation status retrieved
content:
application/json:
schema:
type: object
required:
- isRevoked
properties:
isRevoked:
type: boolean
description: Indicates whether the credential has been revoked (`true`) or not (`false`).
'404':
$ref: '#/components/responses/404'
operationId: get-revocation-compact-credential-semantic
description: Retrieve the revocation status of a Semantic CWT credential by providing its ID.
parameters:
- schema:
type: string
name: id
in: path
required: true
description: Unique credential identifier (`jti`)
/v2/credentials/compact-semantic/qrcode:
post:
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/GenerateQrCodeRequest'
tags:
- Semantic CWT credentials issuance
operationId: generateQrCodeCompactSemanticCredential
summary: Format a Semantic CWT credential as a QR code
x-roles:
- admin
- issuer
- managed-issuer
description: |-
Returns a QR code representation of a Semantic CWT credential from a provided encoded string representation of that credential.
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_QRCODE_CREATE_START
* CREDENTIAL_COMPACT_SEMANTIC_QRCODE_CREATE_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_QRCODE_CREATE_FAIL
responses:
'200':
description: QR code generated
content:
image/png:
schema:
type: string
format: binary
'400':
description: Bad Request
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
examples:
Payload is not string:
$ref: '#/components/examples/PayloadNotStringError'
The payload does not belong to compact semantic credential profile:
$ref: '#/components/examples/InvalidCompactSemanticCredentialError'
The amount of data is too big to be stored in a QR Code:
$ref: '#/components/examples/QRCodeTooLargeDataError'
The generated QR Code is larger than the provided width:
$ref: '#/components/examples/QRCodeLargerWidthError'
parameters: []
/v2/credentials/compact-semantic/configurations:
post:
operationId: createCompactSemanticCredentialConfiguration
tags:
- Semantic CWT credentials configuration
summary: Create a Semantic CWT credentials configuration
x-roles:
- admin
- issuer
description: |
Creates a new Semantic CWT credentials configuration, a specific set of rules and parameters that are used to create and validate a particular type of verifiable credential. These rules and parameters define how the credential is structured and what data it contains when issued.
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_CREDENTIAL_CONFIGURATION_CREATE_START
* CREDENTIAL_COMPACT_SEMANTIC_CREDENTIAL_CONFIGURATION_CREATE_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_CREDENTIAL_CONFIGURATION_CREATE_FAIL
requestBody:
description: The Credential Configuration payload
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/schemas-CredentialConfigurationRequest'
responses:
'201':
description: Credential configuration created
content:
application/json:
schema:
$ref: '#/components/schemas/schemas-CredentialConfigurationResponse'
'400':
$ref: '#/components/responses/400'
get:
operationId: getCompactSemanticCredentialConfigurations
tags:
- Semantic CWT credentials configuration
summary: Retrieve all Semantic CWT credentials configurations
x-roles:
- admin
- issuer
- managed-issuer
description: |
Returns a list of all Compact Semantic Credential configurations from your tenant.
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_CREDENTIAL_CONFIGURATION_RETRIEVE_LIST_START
* CREDENTIAL_COMPACT_SEMANTIC_CREDENTIAL_CONFIGURATION_RETRIEVE_LIST_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_CREDENTIAL_CONFIGURATION_RETRIEVE_LIST_FAIL
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
- schema:
type: string
example: AlumniCredential
in: query
name: type
description: The optional credential type to filter on
responses:
'200':
description: Semantic CWT credentials configurations retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/schemas-GetCredentialConfigurationsResponse'
'400':
$ref: '#/components/responses/400'
parameters: []
/v2/credentials/compact-semantic/configurations/{id}:
parameters:
- name: id
in: path
description: Unique identifier for the Semantic CWT credentials configuration.
schema:
type: string
format: uuid
example: 3948c40e-6e19-4ffc-933c-91f643f24264
required: true
get:
operationId: getCompactSemanticCredentialConfiguration
tags:
- Semantic CWT credentials configuration
summary: Retrieve a Semantic CWT credentials configuration
x-roles:
- admin
- issuer
- managed-issuer
description: |-
Returns a Semantic CWT credentials configuration by providing its ID.
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_CREDENTIAL_CONFIGURATION_RETRIEVE_START
* CREDENTIAL_COMPACT_SEMANTIC_CREDENTIAL_CONFIGURATION_RETRIEVE_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_CREDENTIAL_CONFIGURATION_RETRIEVE_FAIL
responses:
'200':
description: Semantic CWT credentials configuration retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/schemas-CredentialConfigurationResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
put:
operationId: updateCompactSemanticCredentialConfiguration
tags:
- Semantic CWT credentials configuration
summary: Update a Semantic CWT credentials configuration
x-roles:
- admin
- issuer
description: |
Updates an existing Semantic CWT credentials configuration by providing its ID.
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_CREDENTIAL_CONFIGURATION_UPDATE_START
* CREDENTIAL_COMPACT_SEMANTIC_CREDENTIAL_CONFIGURATION_UPDATE_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_CREDENTIAL_CONFIGURATION_UPDATE_FAIL
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/schemas-CredentialConfigurationRequest'
description: Update a Credential Configuration
responses:
'200':
description: Semantic CWT credentials configuration updated
content:
application/json:
schema:
$ref: '#/components/schemas/schemas-CredentialConfigurationResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/400'
delete:
operationId: deleteCompactSemanticCredentialConfiguration
tags:
- Semantic CWT credentials configuration
summary: Delete a Semantic CWT credentials configuration
x-roles:
- admin
- issuer
description: |
Deletes an existing Semantic CWT credentials configuration by providing its ID.
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_CREDENTIAL_CONFIGURATION_DELETE_START
* CREDENTIAL_COMPACT_SEMANTIC_CREDENTIAL_CONFIGURATION_DELETE_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_CREDENTIAL_CONFIGURATION_DELETE_FAIL
responses:
'204':
description: Semantic CWT credentials configuration deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
/v2/credentials/compact/pdf/templates:
post:
tags:
- CWT credentials PDF templates
summary: Create a PDF template
x-roles:
- admin
- issuer
- managed-issuer
parameters: []
requestBody:
required: true
content:
application/zip:
schema:
type: string
format: binary
responses:
'200':
description: PDF template created
content:
application/json:
schema:
$ref: '#/components/schemas/PDFTemplateResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: createCompactPdfTemplate
description: |-
Creates a CWT credential PDF template based on a provided `.zip` file. Refer to our [PDF template design guide](https://learn.mattr.global/docs/issuance/cwt-credential-templates/pdf-templates) for more information on how to design a template and structure the `.zip` file.
### **Analytic events**
* CREDENTIAL_COMPACT_PDF_TEMPLATE_CREATE_START
* CREDENTIAL_COMPACT_PDF_TEMPLATE_CREATE_SUCCESS
* CREDENTIAL_COMPACT_PDF_TEMPLATE_CREATE_FAIL
get:
summary: Retrieve all PDF templates
x-roles:
- admin
- issuer
- managed-issuer
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
responses:
'200':
description: PDF templates retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/PDFTemplatesResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: getCompactPdfTemplates
description: |-
Retrieves a list of all CWT credentials PDF templates available on the tenant.
### **Analytic events**
* CREDENTIAL_COMPACT_PDF_TEMPLATE_RETRIEVE_LIST_START
* CREDENTIAL_COMPACT_PDF_TEMPLATE_RETRIEVE_LIST_SUCCESS
* CREDENTIAL_COMPACT_PDF_TEMPLATE_RETRIEVE_LIST_FAIL
tags:
- CWT credentials PDF templates
parameters: []
/v2/credentials/compact/pdf/templates/{id}:
put:
tags:
- CWT credentials PDF templates
summary: Update a PDF template
x-roles:
- admin
- issuer
- managed-issuer
parameters:
- name: id
in: path
required: true
schema:
type: string
description: PDF template ID
requestBody:
required: true
content:
application/zip:
schema:
type: string
format: binary
responses:
'200':
description: PDF template updated
content:
application/json:
schema:
$ref: '#/components/schemas/PDFTemplateResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: updateCompactPdfTemplate
description: |-
Update an existing CWT credential PDF template based on a provided `.zip` file. Refer to our [PDF template design guide](https://learn.mattr.global/docs/issuance/cwt-credential-templates/pdf-templates) for more information on how to design a template and structure the `.zip` file.
### **Analytic events**
* CREDENTIAL_COMPACT_PDF_TEMPLATE_UPDATE_START
* CREDENTIAL_COMPACT_PDF_TEMPLATE_UPDATE_SUCCESS
* CREDENTIAL_COMPACT_PDF_TEMPLATE_UPDATE_FAIL
get:
tags:
- CWT credentials PDF templates
summary: Retrieve a PDF template
x-roles:
- admin
- issuer
- managed-issuer
parameters:
- name: id
in: path
required: true
schema:
type: string
description: PDF template ID
responses:
'200':
description: PDF template retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/PDFTemplateResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: getCompactPdfTemplate
description: |-
Retrieves an existing CWT credentials PDF template using its ID.
### **Analytic events**
* CREDENTIAL_COMPACT_PDF_TEMPLATE_RETRIEVE_START
* CREDENTIAL_COMPACT_PDF_TEMPLATE_RETRIEVE_SUCCESS
* CREDENTIAL_COMPACT_PDF_TEMPLATE_RETRIEVE_FAIL
delete:
tags:
- CWT credentials PDF templates
summary: Delete a PDF template
x-roles:
- admin
- issuer
- managed-issuer
parameters:
- name: id
in: path
required: true
schema:
type: string
description: PDF Template ID
responses:
'204':
description: PDF template deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: deleteCompactPdfTemplate
description: |-
Delete an existing PDF template by providing its ID
### **Analytic events**
* CREDENTIAL_COMPACT_PDF_TEMPLATE_DELETE_START
* CREDENTIAL_COMPACT_PDF_TEMPLATE_DELETE_SUCCESS
* CREDENTIAL_COMPACT_PDF_TEMPLATE_DELETE_FAIL
parameters:
- schema:
type: string
name: id
in: path
required: true
/v2/credentials/compact/pdf:
post:
tags:
- CWT credentials issuance
summary: Format a CWT credential as a PDF
x-roles:
- admin
- issuer
- managed-issuer
parameters: []
requestBody:
description: Credential payload
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreatePDFRequest'
examples:
Generate PDF:
value:
templateId: 4eea7654-d4c5-4eba-bd7a-5ca334d54725
payload: '{payload}'
responses:
'200':
description: PDF created
content:
application/pdf:
schema:
format: binary
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: GenCompactPdf
description: |-
Returns a PDF representation of a provided CWT credential based on an existing PDF template.
The request will fail if the provided credential isn't valid or has expired.
### **Analytic events**
* CREDENTIAL_COMPACT_PDF_CREATE_START
* CREDENTIAL_COMPACT_PDF_CREATE_SUCCESS
* CREDENTIAL_COMPACT_PDF_CREATE_FAIL
parameters: []
/v2/credentials/compact-semantic/pdf/templates:
post:
tags:
- Semantic CWT credentials PDF templates
summary: Create a PDF template
x-roles:
- admin
- issuer
- managed-issuer
parameters: []
requestBody:
required: true
content:
application/zip:
schema:
type: string
format: binary
responses:
'200':
description: PDF template created
content:
application/json:
schema:
$ref: '#/components/schemas/PDFTemplateResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: createCompactSemanticPdfTemplate
description: |-
Creates a Semantic CWT credential PDF template based on a provided `.zip` file. Refer to our [PDF template design guide](https://learn.mattr.global/docs/issuance/cwt-credential-templates/pdf-templates) for more information on how to design a template and structure the `.zip` file.
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_PDF_TEMPLATE_CREATE_START
* CREDENTIAL_COMPACT_SEMANTIC_PDF_TEMPLATE_CREATE_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_PDF_TEMPLATE_CREATE_FAIL
get:
tags:
- Semantic CWT credentials PDF templates
summary: Retrieve all PDF templates
x-roles:
- admin
- issuer
- managed-issuer
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
responses:
'200':
description: PDF templates retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/PDFTemplatesResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: getCompactSemanticPdfTemplates
description: |-
Retrieves a list of all Semantic CWT credential PDF templates available on the tenant.
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_PDF_TEMPLATE_RETRIEVE_LIST_START
* CREDENTIAL_COMPACT_SEMANTIC_PDF_TEMPLATE_RETRIEVE_LIST_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_PDF_TEMPLATE_RETRIEVE_LIST_FAIL
parameters: []
/v2/credentials/compact-semantic/pdf/templates/{id}:
put:
tags:
- Semantic CWT credentials PDF templates
summary: Update a PDF template
x-roles:
- admin
- issuer
- managed-issuer
parameters:
- name: id
in: path
required: true
schema:
type: string
description: PDF Template ID
requestBody:
required: true
content:
application/zip:
schema:
type: string
format: binary
responses:
'200':
description: PDF template updated
content:
application/json:
schema:
$ref: '#/components/schemas/PDFTemplateResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: updateCompactSemanticPdfTemplate
description: |-
Update an existing CWT credential PDF template based on a provided `.zip` file. Refer to our [PDF template design guide](https://learn.mattr.global/docs/issuance/cwt-credential-templates/pdf-templates) for more information on how to design a template and structure the `.zip` file.
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_PDF_TEMPLATE_UPDATE_START
* CREDENTIAL_COMPACT_SEMANTIC_PDF_TEMPLATE_UPDATE_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_PDF_TEMPLATE_UPDATE_FAIL
get:
tags:
- Semantic CWT credentials PDF templates
summary: Retrieve a PDF template
x-roles:
- admin
- issuer
- managed-issuer
parameters:
- name: id
in: path
required: true
schema:
type: string
description: PDF Template ID
responses:
'200':
description: PDF template retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/PDFTemplateResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: getCompactSemanticPdfTemplate
description: |-
Retrieves an existing Semantic CWT credential PDF template using its ID.
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_PDF_TEMPLATE_RETRIEVE_START
* CREDENTIAL_COMPACT_SEMANTIC_PDF_TEMPLATE_RETRIEVE_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_PDF_TEMPLATE_RETRIEVE_FAIL
delete:
tags:
- Semantic CWT credentials PDF templates
summary: Delete a PDF template
x-roles:
- admin
- issuer
- managed-issuer
parameters:
- name: id
in: path
required: true
schema:
type: string
description: PDF Template ID
responses:
'204':
description: PDF template deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: deleteCompactSemanticPdfTemplate
description: |-
Delete an existing PDF template by providing its ID
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_PDF_TEMPLATE_DELETE_START
* CREDENTIAL_COMPACT_SEMANTIC_PDF_TEMPLATE_DELETE_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_PDF_TEMPLATE_DELETE_FAIL
parameters:
- schema:
type: string
name: id
in: path
required: true
/v2/credentials/compact-semantic/pdf:
post:
tags:
- Semantic CWT credentials issuance
summary: Format a CWT credential as a PDF
x-roles:
- admin
- issuer
- managed-issuer
parameters: []
requestBody:
description: The credential payload
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreatePDFRequest'
examples:
Generate PDF:
value:
templateId: 4eea7654-d4c5-4eba-bd7a-5ca334d54725
payload: '{payload}'
responses:
'200':
description: PDF created
content:
application/pdf:
schema:
format: binary
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: GenCompactSemanticPdf
description: |-
Returns a PDF representation of a provided CWT credential based on an existing PDF template.
The request will fail if the provided credential isn't valid or has expired.
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_PDF_CREATE_START
* CREDENTIAL_COMPACT_SEMANTIC_PDF_CREATE_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_PDF_CREATE_FAIL
parameters: []
/v2/credentials/compact/digital-pass/apple/templates:
post:
tags:
- CWT credentials Apple Pass templates
summary: Create an Apple Pass template
x-roles:
- admin
- issuer
- managed-issuer
parameters: []
requestBody:
required: true
content:
multipart/form-data:
schema:
$ref: '#/components/schemas/ApplePassTemplateRequest'
responses:
'201':
description: Apple Pass template created
content:
application/json:
schema:
$ref: '#/components/schemas/ApplePassTemplateResponse'
'400':
description: Bad Request
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
operationId: createCCApplePassTemplate
description: |-
Creates an Apple Pass template based on the provided `.zip` file. Refer to our [Design an Apple Pass template](https://learn.mattr.global/docs/issuance/cwt-credential-templates/apple-templates) guide for more information on how to design the template and how to structure the `.zip` file.
The Apple Pass template uses the official Apple Pass bundle structure.
### **Analytic events**
* CREDENTIAL_COMPACT_APPLE_PASS_TEMPLATE_CREATE_START
* CREDENTIAL_COMPACT_APPLE_PASS_TEMPLATE_CREATE_SUCCESS
* CREDENTIAL_COMPACT_APPLE_PASS_TEMPLATE_CREATE_FAIL
get:
tags:
- CWT credentials Apple Pass templates
summary: Retrieve all Apple Pass templates
x-roles:
- admin
- issuer
- managed-issuer
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
responses:
'200':
description: Apple Pass templates retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/ApplePassTemplatesResponse'
'400':
$ref: '#/components/responses/400'
operationId: listCCApplePassTemplates
description: |-
Retrieves a list of all Apple Pass template available on the tenant.
### **Analytic events**
* CREDENTIAL_COMPACT_APPLE_PASS_TEMPLATE_RETRIEVE_LIST_START
* CREDENTIAL_COMPACT_APPLE_PASS_TEMPLATE_RETRIEVE_LIST_SUCCESS
* CREDENTIAL_COMPACT_APPLE_PASS_TEMPLATE_RETRIEVE_LIST_FAIL
parameters: []
/v2/credentials/compact/digital-pass/apple/templates/{id}:
put:
tags:
- CWT credentials Apple Pass templates
summary: Update an Apple Pass template
x-roles:
- admin
- issuer
- managed-issuer
parameters:
- name: id
in: path
required: true
schema:
type: string
description: Apple Pass template ID
requestBody:
required: true
content:
multipart/form-data:
schema:
$ref: '#/components/schemas/ApplePassTemplateRequest'
responses:
'200':
description: Apple Pass template updated
content:
application/json:
schema:
$ref: '#/components/schemas/ApplePassTemplateResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: updateCCApplePassTemplate
description: |-
Updates an existing Apple Pass template by providing its ID and a `.zip` file. Refer to our [Design an Apple Pass template](https://learn.mattr.global/docs/issuance/cwt-credential-templates/apple-templates) guide for more information on how to design the template and how to structure the `.zip` file.
### **Analytic events**
* CREDENTIAL_COMPACT_APPLE_PASS_TEMPLATE_UPDATE_START
* CREDENTIAL_COMPACT_APPLE_PASS_TEMPLATE_UPDATE_SUCCESS
* CREDENTIAL_COMPACT_APPLE_PASS_TEMPLATE_UPDATE_FAIL
get:
tags:
- CWT credentials Apple Pass templates
summary: Retrieve an Apple Pass template
x-roles:
- admin
- issuer
- managed-issuer
parameters:
- name: id
in: path
required: true
schema:
type: string
format: uuid
description: Apple Pass template ID
responses:
'200':
description: Apple Pass template retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/ApplePassTemplateResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: retrieveCCApplePassTemplate
description: |-
Retrieves an existing Apple Pass template by providing its ID.
### **Analytic events**
* CREDENTIAL_COMPACT_APPLE_PASS_TEMPLATE_RETRIEVE_START
* CREDENTIAL_COMPACT_APPLE_PASS_TEMPLATE_RETRIEVE_SUCCESS
* CREDENTIAL_COMPACT_APPLE_PASS_TEMPLATE_RETRIEVE_FAIL
delete:
tags:
- CWT credentials Apple Pass templates
summary: Delete an Apple Pass template
x-roles:
- admin
- issuer
- managed-issuer
parameters:
- name: id
in: path
required: true
schema:
type: string
format: uuid
description: Apple Pass template ID
responses:
'204':
description: Apple Pass template deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: deleteCCApplePassTemplate
description: |-
Deletes an existing Apple Pass template by providing its ID.
### **Analytic events**
* CREDENTIAL_COMPACT_APPLE_PASS_TEMPLATE_DELETE_START
* CREDENTIAL_COMPACT_APPLE_PASS_TEMPLATE_DELETE_SUCCESS
* CREDENTIAL_COMPACT_APPLE_PASS_TEMPLATE_DELETE_FAIL
parameters:
- schema:
type: string
name: id
in: path
required: true
description: Apple Pass template ID
/v2/credentials/compact/digital-pass/google/templates:
post:
tags:
- CWT credentials Google Pass templates
summary: Create a Google Pass template
x-roles:
- admin
- issuer
- managed-issuer
parameters: []
requestBody:
required: true
content:
multipart/form-data:
schema:
$ref: '#/components/schemas/GooglePassTemplateRequest'
responses:
'201':
description: Google Pass template created
content:
application/json:
schema:
$ref: '#/components/schemas/GooglePassTemplateResponse'
'400':
$ref: '#/components/responses/400'
operationId: createCCGooglePassTemplate
description: |-
Creates a Google Pass template based on the provided `.zip` file. Refer to our [Design a Google Pass template](https://learn.mattr.global/docs/issuance/cwt-credential-templates/google-templates) guide for more information on how to design the template and how to structure the `.zip` file.
### **Analytic events**
* CREDENTIAL_COMPACT_GOOGLE_PASS_TEMPLATE_CREATE_START
* CREDENTIAL_COMPACT_GOOGLE_PASS_TEMPLATE_CREATE_SUCCESS
* CREDENTIAL_COMPACT_GOOGLE_PASS_TEMPLATE_CREATE_FAIL
get:
tags:
- CWT credentials Google Pass templates
summary: Retrieve all Google Pass templates
x-roles:
- admin
- issuer
- managed-issuer
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
responses:
'200':
description: Google Pass templates retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/GooglePassTemplatesResponse'
'400':
$ref: '#/components/responses/400'
operationId: getCCGooglePassTemplates
description: |-
Retrieves a list of all Google Pass templates available on your tenant.
### **Analytic events**
* CREDENTIAL_COMPACT_GOOGLE_PASS_TEMPLATE_RETRIEVE_LIST_START
* CREDENTIAL_COMPACT_GOOGLE_PASS_TEMPLATE_RETRIEVE_LIST_SUCCESS
* CREDENTIAL_COMPACT_GOOGLE_PASS_TEMPLATE_RETRIEVE_LIST_FAIL
parameters: []
/v2/credentials/compact/digital-pass/google/templates/{id}:
put:
tags:
- CWT credentials Google Pass templates
summary: Update a Google Pass template
x-roles:
- admin
- issuer
- managed-issuer
parameters:
- name: id
in: path
required: true
schema:
type: string
description: Google Pass template ID
requestBody:
required: true
content:
multipart/form-data:
schema:
$ref: '#/components/schemas/GooglePassTemplateRequest'
responses:
'200':
description: Google Pass template updated
content:
application/json:
schema:
$ref: '#/components/schemas/GooglePassTemplateResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: updateCCGooglePassTemplate
description: |-
Updates a existing Google Pass template by providing its ID and a `.zip` file. Refer to our [Design a Google Pass template](https://learn.mattr.global/docs/issuance/cwt-credential-templates/google-templates) guide for more information on how to design the template and how to structure the `.zip` file.
### **Analytic events**
* CREDENTIAL_COMPACT_GOOGLE_PASS_TEMPLATE_UPDATE_START
* CREDENTIAL_COMPACT_GOOGLE_PASS_TEMPLATE_UPDATE_SUCCESS
* CREDENTIAL_COMPACT_GOOGLE_PASS_TEMPLATE_UPDATE_FAIL
get:
tags:
- CWT credentials Google Pass templates
summary: Retrieve a Google Pass template
x-roles:
- admin
- issuer
- managed-issuer
parameters:
- name: id
in: path
required: true
schema:
type: string
format: uuid
description: Google Pass template ID
responses:
'200':
description: Google Pass templated retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/GooglePassTemplateResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: retrieveCCGooglePassTemplate
description: |-
Retrieves an existing Google Pass template by providing its ID.
### **Analytic events**
* CREDENTIAL_COMPACT_GOOGLE_PASS_TEMPLATE_RETRIEVE_START
* CREDENTIAL_COMPACT_GOOGLE_PASS_TEMPLATE_RETRIEVE_SUCCESS
* CREDENTIAL_COMPACT_GOOGLE_PASS_TEMPLATE_RETRIEVE_FAIL
delete:
tags:
- CWT credentials Google Pass templates
summary: Delete a Google Pass template
x-roles:
- admin
- issuer
- managed-issuer
parameters:
- name: id
in: path
required: true
schema:
type: string
format: uuid
description: Google Pass template ID
responses:
'204':
description: Google Pass template deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: deleteCCGooglePassTemplate
description: |-
Deletes an existing Google Pass template by providing its ID.
### **Analytic events**
* CREDENTIAL_COMPACT_GOOGLE_PASS_TEMPLATE_DELETE_START
* CREDENTIAL_COMPACT_GOOGLE_PASS_TEMPLATE_DELETE_SUCCESS
* CREDENTIAL_COMPACT_GOOGLE_PASS_TEMPLATE_DELETE_FAIL
parameters:
- schema:
type: string
name: id
in: path
required: true
description: Template ID
/v2/credentials/compact/digital-pass/apple:
post:
tags:
- CWT credentials issuance
summary: Format a CWT credential as an Apple Pass
x-roles:
- admin
- issuer
- managed-issuer
parameters: []
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateDigitalPassRequest'
examples:
Generate Apple Pass:
value:
templateId: 3812166c-ac9f-4e4e-96dd-c1336b5be378
payload: '{payload}'
responses:
'200':
description: Apple Pass created
content:
application/vnd.apple.pkpass:
schema:
$ref: '#/components/schemas/CreateApplePassResponse'
'400':
$ref: '#/components/responses/400'
operationId: generateCCApplePass
description: |-
Returns an Apple Pass representation of a provided CWT credential based on an existing Apple Pass template.
The request will fail if the provided credential isn't valid or has expired.
### **Analytic events**
* CREDENTIAL_COMPACT_APPLE_PASS_CREATE_START
* CREDENTIAL_COMPACT_APPLE_PASS_CREATE_SUCCESS
* CREDENTIAL_COMPACT_APPLE_PASS_CREATE_FAIL
parameters: []
/v2/credentials/compact/digital-pass/google:
post:
tags:
- CWT credentials issuance
summary: Format a CWT credential as a Google Pass
x-roles:
- admin
- issuer
- managed-issuer
parameters: []
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateDigitalPassRequest'
examples:
Generate Google Pay Pass:
value:
templateId: 3812166c-ac9f-4e4e-96dd-c1336b5be378
payload: '{payload}'
responses:
'200':
description: Google Pass created
content:
application/json:
schema:
$ref: '#/components/schemas/CreateGooglePassResponse'
'400':
$ref: '#/components/responses/400'
operationId: createCCDigitalPass
description: |-
Returns a Google Pass representation of a provided CWT credential based on an existing Google Pass template.
The request will fail if the provided credential isn't valid or has expired.
### **Analytic events**
* CREDENTIAL_COMPACT_GOOGLE_PASS_CREATE_START
* CREDENTIAL_COMPACT_GOOGLE_PASS_CREATE_SUCCESS
* CREDENTIAL_COMPACT_GOOGLE_PASS_CREATE_FAIL
/v2/credentials/compact-semantic/digital-pass/apple/templates:
post:
tags:
- Semantic CWT credentials Apple Pass templates
summary: Create an Apple Pass template
x-roles:
- admin
- issuer
- managed-issuer
parameters: []
requestBody:
required: true
content:
multipart/form-data:
schema:
$ref: '#/components/schemas/ApplePassTemplateRequest'
responses:
'201':
description: Apple Pass template created
content:
application/json:
schema:
$ref: '#/components/schemas/ApplePassTemplateResponse'
'400':
$ref: '#/components/responses/400'
operationId: createSCApplePassTemplate
description: |-
Creates an Apple Pass template based on the provided `.zip` file. Refer to our [Design an Apple Pass template](https://learn.mattr.global/docs/issuance/cwt-credential-templates/apple-templates) guide for more information on how to design the template and how to structure the `.zip` file.
The Apple Pass template uses the official Apple Pass bundle structure.
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_APPLE_PASS_TEMPLATE_CREATE_START
* CREDENTIAL_COMPACT_SEMANTIC_APPLE_PASS_TEMPLATE_CREATE_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_APPLE_PASS_TEMPLATE_CREATE_FAIL
get:
tags:
- Semantic CWT credentials Apple Pass templates
summary: Retrieve all Apple Pass templates
x-roles:
- admin
- issuer
- managed-issuer
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
responses:
'200':
description: Apple Pass templates retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/ApplePassTemplatesResponse'
'400':
$ref: '#/components/responses/400'
operationId: listSCApplePassTemplates
description: |-
Retrieves a list of all Apple Pass template available on the tenant.
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_APPLE_PASS_TEMPLATE_RETRIEVE_LIST_START
* CREDENTIAL_COMPACT_SEMANTIC_APPLE_PASS_TEMPLATE_RETRIEVE_LIST_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_APPLE_PASS_TEMPLATE_RETRIEVE_LIST_FAIL
parameters: []
/v2/credentials/compact-semantic/digital-pass/apple/templates/{id}:
put:
tags:
- Semantic CWT credentials Apple Pass templates
summary: Update an Apple Pass template
x-roles:
- admin
- issuer
- managed-issuer
parameters:
- name: id
in: path
required: true
schema:
type: string
description: Apple Pass template ID
requestBody:
required: true
content:
multipart/form-data:
schema:
$ref: '#/components/schemas/ApplePassTemplateRequest'
responses:
'200':
description: Apple Pass template updated
content:
application/json:
schema:
$ref: '#/components/schemas/ApplePassTemplateResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: updateSCApplePassTemplate
description: |-
Updates an existing Apple Pass template by providing its ID and a `.zip` file. Refer to our [Design an Apple Pass template](https://learn.mattr.global/docs/issuance/cwt-credential-templates/apple-templates) guide for more information on how to design the template and how to structure the `.zip` file.
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_APPLE_PASS_TEMPLATE_UPDATE_START
* CREDENTIAL_COMPACT_SEMANTIC_APPLE_PASS_TEMPLATE_UPDATE_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_APPLE_PASS_TEMPLATE_UPDATE_FAIL
get:
tags:
- Semantic CWT credentials Apple Pass templates
summary: Retrieve an Apple Pass template
x-roles:
- admin
- issuer
- managed-issuer
parameters:
- name: id
in: path
required: true
schema:
type: string
format: uuid
description: Apple Pass template ID
responses:
'200':
description: Apple Pass template retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/ApplePassTemplateResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: retrieveSCApplePassTemplate
description: |-
Retrieves an existing Apple Pass template by providing its ID.
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_APPLE_PASS_TEMPLATE_RETRIEVE_START
* CREDENTIAL_COMPACT_SEMANTIC_APPLE_PASS_TEMPLATE_RETRIEVE_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_APPLE_PASS_TEMPLATE_RETRIEVE_FAIL
delete:
tags:
- Semantic CWT credentials Apple Pass templates
summary: Delete an Apple Pass template
x-roles:
- admin
- issuer
- managed-issuer
parameters:
- name: id
in: path
required: true
schema:
type: string
format: uuid
description: Apple Pass template ID
responses:
'204':
description: Apple Pass template deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: deleteSCApplePassTemplate
description: |-
Deletes an existing Apple Pass template by providing its ID.
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_APPLE_PASS_TEMPLATE_DELETE_START
* CREDENTIAL_COMPACT_SEMANTIC_APPLE_PASS_TEMPLATE_DELETE_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_APPLE_PASS_TEMPLATE_DELETE_FAIL
parameters:
- schema:
type: string
name: id
in: path
required: true
description: Template ID
/v2/credentials/compact-semantic/digital-pass/google/templates:
post:
tags:
- Semantic CWT credentials Google Pass templates
summary: Create a Google Pass template
x-roles:
- admin
- issuer
- managed-issuer
parameters: []
requestBody:
required: true
content:
multipart/form-data:
schema:
$ref: '#/components/schemas/GooglePassTemplateRequest'
responses:
'201':
description: Google Pass template created
content:
application/json:
schema:
$ref: '#/components/schemas/GooglePassTemplateResponse'
'400':
$ref: '#/components/responses/400'
operationId: createSCGooglePassTemplate
description: |-
Creates a Google Pass template based on the provided `.zip` file. Refer to our [Design a Google Pass template](https://learn.mattr.global/docs/issuance/cwt-credential-templates/google-templates) guide for more information on how to design the template and how to structure the `.zip` file.
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_GOOGLE_PASS_TEMPLATE_CREATE_START
* CREDENTIAL_COMPACT_SEMANTIC_GOOGLE_PASS_TEMPLATE_CREATE_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_GOOGLE_PASS_TEMPLATE_CREATE_FAIL
get:
tags:
- Semantic CWT credentials Google Pass templates
summary: Retrieve all Google Pass templates
x-roles:
- admin
- issuer
- managed-issuer
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
responses:
'200':
description: Google Pass templates retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/GooglePassTemplatesResponse'
'400':
$ref: '#/components/responses/400'
operationId: getSCGooglePassTemplates
description: |-
Retrieves a list of all Google Pass templates available on your tenant.
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_GOOGLE_PASS_TEMPLATE_RETRIEVE_LIST_START
* CREDENTIAL_COMPACT_SEMANTIC_GOOGLE_PASS_TEMPLATE_RETRIEVE_LIST_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_GOOGLE_PASS_TEMPLATE_RETRIEVE_LIST_FAIL
parameters: []
/v2/credentials/compact-semantic/digital-pass/google/templates/{id}:
put:
tags:
- Semantic CWT credentials Google Pass templates
summary: Update a Google Pass template
x-roles:
- admin
- issuer
- managed-issuer
parameters:
- name: id
in: path
required: true
schema:
type: string
description: Google Pass template ID
requestBody:
required: true
content:
multipart/form-data:
schema:
$ref: '#/components/schemas/GooglePassTemplateRequest'
responses:
'200':
description: Google Pass template updated
content:
application/json:
schema:
$ref: '#/components/schemas/GooglePassTemplateResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: updateSCGooglePassTemplate
description: |-
Updates a existing Google Pass template by providing its ID and a `.zip` file. Refer to our [Design a Google Pass template](https://learn.mattr.global/docs/issuance/cwt-credential-templates/google-templates) guide for more information on how to design the template and how to structure the `.zip` file.
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_GOOGLE_PASS_TEMPLATE_UPDATE_START
* CREDENTIAL_COMPACT_SEMANTIC_GOOGLE_PASS_TEMPLATE_UPDATE_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_GOOGLE_PASS_TEMPLATE_UPDATE_FAIL
get:
tags:
- Semantic CWT credentials Google Pass templates
summary: Retrieve a Google Pass template
x-roles:
- admin
- issuer
- managed-issuer
parameters:
- name: id
in: path
required: true
schema:
type: string
format: uuid
description: Google Pass template ID
responses:
'200':
description: Google Pass templated retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/GooglePassTemplateResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: retrieveSCGooglePassTemplate
description: |-
Retrieves an existing Google Pass template by providing its ID.
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_GOOGLE_PASS_TEMPLATE_RETRIEVE_START
* CREDENTIAL_COMPACT_SEMANTIC_GOOGLE_PASS_TEMPLATE_RETRIEVE_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_GOOGLE_PASS_TEMPLATE_RETRIEVE_FAIL
delete:
tags:
- Semantic CWT credentials Google Pass templates
summary: Delete a Google Pass template
x-roles:
- admin
- issuer
- managed-issuer
parameters:
- name: id
in: path
required: true
schema:
type: string
format: uuid
description: Google Pass template ID
responses:
'204':
description: Google Pass template deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: deleteSCGooglePassTemplate
description: |-
Delete a Google Pay Pass template by ID
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_GOOGLE_PASS_TEMPLATE_DELETE_START
* CREDENTIAL_COMPACT_SEMANTIC_GOOGLE_PASS_TEMPLATE_DELETE_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_GOOGLE_PASS_TEMPLATE_DELETE_FAIL
parameters:
- schema:
type: string
name: id
in: path
required: true
description: Template ID
/v2/credentials/compact-semantic/digital-pass/apple:
post:
tags:
- Semantic CWT credentials issuance
summary: Format a Semantic CWT credential as an Apple Pass
x-roles:
- admin
- issuer
- managed-issuer
parameters: []
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateDigitalPassRequest'
examples:
Generate Apple Pass:
value:
templateId: 3812166c-ac9f-4e4e-96dd-c1336b5be378
payload: '{payload}'
responses:
'200':
description: Apple Pass created
content:
application/vnd.apple.pkpass:
schema:
$ref: '#/components/schemas/CreateApplePassResponse'
'400':
$ref: '#/components/responses/400'
operationId: generateSCApplePass
description: |-
Returns an Apple Pass representation of a provided Semantic CWT credential based on an existing Apple Pass template.
The request will fail if the provided credential isn't valid or has expired.
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_APPLE_PASS_CREATE_START
* CREDENTIAL_COMPACT_SEMANTIC_APPLE_PASS_CREATE_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_APPLE_PASS_CREATE_FAIL
parameters: []
/v2/credentials/compact-semantic/digital-pass/google:
post:
tags:
- Semantic CWT credentials issuance
summary: Format a Semantic CWT credential as a Google Pass
x-roles:
- admin
- issuer
- managed-issuer
parameters: []
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateDigitalPassRequest'
examples:
Generate Google Pay Pass:
value:
templateId: 3812166c-ac9f-4e4e-96dd-c1336b5be378
payload: '{payload}'
responses:
'200':
description: Google Pass created
content:
application/json:
schema:
$ref: '#/components/schemas/CreateGooglePassResponse'
'400':
$ref: '#/components/responses/400'
operationId: createSCDigitalPass
description: |-
Returns a Google Pass representation of a provided CWT credential based on an existing Google Pass template.
The request will fail if the provided credential isn't valid or has expired.
### **Analytic events**
* CREDENTIAL_COMPACT_SEMANTIC_GOOGLE_PASS_CREATE_START
* CREDENTIAL_COMPACT_SEMANTIC_GOOGLE_PASS_CREATE_SUCCESS
* CREDENTIAL_COMPACT_SEMANTIC_GOOGLE_PASS_CREATE_FAIL
parameters: []
/v2/credentials/mobile/iacas:
post:
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateIacaRequest'
tags:
- IACA
summary: Create an IACA
x-roles:
- admin
- issuer
responses:
'201':
description: IACA created
content:
application/json:
schema:
$ref: '#/components/schemas/IacaResponse'
'400':
$ref: '#/components/responses/400'
'409':
description: Maximum number of IACA certificates reached. Please delete an existing certificate before creating a new one.
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
operationId: create-mobile-credential-iaca
description: |-
Creates a new IACA that can be used to sign certificates for Document and Status List signers.
- IACAs are always created as inactive. You must manually [update](#operation/update-mobile-credential-iaca) the IACA to [`active: true`](#operation/update-mobile-credential-iaca!path=active&t=request) before it can be used to sign mDocs.
- A maximum of three IACAs can be created per tenant.
### **Analytic events**
* MOBILE_CREDENTIAL_IACA_CREATE_START
* MOBILE_CREDENTIAL_IACA_CREATE_SUCCESS
* MOBILE_CREDENTIAL_IACA_CREATE_FAIL
get:
tags:
- IACA
summary: Retrieve all IACAs
x-roles:
- admin
- issuer
- managed-issuer
responses:
'200':
description: IACAs Retrieved
content:
application/json:
schema:
type: object
required:
- data
properties:
data:
type: array
items:
$ref: '#/components/schemas/IacaResponse'
nextCursor:
type: string
operationId: list-mobile-credential-iaca
description: |-
Retrieves all existing IACAs from the tenant.
### **Analytic events**
* MOBILE_CREDENTIAL_IACA_RETRIEVE_LIST_START
* MOBILE_CREDENTIAL_IACA_RETRIEVE_LIST_SUCCESS
* MOBILE_CREDENTIAL_IACA_RETRIEVE_LIST_FAIL
/v2/credentials/mobile/iacas/{iacaId}:
get:
operationId: get-mobile-credential-iaca
summary: Retrieve an IACA
x-roles:
- admin
- issuer
- managed-issuer
description: |-
Retrieves an existing IACA by providing its ID.
### **Analytic events**
* MOBILE_CREDENTIAL_IACA_RETRIEVE_START
* MOBILE_CREDENTIAL_IACA_RETRIEVE_SUCCESS
* MOBILE_CREDENTIAL_IACA_RETRIEVE_FAIL
tags:
- IACA
parameters:
- name: iacaId
required: true
in: path
description: IACA ID
schema:
type: string
format: uuid
example: 497f6eca-6276-4993-bfeb-53cbbbba6f08
responses:
'200':
description: IACA retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/IacaResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
put:
tags:
- IACA
summary: Update an IACA
x-roles:
- admin
- issuer
operationId: update-mobile-credential-iaca
description: |-
Update the status of an IACA. Only active IACAs can be used for signing mDocs.
Creating an IACA with `active` set to `false` enables distributing the IACA's PEM to relying parties in advance, before it is being used to sign any mDocs.
### **Analytic events**
* MOBILE_CREDENTIAL_IACA_UPDATE_START
* MOBILE_CREDENTIAL_IACA_UPDATE_SUCCESS
* MOBILE_CREDENTIAL_IACA_UPDATE_FAIL
parameters:
- name: iacaId
required: true
in: path
description: IACA ID
schema:
type: string
format: uuid
example: 497f6eca-6276-4993-bfeb-53cbbbba6f08
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/UpdateIacaRequest'
example:
active: false
responses:
'200':
description: IACA updated
content:
application/json:
schema:
$ref: '#/components/schemas/IacaResponse'
'404':
$ref: '#/components/responses/404'
delete:
parameters:
- name: iacaId
required: true
in: path
description: IACA ID
schema:
type: string
format: uuid
example: 497f6eca-6276-4993-bfeb-53cbbbba6f08
tags:
- IACA
summary: Delete an IACA
x-roles:
- admin
- issuer
responses:
'204':
description: IACA deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: delete-mobile-credential-iaca
description: |-
Deletes an existing IACA by providing its ID.
### **Analytic events**
* MOBILE_CREDENTIAL_IACA_DELETE_START
* MOBILE_CREDENTIAL_IACA_DELETE_LIST_SUCCESS
* MOBILE_CREDENTIAL_IACA_DELETE_LIST_FAIL
/v2/credentials/mobile/iacas/{iacaId}/crl:
get:
security: []
tags:
- IACA
summary: Retrieve IACA CRL
parameters:
- name: iacaId
description: IACA identifier
in: path
required: true
schema:
type: string
format: uuid
responses:
'200':
description: IACA CRL retrieved
content:
application/pkix-crl:
schema:
type: string
format: binary
description: Certificate Revocation List in DER binary format
'404':
$ref: '#/components/responses/404'
operationId: get-mobile-credential-iaca-crl
description: |-
Retrieves the Certificate Revocation List (CRL) for the specified IACA in DER binary format.
This endpoint is public and does not require authentication. CRLs must be publicly accessible so relying parties can validate certificates.
### **Analytic events**
* MOBILE_CREDENTIAL_IACA_CRL_RETRIEVE_START
* MOBILE_CREDENTIAL_IACA_CRL_RETRIEVE_SUCCESS
* MOBILE_CREDENTIAL_IACA_CRL_RETRIEVE_FAIL
/v2/credentials/mobile/document-signers:
post:
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateDocumentSignerRequest'
tags:
- Document Signers
summary: Create a Document Signer
x-roles:
- admin
- issuer
responses:
'201':
description: Document Signer created
content:
application/json:
schema:
$ref: '#/components/schemas/DocumentSignerCsrResponse'
'400':
$ref: '#/components/responses/400'
'409':
description: Maximum number of document signer certificates reached. Please delete an existing certificate before creating a new one.
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
operationId: create-mobile-credential-document-signer
description: |-
Creates a new Document Signer that can be used to sign new mDocs.
- Only available in implementations using unmanaged (external) IACAs.
- A maximum of five Document Signers can be created per tenant.
### **Analytic events**
* MOBILE_CREDENTIAL_DOCUMENT_SIGNER_CREATE_START
* MOBILE_CREDENTIAL_DOCUMENT_SIGNER_CREATE_SUCCESS
* MOBILE_CREDENTIAL_DOCUMENT_SIGNER_CREATE_FAIL
get:
tags:
- Document Signers
summary: Retrieve all Document Signers
x-roles:
- admin
- issuer
- managed-issuer
responses:
'200':
description: Document Signers retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/ListDocumentSignersResponse'
operationId: list-mobile-credential-document-signers
description: |-
Retrieves all existing Document Signers from the tenant.
### **Analytic events**
* MOBILE_CREDENTIAL_DOCUMENT_SIGNER_RETRIEVE_LIST_START
* MOBILE_CREDENTIAL_DOCUMENT_SIGNER_RETRIEVE_LIST_SUCCESS
* MOBILE_CREDENTIAL_DOCUMENT_SIGNER_RETRIEVE_LIST_FAIL
/v2/credentials/mobile/document-signers/{documentSignerId}:
put:
parameters:
- name: documentSignerId
required: true
in: path
description: Document Signer ID
schema:
type: string
format: uuid
example: d2c9f2aa-fc69-4fbc-9b85-0c00591d72f6
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/UpdateDocumentSignerRequest'
tags:
- Document Signers
summary: Update a Document Signer
x-roles:
- admin
- issuer
responses:
'200':
description: Document Signer updated
content:
application/json:
schema:
$ref: '#/components/schemas/DocumentSignerCertificateResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: update-mobile-credential-document-signer
description: |-
Updates an existing Document Signer by providing its ID and `active` parameter.
Only available in implementations using unmanaged (external) IACAs.
### **Analytic events**
* MOBILE_CREDENTIAL_DOCUMENT_SIGNER_UPDATE_START
* MOBILE_CREDENTIAL_DOCUMENT_SIGNER_UPDATE_SUCCESS
* MOBILE_CREDENTIAL_DOCUMENT_SIGNER_UPDATE_FAIL
get:
parameters:
- name: documentSignerId
required: true
in: path
description: Document Signer ID
schema:
type: string
format: uuid
example: d2c9f2aa-fc69-4fbc-9b85-0c00591d72f6
tags:
- Document Signers
summary: Retrieve a Document Signer
x-roles:
- admin
- issuer
- managed-issuer
responses:
'200':
description: Document Signer retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/DocumentSignerResponse'
'404':
$ref: '#/components/responses/404'
operationId: retrieve-mobile-credential-document-signer
description: |-
Retrieves an existing Document Signer by providing its ID.
### **Analytic events**
* MOBILE_CREDENTIAL_DOCUMENT_SIGNER_RETRIEVE_START
* MOBILE_CREDENTIAL_DOCUMENT_SIGNER_RETRIEVE_SUCCESS
* MOBILE_CREDENTIAL_DOCUMENT_SIGNER_RETRIEVE_FAIL
delete:
parameters:
- name: documentSignerId
required: true
in: path
description: Document Signer ID
schema:
type: string
format: uuid
example: d2c9f2aa-fc69-4fbc-9b85-0c00591d72f6
tags:
- Document Signers
summary: Delete a Document Signer
x-roles:
- admin
- issuer
responses:
'204':
description: Document Signer deleted
'404':
$ref: '#/components/responses/404'
operationId: remove-mobile-credential-document-signer
description: |-
Deletes an existing Document Signer by providing its ID.
Only available in implementations using unmanaged (external) IACAs.
### **Analytic events**
* MOBILE_CREDENTIAL_DOCUMENT_SIGNER_DELETE_START
* MOBILE_CREDENTIAL_DOCUMENT_SIGNER_DELETE_SUCCESS
* MOBILE_CREDENTIAL_DOCUMENT_SIGNER_DELETE_FAIL
/v2/credentials/mobile/document-signers/{documentSignerId}/revoke:
post:
operationId: revokeDocumentSigner
tags:
- Document Signers
summary: Revoke a Document Signer
x-roles:
- admin
- issuer
description: |-
Revokes an existing Document Signer, making it unusable for signing new mDocs.
If the verifier checks the CRL referenced in the IACA certificate, it must treat revoked Document Signers and any mDocs they signed as untrusted.
Only available in implementations using managed IACAs. When using unmanaged (external) IACAs, you must revoke the Document Signer certificate directly with the CA that issued it.
### **Analytic events**
* MOBILE_CREDENTIAL_DOCUMENT_SIGNER_REVOKE_START
* MOBILE_CREDENTIAL_DOCUMENT_SIGNER_REVOKE_SUCCESS
* MOBILE_CREDENTIAL_DOCUMENT_SIGNER_REVOKE_FAIL
parameters:
- name: documentSignerId
description: Document Signer identifier
in: path
required: true
schema:
type: string
format: uuid
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/DocumentSignerRevokeRequest'
responses:
'200':
description: Document Signer revoked
content:
application/json:
schema:
$ref: '#/components/schemas/DocumentSignerRevokeResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
'409':
description: Document Signer already revoked
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
/v2/credentials/mobile/status-list-signers:
post:
operationId: createStatusListSigner
tags:
- Status list signers
summary: Create a new status list signer
x-roles:
- admin
- issuer
description: |
Uses an existing IACA to sign a status list signer (intermediate certificate) that can be used to sign status list tokens.
- Only available in implementations using unmanaged (external) IACAs.
- A maximum of three Status List Signers can be created per tenant.
### **Analytic events**
* MOBILE_CREDENTIAL_STATUS_LIST_SIGNER_CREATE_START
* MOBILE_CREDENTIAL_STATUS_LIST_SIGNER_CREATE_SUCCESS
* MOBILE_CREDENTIAL_STATUS_LIST_SIGNER_CREATE_FAIL
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/StatusListSignerCreateRequest'
responses:
'200':
description: Status list signer created
content:
application/json:
schema:
$ref: '#/components/schemas/StatusListSignerResponse'
'409':
description: Maximum number of status list signer certificates reached. Please delete an existing certificate before creating a new one.
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
get:
operationId: getStatusListSigners
tags:
- Status list signers
summary: Retrieve all status list signers
x-roles:
- admin
- issuer
- managed-issuer
description: |
Retrieves all existing status list signers.
### **Analytic events**
* MOBILE_CREDENTIAL_STATUS_LIST_SIGNER_RETRIEVE_LIST_START
* MOBILE_CREDENTIAL_STATUS_LIST_SIGNER_RETRIEVE_LIST_SUCCESS
* MOBILE_CREDENTIAL_STATUS_LIST_SIGNER_RETRIEVE_LIST_FAIL
responses:
'200':
description: Status list signers retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/StatusListSignersResponse'
/v2/credentials/mobile/status-list-signers/{statusListSignerId}:
get:
operationId: getStatusListSigner
tags:
- Status list signers
summary: Retrieve a status list signer
x-roles:
- admin
- issuer
- managed-issuer
description: |
Retrieves an existing status list signer.
Status list signer operations are only available in implementations using unmanaged (external) IACAs.
### **Analytic events**
* MOBILE_CREDENTIAL_STATUS_LIST_SIGNER_RETRIEVE_START
* MOBILE_CREDENTIAL_STATUS_LIST_SIGNER_RETRIEVE_SUCCESS
* MOBILE_CREDENTIAL_STATUS_LIST_SIGNER_RETRIEVE_FAIL
parameters:
- name: statusListSignerId
description: Status list identifier
in: path
required: true
schema:
type: string
format: uuid
responses:
'200':
description: Status list signer retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/StatusListSignerResponse'
put:
operationId: updateStatusListSigner
tags:
- Status list signers
summary: Update a status list signer
x-roles:
- admin
- issuer
description: |
Updates the status of an existing status list signer.
Only available in implementations using unmanaged (external) IACAs.
### **Analytic events**
* MOBILE_CREDENTIAL_STATUS_LIST_SIGNER_UPDATE_START
* MOBILE_CREDENTIAL_STATUS_LIST_SIGNER_UPDATE_SUCCESS
* MOBILE_CREDENTIAL_STATUS_LIST_SIGNER_UPDATE_FAIL
parameters:
- name: statusListSignerId
description: Status list identifier
in: path
required: true
schema:
type: string
format: uuid
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/StatusListSignerUpdateRequest'
responses:
'200':
description: Status list signer updated
content:
application/json:
schema:
$ref: '#/components/schemas/StatusListSignerUpdateResponse'
delete:
operationId: deleteStatusListSigner
tags:
- Status list signers
summary: Delete a status list signer
x-roles:
- admin
- issuer
description: |
Deletes an existing status list signer.
Only available in implementations using unmanaged (external) IACAs.
### **Analytic events**
* MOBILE_CREDENTIAL_STATUS_LIST_SIGNER_DELETE_START
* MOBILE_CREDENTIAL_STATUS_LIST_SIGNER_DELETE_SUCCESS
* MOBILE_CREDENTIAL_STATUS_LIST_SIGNER_DELETE_FAIL
parameters:
- name: statusListSignerId
description: Status list identifier
in: path
required: true
schema:
type: string
format: uuid
responses:
'204':
description: No Content
/v2/credentials/mobile/status-list-signers/{statusListSignerId}/revoke:
post:
operationId: revokeStatusListSigner
tags:
- Status list signers
summary: Revoke a status list signer
x-roles:
- admin
- issuer
description: |-
Revokes an existing status list signer, making it unusable for signing new status lists.
If the verifier checks the CRL referenced in the IACA certificate, it must treat revoked status list signers and any status list they signed as untrusted.
Only available in implementations using managed IACAs. When using unmanaged (external) IACAs, you must revoke the status list signer certificate directly with the CA that issued it.
### **Analytic events**
* MOBILE_CREDENTIAL_STATUS_LIST_SIGNER_REVOKE_START
* MOBILE_CREDENTIAL_STATUS_LIST_SIGNER_REVOKE_SUCCESS
* MOBILE_CREDENTIAL_STATUS_LIST_SIGNER_REVOKE_FAIL
parameters:
- name: statusListSignerId
description: Status list signer identifier
in: path
required: true
schema:
type: string
format: uuid
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/StatusListSignerRevokeRequest'
responses:
'200':
description: Status list signer revoked
content:
application/json:
schema:
$ref: '#/components/schemas/StatusListSignerRevokeResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
'409':
description: Status list signer already revoked
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
/v2/credentials/mobile/{id}:
parameters:
- name: id
in: path
required: true
schema:
type: string
description: mDoc ID
delete:
tags:
- mDocs management
summary: Delete mDoc metadata
x-roles:
- admin
- issuer
- managed-issuer
responses:
'204':
description: mDoc metadata deleted
'400':
description: Invalid id parameter format
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
'404':
$ref: '#/components/responses/404'
operationId: remove-mobile-credential
description: |-
Deletes all stored data for an existing mDoc that matches the provided ID.
Removed credential data cannot be recovered.
### **Analytic events**
* USER_CREDENTIAL_DELETE_START
* USER_CREDENTIAL_DELETE_SUCCESS
* USER_CREDENTIAL_DELETE_FAIL
/v2/credentials/mobile/configurations:
post:
operationId: createMobileCredentialConfiguration
tags:
- mDoc credentials configuration
summary: Create an mDocs configuration
x-roles:
- admin
- issuer
description: |
Creates a new mDocs configuration, a specific set of rules and parameters that are used to create and validate a particular type of verifiable credential. These rules and parameters define how the credential is structured and what data it contains when issued.
### **Analytic events**
* MOBILE_CREDENTIAL_CONFIGURATION_CREATE_START
* MOBILE_CREDENTIAL_CONFIGURATION_CREATE_SUCCESS
* MOBILE_CREDENTIAL_CONFIGURATION_CREATE_FAIL
requestBody:
description: The mDocs configuration payload
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/components-schemas-CredentialConfigurationRequest'
responses:
'201':
description: mDocs configuration created
content:
application/json:
schema:
$ref: '#/components/schemas/components-schemas-CredentialConfigurationResponse'
'400':
$ref: '#/components/responses/400'
get:
operationId: getMobileCredentialConfigurations
tags:
- mDoc credentials configuration
summary: Retrieve all mDocs configurations
x-roles:
- admin
- issuer
- managed-issuer
description: |
Retrieves all mDocs configurations from your tenant.
### **Analytic events**
* MOBILE_CREDENTIAL_CONFIGURATION_RETRIEVE_LIST_START
* MOBILE_CREDENTIAL_CONFIGURATION_RETRIEVE_LIST_SUCCESS
* MOBILE_CREDENTIAL_CONFIGURATION_RETRIEVE_LIST_FAIL
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
- schema:
type: string
example: AlumniCredential
in: query
name: type
description: Optional credential type to filter on
responses:
'200':
description: mDocs configurations retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/components-schemas-GetCredentialConfigurationsResponse'
'400':
$ref: '#/components/responses/400'
parameters: []
/v2/credentials/mobile/configurations/{id}:
parameters:
- name: id
in: path
description: mDocs configuration ID
schema:
type: string
format: uuid
example: 3948c40e-6e19-4ffc-933c-91f643f24264
required: true
get:
operationId: getMobileCredentialConfiguration
tags:
- mDoc credentials configuration
summary: Retrieve an mDocs configuration
x-roles:
- admin
- issuer
- managed-issuer
description: |
Retrieves an existing mDocs configuration by providing its ID.
### **Analytic events**
* MOBILE_CREDENTIAL_CONFIGURATION_RETRIEVE_START
* MOBILE_CREDENTIAL_CONFIGURATION_RETRIEVE_SUCCESS
* MOBILE_CREDENTIAL_CONFIGURATION_RETRIEVE_FAIL
responses:
'200':
description: mDocs configuration retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/components-schemas-CredentialConfigurationResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
put:
operationId: updateMobileCredentialConfiguration
tags:
- mDoc credentials configuration
summary: Update an mDocs configuration
x-roles:
- admin
- issuer
description: |
Updates an existing mDocs configuration by providing its ID.
### **Analytic events**
* MOBILE_CREDENTIAL_CONFIGURATION_UPDATE_START
* MOBILE_CREDENTIAL_CONFIGURATION_UPDATE_SUCCESS
* MOBILE_CREDENTIAL_CONFIGURATION_UPDATE_FAIL
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/components-schemas-CredentialConfigurationRequest'
description: Update an mDocs configuration
responses:
'200':
description: mDocs configuration updated
content:
application/json:
schema:
$ref: '#/components/schemas/components-schemas-CredentialConfigurationResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
delete:
operationId: deleteMobileCredentialConfiguration
tags:
- mDoc credentials configuration
summary: Delete an mDocs configuration
x-roles:
- admin
- issuer
description: |
Deletes an existing mDocs configuration by providing its ID.
### **Analytic events**
* MOBILE_CREDENTIAL_CONFIGURATION_DELETE_START
* MOBILE_CREDENTIAL_CONFIGURATION_DELETE_SUCCESS
* MOBILE_CREDENTIAL_CONFIGURATION_DELETE_FAIL
responses:
'204':
description: mDocs configuration deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
/v2/credentials/mobile/{credentialId}/status:
parameters:
- name: credentialId
in: path
description: mDoc identifier
schema:
type: string
format: uuid
example: 3948c40e-6e19-4ffc-933c-91f643f24264
required: true
post:
operationId: postCredentialStatus
tags:
- mDocs status
summary: Update mDoc status
x-roles:
- admin
- issuer
- managed-issuer
description: |-
Sets the status of an existing mDoc by providing its `credentialId` and the new status.
Available status values depend on the Status List configuration format:
**Draft 14 of the IETF Token Status List specification (1-bit encoding)**:
* **valid** - Credential is valid
* **invalid** - Credential is invalid (cannot be reversed)
**Deprecated Legacy format (2-bit encoding)**:
* **valid** - Credential is valid
* **invalid** - Credential is invalid (cannot be reversed)
* **suspended** - Credential is temporarily suspended
The **suspended** status is deprecated and only available in legacy format.
### **Analytic events**
* MOBILE_CREDENTIAL_STATUS_SET_START
* MOBILE_CREDENTIAL_STATUS_SET_SUCCESS
* MOBILE_CREDENTIAL_STATUS_SET_FAIL
requestBody:
description: Credential status payload
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/schemas-CredentialStatus'
responses:
'201':
description: Credential status updated
content:
application/json:
schema:
$ref: '#/components/schemas/schemas-CredentialStatus'
'400':
description: Bad Request
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
examples:
Invalid ID:
value:
code: BadRequest
message: Validation Error
details:
- location: params
msg: Invalid value
param: credentialId
value: abc
Unsupported status provided:
value:
code: BadRequest
message: Validation Error
details:
- location: body
msg: must be one of the following values 'valid', 'invalid', 'suspended' (suspended only available in legacy format)
param: status
value: abc
mDoc status is invalid:
value:
code: BadRequest
message: Credential status is in final 'invalid' state and cannot be updated.
'404':
$ref: '#/components/responses/404'
get:
operationId: getCredentialStatus
tags:
- mDocs status
summary: Retrieve mDoc status
x-roles:
- admin
- issuer
- managed-issuer
description: |
Retrieves the status of an existing mDoc by providing its `credentialId`.
### **Analytic events**
* MOBILE_CREDENTIAL_STATUS_RETRIEVE_START
* MOBILE_CREDENTIAL_STATUS_RETRIEVE_SUCCESS
* MOBILE_CREDENTIAL_STATUS_RETRIEVE_FAIL
parameters:
- name: credentialId
in: path
description: mDoc identifier
schema:
type: string
format: uuid
example: 3948c40e-6e19-4ffc-933c-91f643f24264
required: true
responses:
'200':
description: Credential status retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/schemas-CredentialStatus'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
/v2/credentials/mobile/status-lists/configurations:
post:
operationId: createStatusListConfiguration
tags:
- Status list configuration
summary: Create a Status list configuration
x-roles:
- admin
- issuer
- managed-issuer
description: |
Creates a Status list configuration, which defines a status list validity periods. mDocs can then be assigned to a specific Status list configuration.
### **Analytic events**
* MOBILE_CREDENTIAL_STATUS_LIST_CONFIGURATION_CREATE_START
* MOBILE_CREDENTIAL_STATUS_LIST_CONFIGURATION_CREATE_SUCCESS
* MOBILE_CREDENTIAL_STATUS_LIST_CONFIGURATION_CREATE_FAIL
requestBody:
description: The Status list configuration payload
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/StatusListConfigurationRequest'
responses:
'201':
description: Status list configuration created
content:
application/json:
schema:
$ref: '#/components/schemas/CreateStatusListConfigurationResponse'
'400':
description: Bad Request
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
examples:
invalid timeToLiveDuration:
value:
code: BadRequest
message: Validation Error
details:
- location: body
msg: must be a Duration
param: timeToLiveDuration
value: abc
invalid expiryDuration:
value:
code: BadRequest
message: Validation Error
details:
- location: body
msg: must be a Duration
param: expiryDuration
value: abc
invalid docType:
value:
code: BadRequest
message: Validation Error
details:
- location: body
msg: must be a string
param: docType
value: '1'
configuration exists for docType:
value:
code: BadRequest
message: Configuration for docType already exists
get:
operationId: StatusListConfigurations
tags:
- Status list configuration
summary: Retrieve all Status list configurations
x-roles:
- admin
- issuer
- managed-issuer
description: |
Retrieves all Status list configurations from your tenant.
### **Analytic events**
* MOBILE_CREDENTIAL_STATUS_LIST_CONFIGURATION_RETRIEVE_LIST_START
* MOBILE_CREDENTIAL_STATUS_LIST_CONFIGURATION_RETRIEVE_LIST_
* MOBILE_CREDENTIAL_STATUS_LIST_CONFIGURATION_RETRIEVE_LIST_FAIL
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
responses:
'200':
description: Status list configurations retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/GetStatusListConfigurationsResponse'
'400':
$ref: '#/components/responses/400'
/v2/credentials/mobile/status-lists/configurations/{id}:
parameters:
- name: id
in: path
description: Status list configuration ID
schema:
type: string
format: uuid
example: 3948c40e-6e19-4ffc-933c-91f643f24264
required: true
get:
operationId: getStatusListConfiguration
tags:
- Status list configuration
summary: Retrieve a Status list configuration
x-roles:
- admin
- issuer
- managed-issuer
description: |
Retrieves an existing Status list configuration by providing its ID.
### **Analytic events**
* MOBILE_CREDENTIAL_STATUS_LIST_CONFIGURATION_RETRIEVE_START
* MOBILE_CREDENTIAL_STATUS_LIST_CONFIGURATION_RETRIEVE_SUCCESS
* MOBILE_CREDENTIAL_STATUS_LIST_CONFIGURATION_RETRIEVE_FAIL
parameters:
- name: id
in: path
description: Status list configuration ID
schema:
type: string
format: uuid
example: 3948c40e-6e19-4ffc-933c-91f643f24264
required: true
responses:
'200':
description: Status list configuration retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/StatusListConfiguration'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
put:
operationId: updateStatusListConfiguration
tags:
- Status list configuration
summary: Update a Status list configuration
x-roles:
- admin
- issuer
- managed-issuer
description: |
Updates an existing Status list configuration, allowing you to adjust the expiry and TTL (Time To Live) settings.
### **Analytic events**
* MOBILE_CREDENTIAL_STATUS_LIST_CONFIGURATION_UPDATE_START
* MOBILE_CREDENTIAL_STATUS_LIST_CONFIGURATION_UPDATE_SUCCESS
* MOBILE_CREDENTIAL_STATUS_LIST_CONFIGURATION_UPDATE_FAIL
parameters:
- name: id
in: path
description: Status list configuration ID
schema:
type: string
format: uuid
example: 3948c40e-6e19-4ffc-933c-91f643f24264
required: true
requestBody:
description: The Status list configuration payload
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/StatusListConfigurationUpdateRequest'
responses:
'200':
description: Status list configuration updated
content:
application/json:
schema:
$ref: '#/components/schemas/CreateStatusListConfigurationResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
delete:
operationId: deleteStatusListConfiguration
tags:
- Status list configuration
summary: Delete a Status list configuration
x-roles:
- admin
- issuer
- managed-issuer
description: |
Permanently deletes an existing Status list configuration.
### **Analytic events**
* MOBILE_CREDENTIAL_STATUS_LIST_CONFIGURATION_DELETE_START
* MOBILE_CREDENTIAL_STATUS_LIST_CONFIGURATION_DELETE_SUCCESS
* MOBILE_CREDENTIAL_STATUS_LIST_CONFIGURATION_DELETE_FAIL
parameters:
- name: id
in: path
description: Status list configuration ID
schema:
type: string
format: uuid
example: 3948c40e-6e19-4ffc-933c-91f643f24264
required: true
responses:
'204':
description: Status list configuration deleted
'400':
description: Bad request
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
examples:
Configuration in use:
value:
code: BadRequest
message: Status list configuration is in use by at least one status list
'404':
$ref: '#/components/responses/404'
/v2/credentials/mobile/status-lists:
get:
operationId: getStatusLists
tags:
- Status list retrieval
summary: Retrieve all Status lists
x-roles:
- admin
- issuer
- managed-issuer
description: |
Retrieves all existing status lists from your tenant.
### **Analytic events**
* MOBILE_CREDENTIAL_STATUS_LIST_RETRIEVE_LIST_START
* MOBILE_CREDENTIAL_STATUS_LIST_RETRIEVE_LIST_SUCCESS
* MOBILE_CREDENTIAL_STATUS_LIST_RETRIEVE_LIST_FAIL
responses:
'200':
description: Status lists retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/StatusListsResponse'
/v2/credentials/mobile/status-lists/{statusListId}:
get:
operationId: getStatusList
tags:
- Status list retrieval
summary: Retrieve a Status list
x-roles:
- admin
- issuer
- managed-issuer
description: |
Retrieves an existing Status list and its signed token by providing its ID.
### **Analytic events**
* MOBILE_CREDENTIAL_STATUS_LIST_RETRIEVE_START
* MOBILE_CREDENTIAL_STATUS_LIST_RETRIEVE_SUCCESS
* MOBILE_CREDENTIAL_STATUS_LIST_RETRIEVE_FAIL
parameters:
- name: statusListId
description: Status list unique identifier
in: path
required: true
schema:
type: string
format: uuid
responses:
'200':
description: Status list retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/StatusListResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
/v2/credentials/mobile/status-lists/{statusListId}/token:
get:
operationId: getStatusListToken
security: []
tags:
- Status list retrieval
summary: Retrieve a Status list token
description: |
Retrieves the Status list token in CWT format. This public endpoint returns a token which contains a compressed, signed list of credential statuses. Relying parties can use this token to check the revocation status of an mDoc that references this Status list.
**Token Format Differences**:
The token structure depends on the Status List configuration format:
**Draft 14 of the IETF Token Status List specification**:
- Token header `typ`: `application/statuslist+cwt`
- CBOR payload claims: `65533` (status_list), `65534` (ttl)
- Status encoding: 1-bit (Valid/Invalid)
**Legacy format**:
- Token header `typ`: `mattr-statuslist+cwt`
- CBOR payload claims: `-65538` (status_list), `-65539` (ttl)
- Status encoding: 2-bit (Valid/Invalid/Suspended)
### **Analytic events**
* MOBILE_CREDENTIAL_STATUS_LIST_TOKEN_RETRIEVE_START
* MOBILE_CREDENTIAL_STATUS_LIST_TOKEN_RETRIEVE_SUCCESS
* MOBILE_CREDENTIAL_STATUS_LIST_TOKEN_RETRIEVE_FAIL
parameters:
- name: statusListId
in: path
description: Status list identifier
required: true
schema:
type: string
format: uuid
responses:
'200':
description: Status list token retrieved
content:
application/cwt:
schema:
type: string
format: binary
'404':
$ref: '#/components/responses/404'
'410':
description: Status list expired
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
/v2/credentials/mobile/status-lists/distribution:
get:
operationId: getStatusListDistribution
security: []
tags:
- Status list retrieval
summary: Status list distribution
description: |
Retrieves an object that details all existing Status lists tokens on the tenant. This public endpoint allows a relying party to consume and cache status lists. Each list
in the response includes a URL where its token can be retrieved. Status list tokens that were signed by expired IACAs are excluded from the response.
**Response Format Differences**:
The response structure depends on the Status List configuration format:
**Draft 14 of the IETF Token Status List specification**: `{"status_lists": ["https://..."]}`
**Legacy format**: `{"status_lists": [{"uri": "https://..."}]}`
### **Analytic events**
* MOBILE_CREDENTIAL_STATUS_LIST_DISTRIBUTION_START
* MOBILE_CREDENTIAL_STATUS_LIST_DISTRIBUTION_SUCCESS
* MOBILE_CREDENTIAL_STATUS_LIST_DISTRIBUTION_FAIL
responses:
'200':
description: Status lists retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/DistributionStatusListsResponse'
/v2/credentials/mobile/trusted-issuers:
post:
operationId: addMobileCredentialTrustedIssuer
tags:
- Trusted issuers
summary: Create a trusted issuer
x-roles:
- admin
- verifier
description: |
Add a new mDocs trusted issuer, to be used in online presentation workflows.
### **Analytic events**
* MOBILE_CREDENTIAL_TRUSTED_ISSUER_CREATE_START
* MOBILE_CREDENTIAL_TRUSTED_ISSUER_CREATE_SUCCESS
* MOBILE_CREDENTIAL_TRUSTED_ISSUER_CREATE_FAIL
requestBody:
description: The trusted issuer payload
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/TrustedIssuerRequest'
responses:
'201':
description: Trusted issuer created
content:
application/json:
schema:
$ref: '#/components/schemas/TrustedIssuer'
'400':
$ref: '#/components/responses/400'
get:
operationId: getMobileCredentialTrustedIssuers
tags:
- Trusted issuers
summary: Retrieve all trusted issuers
x-roles:
- admin
- verifier
description: |
Retrieves all mDocs trusted issuers from your tenant.
### **Analytic events**
* MOBILE_CREDENTIAL_TRUSTED_ISSUER_RETRIEVE_LIST_START
* MOBILE_CREDENTIAL_TRUSTED_ISSUER_RETRIEVE_LIST_SUCCESS
* MOBILE_CREDENTIAL_TRUSTED_ISSUER_RETRIEVE_LIST_FAIL
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
responses:
'200':
description: Trusted issuers retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/GetTrustedIssuersResponse'
'400':
$ref: '#/components/responses/400'
parameters: []
/v2/credentials/mobile/trusted-issuers/{id}:
parameters:
- name: id
in: path
description: Trusted issuer ID
schema:
type: string
format: uuid
example: 3948c40e-6e19-4ffc-933c-91f643f24264
required: true
get:
operationId: getMobileCredentialTrustedIssuer
tags:
- Trusted issuers
summary: Retrieve a trusted issuer
x-roles:
- admin
- verifier
description: |
Retrieves an existing trusted issuer from your tenant by providing its ID.
### **Analytic events**
* MOBILE_CREDENTIAL_TRUSTED_ISSUER_RETRIEVE_START
* MOBILE_CREDENTIAL_TRUSTED_ISSUER_RETRIEVE_SUCCESS
* MOBILE_CREDENTIAL_TRUSTED_ISSUER_RETRIEVE_FAIL
responses:
'200':
description: Trusted issuer retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/TrustedIssuer'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
delete:
operationId: deleteMobileCredentialTrustedIssuer
tags:
- Trusted issuers
summary: Delete a trusted issuer
x-roles:
- admin
- verifier
description: |
Deletes an existing trusted issuer by providing its ID.
### **Analytic events**
* MOBILE_CREDENTIAL_TRUSTED_ISSUER_DELETE_START
* MOBILE_CREDENTIAL_TRUSTED_ISSUER_DELETE_SUCCESS
* MOBILE_CREDENTIAL_TRUSTED_ISSUER_DELETE_FAIL
responses:
'204':
description: Trusted issuer deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
/v2/presentations/certificates/ca:
post:
operationId: postVerifierCACertificate
tags:
- Verifier root CA certificates
summary: Create a verifier root CA certificate
x-roles:
- admin
- verifier
description: |-
Creates a verifier root CA certificate to be used as part of mDocs online verification workflows.
- A maximum of three Verifier root CA certificates can be created per tenant.
### **Analytic events**
* CREDENTIAL_PRESENTATION_VERIFIER_CA_CERTIFICATE_CREATE_START
* CREDENTIAL_PRESENTATION_VERIFIER_CA_CERTIFICATE_CREATE_SUCCESS
* CREDENTIAL_PRESENTATION_VERIFIER_CA_CERTIFICATE_CREATE_FAIL
requestBody:
description: Verifier root CA certificate payload
required: true
content:
application/json:
schema:
oneOf:
- $ref: '#/components/schemas/VerifierCACertificateManagedRequest'
- $ref: '#/components/schemas/VerifierCACertificateUnmanagedRequest'
responses:
'200':
description: Verifier root CA certificate created
content:
application/json:
schema:
$ref: '#/components/schemas/VerifierCACertificateResponse'
'400':
$ref: '#/components/responses/400'
'409':
description: Maximum number of verifier root certificates reached. Please delete an existing certificate before creating a new one.
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
get:
operationId: getVerifierCACertificates
tags:
- Verifier root CA certificates
summary: Retrieve all verifier root CA certificates
x-roles:
- admin
- verifier
description: |-
Retrieves all existing verifier root CA certificates.
### **Analytic events**
* CREDENTIAL_PRESENTATION_VERIFIER_CA_CERTIFICATE_RETRIEVE_LIST_START
* CREDENTIAL_PRESENTATION_VERIFIER_CA_CERTIFICATE_RETRIEVE_LIST_SUCCESS
* CREDENTIAL_PRESENTATION_VERIFIER_CA_CERTIFICATE_RETRIEVE_LIST_FAIL
responses:
'200':
description: Verifier root CA certificates retrieved
content:
application/json:
schema:
type: object
properties:
data:
type: array
items:
$ref: '#/components/schemas/VerifierCACertificateResponse'
nextCursor:
type: string
description: Cursor to retrieve the next page of results.
/v2/presentations/certificates/ca/{certificateId}:
parameters:
- name: certificateId
in: path
description: Unique identifier for the verifier root CA certificate.
schema:
type: string
format: uuid
example: 281d20b3-42a3-40dd-b29a-115ff32b02b7
required: true
put:
operationId: putVerifierCACertificate
tags:
- Verifier root CA certificates
summary: Update a verifier root CA certificate
x-roles:
- admin
- verifier
description: |-
Updates an existing verifier root CA certificate.
### **Analytic events**
* CREDENTIAL_PRESENTATION_VERIFIER_CA_CERTIFICATE_UPDATE_START
* CREDENTIAL_PRESENTATION_VERIFIER_CA_CERTIFICATE_UPDATE_SUCCESS
* CREDENTIAL_PRESENTATION_VERIFIER_CA_CERTIFICATE_UPDATE_FAIL
requestBody:
description: Verifier root CA certificate payload
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/VerifierCACertificateUpdateRequest'
responses:
'200':
description: Verifier root CA certificate updated
content:
application/json:
schema:
$ref: '#/components/schemas/VerifierCACertificateResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
get:
operationId: getVerifierCACertificate
tags:
- Verifier root CA certificates
summary: Retrieve a verifier root CA certificate
x-roles:
- admin
- verifier
description: |-
Retrieves an existing verifier root CA certificate.
### **Analytic events**
* CREDENTIAL_PRESENTATION_VERIFIER_CA_CERTIFICATE_RETRIEVE_START
* CREDENTIAL_PRESENTATION_VERIFIER_CA_CERTIFICATE_RETRIEVE_SUCCESS
* CREDENTIAL_PRESENTATION_VERIFIER_CA_CERTIFICATE_RETRIEVE_FAIL
responses:
'200':
description: Verifier root CA certificate retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/VerifierCACertificateResponse'
'404':
$ref: '#/components/responses/404'
delete:
operationId: deleteVerifierCACertificate
tags:
- Verifier root CA certificates
summary: Delete a verifier root CA certificate
x-roles:
- admin
- verifier
description: |-
Deletes an existing verifier root CA certificate.
### **Analytic events**
* PRESENTATION_VERIFIER_CA_CERTIFICATE_DELETE_START
* PRESENTATION_VERIFIER_CA_CERTIFICATE_DELETE_SUCCESS
* PRESENTATION_VERIFIER_CA_CERTIFICATE_DELETE_FAIL
responses:
'204':
description: Verifier root CA certificate deleted
'404':
$ref: '#/components/responses/404'
/v2/presentations/certificates/verifier-signers:
post:
tags:
- Verification request signers
summary: Create a Verification request signer
x-roles:
- admin
- verifier
description: |-
Creates a Verification request signer.
- Only available in implementations using unmanaged (external) Verifier root CA certificates.
- A maximum of five Verification request signers can be created per tenant.
### **Analytic events**
* CREDENTIAL_PRESENTATION_VERIFIER_SIGNER_CERTIFICATE_CREATE_START
* CREDENTIAL_PRESENTATION_VERIFIER_SIGNER_CERTIFICATE_CREATE_SUCCESS
* CREDENTIAL_PRESENTATION_VERIFIER_SIGNER_CERTIFICATE_CREATE_FAIL
operationId: createVerificationRequestSigner
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/VerificationRequestSignerCreateRequest'
responses:
'201':
description: Verification request signer created
content:
application/json:
schema:
$ref: '#/components/schemas/CreateVerificationRequestSignerResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
get:
tags:
- Verification request signers
summary: Retrieve all Verification request signers
x-roles:
- admin
- verifier
description: |-
Retrieves all Verification request signers.
### **Analytic events**
* CREDENTIAL_PRESENTATION_VERIFIER_SIGNER_CERTIFICATE_RETRIEVE_LIST_START
* CREDENTIAL_PRESENTATION_VERIFIER_SIGNER_CERTIFICATE_RETRIEVE_LIST_SUCCESS
* CREDENTIAL_PRESENTATION_VERIFIER_SIGNER_CERTIFICATE_RETRIEVE_LIST_FAIL
operationId: getVerificationRequestSigners
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
responses:
'200':
description: Verification request signers retrieved
content:
application/json:
schema:
type: object
properties:
data:
type: array
items:
oneOf:
- $ref: '#/components/schemas/UpdateVerificationRequestSignerResponse'
- $ref: '#/components/schemas/CreateVerificationRequestSignerResponse'
nextCursor:
$ref: '#/components/schemas/nextCursor'
'400':
$ref: '#/components/responses/400'
/v2/presentations/certificates/verifier-signers/{verifierSignerId}:
parameters:
- $ref: '#/components/parameters/verifierSignerId'
put:
tags:
- Verification request signers
summary: Update a Verification request signer
x-roles:
- admin
- verifier
description: |-
Updates a Verification request signer by:
- Providing a Verification Request Signer Certificate (VRSC) in PEM format that matches its Certificate Signing Request (CSR).
- Activating or deactivating the VRSC signer. Only VRSC signers with a valid PEM certificate can be activated.
- The `certificatePem` field becomes immutable after it's updated for the first time.
Only available in implementations using unmanaged (external) Verifier root CA certificates.
### **Analytic events**
* CREDENTIAL_PRESENTATION_VERIFIER_SIGNER_CERTIFICATE_UPDATE_START
* CREDENTIAL_PRESENTATION_VERIFIER_SIGNER_CERTIFICATE_UPDATE_SUCCESS
* CREDENTIAL_PRESENTATION_VERIFIER_SIGNER_CERTIFICATE_UPDATE_FAIL
operationId: updateVerificationRequestSigner
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/VerificationRequestSignerUpdateRequest'
responses:
'200':
description: Verification request signer updated
content:
application/json:
schema:
$ref: '#/components/schemas/UpdateVerificationRequestSignerResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
delete:
tags:
- Verification request signers
summary: Delete a Verification request signer
x-roles:
- admin
- verifier
description: |-
Deletes a Verification request signer.
Only available in implementations using unmanaged (external) Verifier root CA certificates.
### **Analytic events**
* CREDENTIAL_PRESENTATION_VERIFIER_SIGNER_CERTIFICATE_DELETE_START
* CREDENTIAL_PRESENTATION_VERIFIER_SIGNER_CERTIFICATE_DELETE_SUCCESS
* CREDENTIAL_PRESENTATION_VERIFIER_SIGNER_CERTIFICATE_DELETE_FAIL
operationId: deleteVerificationRequestSigner
responses:
'204':
description: Verification request signer deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
get:
tags:
- Verification request signers
summary: Retrieve a Verification request signer
x-roles:
- admin
- verifier
description: |-
Retrieves a Verification request signer.
### **Analytic events**
* CREDENTIAL_PRESENTATION_VERIFIER_SIGNER_CERTIFICATE_RETRIEVE_START
* CREDENTIAL_PRESENTATION_VERIFIER_SIGNER_CERTIFICATE_RETRIEVE_SUCCESS
* CREDENTIAL_PRESENTATION_VERIFIER_SIGNER_CERTIFICATE_RETRIEVE_FAIL
operationId: getVerificationRequestSigner
responses:
'200':
description: Verification request signer retrieved
content:
application/json:
schema:
oneOf:
- $ref: '#/components/schemas/UpdateVerificationRequestSignerResponse'
- $ref: '#/components/schemas/CreateVerificationRequestSignerResponse'
'404':
$ref: '#/components/responses/404'
/v2/presentations/applications:
post:
operationId: postVerifierApplication
tags:
- Verifier applications
summary: Create verifier application
x-roles:
- admin
- verifier
description: |-
Creates an mDocs online verifier application.
### **Analytic events**
* CREDENTIAL_PRESENTATION_VERIFIER_APPLICATION_CREATE_START
* CREDENTIAL_PRESENTATION_VERIFIER_APPLICATION_CREATE_SUCCESS
* CREDENTIAL_PRESENTATION_VERIFIER_APPLICATION_CREATE_FAIL
requestBody:
description: Verifier application payload
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/VerifierApplicationRequest'
responses:
'201':
description: Verifier application created
content:
application/json:
schema:
$ref: '#/components/schemas/VerifierApplicationResponse'
'400':
$ref: '#/components/responses/400'
get:
operationId: getVerifierApplications
tags:
- Verifier applications
summary: Retrieve all verifier applications
x-roles:
- admin
- verifier
description: |-
Retrieves all configured mDocs online verifier applications.
### **Analytic events**
* CREDENTIAL_PRESENTATION_VERIFIER_APPLICATION_RETRIEVE_LIST_START
* CREDENTIAL_PRESENTATION_VERIFIER_APPLICATION_RETRIEVE_LIST_SUCCESS
* CREDENTIAL_PRESENTATION_VERIFIER_APPLICATION_RETRIEVE_LIST_FAIL
responses:
'200':
description: Verifier applications retrieved
content:
application/json:
schema:
type: object
properties:
nextCursor:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1hNjZmZmVhNS04NDhlLTQzOWQtODBhNC1kZGE1NWY1M2UzNmM
description: Starting point for next cursor to use in a page
data:
type: array
items:
$ref: '#/components/schemas/VerifierApplicationResponse'
/v2/presentations/applications/{applicationId}:
parameters:
- name: applicationId
in: path
description: Unique identifier for the verifier application.
schema:
type: string
format: uuid
example: 281d20b3-42a3-40dd-b29a-115ff32b02b7
required: true
put:
operationId: putVerifierApplication
tags:
- Verifier applications
summary: Update verifier application
x-roles:
- admin
- verifier
description: |-
Updates an existing mDocs online verifier application.
### **Analytic events**
* CREDENTIAL_PRESENTATION_VERIFIER_APPLICATION_UPDATE_START
* CREDENTIAL_PRESENTATION_VERIFIER_APPLICATION_UPDATE_SUCCESS
* CREDENTIAL_PRESENTATION_VERIFIER_APPLICATION_UPDATE_FAIL
requestBody:
description: Verifier application payload
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/VerifierApplicationRequest'
responses:
'200':
description: Verifier application updated
content:
application/json:
schema:
$ref: '#/components/schemas/VerifierApplicationResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
get:
operationId: getVerifierApplication
tags:
- Verifier applications
summary: Retrieve a verifier application
x-roles:
- admin
- verifier
description: |-
Retrieves an existing mDocs online verifier application.
### **Analytic events**
* CREDENTIAL_PRESENTATION_VERIFIER_APPLICATION_RETRIEVE_START
* CREDENTIAL_PRESENTATION_VERIFIER_APPLICATION_RETRIEVE_SUCCESS
* CREDENTIAL_PRESENTATION_VERIFIER_APPLICATION_RETRIEVE_FAIL
responses:
'200':
description: Verifier application retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/VerifierApplicationResponse'
'404':
$ref: '#/components/responses/404'
delete:
operationId: deleteVerifierApplication
tags:
- Verifier applications
summary: Delete a verifier application
x-roles:
- admin
- verifier
description: |-
Removes an existing mDocs online verifier application.
### **Analytic events**
* PRESENTATION_VERIFIER_APPLICATION_DELETE_START
* PRESENTATION_VERIFIER_APPLICATION_DELETE_SUCCESS
* PRESENTATION_VERIFIER_APPLICATION_DELETE_FAIL
responses:
'204':
description: Verifier application deleted
'404':
$ref: '#/components/responses/404'
/v2/presentations/wallet-providers:
post:
operationId: postWalletProvider
tags:
- Wallet providers
summary: Create wallet provider
x-roles:
- admin
- verifier
description: |-
Creates a wallet provider that can present mDocs for online verification.
### **Analytic events**
* CREDENTIAL_PRESENTATION_WALLET_PROVIDER_CREATE_START
* CREDENTIAL_PRESENTATION_WALLET_PROVIDER_CREATE_SUCCESS
* CREDENTIAL_PRESENTATION_WALLET_PROVIDER_CREATE_FAIL
requestBody:
description: Wallet provider payload
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/WalletProviderRequest'
responses:
'200':
description: Wallet provider created
content:
application/json:
schema:
$ref: '#/components/schemas/WalletProviderResponse'
'400':
$ref: '#/components/responses/400'
get:
operationId: getWalletProviders
tags:
- Wallet providers
summary: Retrieve all wallet providers
x-roles:
- admin
- verifier
description: |-
Retrieves all existing wallet providers that can present mDocs for online verification.
### **Analytic events**
* CREDENTIAL_PRESENTATION_WALLET_PROVIDER_RETRIEVE_LIST_START
* CREDENTIAL_PRESENTATION_WALLET_PROVIDER_RETRIEVE_LIST_SUCCESS
* CREDENTIAL_PRESENTATION_WALLET_PROVIDER_RETRIEVE_LIST_FAIL
responses:
'200':
description: Wallet providers retrieved
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/WalletProviderResponse'
/v2/presentations/wallet-providers/{walletProviderId}:
parameters:
- name: walletProviderId
in: path
description: Unique identifier for the wallet provider.
schema:
type: string
format: uuid
example: 281d20b3-42a3-40dd-b29a-115ff32b02b7
required: true
put:
operationId: putWalletProvider
tags:
- Wallet providers
summary: Update a wallet provider
x-roles:
- admin
- verifier
description: |-
Updates an existing wallet provider that can present mDocs for online verification.
### **Analytic events**
* CREDENTIAL_PRESENTATION_WALLET_PROVIDER_UPDATE_START
* CREDENTIAL_PRESENTATION_WALLET_PROVIDER_UPDATE_SUCCESS
* CREDENTIAL_PRESENTATION_WALLET_PROVIDER_UPDATE_FAIL
requestBody:
description: Wallet provider payload
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/WalletProviderRequest'
responses:
'200':
description: Wallet provider updated
content:
application/json:
schema:
$ref: '#/components/schemas/WalletProviderResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
get:
operationId: getWalletProvider
tags:
- Wallet providers
summary: Retrieve a wallet provider
x-roles:
- admin
- verifier
description: |-
Retrieves an existing wallet provider that can present mDocs for online verification.
### **Analytic events**
* CREDENTIAL_PRESENTATION_WALLET_PROVIDER_RETRIEVE_START
* CREDENTIAL_PRESENTATION_WALLET_PROVIDER_RETRIEVE_SUCCESS
* CREDENTIAL_PRESENTATION_WALLET_PROVIDER_RETRIEVE_FAIL
responses:
'200':
description: Wallet provider retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/WalletProviderResponse'
'404':
$ref: '#/components/responses/404'
delete:
operationId: deleteWalletProvider
tags:
- Wallet providers
summary: Delete a wallet provider
x-roles:
- admin
- verifier
description: |-
Deletes an existing wallet provider that can present mDocs for online verification.
### **Analytic events**
* PRESENTATION_WALLET_PROVIDER_DELETE_START
* PRESENTATION_WALLET_PROVIDER_DELETE_SUCCESS
* PRESENTATION_WALLET_PROVIDER_DELETE_FAIL
responses:
'204':
description: Wallet provider deleted
'404':
$ref: '#/components/responses/404'
/v2/presentations/sessions/{sessionId}:
parameters:
- $ref: '#/components/parameters/SessionId'
/v2/presentations/sessions/{sessionId}/result:
parameters:
- $ref: '#/components/parameters/SessionId'
get:
operationId: getPresentationResult
tags:
- mDocs presentation sessions
summary: Retrieve presentation session result
description: |-
Retrieves the result of an online presentation session by providing the session's ID.
### **Analytic events**
* CREDENTIAL_PRESENTATION_SESSION_RESULT_RETRIEVE_START
* CREDENTIAL_PRESENTATION_SESSION_RESULT_RETRIEVE_SUCCESS
* CREDENTIAL_PRESENTATION_SESSION_RESULT_RETRIEVE_FAIL
responses:
'200':
description: Session result retrieved
content:
application/json:
schema:
oneOf:
- $ref: '#/components/schemas/PresentationSuccessResult'
- $ref: '#/components/schemas/PresentationFailureResult'
'404':
$ref: '#/components/responses/404'
/v2/presentations/ios/sessions/{sessionId}/openid4vp/status:
parameters:
- $ref: '#/components/parameters/SessionId'
/v2/presentations/ios/sessions/{sessionId}/openid4vp/result:
parameters:
- $ref: '#/components/parameters/SessionId'
/v2/presentations/ios/sessions/{sessionId}/abort:
parameters:
- $ref: '#/components/parameters/SessionId'
/v2/presentations/sessions/{sessionId}/requests:
parameters:
- $ref: '#/components/parameters/SessionId'
/v2/presentations/sessions/{sessionId}/dc-api/response:
parameters:
- $ref: '#/components/parameters/SessionId'
/v2/presentations/web/sessions/{sessionId}/dc-api/response:
parameters:
- $ref: '#/components/parameters/SessionId'
/v2/presentations/android/sessions/{sessionId}/dc-api/response:
parameters:
- $ref: '#/components/parameters/SessionId'
/v2/presentations/ios/sessions/{sessionId}/apple-wallet-api/response:
parameters:
- $ref: '#/components/parameters/SessionId'
/v2/presentations/certificates/apple-identity-access-certificates:
post:
operationId: postAppleIdentityAccessCertificates
tags:
- Apple Identity Access certificates
summary: Create an Apple Identity Access CSR
x-roles:
- admin
- verifier
description: |-
Creates an Apple Identity Access Certificate Signing Request (CSR) that can be uploaded to the Apple Developer Portal.
This certificate contains the public key that will be used to decrypt the response from the Apple Wallet.
### **Analytic events**
* CREDENTIAL_PRESENTATION_APPLE_IDENTITY_ACCESS_CERTIFICATE_CREATE_START
* CREDENTIAL_PRESENTATION_APPLE_IDENTITY_ACCESS_CERTIFICATE_CREATE_SUCCESS
* CREDENTIAL_PRESENTATION_APPLE_IDENTITY_ACCESS_CERTIFICATE_CREATE_FAIL
requestBody:
description: Apple Identity Access CSR payload
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/AppleIdentityAccessCertificateSigningRequest'
responses:
'201':
description: Apple Identity Access CSR created
content:
application/json:
schema:
$ref: '#/components/schemas/AppleIdentityAccessCertificateSigningResponse'
'400':
$ref: '#/components/responses/400'
get:
operationId: getAppleIdentityAccessCertificates
tags:
- Apple Identity Access certificates
summary: Retrieve all Apple Identity Access CSRs
x-roles:
- admin
- verifier
description: |-
Retrieves all Apple Identity Access CSRs created by the tenant.
### **Analytic events**
* CREDENTIAL_PRESENTATION_APPLE_IDENTITY_ACCESS_CERTIFICATE_RETRIEVE_LIST_START
* CREDENTIAL_PRESENTATION_APPLE_IDENTITY_ACCESS_CERTIFICATE_RETRIEVE_LIST_SUCCESS
* CREDENTIAL_PRESENTATION_APPLE_IDENTITY_ACCESS_CERTIFICATE_RETRIEVE_LIST_FAIL
responses:
'200':
description: Apple Identity Access CSRs retrieved
content:
application/json:
schema:
type: object
properties:
nextCursor:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1hNjZmZmVhNS04NDhlLTQzOWQtODBhNC1kZGE1NWY1M2UzNmM
description: Starting point for next cursor to use in a page
data:
type: array
items:
$ref: '#/components/schemas/AppleIdentityAccessCertificateSigningResponse'
/v2/presentations/certificates/apple-identity-access-certificates/{certificateId}:
parameters:
- name: certificateId
in: path
description: Unique identifier for the Apple Identity Access CSR.
schema:
type: string
format: uuid
example: 673a20c3-97a3-40dd-b29a-115ff32b02c3
required: true
get:
operationId: getAppleIdentityAccessCertificate
tags:
- Apple Identity Access certificates
summary: Retrieve an Apple Identity Access CSR
x-roles:
- admin
- verifier
description: |-
Retrieves an existing Apple Identity Access CSR.
### **Analytic events**
* CREDENTIAL_PRESENTATION_APPLE_IDENTITY_ACCESS_CERTIFICATE_RETRIEVE_START
* CREDENTIAL_PRESENTATION_APPLE_IDENTITY_ACCESS_CERTIFICATE_RETRIEVE_SUCCESS
* CREDENTIAL_PRESENTATION_APPLE_IDENTITY_ACCESS_CERTIFICATE_RETRIEVE_FAIL
responses:
'200':
description: Apple Identity Access Certificate CSR retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/AppleIdentityAccessCertificateSigningResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
delete:
operationId: deleteAppleIdentityAccessCertificate
tags:
- Apple Identity Access certificates
summary: Delete an Apple Identity Access CSR
x-roles:
- admin
- verifier
description: |-
Deletes an existing Apple Identity Access CSR.
### **Analytic events**
* CREDENTIAL_PRESENTATION_APPLE_IDENTITY_ACCESS_CERTIFICATE_DELETE_START
* CREDENTIAL_PRESENTATION_APPLE_IDENTITY_ACCESS_CERTIFICATE_DELETE_SUCCESS
* CREDENTIAL_PRESENTATION_APPLE_IDENTITY_ACCESS_CERTIFICATE_DELETE_FAIL
responses:
'204':
description: Apple Identity Access Certificate CSR deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
/v2/presentations/sessions/{sessionId}/abort:
parameters:
- $ref: '#/components/parameters/SessionId'
/v2/presentations/android/sessions/{sessionId}/openid4vp/status:
parameters:
- $ref: '#/components/parameters/SessionId'
/v2/presentations/android/sessions/{sessionId}/openid4vp/result:
parameters:
- $ref: '#/components/parameters/SessionId'
/v2/presentations/android/sessions/{sessionId}/abort:
parameters:
- $ref: '#/components/parameters/SessionId'
/v2/presentations/web/sessions/{sessionId}/abort:
parameters:
- $ref: '#/components/parameters/SessionId'
/v2/presentations/sessions/{sessionId}/status:
parameters:
- $ref: '#/components/parameters/SessionId'
/v2/presentations/trusted-issuers:
get:
security: []
operationId: getTrustedIssuers
tags:
- Trusted issuers
summary: Retrieve all trusted issuers
description: |-
Retrieves all configured trusted issuers.
This endpoint is unprotected, public facing and can be used by any party wishing to retrieve the list of trusted issuers.
### **Analytic events**
* CREDENTIAL_PRESENTATION_TRUSTED_ISSUERS_RETRIEVE_LIST_START
* CREDENTIAL_PRESENTATION_TRUSTED_ISSUERS_RETRIEVE_LIST_SUCCESS
* CREDENTIAL_PRESENTATION_TRUSTED_ISSUERS_RETRIEVE_LIST_FAIL
responses:
'200':
description: Trusted issuers retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/TrustedIssuersResponse'
/v2/credentials/web-semantic/sign:
post:
requestBody:
description: JSON credential payload to sign
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/WebSemanticCredentialSignRequest'
tags:
- JSON credentials issuance
summary: Sign a JSON credential
x-roles:
- admin
- issuer
- managed-issuer
responses:
'200':
description: JSON Credential signed
content:
application/json:
schema:
$ref: '#/components/schemas/WebSemanticCredentialSignResponse'
'400':
$ref: '#/components/responses/400'
operationId: signWebSemanticCredentialV2
description: |-
Returns a signed JSON credential generated from a provided valid payload.
### **Analytic events**
* CREDENTIAL_WEB_SEMANTIC_SIGN_START
* CREDENTIAL_WEB_SEMANTIC_SIGN_SUCCESS
* CREDENTIAL_WEB_SEMANTIC_SIGN_FAIL
/v2/credentials/web-semantic:
get:
tags:
- JSON credentials management
summary: Retrieve all credential data
x-roles:
- admin
- issuer
- managed-issuer
parameters:
- schema:
type: string
example: identifier123
in: query
name: tag
description: Optional tag to filter on.
- schema:
type: string
example: AlumniCredential
in: query
name: type
description: Optional credential type to filter on.
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
responses:
'200':
description: Credentials data retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/GetCredentialsResponse'
examples:
List of credential data:
value:
nextCursor: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1hNjZmZmVhNS04NDhlLTQzOWQtODBhNC1kZGE1NWY1M2UzNmM
data:
- id: 873277c0-a162-11ea-8a1d-a111119347e6
credential:
'@context':
- https://www.w3.org/2018/credentials/v1
type:
- VerifiableCredential
- AlumniCredential
issuer:
id: did:key:z6MkjBWPPa1njEKygyr3LR3pRKkqv714vyTkfnUdP6ToFSH5
name: https://tenant.vii.mattr.global
issuanceDate: '2020-05-02T12:06:29.156Z'
credentialSubject:
id: did:key:z6Mkvji7zrwyFATXUzGNBSCnrPaZy7H3BWUnihrHvZdkEd9y
givenName: Jamie
familyName: Doe
proof:
type: Ed25519Signature2018
created: '2020-05-02T12:06:29Z'
jws: EXAMPLE_JWS_TOKEN_eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
proofPurpose: assertionMethod
verificationMethod: did:key:z6MkjBWPPa1njEKygyr3LR3pRKkqv714vyTkfnUdP6ToFSH5#z6Mkvji7zrwyFATXUzGNBSCnrPaZy7H3BWUnihrHvZdkEd9y
tag: identifier123
issuanceDate: '2020-05-02T12:06:29.156Z'
- id: 9043aa74-eb08-11ea-adc1-0242ac120002
tag: identifier124
credentialStatus:
id: https://tenant.vii.mattr.global/v1/revocation-lists/cc641396-3750-43c8-b8b8-f30d74eb3fb3#1
type: RevocationList2020Status
revocationListCredential: https://tenant.vii.mattr.global/v1/revocation-lists/cc641396-3750-43c8-b8b8-f30d74eb3fb3
revocationListIndex: 1
issuanceDate: '2020-10-06T03:21:02.397Z'
'400':
$ref: '#/components/responses/400'
operationId: retrieveWebSemanticCredentialListV2
description: |
Returns all available data for existing credentials:
- For credentials that were created with the `persist` flag set to `true`, the response contains both the credential and its metadata.
- For credentials that were created with the persist flag set to `false`, the response only contains the metadata (`id`, `tag`, `credentialStatus`, `issuanceDate`).
### **Analytic events**
* CREDENTIAL_WEB_SEMANTIC_RETRIEVE_LIST_START
* CREDENTIAL_WEB_SEMANTIC_RETRIEVE_LIST_SUCCESS
* CREDENTIAL_WEB_SEMANTIC_RETRIEVE_LIST_FAIL
parameters: []
/v2/credentials/web-semantic/{id}:
parameters:
- name: id
in: path
required: true
schema:
type: string
description: Credential ID
get:
tags:
- JSON credentials management
summary: Retrieve credential data
x-roles:
- admin
- issuer
- managed-issuer
responses:
'200':
description: Credential data retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/GetCredentialResponse'
examples:
With persisted credential:
value:
id: 873277c0-a162-11ea-8a1d-a111119347e6
credential:
'@context':
- https://www.w3.org/2018/credentials/v1
type:
- VerifiableCredential
- AlumniCredential
issuer:
id: did:web:organization.com
name: Example University
issuanceDate: '2020-05-02T12:06:29.156Z'
credentialStatus:
id: https://tenant.vii.mattr.global/v1/revocation-lists/cc641396-3750-43c8-b8b8-f30d74eb3fb3#1
type: RevocationList2020Status
revocationListCredential: https://tenant.vii.mattr.global/v1/revocation-lists/cc641396-3750-43c8-b8b8-f30d74eb3fb3
revocationListIndex: 4
credentialSubject:
givenName: Jamie
familyName: Doe
proof:
type: Ed25519Signature2018
created: '2020-05-02T12:06:29Z'
jws: EXAMPLE_JWS_TOKEN_eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
proofPurpose: assertionMethod
verificationMethod: did:web:organization.com
tag: identifier123
credentialStatus:
id: https://tenant.vii.mattr.global/v1/revocation-lists/cc641396-3750-43c8-b8b8-f30d74eb3fb3#1
type: RevocationList2020Status
revocationListCredential: https://tenant.vii.mattr.global/v1/revocation-lists/cc641396-3750-43c8-b8b8-f30d74eb3fb3
revocationListIndex: 4
issuanceDate: '2020-05-02T12:06:29.156Z'
No persisted credential:
value:
id: 9043aa74-eb08-11ea-adc1-0242ac120002
tag: identifier124
issuanceDate: '2020-05-02T12:06:29.156Z'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: retrieveWebSemanticCredentialV2
description: |-
Returns all available data for an existing credential that matches the provided ID:
- For credentials that were created with the `persist` flag set to `true`, the response contains both the credential and its metadata.
- For credentials that were created with the persist flag set to `false`, the response only contains the metadata (`id`, `tag`, `credentialStatus`, `issuanceDate`)
### **Analytic events**
* CREDENTIAL_WEB_SEMANTIC_RETRIEVE_START
* CREDENTIAL_WEB_SEMANTIC_RETRIEVE_SUCCESS
* CREDENTIAL_WEB_SEMANTIC_RETRIEVE_FAIL
delete:
tags:
- JSON credentials management
summary: Delete credential data
x-roles:
- admin
- issuer
- managed-issuer
responses:
'204':
description: Credential deleted and revoked if revocable
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
operationId: removeWebSemanticCredentialV2
description: |-
Deletes all stored data for an existing credential that matches the provided ID. If the credential is revocable, it will also be permanently revoked.
Removed credential data cannot be recovered.
### **Analytic events**
* CREDENTIAL_WEB_SEMANTIC_DELETE_START
* CREDENTIAL_WEB_SEMANTIC_DELETE_SUCCESS
* CREDENTIAL_WEB_SEMANTIC_DELETE_FAIL
/v2/credentials/web-semantic/verify:
post:
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/VerifyWebSemanticCredentialRequest'
tags:
- JSON credentials verification
summary: Verify a JSON credential
x-roles:
- admin
- verifier
responses:
'200':
description: Verification completed
content:
application/json:
schema:
$ref: '#/components/schemas/VerifyWebSemanticCredentialResponse'
'400':
$ref: '#/components/responses/400'
operationId: verifyWebSemanticCredentialV2
description: |-
Verify a JSON credential by providing its payload. The credential is verified against the following criteria:
- Issuer DID can be resolved, so that the referenced DID Document is available and valid and the public key is obtainable.
- Proof is valid and the credential has not been tampered with.
- JSON-LD context is valid for subject claims.
Optional verification checks:
- If `assertExpiry` is set to `true` and the credential has a set expiration date, verification will fail if the expiration date has passed.
- If `checkRevocation` is set to `true` and the provided credential contains a revocation status list, verification will fail if the credential has been set to `revoked`.
### **Analytic events**
* CREDENTIAL_WEB_SEMANTIC_VERIFY_START
* CREDENTIAL_WEB_SEMANTIC_VERIFY_SUCCESS
* CREDENTIAL_WEB_SEMANTIC_VERIFY_FAIL
/v2/credentials/web-semantic/{id}/revocation-status:
post:
tags:
- JSON credentials management
summary: Set credential revocation status
x-roles:
- admin
- issuer
- managed-issuer
description: |
Sets the revocation status of the credential that matches the provided ID as `true` (revoked) or `false` (unrevoked).
### **Analytic events**
* CREDENTIAL_WEB_SEMANTIC_REVOCATION_SET_STATUS_START
* CREDENTIAL_WEB_SEMANTIC_REVOCATION_SET_STATUS_SUCCESS
* CREDENTIAL_WEB_SEMANTIC_REVOCATION_SET_STATUS_FAIL
requestBody:
description: Setting the revocation status
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/SetRevocationStatus'
examples:
Example:
value:
isRevoked: true
responses:
'200':
description: Revocation status updated
'404':
$ref: '#/components/responses/404'
operationId: setWebSemanticCredentialRevocationStatusV2
parameters:
- schema:
type: string
format: uuid
example: a80a5e7e-1972-4be6-8a4e-2adf09badf24
name: id
in: path
required: true
description: Credential ID
get:
tags:
- JSON credentials management
summary: Retrieve credential revocation status
x-roles:
- admin
- issuer
- managed-issuer
responses:
'200':
description: Credential status
content:
application/json:
schema:
$ref: '#/components/schemas/RevocationStatusResponse'
examples:
Revocation Status:
value:
isRevoked: false
'404':
$ref: '#/components/responses/404'
operationId: getWebSemanticCredentialRevocationStatusV2
description: |-
Returns the revocation status of the credential matching the provided ID.
### **Analytic events**
* CREDENTIAL_WEB_SEMANTIC_REVOCATION_RETRIEVE_START
* CREDENTIAL_WEB_SEMANTIC_REVOCATION_RETRIEVE_SUCCESS
* CREDENTIAL_WEB_SEMANTIC_REVOCATION_RETRIEVE_FAIL
/v2/credentials/web-semantic/revocation-lists/{id}:
get:
security: []
tags:
- JSON credentials management
summary: Retrieve revocation list
responses:
'200':
description: Revocation list retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/VerifiableCredential'
examples:
Revocation List:
value:
id: https://tenant.vii.mattr.global/v1/revocation-lists/cc641396-3750-43c8-b8b8-f30d74eb3fb3
'@context':
- https://www.w3.org/2018/credentials/v1
- https://w3id.org/vc-revocation-list-2020/v1
type:
- VerifiableCredential
- RevocationList2020Credential
issuer: did:web:organization.com
issuanceDate: '2020-05-02T12:06:29.156Z'
credentialSubject:
type: RevocationList2020
encodedList: H4sIAAAAAAAAA-3BMQEAAADCoPVPbQwfoAAAAAAAAAAAAAAAAAAAAIC3AYbSVKsAQAAA
proof:
type: Ed25519Signature2018
created: '2020-05-02T12:06:29Z'
jws: EXAMPLE_JWS_TOKEN_eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
proofPurpose: assertionMethod
verificationMethod: did:web:organization.com#CU6dJt9p8t
'404':
$ref: '#/components/responses/404'
operationId: retrieveWebSemanticCredentialRevocationListV2
description: Returns the revocation list matching the provided ID.
parameters:
- schema:
type: string
format: uuid
example: cc641396-3750-43c8-b8b8-f30d74eb3fb3
name: id
in: path
required: true
description: Revocation list ID. This value can be found within the credential you created. Look at the value for `Credential.credential.credentialStatus.id`, the string after `https://tenant.vii.mattr.global/v1/revocation-lists/` is what you're looking for
/v2/credentials/web-semantic/{id}/revocation-status/notification:
parameters:
- name: id
in: path
required: true
schema:
type: string
format: uuid
example: 873277c0-a162-11ea-8a1d-a111119347e6
description: Unique identifier for the credential whose status has changed.
post:
summary: Create a revocation message payload
x-roles:
- admin
- issuer
- managed-issuer
operationId: createWebSemanticCredentialRevNotificationV2
responses:
'201':
description: Revocation message payload created
content:
application/json:
schema:
$ref: '#/components/schemas/RevocationStatusNotification'
description: |-
Returns a message in JWM format that can be used to notify subjects based on their credential revocation status change.
To send a notification to the Subject DID holder, use the returned payload with the [encrypt](#operation/encryptMessage) and [send](#operation/sendMessage) endpoints.
### **Analytic events**
* CREDENTIAL_WEB_SEMANTIC_REVOCATION_MESSAGE_PAYLOAD_CREATE_START
* CREDENTIAL_WEB_SEMANTIC_REVOCATION_MESSAGE_PAYLOAD_CREATE_SUCCESS
* CREDENTIAL_WEB_SEMANTIC_REVOCATION_MESSAGE_PAYLOAD_CREATE_FAIL
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/CreatePayloadRequest'
description: Create a JWM message payload
tags:
- JSON credentials management
/v2/credentials/web-semantic/presentations/templates:
post:
operationId: createPresTemplateV2
tags:
- JSON credentials verification
summary: Create a presentation template
x-roles:
- admin
- verifier
description: |-
Creates a presentation template defining what type of credential is required for a particular verification workflow. Presentation templates are used to create presentation requests that are shared with a specific holder.
### **Analytic events**
* PRESENTATION_WEB_SEMANTIC_TEMPLATE_CREATE_START
* PRESENTATION_WEB_SEMANTIC_TEMPLATE_CREATE_SUCCESS
* PRESENTATION_WEB_SEMANTIC_TEMPLATE_CREATE_FAIL
requestBody:
description: The template
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreatePresentationTemplate'
examples:
Query by Example:
value:
domain: tenant.vii.mattr.global
name: alumni_credential_request
query:
- type: QueryByExample
credentialQuery:
- required: true
reason: We need you to prove your alumni membership.
example:
'@context':
- https://optionalschema.example/
type: AlumniCredential
trustedIssuer:
- required: true
issuer: did:key:z6MkjBWPPa1njEKygyr3LR3pRKkqv714vyTkfnUdP6ToFSH5
Query by Frame:
value:
domain: tenant.vii.mattr.global
name: zkp-certificate-presentation
query:
- type: QueryByFrame
credentialQuery:
- reason: Please provide your educational award and surname from your Certificate
frame:
'@context':
- https://www.w3.org/2018/credentials/v1
- https://w3id.org/vc-revocation-list-2020/v1
- https://optionalschema.example/
type:
- VerifiableCredential
- AlumniCredential
credentialSubject:
'@explicit': true
educationalCredentialAwarded: {}
familyName: {}
trustedIssuer:
- issuer: did:key:zUC7KmMGXt7fs9URk9EDqWLfpCjVTtfFMexViLLkPPUfm9j4heqvk9JkLarva3sP54FGjFNLpwc63ZTef2aR2cPssFbyDj75kopYqWL16j7JigA2BAvJcwnaKvKPUybxbroRg1v
required: true
required: true
DID Auth:
value:
name: did-auth
domain: tenant.vii.mattr.global
query:
- type: DIDAuth
responses:
'201':
description: Presentation template created
content:
application/json:
schema:
$ref: '#/components/schemas/PresentationTemplateResponse'
examples:
Created:
value:
id: 364b6a1b-3600-4927-a6ac-4d66aa6bbac3
domain: tenant.vii.mattr.global
name: alumni_credential_request
query:
- type: QueryByExample
credentialQuery:
- required: true
reason: We need you to prove your alumni membership.
example:
'@context':
- https://optionalschema.example/
type: AlumniCredential
trustedIssuer:
- required: true
issuer: did:key:z6MkjBWPPa1njEKygyr3LR3pRKkqv714vyTkfnUdP6ToFSH5
'400':
$ref: '#/components/responses/400'
get:
operationId: retrievePresTemplatesV2
tags:
- JSON credentials verification
summary: Retrieve all presentation templates
x-roles:
- admin
- verifier
description: |-
Returns a list of all presentation templates on your tenant.
### **Analytic events**
* PRESENTATION_WEB_SEMANTIC_TEMPLATE_RETRIEVE_LIST_START
* PRESENTATION_WEB_SEMANTIC_TEMPLATE_RETRIEVE_LIST_SUCCESS
* PRESENTATION_WEB_SEMANTIC_TEMPLATE_RETRIEVE_LIST_FAIL
responses:
'200':
description: Presentation templates retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/PresentationTemplateArrayResponse'
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
parameters: []
/v2/credentials/web-semantic/presentations/templates/{id}:
parameters:
- name: id
in: path
required: true
description: Presentation template ID
schema:
type: string
get:
operationId: retrievePresTemplateV2
tags:
- JSON credentials verification
summary: Retrieve a presentation template
x-roles:
- admin
- verifier
description: |-
Retrieve an existing presentation template by its ID.
### **Analytic events**
* PRESENTATION_WEB_SEMANTIC_TEMPLATE_RETRIEVE_START
* PRESENTATION_WEB_SEMANTIC_TEMPLATE_RETRIEVE_SUCCESS
* PRESENTATION_WEB_SEMANTIC_TEMPLATE_RETRIEVE_FAIL
responses:
'200':
description: Presentation template retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/PresentationTemplateResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
delete:
operationId: removePresTemplateV2
tags:
- JSON credentials verification
summary: Delete a presentation template
x-roles:
- admin
- verifier
description: |-
Deletes an existing presentation template by its ID.
### **Analytic events**
* PRESENTATION_WEB_SEMANTIC_TEMPLATE_DELETE_START
* PRESENTATION_WEB_SEMANTIC_TEMPLATE_DELETE_SUCCESS
* PRESENTATION_WEB_SEMANTIC_TEMPLATE_DELETE_FAIL
responses:
'204':
description: Presentation template deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
put:
summary: Update a presentation template
x-roles:
- admin
- verifier
operationId: updatePresTemplateV2
tags:
- JSON credentials verification
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/PresentationTemplateResponse'
description: |-
Updates an existing presentation template by its ID.
### **Analytic events**
* PRESENTATION_WEB_SEMANTIC_TEMPLATE_UPDATE_START
* PRESENTATION_WEB_SEMANTIC_TEMPLATE_UPDATE_SUCCESS
* PRESENTATION_WEB_SEMANTIC_TEMPLATE_UPDATE_FAIL
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/UpdatePresentationTemplate'
description: ''
/v2/credentials/web-semantic/presentations/requests:
post:
operationId: createPresRequestV2
tags:
- JSON credentials verification
summary: Create a presentation request
x-roles:
- admin
- verifier
description: |-
Creates a short lived presentation request based on an existing presentation template. The request is returned in the form of a JWM message and must be [signed](#operation/signMessage) and sent to the holder via one of the following methods:
- QR code.
- Deeplink.
- [Encrypted](#operation/encryptMessage) and [sent](#operation/sendMessage) as a wallet notification.
### **Analytic events**
* PRESENTATION_WEB_SEMANTIC_REQUEST_CREATE_START
* PRESENTATION_WEB_SEMANTIC_REQUEST_CREATE_SUCCESS
* PRESENTATION_WEB_SEMANTIC_REQUEST_CREATE_FAIL
requestBody:
description: The presentation request payload
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreatePresentationRequestRequest'
responses:
'201':
description: Presentation request created
content:
application/json:
schema:
$ref: '#/components/schemas/CreatePresentationRequestResponse'
'400':
$ref: '#/components/responses/400'
parameters: []
/v2/credentials/web-semantic/presentations/verify:
post:
summary: Verify a verifiable presentation
x-roles:
- admin
- verifier
operationId: verifyPresV2
responses:
'200':
description: Presentation verification completed
content:
application/json:
schema:
$ref: '#/components/schemas/VerifyPresentation'
examples:
Verified:
value:
verified: true
Invalid:
value:
verified: false
reason: Credential is invalid
'400':
$ref: '#/components/responses/400'
tags:
- JSON credentials verification
description: |-
Verifies a provided verifiable presentation that adheres to the [W3C Verifiable Credential Data Model](https://www.w3.org/TR/vc-data-model/#presentations):
- Ensures the presentation conforms to the VC Data model.
- For each `verifiableCredential` objects:
- Issuer DID can be resolved.
- JSON-LD context is valid for subject claims.
- Proof is valid & the credential has not been tampered with.
- Is not in a `revoked` status on a `RevocationList2020`.
- The proof is valid for each subjectDID to prove ownership.
- Valid proof exists for the presentation `holderDID`.
The request must include a `presentation` object that adheres to the [W3C Verifiable Credential Data Model](https://www.w3.org/TR/vc-data-model/#presentations).
If a `challenge` and/or `domain` is provided they are used for credential verification. Otherwise, the `challenge` and/or `domain` within the presentation proof is used instead.
### **Analytic events**
* PRESENTATION_WEB_SEMANTIC_VERIFY_START
* PRESENTATION_WEB_SEMANTIC_VERIFY_SUCCESS
* PRESENTATION_WEB_SEMANTIC_VERIFY_FAIL
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/VerifiablePresentation'
description: Presentation to verify
parameters: []
/v2/credentials/web-semantic/configurations:
post:
operationId: createWebSemanticCredentialConfiguration
tags:
- JSON credentials configuration
summary: Create a JSON credentials configuration
x-roles:
- admin
- issuer
description: |
Creates a new JSON credentials configuration, a specific set of rules and parameters that are used to create and validate a particular type of verifiable credential. These rules and parameters define how the credential is structured and what data it contains when issued.
### **Analytic events**
* CREDENTIAL_WEB_SEMANTIC_CREDENTIAL_CONFIGURATION_CREATE_START
* CREDENTIAL_WEB_SEMANTIC_CREDENTIAL_CONFIGURATION_CREATE_SUCCESS
* CREDENTIAL_WEB_SEMANTIC_CREDENTIAL_CONFIGURATION_CREATE_FAIL
requestBody:
description: The credential configuration payload
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/web-semantic-credential-configurations.v2_components-schemas-CredentialConfigurationRequest'
responses:
'201':
description: JSON credentials configuration created
content:
application/json:
schema:
$ref: '#/components/schemas/web-semantic-credential-configurations.v2_components-schemas-CredentialConfigurationResponse'
'400':
$ref: '#/components/responses/400'
get:
operationId: getWebSemanticCredentialConfigurations
tags:
- JSON credentials configuration
summary: Retrieve all JSON credentials configurations
x-roles:
- admin
- issuer
- managed-issuer
description: |
Returns a list of all JSON credential configurations on your tenant.
### **Analytic events**
* CREDENTIAL_WEB_SEMANTIC_CREDENTIAL_CONFIGURATION_RETRIEVE_LIST_START
* CREDENTIAL_WEB_SEMANTIC_CREDENTIAL_CONFIGURATION_RETRIEVE_LIST_SUCCESS
* CREDENTIAL_WEB_SEMANTIC_CREDENTIAL_CONFIGURATION_RETRIEVE_LIST_FAIL
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
- schema:
type: string
example: AlumniCredential
in: query
name: type
description: The optional credential type to filter on
responses:
'200':
description: JSON credentials configurations retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/web-semantic-credential-configurations.v2_components-schemas-GetCredentialConfigurationsResponse'
'400':
$ref: '#/components/responses/400'
parameters: []
/v2/credentials/web-semantic/configurations/{id}:
parameters:
- name: id
in: path
description: JSON credentials configuration unique identifier
schema:
type: string
format: uuid
example: 3948c40e-6e19-4ffc-933c-91f643f24264
required: true
get:
operationId: getWebSemanticCredentialConfiguration
tags:
- JSON credentials configuration
summary: Retrieve a JSON credentials configuration
x-roles:
- admin
- issuer
- managed-issuer
description: |-
Retrieve a JSON credentials configuration by providing its ID.
### **Analytic events**
* CREDENTIAL_WEB_SEMANTIC_CREDENTIAL_CONFIGURATION_RETRIEVE_START
* CREDENTIAL_WEB_SEMANTIC_CREDENTIAL_CONFIGURATION_RETRIEVE_SUCCESS
* CREDENTIAL_WEB_SEMANTIC_CREDENTIAL_CONFIGURATION_RETRIEVE_FAIL
responses:
'200':
description: JSON credentials configuration retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/web-semantic-credential-configurations.v2_components-schemas-CredentialConfigurationResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
put:
operationId: updateWebSemanticCredentialConfiguration
tags:
- JSON credentials configuration
summary: Update a JSON credentials configuration
x-roles:
- admin
- issuer
description: |
Updates an existing JSON credentials configuration by providing its ID.
### **Analytic events**
* CREDENTIAL_WEB_SEMANTIC_CREDENTIAL_CONFIGURATION_UPDATE_START
* CREDENTIAL_WEB_SEMANTIC_CREDENTIAL_CONFIGURATION_UPDATE_SUCCESS
* CREDENTIAL_WEB_SEMANTIC_CREDENTIAL_CONFIGURATION_UPDATE_FAIL
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/web-semantic-credential-configurations.v2_components-schemas-CredentialConfigurationRequest'
description: Update a credential configuration
responses:
'200':
description: JSON credentials configuration updated
content:
application/json:
schema:
$ref: '#/components/schemas/web-semantic-credential-configurations.v2_components-schemas-CredentialConfigurationResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
delete:
operationId: deleteWebSemanticCredentialConfiguration
tags:
- JSON credentials configuration
summary: Delete a JSON credentials configuration
x-roles:
- admin
- issuer
description: |
Deletes an existing JSON credentials configuration by providing its ID.
### **Analytic events**
* CREDENTIAL_WEB_SEMANTIC_CREDENTIAL_CONFIGURATION_DELETE_START
* CREDENTIAL_WEB_SEMANTIC_CREDENTIAL_CONFIGURATION_DELETE_SUCCESS
* CREDENTIAL_WEB_SEMANTIC_CREDENTIAL_CONFIGURATION_DELETE_FAIL
responses:
'204':
description: JSON credentials configuration deleted
'400':
$ref: '#/components/responses/400'
'404':
description: The credential configuration is not found
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
examples:
Credential configuration not found:
value:
code: NotFound
message: Validation Error
details:
- location: params
msg: Resource Not Found
param: id
value: 638c5634-fb06-403a-bb00-ddb867ea9063
/v1/oauth/authorize:
get:
operationId: getOauthAuthorize
tags:
- Credential issuance
summary: Request authorization for access to resources
description: |
This endpoint is used to request authorization from the user for access to the requested resources. After the user approves the request, an authorization code is returned to the client.
See [https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-authorization-endpoint](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-authorization-endpoint)
See [https://www.rfc-editor.org/rfc/rfc6749.html#section-3.1](https://www.rfc-editor.org/rfc/rfc6749.html#section-3.1)
### **Analytic events**
* OPENID_AUTHORIZE_START
* OPENID_AUTHORIZE_SUCCESS
* OPENID_AUTHORIZE_FAIL
security: []
parameters:
- name: response_type
in: query
description: The response type, which must be 'code'.
required: true
schema:
type: string
enum:
- code
- name: client_id
in: query
description: The client identifier.
required: true
schema:
type: string
- name: redirect_uri
in: query
description: The URI to which the authorization server will redirect the user-agent with the authorization code.
required: true
schema:
type: string
- name: scope
in: query
description: The scope of the access request.
required: true
schema:
type: string
- name: state
in: query
description: An opaque value used by the client to maintain state between the request and callback.
schema:
type: string
- name: code_challenge_method
in: query
description: The method used to derive the code_challenge, which must be 'S256'.
required: true
schema:
type: string
enum:
- S256
- name: code_challenge
in: query
description: A high entropy random challenge generated by the client.
required: true
schema:
type: string
responses:
'302':
description: Redirection to client application with authorization code
headers:
Location:
description: URL to redirect to with the authorization code
schema:
type: string
'400':
$ref: '#/components/responses/400'
'401':
$ref: '#/components/responses/401'
'403':
$ref: '#/components/responses/403'
'500':
$ref: '#/components/responses/500'
/v1/oauth/token:
post:
operationId: postOauthToken
tags:
- Credential issuance
summary: Exchange authorization code for access token
description: |
This endpoint is used to exchange an authorization code or a pre-authorized code for an access token, which is later used to request a credential.
- In an Authorization Code flow the authorization code is obtained from the authorization endpoint after the user has successfully authenticated.
- In a Pre-authorized Code flow the pre-authorized code is obtained from the offer URI.
See [https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-token-endpoint](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-token-endpoint) for more information.
### **Analytic events**
* OPENID_TOKEN_START
* OPENID_TOKEN_SUCCESS
* OPENID_TOKEN_FAIL
security: []
parameters:
- $ref: '#/components/parameters/DPoP'
- $ref: '#/components/parameters/OAuthClientAttestationPoP'
- name: OAuth-Client-Attestation
in: header
required: false
description: |
JWT generated by the Client Attester (Backend) attesting to a validated Client Instance and bound to a key managed by the Client Instance, ensuring proof of possession.
> Client Attestation support is currently offered as a **tech preview**. As such, functionality may be limited, may not work in all scenarios, and could change or break without prior notice.
**When to use:**
- When client attestation is configured for this client_id
**Header:**
- `alg`: Must be `ES256`
- `typ`: Must be `oauth-client-attestation+jwt`
- `x5c`: Must be an array of base64 encoded X509 End-Entity certificates bound to the configured client attestation root certificate.
**Payload:**
- `sub`: OAuth client_id matching the request
- `client_instance_id`: Optional identifier to represent the client/app instance.
- `iat`: Unix timestamp when the token was created
- `exp`: Unix timestamp when the token will expire
- `cnf.jwk`: JWK public key from the client instance that the authorization server uses to verify the signature of subsequent DPoP or PoP proofs.
schema:
type: string
example: eyJhbGciOiJFUzI1NiIsInR5cCI6Im9hdXRoLWNsaWVudC1hdHRlc3RhdGlvbi1wb3Arand0In0.eyJhdWQiOiJodHRwczovL3lvdXItdGVuYW50LnJlZ2lvbi5tYXR0ci5nbG9iYWwiLCJqdGkiOiI2ZmU2ZWMwMi00NGRlLTQ0OTktYWFiYy1iNzZiNzRiMzJjZjciLCJpYXQiOjE3NzA4Njc1ODh9.NBMLwAa65ICxE_nwsZoJeuyFmCFWV-1s7anheUC-qTtL4ZdOE5sfzS1_v_GourNUTTdtszIJTfhYYnRhwB7t6A
requestBody:
content:
application/x-www-form-urlencoded:
schema:
oneOf:
- type: object
title: Authorization Code flow
properties:
client_id:
type: string
description: The client identifier.
grant_type:
type: string
description: The grant type, which must be 'authorization_code'.
enum:
- authorization_code
redirect_uri:
type: string
description: The redirect URI that was used in the authorization request.
code:
type: string
description: The authorization code obtained from the authorization endpoint.
code_verifier:
type: string
description: SHA256 hash of the `code_challenge` in the authorization request.
required:
- client_id
- grant_type
- redirect_uri
- code
- code_verifier
- type: object
title: Pre-authorized Code flow
properties:
client_id:
type: string
description: The client identifier.
grant_type:
type: string
description: The grant type, which must be 'urn:ietf:params:oauth:grant-type:pre-authorized_code'.
enum:
- urn:ietf:params:oauth:grant-type:pre-authorized_code
pre-authorized_code:
type: string
description: The pre-authorized code obtained from the pre-authorized offer URI
tx_code:
type: string
description: The transaction code obtained from the pre-authorized offer URI.
required:
- client_id
- grant_type
- pre-authorized_code
responses:
'200':
description: Access token successfully returned.
content:
application/json:
schema:
oneOf:
- type: object
title: Opaque Access Token
properties:
access_token:
type: string
description: The access token issued by the authorization server.
example: KrrFP8GUeddJJtj7EF-4ugdvCl-dDdWwOqvAbvYsmfy
token_type:
type: string
description: The type of the token, which is always 'Bearer'.
enum:
- Bearer
expires_in:
type: integer
description: The number of seconds until the token expires.
example: 900
scope:
type: string
description: The scope of the access token.
example: mso_mdoc:org.iso.18013.5.1.mDL
required:
- access_token
- token_type
- expires_in
- scope
'400':
$ref: '#/components/responses/400'
'401':
$ref: '#/components/responses/401'
'403':
$ref: '#/components/responses/403'
'500':
$ref: '#/components/responses/500'
/v1/openid/credential:
post:
operationId: postOpenIdCredential
summary: Issue a verifiable credential
tags:
- Credential issuance
description: |-
Issues a credential to a holder upon presentation of a valid access token, as per [OpenID4VCI](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-credential-endpoint).
Supports [encrypted](/docs/issuance/credential-issuance/e2e-encryption) and non-encrypted credential issuance.
Encrypted credential issuance is currently in technical preview and must be enabled on a per-tenant basis. If you would like to enable this feature for your tenant, please [contact us](mailto:dev-support@mattr.global).
For non-encrypted credential issuance the valid access token must be provided in one of the following header formats:
**Bearer**
- Authorization: `Bearer `.
- Content-Type: `application/json`
- Body: ``
OR
**DPoP**
Only required when using DPoP-bound access tokens.
- Authorization: `DPoP `.
- DPoP: ``
- Content-Type: `application/json`
- Body: ``
For encrypted credential issuance, [contact us](mailto:dev-support@mattr.global) to configure how your MATTR VII enforces request and/or response encryption, and then:
- For **request** encryption, `Content-Type` must be set to `application/jwt` and the payload must be JWE formatted.
- For **response** encryption, include the [`credential_response_encryption`](/docs/issuance/credential-issuance/e2e-encryption#encryption-key-provisioning) property in the raw request payload to specify encryption details.
### **Analytic events**
* OPENID_CREDENTIAL_START
* OPENID_CREDENTIAL_SUCCESS
* OPENID_CREDENTIAL_FAIL
security:
- bearerAuthOpenIdCredentials: []
- dpopAuthOpenIdCredentials: []
parameters:
- $ref: '#/components/parameters/DPoP'
requestBody:
content:
application/json:
schema:
description: Credential request payload for unencrypted credential requests
oneOf:
- $ref: '#/components/schemas/ldpvcIssueCredentialRequest'
- $ref: '#/components/schemas/cwtIssueCredentialRequest'
- $ref: '#/components/schemas/cwtvcIssueCredentialRequest'
- $ref: '#/components/schemas/msomdocIssueCredentialRequest'
- $ref: '#/components/schemas/deprecatedLdpvcIssueCredentialRequest'
- $ref: '#/components/schemas/deprecatedCwtIssueCredentialRequest'
- $ref: '#/components/schemas/deprecatedCwtvcIssueCredentialRequest'
- $ref: '#/components/schemas/deprecatedMsomdocIssueCredentialRequest'
examples:
web-semantic:
summary: Request to issue a JSON credential
value:
credential_configuration_id: 2cdb2c15-39a7-4556-abab-4515ce2d831b
proofs:
jwt:
- eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...
compact-semantic:
summary: Request to issue a Semantic CWT credential
value:
credential_configuration_id: 2cdb2c15-39a7-4556-abab-4515ce2d831b
compact:
summary: Request to issue a CWT credential
value:
credential_configuration_id: 2cdb2c15-39a7-4556-abab-4515ce2d831b
mobile-credential:
summary: Request to issue an mDocs credential
value:
credential_configuration_id: 2cdb2c15-39a7-4556-abab-4515ce2d831b
proofs:
jwt:
- eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...
web-semantic-deprecated:
summary: Request to issue a JSON credential (deprecated)
value:
format: ldp_vc
credential_definition:
type:
- VerifiableCredential
- AlumniCredential
'@context':
- https://www.w3.org/2018/credentials/v1
proof:
proof_type: jwt
jwt: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...
compact-semantic-deprecated:
summary: Request to issue a Semantic CWT credential (deprecated)
value:
format: cwt_vc
types:
- VerifiableCredential
- AlumniCredential
compact-deprecated:
summary: Request to issue a CWT credential (deprecated)
value:
format: cwt
type: AlumniCredential
mobile-credential-deprecated:
summary: Request to issue an mDocs credential (deprecated)
value:
format: mso_mdoc
doctype: org.iso.18013.5.1.mDL
proof:
proof_type: jwt
jwt: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...
application/jwt:
schema:
type: string
description: JSON Web Encryption (JWE) formatted credential request payload for encrypted credential requests
examples:
mobile-credential:
summary: Request to issue an mDocs credential with encryption
value: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...
responses:
'200':
description: Credential issued
content:
application/json:
schema:
oneOf:
- $ref: '#/components/schemas/ldpvcSupportedCredentialResponse'
- $ref: '#/components/schemas/msomdocIssueCredentialResponse'
- $ref: '#/components/schemas/cwtvcIssueCredentialResponse'
- $ref: '#/components/schemas/cwtIssueCredentialResponse'
- $ref: '#/components/schemas/deprecatedLdpvcSupportedCredentialResponse'
- $ref: '#/components/schemas/deprecatedMsomdocIssueCredentialResponse'
- $ref: '#/components/schemas/deprecatedCwtvcIssueCredentialResponse'
- $ref: '#/components/schemas/deprecatedCwtIssueCredentialResponse'
examples:
web-semantic:
summary: Response to issue a JSON credential
value:
credentials:
- credential:
'@context':
- https://www.w3.org/2018/credentials/v1
id: http://example.edu/credentials/3732
type:
- VerifiableCredential
- AlumniCredential
issuer: https://example.edu/issuers/14
issuanceDate: '2020-03-10T04:24:12.164Z'
credentialSubject:
id: did:example:123
alumniOf: Example University
proof:
type: RsaSignature2018
created: '2020-03-10T04:24:12Z'
proofPurpose: assertionMethod
verificationMethod: https://example.edu/issuers/keys/1
jws: EXAMPLE_JWS_TOKEN_eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9aH0...
compact-semantic:
summary: Response to issue a Semantic CWT credential
value:
credentials:
- credential: h4sIAAAAAAAAE+3BMQEAAAgDoJvcK3+gAAAAAAAAAAAAAAAAAAAAAAA
pdf: JVBERi0xLjQKJcfs... (optional)
compact:
summary: Response to issue a CWT credential
value:
credentials:
- credential: h4sIAAAAAAAAE+3BMQEAAAgDoJvcK3+gAAAAAAAAAAAAAAAAAAAAAAA
pdf: JVBERi0xLjQKJcfs... (optional)
mobile-credential:
summary: Response to issue an mDocs credential
value:
credentials:
- credential: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...
web-semantic-deprecated:
summary: Response to issue a JSON credential (deprecated)
value:
credential:
'@context':
- https://www.w3.org/2018/credentials/v1
id: http://example.edu/credentials/3732
type:
- VerifiableCredential
- AlumniCredential
issuer: https://example.edu/issuers/14
issuanceDate: '2020-03-10T04:24:12.164Z'
credentialSubject:
id: did:example:123
alumniOf: Example University
proof:
type: RsaSignature2018
created: '2020-03-10T04:24:12Z'
proofPurpose: assertionMethod
verificationMethod: https://example.edu/issuers/keys/1
jws: EXAMPLE_JWS_TOKEN_eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9aH0...
format: ldp_vc
compact-semantic-deprecated:
summary: Response to issue a Semantic CWT credential (deprecated)
value:
credential: h4sIAAAAAAAAE+3BMQEAAAgDoJvcK3+gAAAAAAAAAAAAAAAAAAAAAAA
format: cwt_vc
pdf: JVBERi0xLjQKJcfs... (optional)
compact-deprecated:
summary: Response to issue a CWT credential (deprecated)
value:
credential: h4sIAAAAAAAAE+3BMQEAAAgDoJvcK3+gAAAAAAAAAAAAAAAAAAAAAAA
format: cwt
pdf: JVBERi0xLjQKJcfs... (optional)
mobile-credential-deprecated:
summary: Response to issue an mDocs credential (deprecated)
value:
credential: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...
format: mso_mdoc
application/jwt:
schema:
type: string
description: JSON Web Encryption (JWE) formatted issued credential
examples:
mobile-credential:
summary: Issued mDocs credential with encryption
value: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9...
/v1/openid/offers:
post:
operationId: postOpenIdOffers
tags:
- Credential offers
summary: Create an Authorization Code credential offer
x-roles:
- admin
- issuer
- managed-issuer
description: |-
Returns an OpenID4VCI credential offer URI.
See [https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-10.1](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-10.1)
### **Analytic events**
* OPENID_OFFER_CREATE_START
* OPENID_OFFER_CREATE_SUCCESS
* OPENID_OFFER_CREATE_FAIL
security:
- bearerAuthOpenIdCredentials: []
requestBody:
content:
application/json:
schema:
type: object
required:
- credentials
properties:
credentials:
type: array
items:
type: string
description: This array includes a list of identifiers for credential configurations that will be included in the credential offer. These identifiers are the `id` elements returned in the response when you create a credential configuration. To issue multiple credential formats of the same credential in a single flow, include all the required credential configuration id elements in the request payload.
example:
- 707e920a-f342-443b-ae24-6946b7b5033e
request_parameters:
type: object
description: Specifies a list of additional request parameters that the wallet can include in the authentication request.
properties:
login_hint:
type: string
description: Login hints are included in the authentication flow the holder is redirected to after accepting the credential offer. For example, you can include the user's e-mail so that it is already populated in the login screen.
example: user@example.com
prompt:
type: string
description: "Prompts are sent to the authentication provider to control the authentication flow. For example, using\_`login`\_would always require the user to authenticate, even if they had already completed login on the same device."
example: login
responses:
'200':
description: Credential offer URI created
content:
application/json:
schema:
type: object
required:
- uri
properties:
uri:
type: string
description: Generated URI that can be sent to a user's digital wallet via a message, a QR code or a deep link. When a multi-format credential offer is created, the generated URI offer is used to issue all the credential formats in a single workflow.
example: openid-credential-offer://?credential_offer=%7B%22credential_issuer%22%3A%22https%3A%2F%2Fmyissuer.example.com%22%2C%22credentials%22%3A%5B%22707e920a-f342-443b-ae24-6946b7b5033e%22%5D%2C%22credential_configuration_ids%22%3A%5B%22707e920a-f342-443b-ae24-6946b7b5033e%22%5D%2C%22request_parameters%22%3A%7B%22login_hint%22%3A%22user%40example.com%22%2C%22prompt%22%3A%22login%22%7D%7D
/.well-known/openid-credential-issuer:
get:
responses:
'200':
description: OpenID4VCI credential issuer metadata retrieved
content:
application/json:
schema:
type: object
properties:
issuer:
type: string
format: uri
authorization_endpoint:
type: string
format: uri
jwks_uri:
type: string
format: uri
token_endpoint:
type: string
format: uri
scopes_supported:
type: array
items:
type: string
example:
- ldp_vc:ExampleCredential
response_types_supported:
type: array
items:
type: string
example:
- code
response_modes_supported:
type: array
items:
type: string
example:
- query
grant_types_supported:
type: array
items:
type: string
example:
- authorization_code
code_challenge_methods_supported:
type: array
items:
type: string
example:
- S256
credential_issuer:
type: string
format: uri
credential_endpoint:
type: string
format: uri
credentials_supported:
deprecated: true
description: |-
This field is deprecated and maintained only for backward compatibility.
Use `credential_configurations_supported` instead to discover supported credentials.
type: array
items:
type: object
oneOf:
- $ref: '#/components/schemas/ldpvcSupportedCredential'
- $ref: '#/components/schemas/cwtvcSupportedCredential'
- $ref: '#/components/schemas/cwtSupportedCredential'
- $ref: '#/components/schemas/msomdocSupportedCredential'
credential_configurations_supported:
type: object
description: Supported credential configurations.
additionalProperties:
oneOf:
- $ref: '#/components/schemas/ldpvcCredentialConfigurationSupported'
- $ref: '#/components/schemas/cwtvcCredentialConfigurationSupported'
- $ref: '#/components/schemas/cwtCredentialConfigurationSupported'
- $ref: '#/components/schemas/msomdocCredentialConfigurationSupported'
example:
2cdb2c15-39a7-4556-abab-4515ce2d831b:
format: ldp_vc
id: 2cdb2c15-39a7-4556-abab-4515ce2d831b
scope: ldp_vc:TestCredential
credential_definition:
'@context':
- https://www.w3.org/2018/credentials/v1
- https://schema.org
type:
- VerifiableCredential
- TestCredential
credential_signing_alg_values_supported:
- Ed25519Signature2018
- BbsSignatureProof2022
cryptographic_binding_methods_supported:
- did:key
proof_types_supported:
jwt:
proof_signing_alg_values_supported:
- EdDSA
credential_metadata:
display:
- name: Test Credential
logo:
uri: https://example.com/logo.png
alt_text: Example Logo
locale: en-US
background_color: '#FFFFFF'
text_color: '#000000'
claims:
- path:
- credentialSubject
- firstName
mandatory: true
display:
- name: First Name
locale: en-US
3dfe1c4a-5b6c-4e2f-9f3a-2b1c4d5e6f7g:
format: cwt_vc
id: 3dfe1c4a-5b6c-4e2f-9f3a-2b1c4d5e6f7g
scope: cwt_vc:TestCredential
types:
- VerifiableCredential
- TestCredential
cryptographic_binding_methods_supported: []
credential_signing_alg_values_supported:
- -7
credential_metadata:
claims:
- path:
- vc
- credentialSubject
- firstName
mandatory: true
display:
- name: First Name
locale: en-US
b068c060-cc72-4758-9526-92d29edb821f:
format: cwt
id: b068c060-cc72-4758-9526-92d29edb821f
scope: cwt:TestCredential
type: TestCredential
cryptographic_binding_methods_supported: []
credential_signing_alg_values_supported:
- -7
credential_metadata:
claims:
- path:
- firstName
mandatory: true
display:
- name: First Name
locale: en-US
a1b2c3d4-e5f6-4789-abcd-ef0123456789:
format: mso_mdoc
doctype: org.iso.18013.5.1.mDL.T
scope: mso_mdoc:TestCredential
id: a1b2c3d4-e5f6-4789-abcd-ef0123456789
cryptographic_binding_methods_supported:
- mso
credential_signing_alg_values_supported:
- -7
proof_types_supported:
jwt:
proof_signing_alg_values_supported:
- ES256
credential_metadata:
claims:
- path:
- org.iso.18013.5.1
- firstName
mandatory: true
display:
- name: First Name
locale: en-US
display:
- name: Test Mobile Credential
logo:
uri: https://example.com/logo.png
alt_text: Example Logo
locale: en-US
background_color: '#FFFFFF'
text_color: '#000000'
mdoc_iacas_uri:
type: string
format: uri
credential_response_encryption:
type: object
description: |-
Declares the issuer's ability to encrypt credential responses.
When configured, MATTR VII can encrypt credential responses to specific wallet instances using encryption keys provided by the wallet application.
This provides end-to-end encryption ensuring that credential data remains confidential and unreadable to intermediary backend servers.
properties:
alg_values_supported:
type: array
items:
type: string
description: |-
Supported HPKE algorithms for credential response encryption.
Currently supports HPKE-7, which uses DHKEM (P-256, HKDF-SHA256) KEM, HKDF-SHA256 KDF, and AES-256-GCM AEAD.
example:
- HPKE-7
enc_values_supported:
type: array
items:
type: string
description: Supported encryption methods. Must be A256GCM for HPKE-7.
example:
- A256GCM
encryption_required:
type: boolean
description: |-
Always set to `false`. Encryption requirements are enforced through the per-client policies configured for each wallet application, which override this default value where applicable.
Wallet applications provide encryption details in the credential request through the `credential_response_encryption` parameter.
example: false
credential_request_encryption:
type: object
description: |-
Declares the issuer's ability to receive and decrypt credential requests.
When configured, wallet applications can encrypt credential requests to ensure sensitive information in the request is protected in transit.
MATTR VII will decrypt the request as part of the issuance flow and enforce the configured encryption policies.
properties:
jwks:
type: object
description: JSON Web Key Set containing the issuer's public encryption keys.
properties:
keys:
type: array
description: Array of public keys for encrypting credential requests to this issuer.
items:
type: object
properties:
kty:
type: string
description: Key type. Must be EC for HPKE-7.
example: EC
kid:
type: string
description: Key identifier for the encryption key.
example: kid
use:
type: string
description: Public key use. Must be "enc" for encryption.
example: enc
crv:
type: string
description: Elliptic curve. Must be P-256 for HPKE-7.
example: P-256
alg:
type: string
description: Algorithm. Currently supports HPKE-7 (JWE Integrated Encryption with HPKE using DHKEM (P-256, HKDF-SHA256) KEM, HKDF-SHA256 KDF, and AES-256-GCM AEAD).
example: HPKE-7
x:
type: string
description: X coordinate for the EC public key (base64url encoded).
example: YO4epjifD-KWeq1sL2tNmm36BhXnkJ0He-WqMYrp9Fk
'y':
type: string
description: Y coordinate for the EC public key (base64url encoded).
example: Hekpm0zfK7C-YccH5iBjcIXgf6YdUvNUac_0At55Okk
enc_values_supported:
type: array
items:
type: string
description: Supported encryption methods. Must be A256GCM for HPKE-7.
example:
- A256GCM
encryption_required:
type: boolean
description: |-
Always set to `false`. Encryption requirements are enforced through the per-client policies configured for each wallet application, which override this default value where applicable.
When a wallet's policy requires encryption, MATTR VII will reject unencrypted requests from that wallet.
example: false
description: |-
Returns OpenID4VCI issuer metadata. This is the standard OpenID4VCI Well Known endpoint for your tenant.
This endpoint is unprotected, public facing and can be deterministically found at the root of the tenant subdomain or alias by any party wishing to discover the OpenID4VCI capabilities.
operationId: wellKnownOidcConfig
security: []
summary: Retrieve OpenID4VCI issuer metadata
tags:
- Issuer metadata
x-codeSamples:
- lang: curl
source: |
curl --request GET \
--url https://{tenantName}.{region}.mattr.global/.well-known/openid-credential-issuer \
--header 'Accept: application/json'
/.well-known/oauth-authorization-server:
get:
responses:
'200':
description: OAuth authorization server metadata
content:
application/json:
schema:
type: object
properties:
issuer:
type: string
format: uri
description: The authorization server's issuer identifier.
authorization_endpoint:
type: string
format: uri
description: Authorization endpoint URL.
token_endpoint:
type: string
format: uri
description: Token endpoint URL.
jwks_uri:
type: string
format: uri
description: JSON Web Key Set document URL.
scopes_supported:
type: array
items:
type: string
example:
- ldp_vc:ExampleCredential
- ldp_vc:CourseCredential
- cwt:CourseCredential
- cwt_vc:CourseCredential
- mso_mdoc:org.iso.18013.5.1.mDL
description: Scopes supported by the authorization server.
response_types_supported:
type: array
items:
type: string
example:
- code
description: Response types supported by the authorization server.
response_modes_supported:
type: array
items:
type: string
example:
- query
- fragment
description: Response modes supported by the authorization server.
grant_types_supported:
type: array
items:
type: string
example:
- authorization_code
description: Grant types supported by the authorization server.
token_endpoint_auth_methods_supported:
type: array
items:
type: string
example:
- client_secret_basic
- none
description: Authentication methods supported by the token endpoint.
code_challenge_methods_supported:
type: array
items:
type: string
example:
- S256
description: Code challenge methods supported by the authorization server.
dpop_signing_alg_values_supported:
description: Supported DPoP signing algorithms.
type: array
items:
type: string
example:
- ES256
pre-authorized_grant_anonymous_access_supported:
type: boolean
description: Indicates whether the authorization server supports anonymous access for pre-authorized grants (`true`) or not (`false`).
status_list_aggregation_endpoint:
type: string
format: uri
description: URL of the status list credential aggregation endpoint, if supported by the authorization server.
description: |-
Returns the OAuth 2.0 Authorization Server Metadata for your tenant.
This is the standard OAuth 2.0 Well-Known endpoint, providing public metadata that describes the tenant’s OAuth 2.0 configuration and capabilities.
https://www.rfc-editor.org/rfc/rfc8414.html
operationId: wellKnownOauthAuthorizationServer
security: []
summary: Retrieve authorization server metadata
tags:
- Issuer metadata
/v1/openid/offers/pre-authorized:
post:
operationId: postOpenIdPreAuthorizedOffers
tags:
- Credential offers
summary: Create a Pre-Authorized Code credential offer
x-roles:
- admin
- issuer
- managed-issuer
description: |-
Generate a new [OpenID4VCI Pre-Authorized Code](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-4.1) credential offer.
The Pre-authorized Code flow is only supported for the mDocs credential format.
### **Analytic events**
* OPENID_PRE_AUTHORIZED_OFFER_CREATE_START
* OPENID_PRE_AUTHORIZED_OFFER_CREATE_SUCCESS
* OPENID_PRE_AUTHORIZED_OFFER_CREATE_FAIL
security:
- bearerAuthOpenIdCredentials: []
requestBody:
content:
application/json:
schema:
type: object
required:
- credentials
properties:
credentials:
type: array
items:
type: string
description: This array includes a list of identifiers for mDocs credential configurations that will be included in the credential offer. These identifiers are the `id` elements returned in the response when you create a credential configuration. Providing the identifier of a non-mDocs credential configuration will result in an error.
example:
- 707e920a-f342-443b-ae24-6946b7b5033e
userId:
type: string
description: Unique system generated identifier to reference the user for this offer. This can be obtained by [searching for a user](/docs/api-reference/platform/users/searchUsers). If not provided, a new user entity will be created.
transactionCodeConfiguration:
type: object
description: Configure whether a second-factor transaction code is required for this offer. If a configuration is provided, a code will be generated for the offer, and the end user must submit it during credential retrieval. If an incorrect transaction code is entered three times by the holder, the credential offer is permanently invalidated and the wallet can no longer claim the credential.
properties:
inputMode:
type: string
description: A string that specifies the input character set. Only `numeric` (digits only) is supported.
enum:
- numeric
example: numeric
description:
type: string
description: A string providing guidance to the wallet holder on how to obtain the transaction code, such as indicating the communication channel through which it will be delivered. This string is displayed to the wallet holder during the credential retrieval flow.
example: Please enter the one-time code that was sent to you via email.
claims:
type: object
description: Additional user claims that are available during credential issuance for this offer.
example:
givenName: John
familyName: Doe
email: john.doe@example.com
claimsToPersist:
type: array
description: This array includes a list of claims that will be persisted against the [user object](/docs/issuance/users/overview) in the MATTR VII database. These claims are then available for any future credential offers or issuance operations for this user. By default no claims are persisted, and it is recommended to consider carefully which claims to persist, if any, as this has implications for data privacy and security.
items:
type: string
example:
- userId
expiresIn:
type: object
description: Specifies when the offer will expire. Once the offer expires, the user can no longer use it to claim a credential, and a new offer must be generated. The expiration period can include any combination of minutes and seconds. By default, the offer expires in 5 minutes, and the maximum allowed duration is 10 minutes.
properties:
minutes:
type: number
example: 5
seconds:
type: number
responses:
'200':
description: Credential offer created
content:
application/json:
schema:
type: object
required:
- id
- uri
- userId
- expiresAt
properties:
id:
type: string
description: Unique system generated identifier to reference this offer.
userId:
type: string
description: A unique system-generated identifier used to reference the user for this offer.
uri:
type: string
description: Generated offer URI that can be sent to the intended holder embedded in a QR code or deep link.
example: openid-credential-offer://?credential_offer=%7B%22credential_issuer%22%3A%22https%3A%2F%2Fexample.com%22%2C%22credentials%22%3A%5B%222edaf985-fcc2-4448-9c8e-a04c6c7351c2%22%5D%2C%22credential_configuration_ids%22%3A%5B%222edaf985-fcc2-4448-9c8e-a04c6c7351c2%22%5D%2C%22grants%22%3A%7B%22urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Apre-authorized_code%22%3A%7B%22pre-authorized_code%22%3A%22stukD6lg9c9tQ3jUCa32wVi1HI%2BQIVsFK%2FQPvC2CHRs%3D%22%2C%22tx_code%22%3A%7B%22length%22%3A6%2C%22input_mode%22%3A%22numeric%22%2C%22description%22%3A%22Please%20provide%20the%20one-time%20code%20that%20was%20sent%20via%20e-mail%22%7D%7D%7D%7D
expiresAt:
type: number
description: Offer expiry time in ISO-6801 format.
example: '2025-05-01T00:01:00.000Z'
transactionCode:
type: string
description: The system-generated transaction code. This property is only present if the `transactionCodeConfiguration` parameter is provided. The transaction code can be shared with the intended holder through an alternative secure communication channel. The holder must enter this code during the credential retrieval flow to successfully claim the credential. If an incorrect transaction code is entered three times, the offer is permanently invalidated and can no longer be used to claim the credential.
example: 493536
/v1/openid/offers/pre-authorized/{id}:
parameters:
- name: id
in: path
description: Pre-authorized credential offer ID
schema:
type: string
format: uuid
example: 8241400f-de3b-42c5-ad7c-8a380039e796
required: true
delete:
operationId: deleteOpenIdPreAuthorizedOffers
tags:
- Credential offers
summary: Delete a Pre-authorized Code credential offer
x-roles:
- admin
- issuer
- managed-issuer
description: |-
Delete an [OpenID4VCI Pre-authorized Code](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-4.1) credential offer.
### **Analytic events**
* OPENID_PRE_AUTHORIZED_OFFER_DELETE_START
* OPENID_PRE_AUTHORIZED_OFFER_DELETE_SUCCESS
* OPENID_PRE_AUTHORIZED_OFFER_DELETE_FAIL
security:
- bearerAuthOpenIdCredentials: []
responses:
'204':
description: Credential offer deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
/v1/openid/clients/{id}:
parameters:
- name: id
in: path
required: true
description: OpenID OAuth Client unique identifier
schema:
type: string
format: uuid
example: 65e5aeee-1816-11f1-b7be-a79d594cc55e
/v1/claim-sources:
post:
operationId: createClaimSource
tags:
- Claims Source
summary: Configure a claims source
x-roles:
- admin
- issuer
- managed-issuer
description: |
Configures a new claims source for your tenant. When issuing a new credential, MATTR VII will make either a GET or a POST request to the claims source using the configured request parameters and fetch available data. This fetched data can then be included in the issued credential.
### **Analytic event**
* CLAIM_SOURCE_CREATE_START
* CLAIM_SOURCE_CREATE_SUCCESS
* CLAIM_SOURCE_CREATE_FAIL
requestBody:
description: The claim source payload
required: true
content:
application/json:
schema:
allOf:
- $ref: '#/components/schemas/ClaimSourceRequest'
examples:
Authorization with x-api-key header:
value:
name: Claims source accepting a x-api-key header
url: https://example.com/api/data
authorization:
type: api-key
value: 6hrFDATxrG9w14QY9wwnmVhLE0Wg6LIvwOwUaxz761m1J
requestParameters:
account_type:
mapFrom: claims.accountType
defaultValue: account.student
account_id:
mapFrom: claims.accountId
Authorization with OAuth 2.0 client credentials:
value:
name: Claims source accepting an OAuth 2.0 bearer token
url: https://example.com/api/data
authorization:
type: oauth-client-credentials
clientId: afd16fec-8131-4f0c-8f20-1cd5d67f8e29
clientSecret: 1b41186347e4cc716155155cdecbded07536d0f5
tokenEndpoint: https://example.com/oauth/token
tokenEndpointAuthMethod: client_secret_basic
audience: example.claim.source
requestMethod: POST
requestParameters:
account_type:
mapFrom: claims.accountType
defaultValue: account.student
account_id:
mapFrom: claims.accountId
responses:
'201':
description: Claims source configured
content:
application/json:
schema:
$ref: '#/components/schemas/CreateClaimSourceResponse'
examples:
Authorization with x-api-key header:
value:
name: Claims source accepting a x-api-key header
url: https://example.com/api/data
authorization:
type: api-key
value: '****************************************61m1J'
requestParameters:
account_type:
mapFrom: claims.accountType
defaultValue: account.student
account_id:
mapFrom: claims.accountId
Authorization with OAuth 2.0 client credentials:
value:
name: Claims source accepting an OAuth 2.0 bearer token
url: https://example.com/api/data
authorization:
type: oauth-client-credentials
clientId: afd16fec-8131-4f0c-8f20-1cd5d67f8e29
clientSecret: '***********************************6d0f5'
tokenEndpoint: https://example.com/oauth/token
tokenEndpointAuthMethod: client_secret_basic
audience: example.claim.source
requestMethod: POST
requestParameters:
account_type:
mapFrom: claims.accountType
defaultValue: account.student
account_id:
mapFrom: claims.accountId
'400':
description: Bad Request
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
examples:
Bad Request:
value:
code: BadRequest
message: Validation Error
details:
- location: body
msg: Invalid value
param: url
get:
operationId: getClaimSources
tags:
- Claims Source
summary: Retrieve all claims sources
x-roles:
- admin
- issuer
- managed-issuer
description: |
Returns a list of all claims sources configured on your tenant.
### **Analytic event**
* CLAIM_SOURCE_RETRIEVE_LIST_START
* CLAIM_SOURCE_RETRIEVE_LIST_SUCCESS
* CLAIM_SOURCE_RETRIEVE_LIST_FAIL
parameters:
- schema:
type: number
example: 2
maximum: 1000
minimum: 1
in: query
name: limit
description: Range size of returned entries, default 100
- schema:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1h
in: query
name: cursor
description: Starting point for the range of entries
responses:
'200':
description: Claims sources retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/GetClaimSourcesResponse'
'400':
description: Bad Request
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
examples:
Bad Request:
value:
code: BadRequest
message: Validation Error
details:
- location: query
msg: Invalid value
param: cursor
value: abc
parameters: []
/v1/claim-sources/{id}:
parameters:
- name: id
in: path
description: Claims source ID
schema:
type: string
format: uuid
example: 41458e5a-9092-40b7-9a26-d4eb43c5792f
required: true
get:
operationId: getClaimSource
tags:
- Claims Source
summary: Retrieve a claims source
x-roles:
- admin
- issuer
- managed-issuer
description: |
Retrieves an existing claims source by providing its `claimSourceID`.
### **Analytic event**
* CLAIM_SOURCE_RETRIEVE_START
* CLAIM_SOURCE_RETRIEVE_SUCCESS
* CLAIM_SOURCE_RETRIEVE_FAIL
responses:
'200':
description: Claims source retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/CreateClaimSourceResponse'
'400':
description: Bad Request
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
examples:
Bad Request:
value:
code: BadRequest
message: Validation Error
details:
- location: params
msg: Invalid value
param: claimSourceId
value: abc
'404':
description: Claims source not found
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
examples:
Claim Source not found:
value:
code: NotFound
message: Validation Error
details:
- location: params
msg: Resource Not Found
param: claimSourceId
value: a368cfb4-9537-4439-acc6-ce3cf2287eb7
put:
operationId: updateClaimSource
tags:
- Claims Source
summary: Update a claims source
x-roles:
- admin
- issuer
- managed-issuer
description: |
Updates an existing claim source by providing its `claimSourceID`.
### **Analytic event**
* CLAIM_SOURCE_UPDATE_START
* CLAIM_SOURCE_UPDATE_SUCCESS
* CLAIM_SOURCE_UPDATE_FAIL
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/UpdateClaimSourcesRequest'
description: The updated claims source payload
responses:
'200':
description: Claims source updated
content:
application/json:
schema:
$ref: '#/components/schemas/CreateClaimSourceResponse'
'400':
description: Bad Request
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
examples:
Bad Request:
value:
code: BadRequest
message: Validation Error
details:
- location: body
msg: Invalid value
param: url
'404':
description: Claims source not found
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
examples:
Claim Source not found:
value:
code: NotFound
message: Validation Error
details:
- location: params
msg: Resource Not Found
param: claimSourceId
value: a368cfb4-9537-4439-acc6-ce3cf2287eb7
delete:
operationId: deleteClaimSource
tags:
- Claims Source
summary: Delete a claims source
x-roles:
- admin
- issuer
- managed-issuer
description: |
Deletes an existing claims source by providing its `claimSourceID`.
### **Analytic event**
* CLAIM_SOURCE_DELETE_START
* CLAIM_SOURCE_DELETE_SUCCESS
* CLAIM_SOURCE_DELETE_FAIL
responses:
'204':
description: Claims source deleted
'400':
description: Bad Request
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
examples:
Bad Request:
value:
code: BadRequest
message: Validation Error
details:
- location: params
msg: Invalid value
param: claimSourceId
value: abc
'404':
description: Claims source not found
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
examples:
Claim Source not found:
value:
code: NotFound
message: Validation Error
details:
- location: params
msg: Resource Not Found
param: claimSourceId
value: a368cfb4-9537-4439-acc6-ce3cf2287eb7
/v1/messaging/inboxes:
post:
tags:
- Inboxes
summary: Create an inbox
x-roles:
- admin
- issuer
- managed-issuer
description: |-
Creates an inbox that can register DIDs and then hold messages sent to those DIDs service points.
### **Analytic events**
* MESSAGING_INBOX_CREATE_START
* MESSAGING_INBOX_CREATE_SUCCESS
* MESSAGING_INBOX_CREATE_FAIL
requestBody:
description: Inbox configuration
required: true
content:
application/json:
schema:
type: object
properties:
name:
type: string
description: Inbox name.
minLength: 1
example: My_Inbox
required:
- name
operationId: createInbox
responses:
'201':
description: Inbox created
content:
application/json:
schema:
$ref: '#/components/schemas/MessagingInbox'
'400':
$ref: '#/components/responses/400'
get:
tags:
- Inboxes
summary: List inboxes
x-roles:
- admin
- issuer
- managed-issuer
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
description: |
Returns a list of all inboxes on the tenant.
### **Analytic events**
* MESSAGING_INBOX_RETRIEVE_LIST_START
* MESSAGING_INBOX_RETRIEVE_LIST_SUCCESS
* MESSAGING_INBOX_RETRIEVE_LIST_FAIL
operationId: getInboxes
responses:
'200':
description: A list of inboxes
content:
application/json:
schema:
type: object
properties:
data:
type: array
minItems: 2
items:
$ref: '#/components/schemas/MessagingInbox'
nextCursor:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1hNjZmZmVhNS04NDhlLTQzOWQtODBhNC1kZGE1NWY1M2UzNmM
description: Starting point for next cursor to use in a page
parameters: []
/v1/messaging/inboxes/{id}:
parameters:
- name: id
in: path
required: true
schema:
type: string
description: Inbox ID
get:
tags:
- Inboxes
summary: Retrieve an inbox
x-roles:
- admin
- issuer
- managed-issuer
description: |
Retrieves an inbox based on its ID.
### **Analytic events**
* MESSAGING_INBOX_RETRIEVE_START
* MESSAGING_INBOX_RETRIEVE_SUCCESS
* MESSAGING_INBOX_RETRIEVE_FAIL
operationId: getInbox
responses:
'200':
description: Inbox returned
content:
application/json:
schema:
$ref: '#/components/schemas/MessagingInbox'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
put:
tags:
- Inboxes
summary: Update an inbox
x-roles:
- admin
- issuer
- managed-issuer
requestBody:
description: |-
Updates an inbox name.
### **Analytic events**
* MESSAGING_INBOX_UPDATE_START
* MESSAGING_INBOX_UPDATE_SUCCESS
* MESSAGING_INBOX_UPDATE_FAIL
required: true
content:
application/json:
schema:
type: object
properties:
name:
type: string
minLength: 1
required:
- name
operationId: updateInbox
responses:
'200':
description: Inbox updated
content:
application/json:
schema:
$ref: '#/components/schemas/MessagingInbox'
'400':
description: Bad Request
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
examples:
Inbox ID not UUID format:
$ref: '#/components/examples/InboxIdNotUuid'
Existing inbox with same name:
$ref: '#/components/examples/InboxNameNotUnique'
'404':
$ref: '#/components/responses/404'
description: Update the inbox configurations
delete:
tags:
- Inboxes
summary: Delete an inbox
x-roles:
- admin
- issuer
- managed-issuer
responses:
'204':
description: Inbox deleted
'400':
description: Bad Request
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
examples:
Inbox ID not UUID format:
$ref: '#/components/examples/InboxIdNotUuid'
'404':
$ref: '#/components/responses/400'
operationId: deleteInbox
description: |-
Deletes an inbox by providing its ID.
### **Analytic events**
* MESSAGING_INBOX_DELETE_START
* MESSAGING_INBOX_DELETE_SUCCESS
* MESSAGING_INBOX_DELETE_FAIL
/v1/messaging/inboxes/{id}/dids:
parameters:
- schema:
type: string
name: id
in: path
required: true
description: Requested inbox ID
post:
tags:
- Inboxes
summary: Register DID with an inbox
x-roles:
- admin
- issuer
- managed-issuer
requestBody:
description: DID registration information
required: true
content:
application/json:
schema:
type: object
properties:
did:
type: string
description: URI of the DID to register with this inbox.
jwt:
type: string
required:
- did
operationId: registerInboxDid
responses:
'201':
description: DID registered with inbox
content:
application/json:
schema:
type: object
properties:
did:
type: string
required:
- did
'400':
description: Bad Request
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
examples:
Inbox ID not UUID format:
$ref: '#/components/examples/InboxIdNotUuid'
DID not found:
value:
code: BadRequest
message: Validation Error
details:
- location: body
msg: Resource Not Found
param: did
value: did:key:z6MkhzsSMkbGYNxyxtqNpTpPet119FSYn4om6yoZZfdUAHqj
BLS DID key type not supported:
value:
code: BadRequest
message: Validation Error
details:
- location: body
value: did:key:zUC75Wk5aeoMttq5Z4ShQTbVVLXSTy2hiEvh6L7GaFjcUWoff1szDbwvgs978r1BPy5oFL1J6n6YttvvaexugWvjrMGurpdtnYNthukkpzDqhim2ARwAHVFkdpYMF7T184jP5rx
param: did
msg: DID key with BLS key type is not supported
Bad JWT:
value:
code: BadRequest
message: Validation Error
details:
- value: j.w.t
msg: Failed to verify JWT
param: jwt
location: body
'404':
$ref: '#/components/responses/404'
description: |-
Register the provided DID to the requested inbox.
DID registration with inboxes is currently limited to `did:key`'
### **Analytic events**
* MESSAGING_INBOX_DID_REGISTER_START
* MESSAGING_INBOX_DID_REGISTER_SUCCESS
* MESSAGING_INBOX_DID_REGISTER_FAIL
get:
summary: Retrieve inbox DIDs
x-roles:
- admin
- issuer
- managed-issuer
description: |
Retrieves a list of all the DIDs registered with the requested inbox.
### **Analytic events**
* MESSAGING_INBOX_DID_RETRIEVE_LIST_START
* MESSAGING_INBOX_DID_RETRIEVE_LIST_SUCCESS
* MESSAGING_INBOX_DID_RETRIEVE_LIST_FAIL
operationId: getInboxDids
responses:
'200':
description: A list of inbox DIDs
content:
application/json:
schema:
$ref: '#/components/schemas/MessagingInboxDIDs'
'400':
description: Bad Request
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
examples:
Inbox ID not UUID format:
$ref: '#/components/examples/InboxIdNotUuid'
'404':
$ref: '#/components/responses/400'
tags:
- Inboxes
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
/v1/messaging/inboxes/{id}/dids/{did}:
parameters:
- schema:
type: string
name: id
in: path
required: true
description: Requested inbox ID
- schema:
type: string
example: did:key:z6Mkjr7vfzBfamiN6Wi6cyQUgTq6CEMXP1MzWQawsUEXJoa9
name: did
in: path
required: true
description: DID
delete:
tags:
- Inboxes
description: |-
Unregisters a DID from the requested inbox.
### **Analytic events**
* MESSAGING_INBOX_DID_UNREGISTER_START
* MESSAGING_INBOX_DID_UNREGISTER_SUCCESS
* MESSAGING_INBOX_DID_UNREGISTER_FAIL
operationId: unregisterInboxDid
responses:
'204':
description: DID unregistered from inbox
'400':
description: Bad Request
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
examples:
Inbox ID not UUID format:
$ref: '#/components/examples/InboxIdNotUuid'
'404':
$ref: '#/components/responses/404'
summary: Unregister DID with an inbox
x-roles:
- admin
- issuer
- managed-issuer
/v1/messaging/inboxes/{id}/messages:
parameters:
- schema:
type: string
name: id
in: path
required: true
description: Requested inbox ID
get:
tags:
- Inboxes
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
description: |
Retrieving all the messages from an inbox
### **Analytic events**
* MESSAGING_INBOX_MESSAGE_RETRIEVE_LIST_START
* MESSAGING_INBOX_MESSAGE_RETRIEVE_LIST_SUCCESS
* MESSAGING_INBOX_MESSAGE_RETRIEVE_LIST_FAIL
operationId: getInboxMessages
responses:
'200':
description: A list of inbox messages
content:
application/json:
schema:
type: object
properties:
nextCursor:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1hNjZmZmVhNS04NDhlLTQzOWQtODBhNC1kZGE1NWY1M2UzNmM
description: Starting point for next cursor to use in a page
data:
type: array
minItems: 2
items:
$ref: '#/components/schemas/MessageInboxMessage'
'400':
description: Bad Request
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
examples:
Inbox ID not UUID format:
$ref: '#/components/examples/InboxIdNotUuid'
'404':
$ref: '#/components/responses/404'
summary: Retrieve all messages
x-roles:
- admin
- issuer
- managed-issuer
/v1/messaging/inboxes/{id}/messages/{messageid}:
parameters:
- schema:
type: string
name: id
in: path
required: true
description: Requested inbox ID
- schema:
type: string
name: messageid
in: path
required: true
description: Requested message ID
get:
tags:
- Inboxes
description: |
Retrieves a message from the requested inbox by providing its ID.
### **Analytic events**
* MESSAGING_INBOX_MESSAGE_RETRIEVE_START
* MESSAGING_INBOX_MESSAGE_RETRIEVE_SUCCESS
* MESSAGING_INBOX_MESSAGE_RETRIEVE_FAIL
operationId: getInboxMessage
responses:
'200':
description: An inbox message
content:
application/json:
schema:
$ref: '#/components/schemas/MessageInboxMessage'
'400':
description: Bad Request
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
examples:
Inbox ID not UUID format:
$ref: '#/components/examples/InboxIdNotUuid'
Message ID not UUID format:
$ref: '#/components/examples/MessageIdNotUuid'
'404':
$ref: '#/components/responses/404'
summary: Retrieve a message
x-roles:
- admin
- issuer
- managed-issuer
delete:
tags:
- Inboxes
description: |
Deletes a message from the requested inbox by providing its ID.
### **Analytic events**
* MESSAGING_INBOX_MESSAGE_DELETE_START
* MESSAGING_INBOX_MESSAGE_DELETE_SUCCESS
* MESSAGING_INBOX_MESSAGE_DELETE_FAIL
operationId: deleteInboxMessage
responses:
'204':
description: Message deleted
'400':
description: Bad Request
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
examples:
Inbox ID not UUID format:
$ref: '#/components/examples/InboxIdNotUuid'
Message ID not UUID format:
$ref: '#/components/examples/MessageIdNotUuid'
'404':
description: Not Found
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
examples:
Inbox not found:
$ref: '#/components/examples/ResourceNotFound'
Message not found:
$ref: '#/components/examples/ResourceNotFound'
summary: Delete a message
x-roles:
- admin
- issuer
- managed-issuer
/v1/messaging/sign:
post:
tags:
- Messaging
summary: Sign a message
x-roles:
- admin
- issuer
- managed-issuer
requestBody:
description: Sign message request
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/SignMessageRequest'
examples:
Sign a Message:
value:
didUrl: did:web:organization.com#2vcj3MjR4d
payload:
msg: this is a message
responses:
'200':
description: Message signed
content:
application/json:
schema:
$ref: '#/components/schemas/SignMessageResponse'
'400':
$ref: '#/components/responses/400'
description: |-
Accepts a message payload and signs it with a JWS (JSON Web Signature) using the a specific key from the DID (Decentralized Identifier) provided in the request.
### **Analytic events**
* MESSAGING_SIGN_START
* MESSAGING_SIGN_SUCCESS
* MESSAGING_SIGN_FAIL
operationId: signMessage
parameters: []
/v1/messaging/verify:
post:
tags:
- Messaging
summary: Verify a message
x-roles:
- admin
- issuer
- managed-issuer
requestBody:
description: Provide the JWS to verify
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/VerifyRequest'
examples:
Request:
value:
jws: EXAMPLE_JWS_TOKEN_eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
responses:
'200':
description: Verification successful
content:
application/json:
schema:
$ref: '#/components/schemas/VerifyMessageResponse'
examples:
Verification successful:
value:
payload: payload
didUrl: did:web:organization.com#2vcj3MjR4d
did: did:web:organization.com
verified: true
signerPublicJwk:
kty: OKP
crv: Ed25519
x: oQvDM6MvUdcgRCqKGJOgteRC9U06_x7bFtY0T-MJ1rQ
Verification failed:
value:
payload: payload
didUrl: did:web:organization.com#2vcj3MjR4d
did: did:web:organization.com
verified: false
'400':
description: Invalid JWS
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
examples:
Verification failed:
value:
code: BadRequest
message: Verification failed
description: |-
Verifies the signature of a provided JWS (JSON Web Signature), validating that the payload has not been tampered with and verifying that the kid in the JWS header is the same as the `iss` value in the Request Object.
One use case for verifying a JWS with a DID is when the Mobile Wallet App sends a Request Object to an OpenID Provider as part of the Authorization Code Flow (as per https://openid.net/specs/openid-connect-core-1_0-final.html#RequestObject). The Request Object is wrapped in a JWS with a signature that is generated from the Subject DID on the mobile app. Therefore verifying the JWS proves that the mobile app has access to the private key of the Subject DID.
### **Analytic events**
* MESSAGING_VERIFY_START
* MESSAGING_VERIFY_SUCCESS
* MESSAGING_VERIFY_FAIL
operationId: verifyJws
parameters: []
/v1/messaging/encrypt:
post:
tags:
- Messaging
summary: Encrypt a message
x-roles:
- admin
- issuer
- managed-issuer
operationId: encryptMessage
requestBody:
description: Encryption parameters
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/EncryptMessageRequest'
examples:
Encrypt credential offer:
value:
senderDidUrl: did:web:learn.vii.au01.mattr.global#z6LShWb1DVC2gkxoQ91VwHmNhci2A4NdVH4srFvLiTP6ETBK
recipientDidUrls:
- did:key:z6MkgmEkNM32vyFeMXcQA7AfQDznu47qHCZpy2AYH2Dtdu1d
- did:key:z6MkgxxdrThaRd7HbeAA4pYEwAgKT6ZXy2aNTcPkmeF1yWHN
payload:
id: 731961f2-bdc3-4f1e-8d59-cc308fd60ec8
type: https://mattr.global/schemas/verifiable-credential/offer/OidcCredentialProvider
from: did:web:learn.vii.au01.mattr.global
created_time: 1616466734
body:
uri: openid://discovery?issuer=https://tenant.vii.mattr.global/ext/oidc/v1/issuers/0dceeddd-f717-4bf2-b520-b3ddcd104a60
Encrypt credential:
value:
senderDidUrl: did:web:learn.vii.au01.mattr.global#z6LShWb1DVC2gkxoQ91VwHmNhci2A4NdVH4srFvLiTP6ETBK
recipientDidUrls:
- did:key:z6MkgxxdrThaRd7HbeAA4pYEwAgKT6ZXy2aNTcPkmeF1yWHN
payload:
id: 731961f2-bdc3-4f1e-8d59-cc308fd60ec8
type: https://mattr.global/schemas/verifiable-credential/offer/Direct
to:
- did:key:z6MkgxxdrThaRd7HbeAA4pYEwAgKT6ZXy2aNTcPkmeF1yWHN
from: did:web:learn.vii.au01.mattr.global
created_time: 1616466734
body:
credentials:
- '@context':
- https://www.w3.org/2018/credentials/v1
- https://schema.org
type:
- VerifiableCredential
- CourseCredential
issuer:
id: did:web:organization.com
name: tenant
issuanceDate: '2021-07-26T01:05:05.152Z'
credentialSubject:
id: did:key:z6MkfxQU7dy8eKxyHpG267FV23agZQu9zmokd8BprepfHALi
givenName: Chris
familyName: Shin
educationalCredentialAwarded: Certificate Name
proof:
type: Ed25519Signature2018
created: '2021-07-26T01:05:06Z'
jws: EXAMPLE_JWS_TOKEN_eyJhbGciOiJFZERTQSIsImI2NCI6ZmFsc2UsImNyaXQiOlsiYjY0Il19..o6hnrrWpArG8LQz2Ex_u66_BtuPdp3Hkz18nhNdNhJ7J1k_2lmCCwsNdmo-kNFirZdSIMzqO-V3wEjMDphVEAA
proofPurpose: assertionMethod
verificationMethod: did:key:z6MkndAHigYrXNpape7jgaC7jHiWwxzB3chuKUGXJg2b5RSj#z6MkndAHigYrXNpape7jgaC7jHiWwxzB3chuKUGXJg2b5RSj
domain: learn.vii.au01.mattr.global
responses:
'200':
description: Message encrypted
content:
application/json:
schema:
$ref: '#/components/schemas/EncryptedMessage'
examples:
Encrypted message:
value:
jwe:
protected: eyJhbGciOiJYQzIwUCJ9
recipients:
- header:
alg: ECDH-1PU+A256KW
kid: did:key:z6MkgmEkNM32vyFeMXcQA7AfQDznu47qHCZpy2AYH2Dtdu1d#z6LSsvqSJkBvVEsDC8cxMHuQ3sKoLRMXB1MdtoLrMUq6A8Rg
epk:
kty: OKP
crv: X25519
x: JOLnYaD7L-Rszz7fczPhn6MkNre25PUsztzB1RHoz14
skid: did:key:z6MkreuqFq6WrwozTeGKuUDz8bniTFRNAg8f3ZB862YdLp7v#z6LScyz3YLToyoKwZE6Tfq65hgZUkZdHrC4ZqohcUH9X6Twx
encryption_key: ag5iKzjJOth9Wa68dCVKJW_vnO_Ga0zSJgQp5rIUg69HCzIjuNYhDg
- header:
alg: ECDH-1PU+A256KW
kid: did:key:z6MkgxxdrThaRd7HbeAA4pYEwAgKT6ZXy2aNTcPkmeF1yWHN#z6LSgDiT1CkducmcSPaq9E1Uj1qdSXBjsUNqqLQLrUu8EHWd
epk:
kty: OKP
crv: X25519
x: gDYW7rhG3cBqFp9trFETtlut6QJxYVVSoVWL7eN1bzE
skid: did:key:z6MkreuqFq6WrwozTeGKuUDz8bniTFRNAg8f3ZB862YdLp7v#z6LScyz3YLToyoKwZE6Tfq65hgZUkZdHrC4ZqohcUH9X6Twx
encryption_key: F5R5ZW7Yk7_iWT5kUWqv3w_tLI7V86tLRthjy_SSbGQ2pFyXKni_gA
ciphertext: xpW-D6sDPpWc_jk87nEyxPX7JQV8_OZpaQft7ySQ5XmNhoj-lQyDkXDncOCyhB7yMSdZrRBNQjKxlEbpY_WLk1hBoWfsTeszVSAuFbX_VKUSJ7GR6rcnWGVNgDfKS8GsyC_owtswXatkF_65_mzFOygctkUmd2eI5bcpQpWjhw2vqnvnWkb7l2J27aWFF_c9cu52dB559j8lwLYyYC9oSMgV5piB6ppfrWBGo_DigjxvJcAYcjFYqFcT6A1nphPhwVTQ2HNfJodbQoseHub8UQdG4qAOcggq5DI84tbqor1SU9rdPH03jPkLgoO_aeXyJg5meITXoFSiu_tRfvf8QQ6vKq6pkTTXs8zKXcBCGhGIyKBNBG4R4RIY1UffTMnJQQQGBble3P06pGOnsnSop0BtygelB9M0ZEwnAUSAQqN1RR4AQwWcn9nH6hHEu1pMhSvhCuFNAPWS-hg24JGGw8Xe3EEZlLH0PM8qpUAfksPq
iv: FJq5zKvuPiUQIdRcMtiChHCJByuY8XK9
tag: u8kT0VAAtTswjGXxNpuX0g==
'400':
description: Bad Request
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
examples:
Sender DID not found:
value:
code: BadRequest
message: Validation Error
details:
- location: body
msg: Resource Not Found
param: senderDidUrl
value: did:key:z6MkopLiuMudqeRm1KvQ24jyUfn6pciePNomKqpsiMgeg4nT#z6LSmWEcPwNbxCgbuSMGTz1Gddnf9MsVSMJCfgPtksgThLvi
description: |
Encrypts the provided payload using into a JWM (JSON Web Message) format.
### **Analytic events**
* MESSAGING_ENCRYPT_START
* MESSAGING_ENCRYPT_SUCCESS
* MESSAGING_ENCRYPT_FAIL
parameters: []
/v1/messaging/decrypt:
post:
tags:
- Messaging
summary: Decrypt a message
x-roles:
- admin
- issuer
- managed-issuer
operationId: decryptMessage
requestBody:
description: Decryption parameters
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/DecryptMessageRequest'
responses:
'200':
description: Message Decrypted
content:
application/json:
schema:
$ref: '#/components/schemas/DecryptMessageResponse'
'400':
$ref: '#/components/responses/400'
description: |-
Decrypts a provided message where the tenant manages the keys for the defined `recipientDidUrl`.
### **Analytic events**
* MESSAGING_DECRYPT_START
* MESSAGING_DECRYPT_SUCCESS
* MESSAGING_DECRYPT_FAIL
parameters: []
/v1/messaging/send:
post:
summary: Send a message
x-roles:
- admin
- issuer
- managed-issuer
operationId: sendMessage
description: |-
Sends an encrypted JWM (JSON Web Messaging) format message to a service endpoint defined in a public DID document.
### **Analytic events**
* MESSAGING_SEND_START
* MESSAGING_SEND_SUCCESS
* MESSAGING_SEND_FAIL
tags:
- Messaging
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/SendMessageRequest'
examples:
Send message:
value:
to: did:key:z6MkgmEkNM32vyFeMXcQA7AfQDznu47qHCZpy2AYH2Dtdu1d
message:
protected: eyJhbGciOiJYQzIwUCJ9
recipients:
- header:
alg: ECDH-1PU+A256KW
kid: did:key:z6MkgmEkNM32vyFeMXcQA7AfQDznu47qHCZpy2AYH2Dtdu1d#z6LSsvqSJkBvVEsDC8cxMHuQ3sKoLRMXB1MdtoLrMUq6A8Rg
epk:
kty: OKP
crv: X25519
x: kYsO02jWHATTJel6OpePqlkdDmKlE5VOr18UblgL8W0
skid: did:key:z6Mko4PvuwKzmjtaKTEV6ZhMSYqX5myTSe3L3Md4feiwCoua#z6LSkKk8HK73jYfUQRBHX3Qeb1Agv39qVNFn7n2PjRvjpPcy
encryption_key: n1VUf5SQdSFNtb8DHzYfJJ_lFhJcGDAPJWG8Y1W3d2qYyPzyxMhyaA
- header:
alg: ECDH-1PU+A256KW
kid: did:key:z6MkgxxdrThaRd7HbeAA4pYEwAgKT6ZXy2aNTcPkmeF1yWHN#z6LSgDiT1CkducmcSPaq9E1Uj1qdSXBjsUNqqLQLrUu8EHWd
epk:
kty: OKP
crv: X25519
x: P3jcIMPGK8thxyHxUsWB5fEsLnltJqRDWMNywtexk24
skid: did:key:z6Mko4PvuwKzmjtaKTEV6ZhMSYqX5myTSe3L3Md4feiwCoua#z6LSkKk8HK73jYfUQRBHX3Qeb1Agv39qVNFn7n2PjRvjpPcy
encryption_key: 5ZOTqwj8NredkXEOp4ZDLL1ohRQqNTS508BTkLlUVCkDoYvizCIdrg
ciphertext: Dl4zBqMeEDwcnyyc17nYvSQ048fcsha_Lm0dfer1nqfo5y8oHvD2VGNTp_lawNJMWCzQF3NDZxxKFz__wTUeHCqisCE_DWbjo_W-R3avzW9S-JFajv9NRtjlfd5yp-1TtD2N5d-8oTtMGdAxq3dftN2Od1xRe4stubJBebl3nf8-lG99DIVGdL8Y-D98kFDxnMxgCKn4RXyHnMowFWlhQCooLeYqo8aWjqVFkzuJzn-p47W7rV9BCuoVThhVuNkjQm_dhBrqu0QMpjJucz7OvOHp0mojdYNKwvWT6dfOVNXetMlKjWCGtCTNFaDTGLc4agdcTjAlaF1iedcVXDOLqVvEugXWGlusE3a68y6gmPnqHjXR6CsEfPwkb5hKKtsyrh1eHu_9UUang5o6N76mummVw4UZkDF6tP1PVGPvyctz82tthnOcjO5mZQG41xfMEMNxWtF8P8wCh4LotpdexXtYigzBgkI1Qoa_FK1czYWAUovysAJCTOZtmg==
iv: jSd3E-ElCHE-QhSDxrQ-Jv4eQhkxOj0s
tag: dbDolGVDdvYsYdn-vVrICw==
description: ''
responses:
'200':
description: Message sent
'400':
$ref: '#/components/responses/400'
parameters: []
/ext/oidc/v1/verifiers:
post:
operationId: createOidcVerifier
tags:
- OIDC Verifiers
summary: Create an OIDC Verifier
x-roles:
- admin
- verifier
description: |
Creates a new OIDC Credential Verifier on the tenant.
Once created, this OIDC Verifier is publicly available on its `/.well-known/openid-configuration` path. The Authorization header is not required as it is intended for OIDC Client applications to resolve.
### **Analytic events**
* OIDC_VERIFIER_CREATE_START
* OIDC_VERIFIER_CREATE_SUCCESS
* OIDC_VERIFIER_CREATE_FAIL
requestBody:
description: The verifier payload
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateOidcVerifierRequest'
examples:
Create a Verifier:
value:
verifierDid: did:key:z6MkrYVmyqSA93o4B1GwERM8kaQDMAUKAFV2TC3weQKeg9Gq
presentationTemplateId: 364b6a1b-3600-4927-a6ac-4d66aa6bbac3
claimMappings:
- jsonLdFqn: http://schema.org/alumniOf
oidcClaim: alumni_of
includePresentation: true
responses:
'201':
description: OIDC Verifier created
content:
application/json:
schema:
$ref: '#/components/schemas/CreateOidcVerifierResponse'
'400':
$ref: '#/components/responses/400'
get:
operationId: getOidcVerifiers
tags:
- OIDC Verifiers
summary: Retrieve all OIDC Verifiers
x-roles:
- admin
- verifier
description: |
Returns a list of all OIDC Verifiers on the tenant.
### **Analytic events**
* OIDC_VERIFIER_RETRIEVE_LIST_START
* OIDC_VERIFIER_RETRIEVE_LIST_SUCCESS
* OIDC_VERIFIER_RETRIEVE_LIST_FAIL
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
responses:
'200':
description: OIDC Verifiers retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/GetOidcVerifiersResponse'
'400':
$ref: '#/components/responses/400'
parameters: []
/ext/oidc/v1/verifiers/{id}:
parameters:
- name: id
in: path
required: true
description: Verifier ID
schema:
type: string
format: uuid
example: 41458e5a-9092-40b7-9a26-d4eb43c5792f
get:
operationId: getOidcVerifier
tags:
- OIDC Verifiers
summary: Retrieve an OIDC Verifier
x-roles:
- admin
- verifier
description: |-
Retrieves an existing OIDC Verifier by providing its ID.
### **Analytic events**
* OIDC_VERIFIER_RETRIEVE_START
* OIDC_VERIFIER_RETRIEVE_SUCCESS
* OIDC_VERIFIER_RETRIEVE_FAIL
responses:
'200':
description: OIDC Verifier retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/CreateOidcVerifierResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
put:
operationId: updateOidcVerifier
tags:
- OIDC Verifiers
summary: Update an OIDC Verifier
x-roles:
- admin
- verifier
description: |
Updates an existing OIDC Verifier by providing its ID.
### **Analytic events**
* OIDC_VERIFIER_UPDATE_START
* OIDC_VERIFIER_UPDATE_SUCCESS
* OIDC_VERIFIER_UPDATE_FAIL
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateOidcVerifierRequest'
examples:
Update a Verifier:
value:
verifierDid: did:key:z6MkrYVmyqSA93o4B1GwERM8kaQDMAUKAFV2TC3weQKeg9Gq
presentationTemplateId: 364b6a1b-3600-4927-a6ac-4d66aa6bbac3
claimMappings:
- jsonLdFqn: http://schema.org/alumniOf
oidcClaim: alumni_of
includePresentation: true
description: Update a verifier
responses:
'200':
description: OIDC Verifier updated
content:
application/json:
schema:
$ref: '#/components/schemas/CreateOidcVerifierResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
delete:
operationId: deleteOidcVerifier
tags:
- OIDC Verifiers
summary: Delete an OIDC Verifier
x-roles:
- admin
- verifier
description: |
Deletes an existing OIDC Verifier by providing its ID.
### **Analytic events**
* OIDC_VERIFIER_DELETE_START
* OIDC_VERIFIER_DELETE_SUCCESS
* OIDC_VERIFIER_DELETE_FAIL
responses:
'204':
description: OIDC Verifier deleted
'400':
description: Bad Request
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
examples:
Bad Request:
value:
code: BadRequest
message: Validation Error
details:
- location: params
msg: Invalid value
param: verifierId
value: abc
'404':
description: OIDC Verifier not found
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
examples:
Verifier not found:
value:
code: NotFound
message: Validation Error
details:
- location: params
msg: Resource Not Found
param: verifierId
value: a368cfb4-9537-4439-acc6-ce3cf2287eb7
/ext/oidc/v1/verifiers/{id}/clients:
parameters:
- schema:
type: string
format: uuid
example: 41458e5a-9092-40b7-9a26-d4eb43c5792f
name: id
in: path
required: true
description: Verifier ID
post:
operationId: createOidcVerifierClient
tags:
- OIDC Verifier Client
summary: Configure an OIDC Client
x-roles:
- admin
- verifier
description: |-
Configures an OIDC Verifier Client on your tenant.
In order to verify a credential using an OpenID Connect Authorization Code Flow, you need to set up an OIDC Client application. This is the client that will engage with your configured OIDC Verifier to initiate the verification workflow.
There is a list of OIDC Client apps, also known as Relying Party Libraries, on the [OpenID website](https://openid.net/developers/certified/). Pick one which you feel comfortable with.
When dealing with personal identity information it is strongly recommended to follow the Authorization Code Flow which ensures sensitive data is transmitted via the `/token` endpoint back-channel.
### **Analytic events**
* OIDC_VERIFIER_CLIENT_CREATE_START
* OIDC_VERIFIER_CLIENT_CREATE_SUCCESS
* OIDC_VERIFIER_CLIENT_CREATE_FAIL
requestBody:
description: The client payload
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateOidcVerifierClientRequest'
examples:
Create a Client:
value:
name: OIDC Client for the verifier
redirectUris:
- https://example.com/callback
responseTypes:
- code
grantTypes:
- authorization_code
tokenEndpointAuthMethod: client_secret_post
idTokenSignedResponseAlg: ES256
applicationType: web
logoUri: https://example.com/logo.png
responses:
'201':
description: OIDC Client configured
content:
application/json:
schema:
$ref: '#/components/schemas/CreateOidcVerifierClientResponse'
'400':
$ref: '#/components/responses/400'
get:
operationId: getOidcVerifierClients
tags:
- OIDC Verifier Client
summary: Retrieve all OIDC Clients
x-roles:
- admin
- verifier
description: |
Returns a list of all OIDC Verifier Clients on the Tenant.
### **Analytic events**
* OIDC_VERIFIER_CLIENT_RETRIEVE_LIST_START
* OIDC_VERIFIER_CLIENT_RETRIEVE_LIST_SUCCESS
* OIDC_VERIFIER_CLIENT_RETRIEVE_LIST_FAIL
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
responses:
'200':
description: OIDC Clients retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/GetOidcVerifierClientsResponse'
'400':
$ref: '#/components/responses/400'
/ext/oidc/v1/verifiers/{id}/clients/{clientId}:
parameters:
- name: id
in: path
required: true
description: OIDC Verifier ID
schema:
type: string
format: uuid
example: 41458e5a-9092-40b7-9a26-d4eb43c5792f
- schema:
type: string
format: uuid
example: da9bb6e4-c9ae-4468-b6ac-72b90d6efd5d
name: clientId
in: path
required: true
description: OIDC Verifier Client ID
get:
operationId: getOidcVerifierClient
tags:
- OIDC Verifier Client
summary: Retrieve an OIDC Client
x-roles:
- admin
- verifier
description: |-
Retrieves an existing OIDC Verifier Client by providing its ID.
### **Analytic events**
* OIDC_VERIFIER_CLIENT_RETRIEVE_START
* OIDC_VERIFIER_CLIENT_RETRIEVE_SUCCESS
* OIDC_VERIFIER_CLIENT_RETRIEVE_FAIL
responses:
'200':
description: OIDC Verifier Client retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/CreateOidcVerifierClientResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
put:
operationId: updateOidcVerifierClient
tags:
- OIDC Verifier Client
summary: Update an OIDC Client
x-roles:
- admin
- verifier
description: |
Updates an existing OIDC Verifier Client by providing its ID.
### **Analytic events**
* OIDC_VERIFIER_CLIENT_UPDATE_START
* OIDC_VERIFIER_CLIENT_UPDATE_SUCCESS
* OIDC_VERIFIER_CLIENT_UPDATE_FAIL
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateOidcVerifierClientRequest'
examples:
Update Client:
value:
name: OIDC Client for the verifier
redirectUris:
- https://example.com/callback
responseTypes:
- code
grantTypes:
- authorization_code
tokenEndpointAuthMethod: client_secret_post
idTokenSignedResponseAlg: ES256
applicationType: web
logoUri: https://example.com/logo.png
description: Update a client
responses:
'200':
description: OIDC Verifier Client updated
content:
application/json:
schema:
$ref: '#/components/schemas/CreateOidcVerifierClientResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
delete:
operationId: deleteOidcVerifierClient
tags:
- OIDC Verifier Client
summary: Delete an OIDC Client
x-roles:
- admin
- verifier
description: |
Deletes an existing OIDC Verifier Client by providing its ID.
### **Analytic events**
* OIDC_VERIFIER_CLIENT_DELETE_START
* OIDC_VERIFIER_CLIENT_DELETE_SUCCESS
* OIDC_VERIFIER_CLIENT_DELETE_FAIL
responses:
'204':
description: OIDC Verifier Client deleted.
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
/ext/oidc/v1/verifiers/{id}/.well-known/openid-configuration:
parameters:
- schema:
type: string
format: uuid
example: 41458e5a-9092-40b7-9a26-d4eb43c5792f
name: id
in: path
required: true
description: Verifier ID
get:
operationId: verifierWellKnownOidcConfig
security: []
tags:
- OIDC Verifier Auth
summary: Well Known OpenId Configuration
description: |
The standard OpenID Connect Well Known configuration metadata endpoint.
This endpoint is unprotected, public facing and can be used by any party wishing to discover the OpenID Connect capabilities.
responses:
'200':
description: Returns OpenID configuration
content:
application/json:
schema:
$ref: '#/components/schemas/OpenIdConfiguration'
/ext/oidc/v1/verifiers/{id}/token:
post:
operationId: verifierRetrieveToken
tags:
- OIDC Verifier Auth
summary: Retrieve Token
description: |-
OIDC Token endpoint
The OpenId Connect `/token` endpoint is used to obtain the `access_token` and `id_token` by presenting a valid authorization `code`
### **Analytic events**
* OIDC_VERIFIER_AUTH_START
* OIDC_VERIFIER_AUTH_SUCCESS
* OIDC_VERIFIER_AUTH_FAIL
requestBody:
content:
application/x-www-form-urlencoded:
schema:
$ref: '#/components/schemas/TokenRequest'
examples: {}
description: Token endpoint request
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '#/components/schemas/TokenResponse'
'400':
$ref: '#/components/responses/400'
security: []
parameters:
- name: id
in: path
required: true
description: Verifier ID
schema:
type: string
format: uuid
example: 41458e5a-9092-40b7-9a26-d4eb43c5792f
/v1/users/search:
post:
operationId: searchUsers
tags:
- Users
summary: Search users
x-roles:
- admin
- issuer
- managed-issuer
description: |-
Returns a list of users from the tenant that match all the provided search criteria (all criteria are optional).
### **Analytic events**
* USER_SEARCH_START
* USER_SEARCH_SUCCESS
* USER_SEARCH_FAIL
requestBody:
description: The search criteria
required: true
content:
application/json:
schema:
type: object
properties:
claims:
type: object
description: |
Filter users by claims. Nested objects are supported. Text values must be an exact match.
example:
externalUserId: 0c3fad74-a8df-4a2d-8e75-f2d356b413ba
authenticationProvider:
type: object
description: |
Filter users by their unique identifier in the configured Authentication Provider.
properties:
providerId:
type: string
description: Authentication Provider identifier.
example: 41458e5a-9092-40b7-9a26-d4eb43c5792f
subjectId:
type: string
description: Unique identifier of the user in the Authentication Provider. Must be an exact match.
example: example-university-oauth2|123456789
limit:
type: number
description: Range size of returned entries, default 100
example: 100
maximum: 1000
minimum: 1
cursor:
type: string
description: Starting point for the range of entries
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1h
responses:
'200':
description: Users retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/SearchUsersResponse'
'400':
$ref: '#/components/responses/400'
/v1/users:
post:
operationId: createUser
tags:
- Users
summary: Create a User
x-roles:
- admin
- issuer
- managed-issuer
description: |-
Create a user.
* USER_CREATE_START
* USER_CREATE_SUCCESS
* USER_CREATE_FAIL
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateUserRequest'
description: Create a User
responses:
'201':
description: User created
content:
application/json:
schema:
$ref: '#/components/schemas/GetUserResponse'
'400':
$ref: '#/components/responses/400'
get:
operationId: getUsers
tags:
- Users
summary: Retrieve all users
x-roles:
- admin
- issuer
- managed-issuer
description: |
Returns a list of all users on your tenant.
### **Analytic events**
* USER_RETRIEVE_LIST_START
* USER_RETRIEVE_LIST_SUCCESS
* USER_RETRIEVE_LIST_FAIL
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
responses:
'200':
description: Users retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/GetUsersResponse'
'400':
$ref: '#/components/responses/400'
parameters: []
/v1/users/{id}:
parameters:
- name: id
in: path
description: User ID
schema:
type: string
format: uuid
example: 8241400f-de3b-42c5-ad7c-8a380039e796
required: true
get:
operationId: getUser
tags:
- Users
summary: Retrieve a user
x-roles:
- admin
- issuer
- managed-issuer
description: |-
Retrieve an existing user by providing its ID.
* USER_RETRIEVE_START
* USER_RETRIEVE_SUCCESS
* USER_RETRIEVE_FAIL
responses:
'200':
description: User retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/GetUserResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
put:
operationId: updateUser
tags:
- Users
summary: Update a User
x-roles:
- admin
- issuer
- managed-issuer
description: |-
Updates an existing user by providing its ID.
* USER_UPDATE_START
* USER_UPDATE_SUCCESS
* USER_UPDATE_FAIL
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateUserRequest'
description: Update a User
responses:
'200':
description: User updated
content:
application/json:
schema:
$ref: '#/components/schemas/GetUserResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
delete:
operationId: deleteUser
tags:
- Users
summary: Delete a user
x-roles:
- admin
- issuer
- managed-issuer
description: |-
Deletes a user and removes any persisted data related to them by providing the user ID.
Any credentials issued to the user remain valid even after the user is deleted.
### **Analytic events**
* USER_DELETE_START
* USER_DELETE_SUCCESS
* USER_DELETE_FAIL
responses:
'204':
description: User deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
/v1/users/{userId}/credentials:
parameters:
- $ref: '#/components/parameters/UserId'
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
get:
operationId: getUserCredentials
tags:
- Users
summary: Retrieve all user credentials data
x-roles:
- admin
- issuer
- managed-issuer
description: |
Returns metadata for all the credentials issued to the provided `userId`.
### **Analytic events**
* USER_CREDENTIAL_RETRIEVE_LIST_START
* USER_CREDENTIAL_RETRIEVE_LIST_SUCCESS
* USER_CREDENTIAL_RETRIEVE_LIST_FAIL
responses:
'200':
description: User credentials retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/GetUserCredentialsResponse'
'400':
$ref: '#/components/responses/400'
/v1/users/authentication-providers:
post:
operationId: createAuthenticationProvider
tags:
- Authentication Provider
summary: Configure an Authentication Provider
x-roles:
- admin
- issuer
- managed-issuer
description: |-
Configures an Authentication Provider on the tenant.
An authentication or identity provider (IdP) is a platform that is typically used to store and manage user accounts on behalf of an organization or a service provider. MATTR VII uses the authentication provider to authenticate end users before issuing them credentials.
Only one authentication provider can be configured on a tenant.
The `/.well-known/openid-configuration` endpoint of the Authentication Provider must contain values for the `authorization_endpoint`, `token_endpoint` and `scopes_supported`.
### **Analytic events**
* USER_AUTHENTICATION_PROVIDER_CREATE_START
* USER_AUTHENTICATION_PROVIDER_CREATE_SUCCESS
* USER_AUTHENTICATION_PROVIDER_CREATE_FAIL
requestBody:
description: The Authentication Provider payload
required: true
content:
application/json:
schema:
required:
- clientSecret
- url
allOf:
- $ref: '#/components/schemas/AuthenticationProviderRequest'
- type: object
properties:
url:
type: string
format: uri
description: |-
Base url for your Authentication Provider well-known endpoint:
- Must be a valid URL.
- Must use the HTTPS protocol.
- Must not be an IP address.
- Must not contain query parameters. Port and fragment parameters will be dropped.
- URL must use https and have a valid public TLD.
- Unicode will be converted to ASCII.
example: https://example-university.au.auth0.com
responses:
'201':
description: Authentication Provider configured
content:
application/json:
schema:
$ref: '#/components/schemas/CreateAuthenticationProviderResponse'
'400':
$ref: '#/components/responses/400'
get:
operationId: getAuthenticationProviders
tags:
- Authentication Provider
summary: Retrieve all Authentication Providers
x-roles:
- admin
- issuer
- managed-issuer
description: |
Returns a list of all Authentication Providers on your tenant.
### **Analytic events**
* USER_AUTHENTICATION_PROVIDER_RETRIEVE_LIST_START
* USER_AUTHENTICATION_PROVIDER_RETRIEVE_LIST_SUCCESS
* USER_AUTHENTICATION_PROVIDER_RETRIEVE_LIST_FAIL
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
responses:
'200':
description: Authentication Providers retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/GetAuthenticationProvidersResponse'
'400':
$ref: '#/components/responses/400'
parameters: []
/v1/users/authentication-providers/{id}:
parameters:
- name: id
in: path
description: Authentication Provider ID
schema:
type: string
format: uuid
example: 41458e5a-9092-40b7-9a26-d4eb43c5792f
required: true
get:
operationId: getAuthenticationProvider
tags:
- Authentication Provider
summary: Retrieve an Authentication Provider
x-roles:
- admin
- issuer
- managed-issuer
description: |-
Retrieve an existing Authentication Provider by providing its ID.
### **Analytic events**
* USER_AUTHENTICATION_PROVIDER_RETRIEVE_START
* USER_AUTHENTICATION_PROVIDER_RETRIEVE_SUCCESS
* USER_AUTHENTICATION_PROVIDER_RETRIEVE_FAIL
responses:
'200':
description: Authentication Provider retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/CreateAuthenticationProviderResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
put:
operationId: updateAuthenticationProvider
tags:
- Authentication Provider
summary: Update an Authentication Provider
x-roles:
- admin
- issuer
- managed-issuer
description: |
Updates an existing Authentication Provider by providing its ID.
### **Analytic events**
* USER_AUTHENTICATION_PROVIDER_UPDATE_START
* USER_AUTHENTICATION_PROVIDER_UPDATE_SUCCESS
* USER_AUTHENTICATION_PROVIDER_UPDATE_FAIL
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/AuthenticationProviderRequest'
description: Update an Authentication Provider
responses:
'200':
description: Authentication Provider updated
content:
application/json:
schema:
$ref: '#/components/schemas/CreateAuthenticationProviderResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
delete:
operationId: deleteAuthenticationProvider
tags:
- Authentication Provider
summary: Delete an Authentication Provider
x-roles:
- admin
- issuer
- managed-issuer
description: |
Deletes an existing Authentication Provider by providing its ID.
### **Analytic events**
* USER_AUTHENTICATION_PROVIDER_DELETE_START
* USER_AUTHENTICATION_PROVIDER_DELETE_SUCCESS
* USER_AUTHENTICATION_PROVIDER_DELETE_FAIL
responses:
'204':
description: Authentication Provider deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
/v1/openid/configuration:
put:
operationId: updateOpenIdConfiguration
tags:
- Interaction Hook
summary: Configure Interaction Hook
x-roles:
- admin
- issuer
- managed-issuer
description: |-
Configure the Interaction Hook for the OpenID4VCI protocol on your tenant.
Many credential issuance journeys require the issuer to perform custom interactions with the user. This could be gathering more information, performing additional authentication steps (E.g, 2FA, MFA or biometric checks) or communicating the terms of service. To facilitate this requirement, you can configure MATTR VII to invoke an interaction hook which will redirect the user to a custom component during the credential issuance journey. This redirect happens **after** the user is authenticated with your configured identity provider but **before** the credential is issued to the user. Upon successful completion of the interaction hook, your custom component will redirect the user back to their digital wallet to complete the credential issuance flow. Your interaction hook component can be either a web or native application.  We recommend using a web interface because it's more compatible with most scenarios.
You can only configure one interaction hook on your MATTR VII tenant. If you require several custom interactions as part of the credential issuance workflow, they should all be linked into a single interaction hook component.
### **Analytic events**
* CREDENTIAL_PROVIDER_OPENID_CONFIGURATION_UPDATE_START
* CREDENTIAL_PROVIDER_OPENID_CONFIGURATION_UPDATE_SUCCESS
* CREDENTIAL_PROVIDER_OPENID_CONFIGURATION_UPDATE_FAIL
requestBody:
description: The Interaction Hook configuration payload
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/UpdateOpenIdConfigurationRequest'
responses:
'200':
description: Interaction Hook configured
content:
application/json:
schema:
$ref: '#/components/schemas/schemas-OpenIdConfiguration'
'400':
$ref: '#/components/responses/400'
get:
operationId: getOpenIdConfiguration
tags:
- Interaction Hook
summary: Retrieve Interaction Hook
x-roles:
- admin
- issuer
- managed-issuer
description: |
Retrieves the Interaction Hook configuration from your tenant.
### **Analytic events**
* CREDENTIAL_PROVIDER_OPENID_CONFIGURATION_RETRIEVE_START
* CREDENTIAL_PROVIDER_OPENID_CONFIGURATION_RETRIEVE_SUCCESS
* CREDENTIAL_PROVIDER_OPENID_CONFIGURATION_RETRIEVE_FAIL
responses:
'200':
description: Interaction Hook configuration retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/schemas-OpenIdConfiguration'
/v1/analytics/events:
get:
deprecated: true
tags:
- Analytics
summary: Retrieve events
x-roles:
- admin
- auditor
- managed-issuer
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
- in: query
name: ids
schema:
type: array
items:
type: string
minLength: 1
example:
- e4c387e7-3e63-40f4-9a38-062aaae9ee50
description: Query by event IDs. These can be retrieved from event details.
- in: query
name: requestIds
schema:
type: array
items:
type: string
minLength: 1
example:
- e4c387e7-3e63-40f4-9a38-062aaae9ee50
description: Query by request IDs. These can be retrieved from event details. The response will include all the individual events that are part of the queried request.
- in: query
name: categories
schema:
type: array
example:
- credential_compact
items:
type: string
minLength: 1
description: Query by event categories. Uses an **OR** operation with `types`. Every **category** includes several event **types**. Each API endpoint details the event types it generates under the **Analytic events** heading. Refer to the [Events registry](https://api-reference-sdk.mattr.global/event-registry/latest/index.html) for an inclusive list.
- in: query
name: types
schema:
type: array
example:
- CREDENTIAL_COMPACT_SIGN_START
items:
type: string
minLength: 1
description: Query by event types. Uses an **OR** operation with `categories`. Every **category** includes several event **types**. Each API endpoint details the events it generates under the **Analytic events** heading. Refer to the [Events registry](https://api-reference-sdk.mattr.global/event-registry/latest/index.html) for an inclusive list.
- in: query
name: dateFrom
schema:
type: string
format: date-time
example: '2023-06-01T02:45:44.087Z'
description: Query by event start date and time (inclusive), in ISO-8601 format.
- in: query
name: dateTo
schema:
type: string
format: date-time
example: '2023-06-30T23:59:59.999Z'
description: Query by event end date and time (inclusive), in ISO-8601 format.
- in: query
name: managementUserIds
schema:
oneOf:
- type: array
items:
type: string
format: uuid
example:
- ea691ed4-90ff-4be2-bd85-f2c74efa72c3
- type: string
enum:
- none
- '*'
description: |
Filter events by management user IDs. You can obtain these IDs from the event details. The response will include all individual events associated with the specified management user IDs.
Special filtering values:
- `none`: Returns events that are not assigned to any management user IDs.
- `*`: Returns events that are assigned to any management user IDs.
- in: query
name: clientIds
schema:
oneOf:
- type: array
items:
type: string
example:
- 54rp8Z8yGnlva19mThj7tJzNXFSyXrCf
- type: string
enum:
- none
- '*'
description: |
Filter events by client IDs. You can obtain these IDs from the event details. The response will include all individual events associated with the specified client IDs.
Special filtering values:
- `none`: Returns events that are not assigned to any client IDs.
- `*`: Returns events that are assigned to any client IDs.
description: |
Returns a list of matching events from the tenant's event database.
The `categories` and `types` parameters filter based on an **OR** logic, whilst all other parameters use an "AND" logic. For example `(categories OR types) AND requestIds AND dateFrom`.
Refer to the [Events registry](https://api-reference-sdk.mattr.global/event-registry/latest/index.html) for an inclusive list of events categories and types.
operationId: getAnalyticsEvents
responses:
'200':
description: A list of events
content:
application/json:
schema:
type: object
properties:
data:
type: array
items:
$ref: '#/components/schemas/Event'
nextCursor:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1hNjZmZmVhNS04NDhlLTQzOWQtODBhNC1kZGE1NWY1M2UzNmM
description: Starting point for next cursor to use in a page.
'400':
$ref: '#/components/responses/400'
'401':
$ref: '#/components/responses/401'
'403':
$ref: '#/components/responses/403'
'500':
$ref: '#/components/responses/500'
/v1/events:
get:
tags:
- Analytics
summary: Retrieve events
x-roles:
- admin
- auditor
- managed-issuer
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
- in: query
name: ids
schema:
type: array
example:
- e4c387e7-3e63-40f4-9a38-062aaae9ee50
items:
type: string
minLength: 1
description: Query by event IDs. These can be retrieved from event details.
- in: query
name: requestIds
schema:
type: array
example:
- e4c387e7-3e63-40f4-9a38-062aaae9ee50
items:
type: string
minLength: 1
description: Query by request IDs. These can be retrieved from event details. The response will include all the individual events that are part of the queried request.
- in: query
name: categories
schema:
type: array
example:
- credential_compact
items:
type: string
minLength: 1
description: Query by event categories. Uses an **OR** operation with `types`. Every **category** includes several event **types**. Each API endpoint details the event types it generates under the **Analytic events** heading. Refer to the [Events registry](https://api-reference-sdk.mattr.global/event-registry/latest/index.html) for an inclusive list.
- in: query
name: types
schema:
type: array
example:
- CREDENTIAL_COMPACT_SIGN_START
items:
type: string
minLength: 1
description: Query by event types. Uses an **OR** operation with `categories`. Every **category** includes several event **types**. Each API endpoint details the events it generates under the **Analytic events** heading. Refer to the [Events registry](https://api-reference-sdk.mattr.global/event-registry/latest/index.html) for an inclusive list.
- in: query
name: dateFrom
schema:
type: string
format: date-time
example: '2023-06-01T02:45:44.087Z'
description: Query by event start date and time (inclusive), in ISO-8601 format.
- in: query
name: dateTo
schema:
type: string
format: date-time
example: '2023-06-30T23:59:59.999Z'
description: Query by event end date and time (inclusive), in ISO-8601 format.
- in: query
name: managementUserIds
schema:
oneOf:
- type: array
items:
type: string
format: uuid
example:
- ea691ed4-90ff-4be2-bd85-f2c74efa72c3
- type: string
enum:
- none
- '*'
description: |
Filter events by management user IDs. You can obtain these IDs from the event details. The response will include all individual events associated with the specified management user IDs.
Special filtering values:
- `none`: Returns events that are not assigned to any management user IDs.
- `*`: Returns events that are assigned to any management user IDs.
- in: query
name: clientIds
schema:
oneOf:
- type: array
items:
type: string
example:
- 54rp8Z8yGnlva19mThj7tJzNXFSyXrCf
- type: string
enum:
- none
- '*'
description: |
Filter events by client IDs. You can obtain these IDs from the event details. The response will include all individual events associated with the specified client IDs.
Special filtering values:
- `none`: Returns events that are not assigned to any client IDs.
- `*`: Returns events that are assigned to any client IDs.
description: |
Returns a list of matching events from the tenant's event database.
The `categories` and `types` parameters filter based on an **OR** logic, whilst all other parameters use an "AND" logic. For example `(categories OR types) AND requestIds AND dateFrom`.
Refer to the [Events registry](https://api-reference-sdk.mattr.global/event-registry/latest/index.html) for an inclusive list of events categories and types.
operationId: getEvents
responses:
'200':
description: A list of events
content:
application/json:
schema:
type: object
properties:
data:
type: array
items:
$ref: '#/components/schemas/Event'
nextCursor:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1hNjZmZmVhNS04NDhlLTQzOWQtODBhNC1kZGE1NWY1M2UzNmM
description: Starting point for next cursor to use in a page.
'400':
$ref: '#/components/responses/400'
'401':
$ref: '#/components/responses/401'
'403':
$ref: '#/components/responses/403'
'500':
$ref: '#/components/responses/500'
/v1/ecosystems:
get:
tags:
- Ecosystems
summary: Retrieve all ecosystems
x-roles:
- admin
- dts-provider
description: |-
Retrieves a list of ecosystems.
### **Analytic events**
* ECOSYSTEM_RETRIEVE_LIST_START
* ECOSYSTEM_RETRIEVE_LIST_SUCCESS
* ECOSYSTEM_RETRIEVE_LIST_FAIL
operationId: getEcosystems
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
responses:
'200':
description: Ecosystems retrieved
content:
application/json:
schema:
type: object
properties:
data:
type: array
items:
$ref: '#/components/schemas/Ecosystem'
nextCursor:
$ref: '#/components/schemas/nextCursor'
'400':
$ref: '#/components/responses/400'
post:
tags:
- Ecosystems
summary: Create ecosystem
x-roles:
- admin
- dts-provider
description: |-
Creates an ecosystem.
### **Analytic events**
* ECOSYSTEM_CREATE_START
* ECOSYSTEM_CREATE_SUCCESS
* ECOSYSTEM_CREATE_FAIL
operationId: createEcosystem
requestBody:
required: true
content:
application/json:
schema:
type: object
required:
- name
properties:
name:
$ref: '#/components/schemas/name'
integrations:
type: array
description: Details external trust sources which are integrated into the ecosystem. These can be either a different ecosystem or a [VICAL](https://learn.mattr.global/docs/issuance/vical/overview).
items:
oneOf:
- $ref: '#/components/schemas/MattrIntegration'
- $ref: '#/components/schemas/VicalIntegration'
responses:
'201':
description: Ecosystem created
content:
application/json:
schema:
$ref: '#/components/schemas/Ecosystem'
'400':
$ref: '#/components/responses/400'
'500':
$ref: '#/components/responses/500'
/v1/ecosystems/sync:
post:
tags:
- Ecosystems
summary: Sync ecosystem
x-roles:
- admin
- dts-provider
description: |-
Synchronizes all configured consumptions and integrations by retrieving the most recent trust information.
**Analytic events**
* ECOSYSTEM_TENANT_SYNC_ALL_START
* ECOSYSTEM_TENANT_SYNC_ALL_SUCCESS
* ECOSYSTEM_TENANT_SYNC_ALL_FAIL
operationId: syncEcosystem
responses:
'202':
description: Ecosystem sync request accepted.
content:
application/json:
schema:
type: object
properties:
tenantConfiguration:
type: object
description: Details the different ecosystems that are consumed by this current ecosystem as external trust sources.
properties:
ecosystems:
type: array
description: A list of all consumed ecosystems.
items:
type: object
properties:
url:
type: string
description: URL where this ecosystem's trust information is retrieved from.
example: https://example.vii.au01.mattr.global/v1/ecosystems/489755c9-1d74-4f59-a127-db7105667bfe
integrations:
type: array
items:
oneOf:
- $ref: '#/components/schemas/MattrIntegration'
- $ref: '#/components/schemas/VicalIntegration'
'400':
$ref: '#/components/responses/400'
/v1/config/ecosystems:
get:
tags:
- Configuration
summary: Retrieve ecosystem configuration
x-roles:
- admin
- dts-consumer
description: |-
Retrieves the tenant's ecosystem configuration.
### **Analytic events**
* ECOSYSTEM_CONFIG_RETRIEVE_START
* ECOSYSTEM_CONFIG_RETRIEVE_SUCCESS
* ECOSYSTEM_CONFIG_RETRIEVE_FAIL
operationId: getEcosystemConfiguration
responses:
'200':
description: Ecosystem configuration retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/EcosystemConfig'
'404':
$ref: '#/components/responses/404'
'500':
$ref: '#/components/responses/500'
post:
tags:
- Configuration
summary: Create ecosystem configuration
x-roles:
- admin
- dts-consumer
description: |-
Creates an ecosystem configuration for the tenant.
### **Analytic events**
* ECOSYSTEM_CONFIG_CREATE_START
* ECOSYSTEM_CONFIG_CREATE_SUCCESS
* ECOSYSTEM_CONFIG_CREATE_FAIL
operationId: createEcosystemConfiguration
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/EcosystemConfig'
responses:
'201':
description: Ecosystem configuration created
content:
application/json:
schema:
$ref: '#/components/schemas/EcosystemConfig'
'400':
$ref: '#/components/responses/400'
'500':
$ref: '#/components/responses/500'
put:
tags:
- Configuration
summary: Update ecosystem configuration
x-roles:
- admin
- dts-consumer
description: |-
Updates the tenant's ecosystem configuration.
### **Analytic events**
* ECOSYSTEM_CONFIG_UPDATE_START
* ECOSYSTEM_CONFIG_UPDATE_SUCCESS
* ECOSYSTEM_CONFIG_UPDATE_FAIL
operationId: updateEcosystemConfiguration
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/EcosystemConfig'
responses:
'200':
description: Ecosystem configuration updated
content:
application/json:
schema:
$ref: '#/components/schemas/EcosystemConfig'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
'500':
$ref: '#/components/responses/500'
delete:
tags:
- Configuration
summary: Delete ecosystem configuration
x-roles:
- admin
- dts-consumer
description: |-
Deletes the tenant's ecosystem configuration.
### **Analytic events**
* ECOSYSTEM_CONFIG_DELETE_START
* ECOSYSTEM_CONFIG_DELETE_SUCCESS
* ECOSYSTEM_CONFIG_DELETE_FAIL
operationId: deleteEcosystemConfiguration
responses:
'204':
description: Ecosystem configuration deleted
'404':
$ref: '#/components/responses/404'
'500':
$ref: '#/components/responses/500'
/v1/ecosystems/{ecosystemId}:
parameters:
- $ref: '#/components/parameters/ecosystemId'
get:
tags:
- Ecosystems
summary: Retrieve ecosystem
x-roles:
- admin
- dts-provider
description: |-
Retrieves an ecosystem by its ID.
### **Analytic events**
* ECOSYSTEM_RETRIEVE_START
* ECOSYSTEM_RETRIEVE_SUCCESS
* ECOSYSTEM_RETRIEVE_FAIL
operationId: getEcosystem
responses:
'200':
description: Ecosystem retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/Ecosystem'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
put:
tags:
- Ecosystems
summary: Update ecosystem
x-roles:
- admin
- dts-provider
description: |-
Updates an ecosystem by its ID.
### **Analytic events**
* ECOSYSTEM_UPDATE_START
* ECOSYSTEM_UPDATE_SUCCESS
* ECOSYSTEM_UPDATE_FAIL
operationId: updateEcosystem
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
name:
$ref: '#/components/schemas/name'
integrations:
type: array
items:
oneOf:
- $ref: '#/components/schemas/MattrIntegration'
- $ref: '#/components/schemas/VicalIntegration'
responses:
'200':
description: Ecosystem updated
content:
application/json:
schema:
$ref: '#/components/schemas/Ecosystem'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
'500':
$ref: '#/components/responses/500'
delete:
tags:
- Ecosystems
summary: Delete ecosystem
x-roles:
- admin
- dts-provider
description: |-
Deletes an ecosystem by its ID.
### **Analytic events**
* ECOSYSTEM_DELETE_START
* ECOSYSTEM_DELETE_SUCCESS
* ECOSYSTEM_DELETE_FAIL
operationId: deleteEcosystem
responses:
'204':
description: Ecosystem deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
'500':
$ref: '#/components/responses/500'
/v1/ecosystems/{ecosystemId}/policies:
parameters:
- $ref: '#/components/parameters/ecosystemId'
post:
tags:
- Policy
summary: Publish policy
x-roles:
- admin
- dts-provider
description: |-
Publish a new version of the ecosystem policy. Only active and currently valid participants and IACA certificates are included in the policy.
### **Analytic events**
* ECOSYSTEM_POLICY_CREATE_START
* ECOSYSTEM_POLICY_CREATE_SUCCESS
* ECOSYSTEM_POLICY_CREATE_FAIL
operationId: createEcosystemPolicy
responses:
'201':
description: Ecosystem policy published
content:
application/json:
schema:
$ref: '#/components/schemas/CreatePolicyResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
'500':
$ref: '#/components/responses/500'
/v1/ecosystems/{ecosystemId}/policies/public/latest:
parameters:
- $ref: '#/components/parameters/ecosystemId'
get:
security: []
tags:
- Policy
summary: Retrieve latest ecosystem policy
description: |-
Retrieves an ecosystem policy by providing the ecosystem ID.
### **Analytic events**
* ECOSYSTEM_POLICY_RETRIEVE_LATEST_START
* ECOSYSTEM_POLICY_RETRIEVE_LATEST_SUCCESS
* ECOSYSTEM_POLICY_RETRIEVE_LATEST_FAIL
operationId: getLatestEcosystemPolicy
parameters:
- $ref: '#/components/parameters/ifNoneMatch'
- $ref: '#/components/parameters/acceptEncoding'
responses:
'200':
headers:
ETag:
description: An Entity Tag (ETag) is a unique identifier assigned to a specific version of a resource. It allows clients to check if a resource has been modified since it was last retrieved.
schema:
type: string
format: byte
example: MTcwMTIyMDgzNzMzOA==
description: Latest ecosystem policy retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/EcosystemPolicy'
'304':
$ref: '#/components/responses/304'
'404':
$ref: '#/components/responses/404'
/v1/ecosystems/{ecosystemId}/policy:
parameters:
- $ref: '#/components/parameters/ecosystemId'
get:
deprecated: true
security: []
tags:
- Policy
summary: Retrieve ecosystem policy
description: |-
Retrieves an ecosystem policy by providing the ecosystem ID.
### **Analytic events**
* ECOSYSTEM_POLICY_RETRIEVE_LATEST_START
* ECOSYSTEM_POLICY_RETRIEVE_LATEST_SUCCESS
* ECOSYSTEM_POLICY_RETRIEVE_LATEST_FAIL
operationId: getEcosystemPolicy
parameters:
- $ref: '#/components/parameters/ifNoneMatch'
- $ref: '#/components/parameters/acceptEncoding'
responses:
'200':
headers:
ETag:
description: An Entity Tag (ETag) is a unique identifier assigned to a specific version of a resource. It allows clients to check if a resource has been modified since it was last retrieved.
schema:
type: string
format: byte
example: MTcwMTIyMDgzNzMzOA==
description: Ecosystem policy retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/EcosystemPolicy'
'304':
$ref: '#/components/responses/304'
'404':
$ref: '#/components/responses/404'
/v1/ecosystems/{ecosystemId}/participants:
parameters:
- $ref: '#/components/parameters/ecosystemId'
get:
tags:
- Participants
summary: Retrieve participants
x-roles:
- admin
- dts-provider
description: |-
Retrieves a list of participants from the requested ecosystem.
### **Analytic events**
* ECOSYSTEM_PARTICIPANT_RETRIEVE_LIST_START
* ECOSYSTEM_PARTICIPANT_RETRIEVE_LIST_SUCCESS
* ECOSYSTEM_PARTICIPANT_RETRIEVE_LIST_FAIL
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
operationId: getEcosystemParticipants
responses:
'200':
description: Participants retrieved
content:
application/json:
schema:
type: object
properties:
data:
type: array
items:
$ref: '#/components/schemas/Participant'
nextCursor:
$ref: '#/components/schemas/nextCursor'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
post:
tags:
- Participants
summary: Create participant
x-roles:
- admin
- dts-provider
description: |-
Creates a participant in the requested ecosystem.
### **Analytic events**
* ECOSYSTEM_PARTICIPANT_CREATE_START
* ECOSYSTEM_PARTICIPANT_CREATE_SUCCESS
* ECOSYSTEM_PARTICIPANT_CREATE_FAIL
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/Participant'
operationId: createEcosystemParticipant
responses:
'201':
description: Participant created
content:
application/json:
schema:
$ref: '#/components/schemas/Participant'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
'500':
$ref: '#/components/responses/500'
/v1/ecosystems/{ecosystemId}/participants/{participantId}:
parameters:
- $ref: '#/components/parameters/ecosystemId'
- $ref: '#/components/parameters/participantId'
get:
tags:
- Participants
summary: Retrieve participant
x-roles:
- admin
- dts-provider
description: |-
Retrieves a participant from the requested ecosystem by its ID.
### **Analytic events**
* ECOSYSTEM_PARTICIPANT_RETRIEVE_START
* ECOSYSTEM_PARTICIPANT_RETRIEVE_SUCCESS
* ECOSYSTEM_PARTICIPANT_RETRIEVE_FAIL
operationId: getEcosystemParticipant
responses:
'200':
description: Participant retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/Participant'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
put:
tags:
- Participants
summary: Update participant
x-roles:
- admin
- dts-provider
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/Participant'
description: |-
Updates a participant in the requested ecosystem by its ID.
### **Analytic events**
* ECOSYSTEM_PARTICIPANT_UPDATE_START
* ECOSYSTEM_PARTICIPANT_UPDATE_SUCCESS
* ECOSYSTEM_PARTICIPANT_UPDATE_FAIL
operationId: updateEcosystemParticipant
responses:
'200':
description: Participant updated
content:
application/json:
schema:
$ref: '#/components/schemas/Participant'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
'500':
$ref: '#/components/responses/500'
delete:
tags:
- Participants
summary: Delete participant
x-roles:
- admin
- dts-provider
description: |-
Deletes a participant in the requested ecosystem by its ID.
### **Analytic events**
* ECOSYSTEM_PARTICIPANT_DELETE_START
* ECOSYSTEM_PARTICIPANT_DELETE_SUCCESS
* ECOSYSTEM_PARTICIPANT_DELETE_FAIL
operationId: deleteEcosystemParticipant
responses:
'204':
description: Participant deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
/v1/ecosystems/{ecosystemId}/participants/{participantId}/contacts:
parameters:
- $ref: '#/components/parameters/participantId'
- $ref: '#/components/parameters/ecosystemId'
post:
tags:
- Participants contacts
summary: Create a participant point of contact
x-roles:
- admin
- dts-provider
description: |-
Create a new point of contact for the specified participant. A maximum of 10 contacts can exist per participant.
### **Analytic events**
* ECOSYSTEM_PARTICIPANT_CONTACT_CREATE_START
* ECOSYSTEM_PARTICIPANT_CONTACT_CREATE_SUCCESS
* ECOSYSTEM_PARTICIPANT_CONTACT_CREATE_FAIL
operationId: createParticipantContact
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/ParticipantContactRequest'
responses:
'201':
description: Participant point of contact created
content:
application/json:
schema:
$ref: '#/components/schemas/ParticipantContactResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
get:
tags:
- Participants contacts
summary: Retrieve all participant points of contact
x-roles:
- admin
- dts-provider
description: |-
Retrieve all points of contact for given participant.
### **Analytic events**
* ECOSYSTEM_PARTICIPANT_CONTACT_RETRIEVE_LIST_START
* ECOSYSTEM_PARTICIPANT_CONTACT_RETRIEVE_LIST_SUCCESS
* ECOSYSTEM_PARTICIPANT_CONTACT_RETRIEVE_LIST_FAIL
operationId: retrieveParticipantContacts
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
responses:
'200':
description: Participant points of contact retrieved
content:
application/json:
schema:
type: object
properties:
data:
type: array
items:
$ref: '#/components/schemas/ParticipantContactResponse'
nextCursor:
$ref: '#/components/schemas/nextCursor'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
/v1/ecosystems/{ecosystemId}/participants/{participantId}/contacts/{contactId}:
parameters:
- $ref: '#/components/parameters/participantId'
- $ref: '#/components/parameters/ecosystemId'
- $ref: '#/components/parameters/contactId'
get:
tags:
- Participants contacts
summary: Retrieve a participant point of contact
x-roles:
- admin
- dts-provider
description: |-
Retrieve a specific point of contact for a given participant.
### **Analytic events**
* ECOSYSTEM_PARTICIPANT_CONTACT_RETRIEVE_START
* ECOSYSTEM_PARTICIPANT_CONTACT_RETRIEVE_SUCCESS
* ECOSYSTEM_PARTICIPANT_CONTACT_RETRIEVE_FAIL
operationId: retrieveParticipantContact
responses:
'200':
description: Participant point of contact retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/ParticipantContactResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
delete:
tags:
- Participants contacts
summary: Delete a participant point of contact
x-roles:
- admin
- dts-provider
description: |-
Delete a specific point of contact for a given participant.
### **Analytic events**
* ECOSYSTEM_PARTICIPANT_CONTACT_DELETE_START
* ECOSYSTEM_PARTICIPANT_CONTACT_DELETE_SUCCESS
* ECOSYSTEM_PARTICIPANT_CONTACT_DELETE_FAIL
operationId: deleteParticipantContact
responses:
'204':
description: Participant point of contact deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
put:
tags:
- Participants contacts
summary: Update a participant point of contact
x-roles:
- admin
- dts-provider
description: |-
Update a specific point of contact for a given participant.
### **Analytic events**
* ECOSYSTEM_PARTICIPANT_CONTACT_UPDATE_START
* ECOSYSTEM_PARTICIPANT_CONTACT_UPDATE_SUCCESS
* ECOSYSTEM_PARTICIPANT_CONTACT_UPDATE_FAIL
operationId: updateParticipantContact
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/ParticipantContactRequest'
responses:
'200':
description: Participant point of contact updated
content:
application/json:
schema:
$ref: '#/components/schemas/ParticipantContactResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
/v1/ecosystems/{ecosystemId}/participants/{participantId}/evidence:
parameters:
- $ref: '#/components/parameters/participantId'
- $ref: '#/components/parameters/ecosystemId'
post:
tags:
- Participants evidence
summary: Upload PDF evidence
x-roles:
- admin
- dts-provider
description: |-
Upload a PDF file as evidence for the given participant. Maximum file size is 10MB.
### **Analytic events**
* ECOSYSTEM_PARTICIPANT_EVIDENCE_CREATE_START
* ECOSYSTEM_PARTICIPANT_EVIDENCE_CREATE_SUCCESS
* ECOSYSTEM_PARTICIPANT_EVIDENCE_CREATE_FAIL
operationId: uploadPdfEvidence
requestBody:
content:
multipart/form-data:
schema:
type: object
properties:
fileDescription:
type: string
file:
type: string
format: binary
responses:
'201':
description: Evidence PDF uploaded
content:
application/json:
schema:
$ref: '#/components/schemas/ParticipantEvidence'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
get:
tags:
- Participants evidence
summary: Retrieve all PDF evidence metadata
x-roles:
- admin
- dts-provider
description: |-
Retrieve metadata for all PDF evidence uploaded for given participant.
### **Analytic events**
* ECOSYSTEM_PARTICIPANT_EVIDENCE_RETRIEVE_LIST_START
* ECOSYSTEM_PARTICIPANT_EVIDENCE_RETRIEVE_LIST_SUCCESS
* ECOSYSTEM_PARTICIPANT_EVIDENCE_RETRIEVE_LIST_FAIL
operationId: retrievePdfEvidenceList
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
responses:
'200':
description: PDF evidence metadata retrieved
content:
application/json:
schema:
type: object
properties:
data:
type: array
items:
$ref: '#/components/schemas/ParticipantEvidence'
nextCursor:
$ref: '#/components/schemas/nextCursor'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
/v1/ecosystems/{ecosystemId}/participants/{participantId}/evidence/{evidenceId}:
parameters:
- $ref: '#/components/parameters/participantId'
- $ref: '#/components/parameters/ecosystemId'
- $ref: '#/components/parameters/evidenceId'
get:
tags:
- Participants evidence
summary: Retrieve a PDF evidence metadata
x-roles:
- admin
- dts-provider
description: |-
Retrieve metadata for a given uploaded PDF evidence.
### **Analytic events**
* ECOSYSTEM_PARTICIPANT_EVIDENCE_RETRIEVE_START
* ECOSYSTEM_PARTICIPANT_EVIDENCE_RETRIEVE_SUCCESS
* ECOSYSTEM_PARTICIPANT_EVIDENCE_RETRIEVE_FAIL
operationId: retrievePdfEvidence
responses:
'200':
description: Evidence retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/ParticipantEvidence'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
put:
tags:
- Participants evidence
summary: Update PDF evidence metadata
x-roles:
- admin
- dts-provider
description: |-
Update metadata for a given uploaded PDF evidence.
### **Analytic events**
* ECOSYSTEM_PARTICIPANT_EVIDENCE_UPDATE_START
* ECOSYSTEM_PARTICIPANT_EVIDENCE_UPDATE_SUCCESS
* ECOSYSTEM_PARTICIPANT_EVIDENCE_UPDATE_FAIL
operationId: updatePdfEvidence
requestBody:
content:
application/json:
schema:
type: object
properties:
fileDescription:
type: string
responses:
'200':
description: Evidence PDF metadata updated
content:
application/json:
schema:
$ref: '#/components/schemas/ParticipantEvidence'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
delete:
tags:
- Participants evidence
summary: Delete PDF evidence
x-roles:
- admin
- dts-provider
description: |-
Delete metadata for a given uploaded PDF evidence and remove it from storage.
### **Analytic events**
* ECOSYSTEM_PARTICIPANT_EVIDENCE_DELETE_START
* ECOSYSTEM_PARTICIPANT_EVIDENCE_DELETE_SUCCESS
* ECOSYSTEM_PARTICIPANT_EVIDENCE_DELETE_FAIL
operationId: deletePdfEvidence
responses:
'204':
description: PDF Evidence deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
/v1/ecosystems/{ecosystemId}/participants/{participantId}/evidence/{evidenceId}/download:
parameters:
- $ref: '#/components/parameters/participantId'
- $ref: '#/components/parameters/ecosystemId'
- $ref: '#/components/parameters/evidenceId'
get:
tags:
- Participants evidence
summary: Download PDF evidence
x-roles:
- admin
- dts-provider
description: |-
Retrieves a specific PDF evidence file.
### **Analytic events**
* ECOSYSTEM_PARTICIPANT_EVIDENCE_DOWNLOAD_START
* ECOSYSTEM_PARTICIPANT_EVIDENCE_DOWNLOAD_SUCCESS
* ECOSYSTEM_PARTICIPANT_EVIDENCE_DOWNLOAD_FAIL
operationId: downloadPdfEvidence
responses:
'200':
description: PDF Evidence file retrieved
content:
application/pdf:
schema:
type: string
format: binary
'404':
$ref: '#/components/responses/404'
/v1/ecosystems/{ecosystemId}/credentials:
parameters:
- $ref: '#/components/parameters/ecosystemId'
post:
tags:
- Credential types
summary: Create credential type
x-roles:
- admin
- dts-provider
description: |-
Creates a new credential type in the requested ecosystem.
### **Analytic events**
* ECOSYSTEM_CREDENTIAL_CREATE_START
* ECOSYSTEM_CREDENTIAL_CREATE_SUCCESS
* ECOSYSTEM_CREDENTIAL_CREATE_FAIL
operationId: createEcosystemCredential
requestBody:
content:
application/json:
schema:
oneOf:
- $ref: '#/components/schemas/Credential'
- $ref: '#/components/schemas/CredentialMobile'
required: true
responses:
'201':
description: Credential type created
content:
application/json:
schema:
oneOf:
- $ref: '#/components/schemas/Credential'
- $ref: '#/components/schemas/CredentialMobile'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
'500':
$ref: '#/components/responses/500'
get:
tags:
- Credential types
summary: Retrieve credential types
x-roles:
- admin
- dts-provider
description: |-
Retrieves a list of credential types from the requested ecosystem.
### **Analytic events**
* ECOSYSTEM_CREDENTIAL_RETRIEVE_LIST_START
* ECOSYSTEM_CREDENTIAL_RETRIEVE_LIST_SUCCESS
* ECOSYSTEM_CREDENTIAL_RETRIEVE_LIST_FAIL
operationId: getEcosystemCredentials
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
responses:
'200':
description: Credential types retrieved
content:
application/json:
schema:
type: object
properties:
data:
type: array
items:
oneOf:
- $ref: '#/components/schemas/Credential'
- $ref: '#/components/schemas/CredentialMobile'
nextCursor:
$ref: '#/components/schemas/nextCursor'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
/v1/ecosystems/{ecosystemId}/credentials/{credentialId}:
parameters:
- $ref: '#/components/parameters/ecosystemId'
- $ref: '#/components/parameters/credentialId'
get:
tags:
- Credential types
summary: Retrieve credential type
x-roles:
- admin
- dts-provider
description: |-
Retrieves a credential type from the requested ecosystem by its ID.
### **Analytic events**
* ECOSYSTEM_CREDENTIAL_RETRIEVE_START
* ECOSYSTEM_CREDENTIAL_RETRIEVE_SUCCESS
* ECOSYSTEM_CREDENTIAL_RETRIEVE_FAIL
operationId: getEcosystemCredential
responses:
'200':
description: Credential type retrieved
content:
application/json:
schema:
oneOf:
- $ref: '#/components/schemas/Credential'
- $ref: '#/components/schemas/CredentialMobile'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
delete:
tags:
- Credential types
summary: Delete credential type
x-roles:
- admin
- dts-provider
description: |-
Deletes a credential type from the requested ecosystem by its ID.
### **Analytic events**
* ECOSYSTEM_CREDENTIAL_DELETE_START
* ECOSYSTEM_CREDENTIAL_DELETE_SUCCESS
* ECOSYSTEM_CREDENTIAL_DELETE_FAIL
operationId: deleteEcosystemCredential
responses:
'204':
description: Credential type deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
/v1/ecosystems/{ecosystemId}/participants/{participantId}/issuer/credentials:
parameters:
- $ref: '#/components/parameters/ecosystemId'
- $ref: '#/components/parameters/participantId'
post:
tags:
- Participants assignment
summary: Create issuer assignment
x-roles:
- admin
- dts-provider
description: |-
Assigns a credential type to the requested participant in the requested ecosystem.
### **Analytic events**
* ECOSYSTEM_ISSUER_POLICY_CREATE_START
* ECOSYSTEM_ISSUER_POLICY_CREATE_SUCCESS
* ECOSYSTEM_ISSUER_POLICY_CREATE_FAIL
operationId: createEcosystemIssuerPolicy
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
credentialId:
type: string
format: uuid
example: 599bf148-d711-405a-a20b-9c8a87ac8850
responses:
'201':
description: Issuer policy created
content:
application/json:
schema:
oneOf:
- $ref: '#/components/schemas/Credential'
- $ref: '#/components/schemas/CredentialMobile'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
'500':
$ref: '#/components/responses/500'
/v1/ecosystems/{ecosystemId}/participants/{participantId}/issuer/credentials/{credentialId}:
parameters:
- $ref: '#/components/parameters/ecosystemId'
- $ref: '#/components/parameters/participantId'
- $ref: '#/components/parameters/credentialId'
delete:
tags:
- Participants assignment
summary: Delete issuer assignment
x-roles:
- admin
- dts-provider
description: |-
Removes a credential type to the requested participant in the requested ecosystem.
### **Analytic events**
* ECOSYSTEM_ISSUER_POLICY_DELETE_START
* ECOSYSTEM_ISSUER_POLICY_DELETE_SUCCESS
* ECOSYSTEM_ISSUER_POLICY_DELETE_FAIL
operationId: deleteEcosystemIssuerPolicy
responses:
'204':
description: Issuer policy deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
'500':
$ref: '#/components/responses/500'
/v1/ecosystems/{ecosystemId}/participants/{participantId}/verifier/credentials:
parameters:
- $ref: '#/components/parameters/ecosystemId'
- $ref: '#/components/parameters/participantId'
post:
tags:
- Participants assignment
summary: Create verifier assignment
x-roles:
- admin
- dts-provider
description: |-
Assigns a credential type to the requested participant in the requested ecosystem.
### **Analytic events**
* ECOSYSTEM_VERIFIER_POLICY_CREATE_START
* ECOSYSTEM_VERIFIER_POLICY_CREATE_SUCCESS
* ECOSYSTEM_VERIFIER_POLICY_CREATE_FAIL
operationId: createEcosystemVerifierPolicy
requestBody:
required: true
content:
application/json:
schema:
type: object
properties:
credentialId:
type: string
format: uuid
example: 599bf148-d711-405a-a20b-9c8a87ac8850
responses:
'201':
description: Verifier policy created
content:
application/json:
schema:
oneOf:
- $ref: '#/components/schemas/Credential'
- $ref: '#/components/schemas/CredentialMobile'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
'500':
$ref: '#/components/responses/500'
/v1/ecosystems/{ecosystemId}/participants/{participantId}/verifier/credentials/{credentialId}:
parameters:
- $ref: '#/components/parameters/ecosystemId'
- $ref: '#/components/parameters/participantId'
- $ref: '#/components/parameters/credentialId'
delete:
tags:
- Participants assignment
summary: Delete verifier assignment
x-roles:
- admin
- dts-provider
description: |-
Removes a credential type from the requested participant in the requested ecosystem..
### **Analytic events**
* ECOSYSTEM_VERIFIER_POLICY_DELETE_START
* ECOSYSTEM_VERIFIER_POLICY_DELETE_SUCCESS
* ECOSYSTEM_VERIFIER_POLICY_DELETE_FAIL
operationId: deleteEcosystemVerifierPolicy
responses:
'204':
description: Verifier policy deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
'500':
$ref: '#/components/responses/500'
/v1/ecosystems/issuer-validation:
post:
tags:
- Participants validation
summary: Validate issuer
x-roles:
- admin
- dts-consumer
description: |
Validates that an issuer is allowed to issue a specific credential format according to the ecosystem policy.
### **Analytics events**
* ECOSYSTEM_VALIDATE_PARTICIPANT_START
* ECOSYSTEM_VALIDATE_PARTICIPANT_SUCCESS
* ECOSYSTEM_VALIDATE_PARTICIPANT_FAIL
operationId: validateIssuer
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ParticipantValidationRequest'
responses:
'200':
description: Validation completed
content:
application/json:
schema:
$ref: '#/components/schemas/ParticipantValidationResponse'
examples:
Compact credential:
value:
validated: true
policyVersion: '1698371362017'
identifier: did:example:abcdb1f712ebc6f1c276e12ec21
Mobile credential:
value:
validated: true
policyVersion: '1698371362017'
identifier: "-----BEGIN CERTIFICATE-----\r\nMIIBwzCCAWigAwIBAgIKRGC+CqoTGJKkkTAKBggqhkjOPQQDAjAgMR4wCQYDVQQG\r\nEwJOWjARBgNVBAMTCk1BVFRSIElBQ0EwHhcNMjMwODA4MDAwOTIxWhcNMzMwODA1\r\nMDAwOTIxWjAgMR4wCQYDVQQGEwJOWjARBgNVBAMTCk1BVFRSIElBQ0EwWTATBgcq\r\nhkjOPQIBBggqhkjOPQMBBwNCAASRu69fzdgM4odkyPtRcZd3eGWCw4BB7StZNGRm\r\nuIlrraUyv9SWPHgUYjYmRB1g7ERzj/pOSAspk71Y+QA+j9nPo4GJMIGGMBIGA1Ud\r\nEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgAGMB0GA1UdDgQWBBSONcHGh4If\r\nO1dYorRpsuFrs+f8SDAcBgNVHRIEFTATgRFpbmZvQG1hdHRyLmdsb2JhbDAjBgNV\r\nHR8EHDAaMBiiFoYUaHR0cHM6Ly9tYXR0ci5nbG9iYWwwCgYIKoZIzj0EAwIDSQAw\r\nRgIhAPKJIGDSvp7VxRBLCWWeghqi8UUeO+dZsC49TUZcDMNxAiEAoh+7dT+l+GzX\r\nk0J2SoGmPiagrbAuIYyTHwzZZuYr1W4=\r\n-----END CERTIFICATE-----\r\n"
'400':
$ref: '#/components/responses/400'
'500':
$ref: '#/components/responses/500'
/v1/ecosystems/verifier-validation:
post:
tags:
- Participants validation
summary: Validate verifier
x-roles:
- admin
- dts-consumer
description: |
Validates that a verifier is allowed to verify a specific credential format according to the ecosystem policy.
### **Analytics events**
* ECOSYSTEM_VALIDATE_PARTICIPANT_START
* ECOSYSTEM_VALIDATE_PARTICIPANT_SUCCESS
* ECOSYSTEM_VALIDATE_PARTICIPANT_FAIL
operationId: validateVerifier
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ParticipantValidationRequest'
responses:
'200':
description: Validation completed
content:
application/json:
schema:
$ref: '#/components/schemas/ParticipantValidationResponse'
examples:
Compact credential:
value:
validated: true
policyVersion: '1698371362017'
identifier: did:example:abcdb1f712ebc6f1c276e12ec21
Mobile credential:
value:
validated: true
policyVersion: '1698371362017'
identifier: "-----BEGIN CERTIFICATE-----\r\nMIIBwzCCAWigAwIBAgIKRGC+CqoTGJKkkTAKBggqhkjOPQQDAjAgMR4wCQYDVQQG\r\nEwJOWjARBgNVBAMTCk1BVFRSIElBQ0EwHhcNMjMwODA4MDAwOTIxWhcNMzMwODA1\r\nMDAwOTIxWjAgMR4wCQYDVQQGEwJOWjARBgNVBAMTCk1BVFRSIElBQ0EwWTATBgcq\r\nhkjOPQIBBggqhkjOPQMBBwNCAASRu69fzdgM4odkyPtRcZd3eGWCw4BB7StZNGRm\r\nuIlrraUyv9SWPHgUYjYmRB1g7ERzj/pOSAspk71Y+QA+j9nPo4GJMIGGMBIGA1Ud\r\nEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgAGMB0GA1UdDgQWBBSONcHGh4If\r\nO1dYorRpsuFrs+f8SDAcBgNVHRIEFTATgRFpbmZvQG1hdHRyLmdsb2JhbDAjBgNV\r\nHR8EHDAaMBiiFoYUaHR0cHM6Ly9tYXR0ci5nbG9iYWwwCgYIKoZIzj0EAwIDSQAw\r\nRgIhAPKJIGDSvp7VxRBLCWWeghqi8UUeO+dZsC49TUZcDMNxAiEAoh+7dT+l+GzX\r\nk0J2SoGmPiagrbAuIYyTHwzZZuYr1W4=\r\n-----END CERTIFICATE-----\r\n"
'400':
$ref: '#/components/responses/400'
'500':
$ref: '#/components/responses/500'
/v1/ecosystems/{ecosystemId}/preview:
parameters:
- $ref: '#/components/parameters/ecosystemId'
get:
tags:
- Policy
summary: Retrieve ecosystem policy preview
x-roles:
- admin
- dts-provider
description: |-
Retrieves an ecosystem policy preview by providing the Ecosystem's ID. A policy preview includes all the participants and credential types created in the ecosystem, excluding any participants with expired or inactive IACAs.
### **Analytic events**
* ECOSYSTEM_POLICY_PREVIEW_RETRIEVE_START
* ECOSYSTEM_POLICY_PREVIEW_RETRIEVE_SUCCESS
* ECOSYSTEM_POLICY_PREVIEW_RETRIEVE_FAIL
operationId: getEcosystemPolicyPreview
parameters:
- $ref: '#/components/parameters/acceptEncoding'
responses:
'200':
description: Ecosystem policy preview retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/EcosystemPolicyPreview'
'404':
$ref: '#/components/responses/404'
/v1/ecosystems/{ecosystemId}/vicals:
parameters:
- $ref: '#/components/parameters/ecosystemId'
post:
tags:
- VICAL
summary: Create VICAL
x-roles:
- admin
- dts-provider
description: Creates a Verified Issuer Certificate Authority List (VICAL) based on the policy of the requested ecosystem. Refer to VICAL ot learn more about the [VICAL](https://learn.mattr.global/docs/issuance/vical/overview) purpose and data structure.
operationId: createVical
responses:
'201':
description: VICAL created
content:
application/json:
schema:
$ref: '#/components/schemas/Vical'
'500':
$ref: '#/components/responses/500'
/v1/ecosystems/{ecosystemId}/vicals/public:
parameters:
- $ref: '#/components/parameters/ecosystemId'
get:
security: []
tags:
- VICAL
summary: Retrieve all VICALs
description: Retrieves all VICALs available in the requested ecosystem.
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
operationId: getVicals
responses:
'200':
description: VICALs retrieved
content:
application/json:
schema:
type: object
properties:
data:
type: array
items:
$ref: '#/components/schemas/VicalWithFilename'
nextCursor:
$ref: '#/components/schemas/nextCursor'
'404':
$ref: '#/components/responses/404'
/v1/ecosystems/{ecosystemId}/vicals/public/latest:
parameters:
- $ref: '#/components/parameters/ecosystemId'
get:
security: []
tags:
- VICAL
summary: Retrieve latest VICAL
description: Retrieves the latest VICAL from the requested ecosystem.
operationId: getLatestVical
responses:
'200':
description: VICAL retrieved
headers:
Content-Type:
description: The media type of the file
schema:
type: string
example: application/cbor
Content-Disposition:
description: Indicates file attachment
schema:
type: string
example: attachment; filename="vical-2024-07-28-1722164473000.cbor"
Content-Length:
description: The size of the file in bytes
schema:
type: number
example: 1843
content:
application/cbor:
schema:
type: string
format: binary
'404':
$ref: '#/components/responses/404'
/v1/ecosystems/{ecosystemId}/vicals/public/{vicalIssueId}:
parameters:
- $ref: '#/components/parameters/ecosystemId'
- $ref: '#/components/parameters/vicalIssueId'
get:
security: []
tags:
- VICAL
summary: Retrieve specific VICAL
description: Retrieves a specific VICAL from the requested ecosystem by providing the VICAL version identifier.
operationId: getVical
responses:
'200':
description: VICAL retrieved
headers:
Content-Type:
description: The media type of the file
schema:
type: string
example: application/cbor
Content-Disposition:
description: Indicates file attachment
schema:
type: string
example: attachment; filename="vical-2024-07-28-1722164473000.cbor"
Content-Length:
description: The size of the file in bytes
schema:
type: number
example: 1843
content:
application/cbor:
schema:
type: string
format: binary
'404':
$ref: '#/components/responses/404'
/v1/ecosystems/{ecosystemId}/vicals/configuration:
parameters:
- $ref: '#/components/parameters/ecosystemId'
put:
tags:
- VICAL Configuration
summary: Update VICAL configuration
x-roles:
- admin
- dts-provider
description: Update the VICAL configuration for the requested ecosystem
operationId: updateVicalConfiguration
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/VicalConfigurationData'
responses:
'200':
description: VICAL configuration updated
content:
application/json:
schema:
allOf:
- $ref: '#/components/schemas/VicalConfigurationData'
- type: object
properties:
autoPublish:
type: object
properties:
configuredAt:
type: string
format: date-time
example: '2025-07-01T00:00:00.000Z'
description: The date and time when the auto-publish was configured. Only returned when `enabled` is `true`.
'400':
$ref: '#/components/responses/400'
get:
tags:
- VICAL Configuration
summary: Retrieve VICAL configuration
x-roles:
- admin
- dts-provider
description: Retrieve the VICAL configuration from the requested ecosystem
operationId: getVicalConfiguration
responses:
'200':
description: VICAL configuration retrieved
content:
application/json:
schema:
allOf:
- $ref: '#/components/schemas/VicalConfigurationData'
- type: object
properties:
autoPublish:
type: object
properties:
configuredAt:
type: string
format: date-time
example: '2025-07-01T00:00:00.000Z'
description: The date and time when the auto-publish was configured. Only returned when `enabled` is `true`.
'404':
$ref: '#/components/responses/404'
delete:
tags:
- VICAL Configuration
summary: Delete VICAL configuration
x-roles:
- admin
- dts-provider
description: Delete the VICAL configuration for the requested ecosystem
operationId: deleteVicalConfiguration
responses:
'204':
description: VICAL configuration deleted
'404':
$ref: '#/components/responses/404'
/v1/ecosystems/certificates/ca:
post:
tags:
- DTS root CA certificates
summary: Create a DTS root CA certificate
x-roles:
- admin
- dts-provider
description: |-
Creates a DTS root CA certificate which is used to sign DTS signer certificates.
- A maximum of three DTS root CA certificates can be created per tenant.
### **Analytic events**
* ECOSYSTEM_DTS_CA_CERTIFICATE_CREATE_START
* ECOSYSTEM_DTS_CA_CERTIFICATE_CREATE_SUCCESS
* ECOSYSTEM_DTS_CA_CERTIFICATE_CREATE_FAIL
operationId: createDtsCaCertificate
requestBody:
content:
application/json:
schema:
oneOf:
- $ref: '#/components/schemas/DtsCaCreateRequestManaged'
- $ref: '#/components/schemas/DtsCaCreateRequestUnmanaged'
responses:
'201':
description: DTS root CA certificate created
content:
application/json:
schema:
$ref: '#/components/schemas/DtsCaResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
'409':
description: Maximum number of DTS CA certificates reached. Please delete an existing certificate before creating a new one.
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
get:
tags:
- DTS root CA certificates
summary: Retrieve all DTS root CA certificates
x-roles:
- admin
- dts-provider
description: |-
Retrieves all DTS root CA certificates.
### **Analytic events**
* ECOSYSTEM_DTS_CA_CERTIFICATE_RETRIEVE_LIST_START
* ECOSYSTEM_DTS_CA_CERTIFICATE_RETRIEVE_LIST_SUCCESS
* ECOSYSTEM_DTS_CA_CERTIFICATE_RETRIEVE_LIST_FAIL
operationId: getDtsCaCertificates
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
responses:
'200':
description: DTS root CA certificates retrieved
content:
application/json:
schema:
type: object
properties:
data:
type: array
items:
$ref: '#/components/schemas/DtsCaResponse'
nextCursor:
$ref: '#/components/schemas/NextCursor'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
/v1/ecosystems/certificates/ca/{dtsCaCertificateId}:
parameters:
- $ref: '#/components/parameters/dtsCaCertificateId'
delete:
tags:
- DTS root CA certificates
summary: Delete a DTS root CA certificate
x-roles:
- admin
- dts-provider
description: |-
Deletes a DTS root CA certificate.
### **Analytic events**
* ECOSYSTEM_DTS_CA_CERTIFICATE_DELETE_START
* ECOSYSTEM_DTS_CA_CERTIFICATE_DELETE_SUCCESS
* ECOSYSTEM_DTS_CA_CERTIFICATE_DELETE_FAIL
operationId: deleteDtsCaCertificate
responses:
'204':
description: DTS root CA certificate deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
put:
tags:
- DTS root CA certificates
summary: Update a DTS root CA certificate
x-roles:
- admin
- dts-provider
description: |-
Updates a DTS root CA certificate.
### **Analytic events**
* ECOSYSTEM_DTS_CA_CERTIFICATE_UPDATE_START
* ECOSYSTEM_DTS_CA_CERTIFICATE_UPDATE_SUCCESS
* ECOSYSTEM_DTS_CA_CERTIFICATE_UPDATE_FAIL
operationId: updateDtsCaCertificate
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/DtsCaUpdateRequest'
responses:
'200':
description: DTS root CA certificate updated
content:
application/json:
schema:
$ref: '#/components/schemas/DtsCaResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
get:
tags:
- DTS root CA certificates
summary: Retrieve a DTS root CA certificate
x-roles:
- admin
- dts-provider
description: |-
Retrieves a DTS root CA certificate.
### **Analytic events**
* ECOSYSTEM_DTS_CA_CERTIFICATE_RETRIEVE_START
* ECOSYSTEM_DTS_CA_CERTIFICATE_RETRIEVE_SUCCESS
* ECOSYSTEM_DTS_CA_CERTIFICATE_RETRIEVE_FAIL
operationId: getDtsCaCertificate
responses:
'200':
description: DTS root CA certificate retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/DtsCaResponse'
'404':
$ref: '#/components/responses/404'
/v1/ecosystems/certificates/ca/{dtsCaCertificateId}/crl:
parameters:
- $ref: '#/components/parameters/dtsCaCertificateId'
get:
security: []
tags:
- DTS root CA certificates
summary: Retrieve a DTS root CA certificate revocation list
description: Retrieves the revocation list for a given DTS root CA certificate.
operationId: getDtsCaCertificateRevocationList
responses:
'200':
description: DTS root CA certificate revocation list retrieved
content:
application/json:
schema:
type: string
format: byte
'404':
$ref: '#/components/responses/404'
/v1/ecosystems/public/certificates/ca:
get:
security: []
tags:
- DTS root CA certificates
summary: Retrieve all public DTS root CA certificates
description: Retrieves all public DTS root CA certificates.
operationId: getDtsCaCertificatePublic
responses:
'200':
description: Public DTS root CA certificates retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/DtsCaPublicResponse'
/v1/ecosystems/certificates/vical-signers:
post:
tags:
- VICAL signers
summary: Create a VICAL signer
x-roles:
- admin
- dts-provider
description: |-
Creates a VICAL signer.
- Only available in implementations using unmanaged (external) DTS root CA certificates.
- A maximum of five VICAL signers can be created per tenant.
### **Analytic events**
* ECOSYSTEM_VICAL_SIGNER_CERTIFICATE_CREATE_START
* ECOSYSTEM_VICAL_SIGNER_CERTIFICATE_CREATE_SUCCESS
* ECOSYSTEM_VICAL_SIGNER_CERTIFICATE_CREATE_FAIL
operationId: createVicalSigner
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/VicalSignerCreateRequest'
responses:
'201':
description: VICAL signer created
content:
application/json:
schema:
$ref: '#/components/schemas/CreateVicalSignerResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
'409':
description: Maximum number of VICAL signer certificates reached. Please delete an existing certificate before creating a new one.
content:
application/json:
schema:
$ref: '#/components/schemas/ErrorResponse'
get:
tags:
- VICAL signers
summary: Retrieve all VICAL signers
x-roles:
- admin
- dts-provider
description: |-
Retrieves all VICAL signers.
### **Analytic events**
* ECOSYSTEM_VICAL_SIGNER_CERTIFICATE_RETRIEVE_LIST_START
* ECOSYSTEM_VICAL_SIGNER_CERTIFICATE_RETRIEVE_LIST_SUCCESS
* ECOSYSTEM_VICAL_SIGNER_CERTIFICATE_RETRIEVE_LIST_FAIL
operationId: getVicalSigners
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
responses:
'200':
description: VICAL signers retrieved
content:
application/json:
schema:
type: object
properties:
data:
type: array
items:
oneOf:
- $ref: '#/components/schemas/UpdateVicalSignerResponse'
- $ref: '#/components/schemas/CreateVicalSignerResponse'
nextCursor:
$ref: '#/components/schemas/NextCursor'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
/v1/ecosystems/certificates/vical-signers/{vicalSignerId}:
parameters:
- $ref: '#/components/parameters/vicalSignerId'
put:
tags:
- VICAL signers
summary: Update a VICAL signer
x-roles:
- admin
- dts-provider
description: |-
Updates a VICAL signer by:
- Providing a VICAL Signer Certificate (VSC) in PEM format that matches its Certificate Signing Request (CSR).
- Activating or deactivating the VICAL signer. Only VICAL signers with a valid PEM certificate can be activated.
- The `certificatePem` field becomes immutable after it's updated for the first time.
Only available in implementations using unmanaged (external) DTS root CA certificates.
### **Analytic events**
* ECOSYSTEM_VICAL_SIGNER_CERTIFICATE_UPDATE_START
* ECOSYSTEM_VICAL_SIGNER_CERTIFICATE_UPDATE_SUCCESS
* ECOSYSTEM_VICAL_SIGNER_CERTIFICATE_UPDATE_FAIL
operationId: updateVicalSigner
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/VicalSignerUpdateRequest'
responses:
'200':
description: VICAL signer updated
content:
application/json:
schema:
$ref: '#/components/schemas/UpdateVicalSignerResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
delete:
tags:
- VICAL signers
summary: Delete a VICAL signer
x-roles:
- admin
- dts-provider
description: |-
Deletes a VICAL signer.
Only available in implementations using unmanaged (external) DTS root CA certificates.
### **Analytic events**
* ECOSYSTEM_VICAL_SIGNER_CERTIFICATE_DELETE_START
* ECOSYSTEM_VICAL_SIGNER_CERTIFICATE_DELETE_SUCCESS
* ECOSYSTEM_VICAL_SIGNER_CERTIFICATE_DELETE_FAIL
operationId: deleteVicalSigner
responses:
'204':
description: VICAL signer deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
get:
tags:
- VICAL signers
summary: Retrieve a VICAL signer
x-roles:
- admin
- dts-provider
description: |-
Retrieves a VICAL signer.
### **Analytic events**
* ECOSYSTEM_VICAL_SIGNER_CERTIFICATE_RETRIEVE_START
* ECOSYSTEM_VICAL_SIGNER_CERTIFICATE_RETRIEVE_SUCCESS
* ECOSYSTEM_VICAL_SIGNER_CERTIFICATE_RETRIEVE_FAIL
operationId: getVicalSignerCertificate
responses:
'200':
description: VICAL signer retrieved
content:
application/json:
schema:
oneOf:
- $ref: '#/components/schemas/UpdateVicalSignerResponse'
- $ref: '#/components/schemas/CreateVicalSignerResponse'
'404':
$ref: '#/components/responses/404'
/v1/ecosystems/{ecosystemId}/vicals/public/certificates/ca/latest:
parameters:
- $ref: '#/components/parameters/ecosystemId'
get:
security: []
tags:
- DTS root CA certificates
summary: Retrieve DTS root CA certificate
description: Retrieves the latest DTS root CA certificate. This can be used by relying parties to verify a signed VICAL.
deprecated: true
operationId: getLatestVicalCaCertificate
responses:
'200':
description: DTS root CA certificate retrieved
'404':
$ref: '#/components/responses/404'
/v1/ecosystems/{ecosystemId}/vicals/public/certificates/ca/{caCertificateId}/crl:
parameters:
- $ref: '#/components/parameters/ecosystemId'
- $ref: '#/components/parameters/caCertificateId'
get:
security: []
tags:
- DTS root CA certificates
summary: Retrieve DTS root CA certificate revocation list
deprecated: true
description: Retrieves revocation list for a given DTS root CA certificate.
operationId: getVicalCertificateRevocationList
responses:
'200':
description: Revocation list retrieved
'404':
$ref: '#/components/responses/404'
/v1/webhooks:
post:
operationId: createWebhook
tags:
- Webhooks
summary: Create Webhook
x-roles:
- admin
- issuer
- managed-issuer
description: |
Creates a new webhook for this tenant.
### **Analytic events**
* WEBHOOK_CREATE_START
* WEBHOOK_CREATE_SUCCESS
* WEBHOOK_CREATE_FAIL
requestBody:
description: The webhook payload
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateWebhookRequest'
examples:
Create a Webhook:
value:
events:
- OpenIdCredentialIssued
url: https://example.com
responses:
'201':
description: Webhook created
content:
application/json:
schema:
$ref: '#/components/schemas/CreateWebhookResponse'
'400':
$ref: '#/components/responses/400'
get:
operationId: getWebhooks
tags:
- Webhooks
summary: Retrieve all Webhooks
x-roles:
- admin
- issuer
- managed-issuer
description: |
Retrieves a list of webhooks configured on the tenant.
### **Analytic events**
* WEBHOOK_RETRIEVE_LIST_START
* WEBHOOK_RETRIEVE_LIST_SUCCESS
* WEBHOOK_RETRIEVE_LIST_FAIL
parameters:
- $ref: '#/components/parameters/limit'
- $ref: '#/components/parameters/cursor'
responses:
'200':
description: Webhooks retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/GetWebhooksResponse'
'400':
$ref: '#/components/responses/400'
/v1/webhooks/{id}:
get:
operationId: getWebhook
tags:
- Webhooks
summary: Retrieve Webhook
x-roles:
- admin
- issuer
- managed-issuer
description: |
Retrieve a specific Webhook by providing its ID.
### **Analytic events**
* WEBHOOK_RETRIEVE_START
* WEBHOOK_RETRIEVE_SUCCESS
* WEBHOOK_RETRIEVE_FAIL
parameters:
- name: id
in: path
description: The requested Webhook ID.
schema:
type: string
format: uuid
example: 41458e5a-9092-40b7-9a26-d4eb43c5792f
required: true
responses:
'200':
description: Webhook retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/GetWebhookResponse'
'400':
$ref: '#/components/responses/400'
put:
operationId: updateWebhook
tags:
- Webhooks
summary: Update Webhook
x-roles:
- admin
- issuer
- managed-issuer
parameters:
- name: id
in: path
description: Webhook ID
schema:
type: string
format: uuid
example: 41458e5a-9092-40b7-9a26-d4eb43c5792f
required: true
description: |-
Updates an existing Webhook by providing its ID.
### **Analytic events**
* WEBHOOK_UPDATE_START
* WEBHOOK_UPDATE_SUCCESS
* WEBHOOK_UPDATE_FAIL
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateWebhookRequest'
description: Update Webhook
responses:
'200':
description: Webhook updated
content:
application/json:
schema:
$ref: '#/components/schemas/CreateWebhookResponse'
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
delete:
operationId: deleteWebhook
tags:
- Webhooks
parameters:
- name: id
in: path
description: Webhook ID
schema:
type: string
format: uuid
example: 41458e5a-9092-40b7-9a26-d4eb43c5792f
required: true
summary: Delete Webhook
x-roles:
- admin
- issuer
- managed-issuer
description: |
Deletes a Webhook by providing its ID.
### **Analytic events**
* WEBHOOK_DELETE_START
* WEBHOOK_DELETE_SUCCESS
* WEBHOOK_DELETE_FAIL
responses:
'204':
description: Webhook deleted
'400':
$ref: '#/components/responses/400'
'404':
$ref: '#/components/responses/404'
/v1/webhooks/jwks:
get:
security: []
operationId: getWebhookJwks
tags:
- Webhooks
summary: Retrieve Webhook JWKs
description: |
Retrieves a list of Webhook JWKs (JSON Web Keys) from the tenant. These keys can be used to verify the HTTP signature and validate the integrity and authorship of generated Webhooks. This endpoint does not require authentication and is publicly available by design.
responses:
'200':
description: Webhook JWKs retrieved
content:
application/json:
schema:
$ref: '#/components/schemas/GetWebhooksJwksResponse'
/oauth/token:
servers:
- url: https://auth.au01.mattr.global
post:
summary: Create API Auth Token
operationId: authToken
responses:
'200':
description: Successful response
content:
application/json:
schema:
$ref: '#/components/schemas/OAuthTokenResponse'
'401':
description: Unauthorized
content:
application/json:
schema:
$ref: '#/components/schemas/TokenErrorResponse'
examples:
Invalid credentials:
value:
error: access_denied
error_description: Unauthorized
description: |-
Authorization endpoint for gaining token used for API requests requiring `bearerAuth`.
You will be provided the required `client_id` and `client_secret` as part of onboarding.
> The returned bearer token will only enable access to endpoints as per your client's defined role. Refer to [Access Control](https://learn.mattr.global/docs/platform-management/access-control) for more information.
security: []
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/OAuthTokenRequest'
examples:
Request:
value:
client_id: htf792W4p4MedZbnoWAs51EfqUt4d2
client_secret: d3fYDX7FjPg1D1h2viARXsolPByQ9vMfg8LHylBy8F4s5KJLB4HhHGOxxqJnSj3G
audience: https://learn.vii.au01.mattr.global
grant_type: client_credentials
tags:
- Security
x-codeSamples:
- lang: curl
source: |
curl --request POST \
--url https://auth.mattr.global/oauth/token/ \
--header 'Content-Type: application/json' \
--data '{"client_id": "KWdv9qo9Vnl9rrCRB7sfGKFTp4uO09im",
"client_secret": "ztJe2GVpOb1_rUo9Vnl9rrCRB7sfGKFTp4uO0DOfLnA5FSz96wbrzgJMQ",
"audience": "https://learn.vii.au01.mattr.global",
"grant_type": "client_credentials"
}'
components:
securitySchemes:
bearerAuth:
type: http
scheme: bearer
bearerFormat: JWT
bearerAuthOpenIdCredentials:
type: http
scheme: bearer
schemas:
OAuthTokenResponse:
title: OAuthTokenResponse
type: object
properties:
access_token:
type: string
description: Must be used as a bearer token for all subsequent requests to protected resources on your tenant.
example: s2dgbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6s2dcaEROemRDf5gbRVEwTTVSVFE0TmtZME9UZzVNVEpDTlVJNFJqRTBPREExTmpZMk1qazFPQSJ9
expires_in:
type: number
description: Token expiry time (in seconds).
example: 86400
token_type:
type: string
example: Bearer
required:
- access_token
- expires_in
- token_type
TokenErrorResponse:
title: TokenErrorResponse
type: object
properties:
error:
type: string
error_description:
type: string
OAuthTokenRequest:
title: OAuthTokenRequest
type: object
properties:
client_id:
type: string
description: Use the `client_id` value provided with your tenant details, or retrieved when you created a tenant on the Self Service Portal.
example: htf792W4p4MedZbnoWAs51EfqUt4d2
client_secret:
type: string
description: Use the `client_secret` value provided with your tenant details, or retrieved when you created a tenant on the Self Service Portal.
example: d3fYDX7FjPg1D1h2viARXsolPByQ9vMfg8LHylBy8F4s5KJLB4HhHGOxxqJnSj3G
audience:
type: string
description: Use your tenant URL.
example: https://learn.vii.au01.mattr.global
grant_type:
type: string
description: Use `client_credentials`.
example: client_credentials
required:
- client_id
- client_secret
- audience
- grant_type
CustomDomainResponse:
type: object
properties:
name:
type: string
example: Example Corp
logoUrl:
type: string
example: https://cdn.example.com/logo.icon
domain:
type: string
example: example.com
verificationToken:
type: string
description: This value must be added to your domain DNS entry TXT record. Refer to [Verify domain ownership](https://learn.mattr.global/docs/platform-management/custom-domain-overview#verify-domain-ownership) for more information.
example: 8c6f36c1-91ff-439d-a518-48cf7ef421ef
isVerified:
type: boolean
description: This will indicate `false` until the domain has been [verified](https://learn.mattr.global/docs/platform-management/custom-domain-overview#verify-domain-ownership). MATTR VII will only use the custom domain after it has been [verified](https://learn.mattr.global/docs/platform-management/custom-domain-guide#verify-custom-domain) and this field indicates `true`.
example: false
verifiedAt:
type: string
description: Indicates when the custom domain was [verified](https://learn.mattr.global/docs/platform-management/custom-domain-overview#verify-domain-ownership). This field is only included in the response when `isVerified` is `true`.
required:
- name
- logoUrl
- domain
- verificationToken
- isVerified
title: CustomDomainResponse
NotFoundError:
title: NotFoundError
description: The specified resource was not found.
type: object
required:
- code
- message
properties:
code:
type: string
message:
type: string
details:
type: array
items:
type: object
required:
- msg
- param
- location
properties:
value:
type: string
description: The value that was provided
msg:
type: string
example: Invalid value
description: Description of why the request is invalid
param:
type: string
example: id
description: The parameter that is invalid
location:
type: string
example: body
description: The location in either body, query, path or params
CreateCustomDomain:
type: object
title: CreateCustomDomain
description: ''
properties:
name:
type: string
description: Insert a name for the custom domain that will be displayed to digital wallet holders when they receive credential offers or verification requests from this tenant.
logoUrl:
type: string
description: |-
Insert a URL for a square logo that will be displayed to digital wallet holders when they receive credential offers or verification requests from your MATTR VII tenant:
* URL must be publicly available.
* Must be a square image, recommended 64x64 px in size
* **png** and **jpg** files are supported.
* The recommended maximum size is 15 KB.
domain:
type: string
description: Insert the full custom domain, leaving out the protocol (e.g. https://).
required:
- name
- logoUrl
- domain
UpdateCustomDomain:
title: UpdateCustomDomain
allOf:
- type: object
properties:
id:
type: string
- $ref: '#/components/schemas/CreateCustomDomain'
ValidationError:
title: ValidationError
description: The request was malformed or missing required parameters.
type: object
required:
- code
- message
properties:
code:
type: string
message:
type: string
details:
type: array
items:
type: object
required:
- msg
properties:
value:
oneOf:
- type: string
- type: number
- type: boolean
- type: object
- type: array
description: The value that was provided
msg:
type: string
example: Invalid value
description: Description of why the request is invalid
param:
type: string
example: id
description: The parameter that is invalid
location:
type: string
example: body
description: The location in either body, query, path or params
ErrorResponse:
type: object
required:
- code
- message
properties:
code:
type: string
message:
type: string
details:
type: array
items:
type: object
properties:
value:
type: string
description: The value that was provided
msg:
type: string
example: Invalid value
description: Description of why the request is invalid
param:
type: string
example: id
description: The parameter that is invalid
location:
type: string
example: body
description: The location in either body, query, path or params
title: ErrorResponse
CredentialStatus:
type: object
description: Credential status location information
properties:
id:
type: string
description: Unique ID for the credential status
example: https://tenant.vii.mattr.global/v1/revocation-lists/cc641396-3750-43c8-b8b8-f30d74eb3fb3#1
type:
type: string
description: Indicates that the status contains revocation information
example: RevocationList2020Status
revocationListIndex:
type: integer
example: 1
description: The location within the revocation list for the credential
revocationListCredential:
type: string
description: The location of the revocation list
example: https://tenant.vii.mattr.global/v1/revocation-lists/cc641396-3750-43c8-b8b8-f30d74eb3fb3
title: CredentialStatus
ED25519Signature2018:
type: object
properties:
type:
type: string
example: Ed25519Signature2018
created:
type: string
format: date-time
example: '2020-05-02T12:06:29Z'
jws:
type: string
description: Compact form of JWS
example: EXAMPLE_JWS_TOKEN_eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
proofPurpose:
type: string
example: assertionMethod
verificationMethod:
type: string
example: did:web:organization.com
title: ED25519Signature2018
VerifiableCredential:
type: object
properties:
'@context':
type: array
example:
- https://www.w3.org/2018/credentials/v1
- https://www.w3.org/2018/credentials/examples/v1
items:
type: string
minLength: 1
example: '"https://www.w3.org/2018/credentials/v1", "https://www.w3.org/2018/credentials/examples/v1"'
type:
type: array
example:
- VerifiableCredential
- AlumniCredential
items:
type: string
minLength: 1
example: '"AlumniCredential", "VerifiableCredential"'
issuer:
description: Includes Issuer id (DID), domain name and optional branding properties.
oneOf:
- type: object
properties:
id:
type: string
example: did:web:organization.com
name:
type: string
example: Example University
logoUrl:
type: string
example: https://example.edu/img/logo.png
description: The location of the logo image. The supported formats are jpg, png, and svg.
iconUrl:
type: string
example: https://example.edu/img/icon.png
description: The location of the icon image. The supported formats are jpg, png, and svg.
- type: string
credentialBranding:
type: object
description: Includes optional credential branding properties.
properties:
backgroundColor:
type: string
example: '#B00AA0'
description: The background colour used for the credential card. The format is "#rrggbb" where "rrggbb" is a hex RGB triplet, such as "#FFCC00".
watermarkImageUrl:
type: string
example: https://example.edu/img/watermark.png
description: The location of the watermark image. The supported formats are jpg, png, and svg.
issuanceDate:
type: string
format: date-time
example: '2020-05-02T12:06:29.156Z'
credentialStatus:
$ref: '#/components/schemas/CredentialStatus'
credentialSubject:
type: object
example:
givenName: Jamie
familyName: Doe
alumniOf: Example University
properties:
givenName:
type: string
example: Jamie
familyName:
type: string
example: Doe
alumniOf:
type: string
example: Example University
proof:
$ref: '#/components/schemas/ED25519Signature2018'
name:
type: string
example: Alumni Credential
description: Name of the credential (requires v2 data model)
description:
type: string
example: This credential shows that the person has attended the mentioned university.
description: Description of the credential (requires v2 data model)
required:
- '@context'
- type
- issuanceDate
- credentialSubject
- proof
title: VerifiableCredential
GetDidConfigJsonldResponse:
type: object
properties:
entries:
type: array
items:
$ref: '#/components/schemas/VerifiableCredential'
title: GetDidConfigJsonldResponse
DidMetadataKey:
type: object
properties:
kmsKeyId:
type: string
description: Unique identifier of this key in the Key Management System (KMS)
example: ad8facc7-e7f6-4af6-9baa-2f7abd71c928
didDocumentKeyId:
type: string
description: Unique identifier of this key in the DID document.
example: did:key:z6MkpTHR8VNsBxYAAWHut2Geadd9jSwuBV8xRoAnwWsdvktH#z6MkpTHR8VNsBxYAAWHut2Geadd9jSwuBV8xRoAnwWsdvktH
title: DidMetadataKey
DidDocument:
type: object
title: did
description: DID URI.
DidMetadata:
type: object
required:
- keys
properties:
registered:
type: number
description: Timestamp of when the DID was registered (Epoch Unix timestamp).
example: 1583233799656
keys:
type: array
description: An array of keys that describe the relationship between keys listed in the DID document and keys that exist in a connected Key Management System (KMS).
items:
$ref: '#/components/schemas/DidMetadataKey'
initialDidDocument:
type: object
description: The DID document that this DID URI should resolve to.
items:
$ref: '#/components/schemas/DidDocument'
title: DidMetadata
GetDidsResponse:
type: object
properties:
nextCursor:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1hNjZmZmVhNS04NDhlLTQzOWQtODBhNC1kZGE1NWY1M2UzNmM
description: Starting point for next cursor to use in a page
data:
type: array
items:
type: object
required:
- did
- localMetadata
properties:
did:
type: string
example: did:key:z6Mkt7bFYc4V2HdAxwhMtaY6cgJckYXwhYdPLJCcnVqzrkpr
localMetadata:
$ref: '#/components/schemas/DidMetadata'
title: GetDidsResponse
CreateDidDocument:
type: object
properties:
method:
type: string
description: Used to determine the type of DID to be created based on its [DID method](https://learn.mattr.global/docs/concepts/dids#methods).
enum:
- key
- web
options:
type: object
description: To define a key type for a did:key or to define a domain for did:web
minItems: 1
properties:
keyType:
type: string
description: |-
Define the key types that will be generated for the created DID:
- Supported `keyType` for `did:key` are `Ed25519` and `Bls12381G2`.
- If `keyType` is omitted, the default keyType is `Ed25519`. This keytype can be used as a Verifier DID.
- If `keyType` is set to `Bls12381G2` the created DID supports BBS+ signatures for creating selective-disclosure enabled credentials.
- As `did:key` only support `Ed25519` or `Bls12381G2` key types, you can only use it to create JSON credentials. If you wish to create CWT credentials, create a DID using a keyType of `P-256`, such as `did:web`.
- The `Bls12381G2` key type cannot be used as a Verifier DID as it does not support symmetric key signing required to verify messages.
Note that keyType is only required for `did:key`, as `did:web`s are automatically created with multiple key types by default:
- P-256: This is the default option for signing CWT credentials.
- Bls12381G2Key2020: This is the default option for signing JSON credentials. It supports selective-disclosure and key rotation.
- Ed25519: Recommended when the `web:did` is used as a Verifier DID, as it supports symmetric key signing required for verifying messages.
example: Bls12381G2
url:
type: string
description: Define the domain that will host the DID document. This would likely be your tenant's URL. Refer to [hosting](https://learn.mattr.global/docs/concepts/dids#hosting) for more information about hosting your `did:web`, and to our [did:web for Custom domains tutorial](https://learn.mattr.global/docs/platform-management/custom-domain-guide#create-a-new-didweb-to-identify-the-custom-domain-optional) if you are planning to self-host your DID document.
example: learn.vii.au01.mattr.global
required:
- method
description: ''
title: CreateDidDocument
CreateDidResponse:
type: object
properties:
registrationStatus:
type: string
example: COMPLETED
description: This status will update from PROCESSING to COMPLETED once publicly resolvable. For `did:web` this means the DID document must be available on the `url` defined when it was created.
did:
type: string
example: did:key:z6Mkt7bFYc4V2HdAxwhMtaY6cgJckYXwhYdPLJCcnVqzrkpr
description: DID URI.
metadata:
$ref: '#/components/schemas/DidMetadata'
title: CreateDidResponse
GetDidResponse:
type: object
properties:
did:
$ref: '#/components/schemas/DidDocument'
registrationStatus:
type: string
description: This status will update from `PROCESSING` to `COMPLETED` once publicly resolvable. For `did:web` this means the DID document must be available on the url defined when it was created.
localMetadata:
$ref: '#/components/schemas/DidMetadata'
title: GetDidResponse
CompactCredentialSignRequest:
title: CompactCredentialSignRequest
type: object
description: CompactCredentialSignRequest
required:
- iss
additionalProperties:
example: ...
oneOf:
- type: string
- type: number
- type: boolean
properties:
iss:
type: string
example: did:web:organization.com
description: Use the DID that identifies the credential's issuer, which attests the claims in the credential. This must be a publicly available and resolvable `did:web` for the credential to be valid and verifiable.
nbf:
type: number
example: 1645743759
description: Not before. When set, credential verification will fail if the current time is earlier than the `nbf` value, expressed as a Unix timestamp.
exp:
type: number
example: 1646743759
description: Expiry. When set, credential verification will fail if the current time is later than the `exp` value, expressed as a Unix timestamp.
iat:
type: number
example: 1645743759
description: Issued at, indicates credential issuance timestamp, expressed as a Unix timestamp.
aud:
type: string
description: Audience.
sub:
type: string
description: Subject.
type:
type: string
SignCompactCredentialRequest:
title: SignCompactCredentialRequest
type: object
required:
- payload
properties:
payload:
$ref: '#/components/schemas/CompactCredentialSignRequest'
revocable:
type: boolean
default: false
description: When set to `true`, the signed credential can later be revoked. When set to `false`, the credential cannot be revoked.
isRevoked:
type: boolean
default: false
description: When set to `true`, the signed credential is issued as revoked, and must be unrevoked to become valid. If `isRevoked` is provided (e.g. set to either `true` or `false`), `revocable` must be set to `true`.
description: Sign CWT credential Request
CompactCredentialSignResponse:
title: CompactCredentialSignResponse
type: object
description: CompactCredentialSignResponse
example:
iss: did:web:organization.com
nbf: 1645743759
exp: 1646743759
iat: 1645743759
jti: 6tVMmKodQNaLywW6NGA2aA
type: CredentialType
property1: ...
property2: ...
required:
- iss
- jti
additionalProperties:
oneOf:
- type: string
- type: number
- type: boolean
properties:
iss:
type: string
jti:
type: string
nbf:
type: number
exp:
type: number
iat:
type: number
aud:
type: string
sub:
type: string
type:
type: string
status:
type: object
properties:
url:
type: string
index:
type: number
SignCompactCredentialResponse:
title: SignCompactCredentialResponse
type: object
required:
- id
- encoded
- decoded
properties:
id:
type: string
description: Unique credential identifier. This is identical to the `jti` claim, which is the CBOR Web Token (CWT) identifier.
encoded:
type: string
description: URL Encoded CWT credential payload
example: CSC:/1/2KCE3IQEJB5DCMSLN5KWKZABE2QFQRVDAF4CIZDJMQ5HOZLCHIYDGOJUFUYTENJNGIZTOLJVGIWTCMJQFZXGO4TPNMXGS33ENZQW2ZLEJJXWQ3QH3BAFB3LISHKGQ2KBJ6Q35NXZFD6LGZ2YIAYHZAKCF7NKTIUZUTZQ3PWDBALAWVRG5XL2H4P4WFK25X3Y5X5RTN7NOZUST67KLCEFS3EPXQU5KM7VUGOPXJLQ6K5U676PMQNWRZCZ
decoded:
$ref: '#/components/schemas/CompactCredentialSignResponse'
description: Sign CWT credential response
VerifyCompactCredentialResponse:
title: VerifyCompactCredentialResponse
type: object
description: VerifyCompactCredentialResponse
properties:
verified:
type: boolean
decoded:
$ref: '#/components/schemas/CompactCredentialSignResponse'
error:
type: object
properties:
type:
type: string
message:
type: string
details:
type: object
required:
- type
- message
required:
- verified
- decoded
GenerateQrCodeRequest:
title: GenerateQrCodeRequest
type: object
properties:
payload:
type: string
description: String representation of the encoded CWT credential.
example: CSS:/1/2KCE3IQEJB5DCMSMGRKXI3IBE2QFSANKVACBUYQYB2HQKGTCDAHI6BQ2MIMA5DYBPAUWI2L...
width:
type: number
description: Optionally specify the desired width of the output QR code. When no width is specified MATTR VII will generate a QR code with an optimised width based on the size of the payload. Maximal value is 1000px.
example: 250
required:
- payload
credentialConfigurationClaimMappings:
type: object
description: |
This is where you specify how to map claims (user attributes) into issued credentials. Each field in the object corresponds to a claim in the issued credential, and contains one or more from the following attributes:
- `mapFrom`: References the path in the user object where the claim is available.
- When using a URL as a claims namespace identifier, use bracket notation to access the claim value (e.g. `mapFrom: "claims['https://example.com/claim-name']"`).
- `mapFrom` is optional when `defaultValue` is provided, as the latter will be used for all issued credentials. This is referred to as a **static claim**.
- `defaultValue`: Indicates what value is used if required is set to `false` (field is optional) and no value is provided by the claims source. When `defaultValue` is provided, `mapFrom` is optional.
- `required`: Indicates whether the claim is required (default: `false`). When a required claim cannot be retrieved and no `defaultValue` is available, credential issuance will fail.
**Example `claims` object inside the `user` object**
```json
{
"claims": {
"given_name": "Jamie",
"family_name": "Doe",
"address": {
"formatted": "116-118 Quay Street, Auckland CBD, Auckland 1010"
}
},
"authenticationProvider": {
"subjectId": "6d3aab7d-73af-5f61-b47c-109ef6f7558c",
"url": "https://accounts.google.com"
}
}
```
example:
firstName:
mapFrom: claims.given_name
required: true
address:
mapFrom: claims.address.formatted
picture:
mapFrom: claims.picture
defaultValue: http://example.edu/img/placeholder.png
badge:
defaultValue: http://example.edu/img/badge.png
providerSubjectId:
mapFrom: authenticationProvider.subjectId
additionalProperties:
type: object
properties:
mapFrom:
type: string
description: The path of the property in the user `claims` object.
required:
type: boolean
description: Indicates whether value of the property must be resolvable. If set to true and does not map to a value, issuance will fail.
defaultValue:
oneOf:
- type: string
- type: number
- type: boolean
- type: array
- type: object
description: Default value to be used when unable to resolve from the supplied context object. Required when `mapFrom` is not defined.
CredentialConfiguration:
type: object
properties:
type:
description: |-
Used to differentiate between different CWT/Semantic CWT credential configurations on your tenant. Thus, its value must:
- Be unique across all CWT/Semantic CWT credential configurations on your tenant.
- Not be VerifiableCredential.
type: string
minLength: 1
maxLength: 1024
example: CourseCredential
claimMappings:
$ref: '#/components/schemas/credentialConfigurationClaimMappings'
revocable:
type: boolean
default: true
description: When set to true (default), the created credential can later be revoked. When set to false, the credential cannot be revoked.
claimSourceId:
type: string
format: uuid
description: References the unique identifier of a claims source that can be used to retrieve claims and include them in the issued credential.
expiresIn:
type: object
description: Used to determine when will issued credentials expire. Can include any combination of `years`, `months`, `weeks`, `days`, `hours`, `minutes` and `seconds`.
properties:
years:
type: number
example: 1
months:
type: number
example: 12
weeks:
type: number
example: 52
days:
type: number
example: 365
hours:
type: number
example: 24
minutes:
type: number
example: 1440
seconds:
type: number
example: 3600
required:
- claimMappings
CredentialConfigurationResponse:
required:
- id
- type
- revocable
allOf:
- type: object
properties:
id:
type: string
format: uuid
description: Uniquely identifies this credential configuration. Can be used to create an offer based on this credential configuration, or to retrieve, update or remove the credential configuration.
example: 983c0a86-204f-4431-9371-f5a22e506599
- $ref: '#/components/schemas/CredentialConfiguration'
title: CredentialConfigurationResponse
GetCredentialConfigurationsResponse:
type: object
properties:
nextCursor:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1hNjZmZmVhNS04NDhlLTQzOWQtODBhNC1kZGE1NWY1M2UzNmM
description: Starting point for next cursor to use in a page
data:
type: array
items:
$ref: '#/components/schemas/CredentialConfigurationResponse'
title: GetCredentialConfigurationsResponse
CredentialConfigurationRequest:
required:
- type
allOf:
- $ref: '#/components/schemas/CredentialConfiguration'
title: CreateCredentialConfigurationRequest
CompactSemanticCredentialSignRequest:
title: CompactSemanticCredentialSignRequest
type: object
description: CompactSemanticCredentialSignRequest
required:
- iss
- vc
properties:
iss:
type: string
example: did:web:organization.com
description: Use the DID that identifies the credential's issuer, which attests the claims in the credential. This must be a publicly available and resolvable `did:web` for the credential to be valid and verifiable.
nbf:
type: number
example: 1645743759
description: Not before. Credential verification will fail if the current time is earlier than the `nbf` value, expressed as a Unix timestamp. `nbf` is required by the W3C VC data model. If not provided in the request, current time at issuance is used.
exp:
type: number
example: 1645743759
description: Expiry. When set, credential verification will fail if the current time is later than the `exp` value, expressed as a Unix timestamp.
iat:
type: number
example: 1645743759
description: Issued at, indicates credential issuance timestamp, expressed as a Unix timestamp.
aud:
type: string
example: ...
description: Audience.
sub:
type: string
example: ...
description: Subject identifier. As Semantic CWT credentials are _bearer credentials_, including a subject identifier is not required.
vc:
type: object
description: Represents a W3C Verifiable Credential data model credential.
required:
- credentialSubject
- type
properties:
'@context':
type: string
example: https://www.w3.org/2018/credentials/examples/v1
description: Must be a publicly available and resolvable schema.
type:
type: string
example: AlumniCredential
description: Must be a single credential type.
credentialSubject:
type: object
description: Contains all the claims attested in the credential. Must comply with the referenced context schema.
additionalProperties:
example: ...
oneOf:
- type: string
- type: number
- type: boolean
SignCompactSemanticCredentialRequest:
title: SignCompactSemanticCredentialRequest
type: object
required:
- payload
properties:
payload:
$ref: '#/components/schemas/CompactSemanticCredentialSignRequest'
revocable:
type: boolean
default: false
description: When set to `true`, the created credential can later be revoked. When set to `false`, the credential cannot be revoked.
isRevoked:
type: boolean
default: false
description: When set to `true`, the signed credential is issued as revoked, and must be unrevoked to become valid. If `isRevoked` is provided (e.g. set to either `true` or `false`), `revocable` must be set to `true`.
description: Sign Semantic CWT credential Request
CompactSemanticCredentialSignResponse:
title: CompactSemanticCredentialSignResponse
type: object
description: CompactSemanticCredentialSignResponse
required:
- iss
- nbf
- jti
- vc
properties:
iss:
type: string
example: did:web:example.com
description: This DID identifies the credential's issuer, which attests the claims in the credential. Must be a publicly available and resolvable `did:web` for the credential to be valid and verifiable.
jti:
type: string
example: ...
description: This JWT ID identifies this credential and is identical to the `id` element. When `revocable` is set to `true`, this value is persisted on the tenant to enable revoking this specific credential.
nbf:
type: number
example: 1645743759
description: Not before. Credential verification will fail if the current time is earlier than the `nbf` value, expressed as a Unix timestamp.
exp:
type: number
example: 1645743759
description: Expiry. When set, credential verification will fail if the current time is later than the `exp` value, expressed as a Unix timestamp.
iat:
type: number
example: 1645743759
description: Issued at, indicates credential issuance timestamp, expressed as a Unix timestamp.
aud:
type: string
example: ...
description: Audience.
sub:
type: string
example: ...
description: Subject identifier. As Semantic CWT credentials are _bearer credentials_, including a subject identifier is not required.
vc:
type: object
description: Represents a W3C Verifiable Credential data model credential.
required:
- '@context'
- type
- credentialSubject
properties:
'@context':
type: array
description: Must be a publicly available and resolvable schema.
items:
type: string
example:
- https://www.w3.org/2018/credentials/v1
- https://www.w3.org/2018/credentials/examples/v1
type:
type: array
description: Must be a single credential type.
items:
type: string
example:
- VerifiableCredential
- AlumniCredential
credentialSubject:
type: object
description: Contains all the claims attested in the credential. Must comply with the referenced context schema.
additionalProperties:
example: ...
oneOf:
- type: string
- type: number
- type: boolean
status:
type: object
description: If `revocable` was set to `true` in the request, this object is used to provide information required for revocation.
properties:
url:
type: string
example: ...
description: Every revocable credential will reference a Revocation List that is automatically created and held on the issuer's tenant. This list can be used by external verifiers to validate the credential status. This property references the Revocation List which holds the revocation status for this specific credential.
index:
type: number
example: 123
description: This indicates the index of this specific credential within the revocation list.
SignCompactSemanticCredentialResponse:
title: SignCompactSemanticCredentialResponse
type: object
required:
- id
- encoded
- decoded
properties:
id:
type: string
description: Unique credential identifier. This is identical to the `jti` claim, which is the CBOR Web Token (CWT) identifier.
encoded:
type: string
description: The base32 encoded string representation of the Semantic CWT credential. CSC stands for COSE_SIGN Compact format. You will use this element to convert the credential into a format that can be shared with a holder.
example: CSS:/1/BASE_32_ENCODED_PAYLOAD
decoded:
$ref: '#/components/schemas/CompactSemanticCredentialSignResponse'
description: Sign Semantic CWT credential response
VerifyCompactSemanticCredentialResponse:
title: VerifyCompactSemanticCredentialResponse
type: object
description: VerifyCompactSemanticCredentialResponse
required:
- verified
properties:
verified:
type: boolean
decoded:
$ref: '#/components/schemas/CompactSemanticCredentialSignResponse'
error:
type: object
properties:
type:
type: string
message:
type: string
details:
type: object
required:
- type
- message
schemas-CredentialConfiguration:
type: object
properties:
type:
description: |-
Used to differentiate between different CWT/Semantic CWT credentials configurations on your tenant. Thus, its value must:
- Be unique across all CWT/Semantic CWT credentials configurations on your tenant.
- Not be VerifiableCredential.
minLength: 1
maxLength: 1024
example: CourseCredential
claimMappings:
$ref: '#/components/schemas/credentialConfigurationClaimMappings'
revocable:
type: boolean
default: true
description: When set to `true` (default), the created credential can later be revoked. When set to `false`, the credential cannot be revoked.
claimSourceId:
type: string
format: uuid
description: References the unique identifier of a claims source that can be used to retrieve claims and include them in the issued credential.
expiresIn:
type: object
description: Used to determine when will issued credentials expire. Can include any combination of `years`, `months`, `weeks`, `days`, `hours`, `minutes` and `seconds`.
properties:
years:
type: number
example: 1
months:
type: number
example: 12
weeks:
type: number
example: 52
days:
type: number
example: 365
hours:
type: number
example: 24
minutes:
type: number
example: 1440
seconds:
type: number
example: 3600
required:
- claimMappings
schemas-CredentialConfigurationResponse:
required:
- id
- type
- revocable
allOf:
- type: object
properties:
id:
type: string
format: uuid
description: Uniquely identifies this credential configuration. Can be used to create an offer based on this credential configuration, or to retrieve, update or remove the credential configuration.
example: 983c0a86-204f-4431-9371-f5a22e506599
- $ref: '#/components/schemas/schemas-CredentialConfiguration'
title: CredentialConfigurationResponse
schemas-GetCredentialConfigurationsResponse:
type: object
properties:
nextCursor:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1hNjZmZmVhNS04NDhlLTQzOWQtODBhNC1kZGE1NWY1M2UzNmM
description: Starting point for next cursor to use in a page
data:
type: array
items:
$ref: '#/components/schemas/schemas-CredentialConfigurationResponse'
title: GetCredentialConfigurationsResponse
schemas-CredentialConfigurationRequest:
required:
- type
allOf:
- $ref: '#/components/schemas/schemas-CredentialConfiguration'
title: CreateCredentialConfigurationRequest
PDFTemplateResponse:
type: object
x-examples: {}
title: PDFTemplateResponse
properties:
id:
type: string
description: This is a unique identifier for this PDF template. You will use it as the `templateId` when formatting a CWT credential as a PDF.
example: 4eea7654-d4c5-4eba-bd7a-5ca334d54725
name:
type: string
example: Certificate of participation
description: Template name.
fileName:
type: string
example: certificate_of_participation
description: File name for credentials formatted using this template.
fonts:
type: array
description: Includes any custom fonts in this template.
example:
- name: PublicSans-Regular
fileName: fonts/PublicSans-Regular.ttf
items:
type: object
properties:
name:
type: string
fileName:
type: string
metadata:
type: object
properties:
title:
type: string
example: ''
fields:
type: array
description: Includes the different elements in this PDF template and what fields in the credential they are mapped from.
example:
- key: familyName
value: '{{payload.sub_claims.familyName}}'
isRequired: true
alternativeText: '{{payload.sub_claims.familyName}}'
fontName: PublicSans-Regular
items:
type: object
properties:
key:
type: string
value:
type: string
isRequired:
type: boolean
alternativeText:
type: string
fontName:
type: string
required:
- key
- value
- alternativeText
PDFTemplatesResponse:
type: object
properties:
nextCursor:
type: string
example: 0ecdcb57-ef2b-4aa1-be34-695c2d9d9486
data:
type: array
items:
$ref: '#/components/schemas/PDFTemplateResponse'
title: PDFTemplateResponse
description: ''
CreatePDFRequest:
type: object
properties:
templateId:
type: string
description: Use the `ID` element of the PDF template to be used to format this credential.
example: 4eea7654-d4c5-4eba-bd7a-5ca334d54725
minLength: 1
payload:
type: string
description: String payload representation of the encoded CWT credential.
example: '{payload}'
minLength: 1
maxLength: 1024
title: CreatePDFResponse
DigitalPassType:
description: Digital pass type
type: string
enum:
- apple
- google
title: DigitalPassType
ApplePassTemplateResponse:
type: object
properties:
id:
type: string
example: 3812166c-ac9f-4e4e-96dd-c1336b5be378
description: This is a unique identifier for this Apple digital pass template. You will use it as the `templateId` when formatting a CWT credential as an Apple Pass.
passType:
$ref: '#/components/schemas/DigitalPassType'
name:
type: string
example: Certificate of participation
metadata:
type: object
properties:
fileName:
type: string
example: certificate_of_participation.pkpass
teamIdentifier:
type: string
example: GH5P43ABC
passTypeIdentifier:
type: string
example: pass.myproject.participation.pk
title: ApplePassTemplateResponse
ApplePassTemplatesResponse:
type: object
properties:
nextCursor:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1h
data:
type: array
items:
$ref: '#/components/schemas/ApplePassTemplateResponse'
title: ApplePassTemplatesResponse
ApplePassTemplateRequest:
type: object
properties:
template:
type: string
format: binary
description: Includes your template files.
name:
type: string
description: Insert a name to identify this Apple digital pass template.
example: Certificate of participation
minLength: 1
maxLength: 1024
fileName:
type: string
description: Insert the file name that will be assigned to Apple digital passes created from this template. Must only include alphanumeric characters, ''_'', or ''-'', and end with `.pkpass`.
example: certificate_of_participation.pkpass
minLength: 1
maxLength: 100
teamIdentifier:
type: string
description: The Team ID for the Apple Developer Program account that registered the pass type identifier.
example: GH5P43ABC
passTypeIdentifier:
type: string
description: The pass type identifier that’s registered with Apple. The value must be the same as the distribution certificate used to sign the pass.
example: pass.myproject.participation.pk
wwdr:
type: string
description: Apple G1 or G4 worldwide developer relations intermediate certificate.
signerCert:
type: string
description: Apple pass [signer certificate](https://help.apple.com/developer-account/#/devbfa00fef7).
signerKey:
type: string
description: The encrypted key of the Apple pass signer certificate.
signerKeyPassphrase:
type: string
description: Passphrase for the encrypted key.
required:
- name
- template
- fileName
- teamIdentifier
- passTypeIdentifier
- wwdr
- signerCert
- signerKey
- signerKeyPassphrase
title: ApplePassTemplateRequest
GooglePassTemplateResponse:
type: object
properties:
id:
type: string
example: 3812166c-ac9f-4e4e-96dd-c1336b5be378
description: This is a unique identifier for this Google Pass template. You will use it as the `templateId` when formatting a CWT credential as a Google Pass.
passType:
$ref: '#/components/schemas/DigitalPassType'
name:
type: string
example: Certificate of participation
metadata:
type: object
properties:
issuerId:
type: string
example: '3388000000012346000'
serviceAccountClientEmail:
type: string
example: app-user@myproject.iam.gserviceaccount.com
payPassId:
type: string
example: 3388000000012345678.a0bbe92f-c85e-4081-94c3-f842bcd5e463
title: GooglePassTemplateResponse
GooglePassTemplatesResponse:
type: object
properties:
nextCursor:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1h
data:
type: array
items:
$ref: '#/components/schemas/GooglePassTemplateResponse'
title: GooglePassTemplatesResponse
description: ''
GooglePassTemplateRequest:
type: object
properties:
template:
type: string
format: binary
description: Includes your template files.
name:
type: string
description: Insert a name to identify this Google Pass template.
example: Certificate of participation
minLength: 1
maxLength: 1024
issuerId:
type: string
description: Google Wallet Pass signer issuer ID.
example: '3388000000012346000'
serviceAccountClientEmail:
type: string
description: Email address of the Google Cloud Platform service account for accessing the Google Pay Passes API.
example: app-user@myproject.iam.gserviceaccount.com
serviceAccountPrivateKey:
type: string
description: Private key PEM of the Google Cloud Platform service account.
required:
- name
- template
- issuerId
- serviceAccountClientEmail
- serviceAccountPrivateKey
title: GooglePassTemplateRequest
CreateDigitalPassRequest:
format: object
properties:
templateId:
type: string
description: Use the `id` of the template to be used to format this credential.
example: 3812166c-ac9f-4e4e-96dd-c1336b5be378
minLength: 1
payload:
type: string
description: String payload representation of the encoded CWT credential.
example: '{payload}'
title: CreateDigitalPassRequest
description: ''
CreateApplePassResponse:
type: string
description: The generated Apple Pass `.pkpass` file.
title: CreateApplePassResponse
format: binary
CreateGooglePassResponse:
description: The URL to retrieve the Google Pass from.
format: object
properties:
redirectTo:
type: string
description: Redirect URL to download the Google Pass to the Google Wallet.
example: https://pay.google.com/gp/v/save/{jwt}
title: CreateGooglePassResponse
IacaCertificateData:
title: IacaCertificateData
type: object
required:
- notAfter
- notBefore
- country
- commonName
properties:
notAfter:
type: string
format: date
example: '2034-09-26'
description: IACA's expiry date (defaults to 10 years from issuance if not provided in the request).
notBefore:
type: string
format: date
example: '2023-09-26'
description: IACA’s active from date.
country:
type: string
example: US
description: ISO 3166-1 alpha-2 Country code, based on the IACA creation request.
commonName:
type: string
default: '{tenantDomain} IACA'
description: IACA's name, based on the IACA creation request.
example: '{tenant-subdomain}.vii.mattr.global IACA'
stateOrProvinceName:
type: string
description: ISO 3166-1 alpha-2 State/Province code, based on the request body.
example: US-AL
IacaResponse:
title: IacaResponse
type: object
required:
- id
- active
- certificatePem
- certificateData
- certificateFingerprint
properties:
id:
type: string
format: uuid
description: Unique identifier of the created IACA.
active:
type: boolean
example: true
description: Indicates whether the IACA is active or not. Only active IACAs can be used to sign mDocs.
certificatePem:
type: string
example: "-----BEGIN CERTIFICATE-----\r\nMIICDjCCAbSgAwIBAgIKdeZsA5NPKimuAzAKBggqhkjOPQQDAjAiMSAwCQYDVQQG\r\nEwJOWjATBgNVBAMTDEV4YW1wbGUgSUFDQTAeFw0yMzA5MTEyMzM0MjJaFw0zMzA5\r\nMDgyMzM0MjJaMCIxIDAJBgNVBAYTAk5aMBMGA1UEAxMMRXhhbXBsZSBJQUNBMFkw\r\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBbK7JKKFMWuu8kHQK2qaML+MQ0Ykk3Qg\r\n/p3TC6lQKvYJozPSpLXbJQIzMPq9u/dG+j4vq1iX/G/jFIwfiEiKEqOB0TCBzjAS\r\nBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIABjAdBgNVHQ4EFgQU9zTh\r\nKsqFxAgRJDDGW1au+ewJK6owHgYDVR0SBBcwFYYTaHR0cHM6Ly9leGFtcGxlLmNv\r\nbTBpBgNVHR8EYjBgMF6gXKBahlhodHRwczovL2V4YW1wbGUuY29tL3YyL2NyZWRl\r\nbnRpYWxzL21vYmlsZS9pYWNhcy8yZTg5YzE1Ni0zMWQ1LTQ3ODMtYmQ1OS05MDU1\r\nYjVmOGU3ZDIvY3JsMAoGCCqGSM49BAMCA0gAMEUCIQDD+eU8iOsYYC0v41L94fhF\r\nZ0brPo4gx2aRxrhE3NLFpwIgIgHCPBXJ+JICJg3K7dEsr153So4SEZzAA1rRn4eF\r\nvkM=\r\n-----END CERTIFICATE-----\r\n"
description: Certificate PEM format.
certificateData:
$ref: '#/components/schemas/IacaCertificateData'
certificateFingerprint:
type: string
example: 3c06145a53e6c252091a71540f870d4d521dede9f176a681a74e38ddc47bb311
description: Hash that includes all certificate data and its signature.
isManaged:
type: boolean
example: true
description: Indicates whether the private key for this certificate is managed by MATTR (`true`) or out of band by the customer as an external IACA (`false`).
CreateManagedIacaRequest:
title: Managed IACA
type: object
properties:
commonName:
type: string
default: '{tenantDomain} IACA'
description: This optional parameter indicates the common name of the IACA certificate. When specified, the value must be a valid `PrintableString` and cannot be an empty string. If not provided and a custom domain is configured and verified, the custom domain is used followed by the word `IACA`. If no custom domain is configured, the tenant subdomain is used instead.
example: '{tenant-subdomain}.vii.mattr.global IACA'
country:
type: string
example: US
description: This optional parameter indicates the issuer country. If not provided, a country is selected based on the region of the tenant subdomain cloud host. When specified, the value must be a valid [Alpha 2 country code](https://www.iso.org/glossary-for-iso-3166.html) as per [ISO 3166-1](https://www.iso.org/standard/72482.html).
notBefore:
type: string
example: '2024-09-26'
description: This _optional_ parameter is used to set the date and time when the IACA becomes valid and can be used to sign mDocs. This can be used alongside the `active` field to support [IACA rotation](https://learn.mattr.global/docs/mdocs/trust#iaca-rotation) by creating inactive IACAs and distributing them to relying parties in advance. * Must not be in the past. * Must be before `notAfter`.
notAfter:
type: string
example: '2034-09-26'
description: This _optional_ parameter is used to set the date and time when the IACA expires. - If not provided, calculated as `notBefore` + 10 years. - If not provided and `notBefore` is not provided, calculated as time of creation + 10 years. - Maximum value is 20 years from creation. - Must be after `notBefore`, if provided.
stateOrProvinceName:
type: string
description: This optional parameter indicates the issuer state or province. When specified, the value must be uppercase and a valid state/province code as per [ISO 3166-2](https://www.iso.org/standard/72483.html).
example: US-AL
CreateUnmanagedIacaRequest:
title: Unmanaged (external) IACA
type: object
properties:
certificatePem:
type: string
description: IACA certificate in PEM format. The certificate must be valid and not expired.
example: "-----BEGIN CERTIFICATE-----\r\nMIICDjCCAbSgAwIBAgIKdeZsA5NPKimuAzAKBggqhkjOPQQDAjAiMSAwCQYDVQQG\r\nEwJOWjATBgNVBAMTDEV4YW1wbGUgSUFDQTAeFw0yMzA5MTEyMzM0MjJaFw0zMzA5\r\nMDgyMzM0MjJaMCIxIDAJBgNVBAYTAk5aMBMGA1UEAxMMRXhhbXBsZSBJQUNBMFkw\r\nEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEBbK7JKKFMWuu8kHQK2qaML+MQ0Ykk3Qg\r\n/p3TC6lQKvYJozPSpLXbJQIzMPq9u/dG+j4vq1iX/G/jFIwfiEiKEqOB0TCBzjAS\r\nBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIABjAdBgNVHQ4EFgQU9zTh\r\nKsqFxAgRJDDGW1au+ewJK6owHgYDVR0SBBcwFYYTaHR0cHM6Ly9leGFtcGxlLmNv\r\nbTBpBgNVHR8EYjBgMF6gXKBahlhodHRwczovL2V4YW1wbGUuY29tL3YyL2NyZWRl\r\nbnRpYWxzL21vYmlsZS9pYWNhcy8yZTg5YzE1Ni0zMWQ1LTQ3ODMtYmQ1OS05MDU1\r\nYjVmOGU3ZDIvY3JsMAoGCCqGSM49BAMCA0gAMEUCIQDD+eU8iOsYYC0v41L94fhF\r\nZ0brPo4gx2aRxrhE3NLFpwIgIgHCPBXJ+JICJg3K7dEsr153So4SEZzAA1rRn4eF\r\nvkM=\r\n-----END CERTIFICATE-----\r\n"
CreateIacaRequest:
oneOf:
- $ref: '#/components/schemas/CreateManagedIacaRequest'
- $ref: '#/components/schemas/CreateUnmanagedIacaRequest'
title: CreateIacaRequest
UpdateIacaRequest:
title: UpdateIacaRequest
type: object
required:
- active
properties:
active:
type: boolean
example: true
description: Indicates whether the IACA is active or not. Only active IACAs can be used to sign mDocs.
DocumentSignerCsrResponse:
title: Document Signer without certificate
type: object
description: Document signer before a certificate has been uploaded. Includes a Certificate Signing Request (CSR).
required:
- id
- iacaId
- active
- csrPem
properties:
id:
type: string
format: uuid
description: Each Document Signer created on MATTR VII will have a unique identifier which must be provided when using this Document Signer to sign an mDoc.
iacaId:
type: string
format: uuid
description: Unique identifier of the IACA used to sign the Document Signer.
active:
type: boolean
description: Indicates the Document Signer status. Only active Document Signers (`true`) can be used to sign mDocs.
csrPem:
type: string
description: The X.509 Certificate Signing Request (CSR) in PEM format, base64 encoded. Use this CSR to generate a valid certificate, then update the document signer with the resulting certificate.
example: '-----BEGIN CERTIFICATE REQUEST-----...-----END CERTIFICATE REQUEST-----'
DocumentSignerCertificateData:
title: DocumentSignerCertificateData
type: object
required:
- notAfter
- notBefore
- country
- commonName
properties:
notAfter:
type: string
format: date
example: '2034-09-26'
description: Timestamp indicating when can this certificate expires.
notBefore:
type: string
format: date
example: '2023-09-30'
description: Timestamp indicating when can this certificate become active.
country:
type: string
example: US
description: ISO 3166-1 alpha-2 Country code.
stateOrProvinceName:
type: string
example: US-AL
description: ISO 3166-1 alpha-2 State/Province code.
commonName:
type: string
default: '{tenantDomain} Document Signer'
example: '{tenant-subdomain}.vii.mattr.global Document Signer'
description: Certificate's common name.
DocumentSignerCertificateResponse:
title: Document Signer with certificate
type: object
description: Document signer after a certificate has been uploaded. Includes the uploaded certificate in PEM format, as well as the certificate's fingerprint and data.
required:
- id
- iacaId
- active
- certificatePem
- certificateFingerprint
- certificateData
properties:
id:
type: string
format: uuid
description: Each Document Signer created on MATTR VII will have a unique identifier which must be provided when using this Document Signer to sign an mDoc.
iacaId:
type: string
format: uuid
description: Unique identifier of the IACA used to sign the Document Signer.
active:
type: boolean
description: Indicates the Document Signer status. Only active Document Signers (`true`) can be used to sign mDocs.
certificatePem:
type: string
description: Document Signer Certificate (DSC) in PEM format.
example: '-----BEGIN CERTIFICATE-----\r\nMIICbzCCAhSgAwIBAgIKfS7sskyJEh+DOzAKBggqhkjOPQQDAjAiMSAwCQYDVQQG\r\nEwJOWjATBgNVBAMTDEV4YW1wbGUgSUFDQTAeFw0yMzA5MTEyMzM0MjJaFw0yNDA5\r\nMTAyMzM0MjJaMDExLzAJBgNVBAYTAk5aMCIGA1UEAxMbZXhhbXBsZS5jb20gRG9j\r\ndW1lbnQgU2lnbmVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7fa+jv9zCtHQ\r\nmKn7o1dS6lBHD5thlhPqjlx7qEfqy8Im9AcQJDal2sr/fUxhHwf/G4ublS7AL04U\r\n73dzr/ozxaOCASEwggEdMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFLdNNPTmPxt0\r\nLqvlZnV/QL86MXOxMB8GA1UdIwQYMBaAFPc04SrKhcQIESQwxltWrvnsCSuqMA4G\r\nA1UdDwEB/wQEAwIAgDAeBgNVHREEFzAVhhNodHRwczovL2V4YW1wbGUuY29tMB4G\r\nA1UdEgQXMBWGE2h0dHBzOi8vZXhhbXBsZS5jb20waQYDVR0fBGIwYDBeoFygWoZY\r\naHR0cHM6Ly9leGFtcGxlLmNvbS92Mi9jcmVkZW50aWFscy9tb2JpbGUvaWFjYXMv\r\nMmU4OWMxNTYtMzFkNS00NzgzLWJkNTktOTA1NWI1ZjhlN2QyL2NybDASBgNVHSUE\r\nCzAJBgcogYxdBQECMAoGCCqGSM49BAMCA0kAMEYCIQCfgn6+QoNfDVelJANl+Jp9\r\ncq7X9paZylfnI6UGr1FM6gIhAIzhiyclDa8+/ZSRfu7KfgGrNRaJ8YQ6vevskJls\r\nIavC\r\n-----END CERTIFICATE-----\r\n'
certificateFingerprint:
type: string
description: Document Signer Certificate (DSC) Hash that includes all certificate data and its signature.
example: f6cad6e579d70b3973efa60624af731a580d1a11a7579e70f2f10f059dc86172
certificateData:
$ref: '#/components/schemas/DocumentSignerCertificateData'
ListDocumentSignersResponse:
title: ListDocumentSignersResponse
type: object
required:
- data
properties:
data:
type: array
items:
oneOf:
- $ref: '#/components/schemas/DocumentSignerCsrResponse'
- $ref: '#/components/schemas/DocumentSignerCertificateResponse'
nextCursor:
type: string
CreateDocumentSignerRequest:
title: CreateDocumentSignerRequest
type: object
required:
- iacaId
properties:
iacaId:
type: string
format: uuid
description: |
Internal identifier of the IACA used to sign this document signer:
- Must be an unmanaged (external) IACA.
DocumentSignerResponse:
oneOf:
- $ref: '#/components/schemas/DocumentSignerCsrResponse'
- $ref: '#/components/schemas/DocumentSignerCertificateResponse'
title: DocumentSignerResponse
UpdateDocumentSignerRequest:
title: UpdateDocumentSignerRequest
type: object
required:
- active
properties:
active:
description: This required parameter defines the status of the created Document Signer. Only active Document Signers can be used to sign mDocs.
type: boolean
certificatePem:
description: |
Document Signer Certificate (DSC) in PEM format. The certificate must be:
- Valid
- Not expired
- Compliant with the details provided in the Certificate Signing Request returned when the Document Signer was created
Refer to [Certificate requirements](https://learn.mattr.global/docs/issuance/certificates/overview#certificate-requirements) in the external certificates documentation for a full list of requirements detailed in the CSR.
type: string
example: '-----BEGIN CERTIFICATE-----\r\nMIICbzCCAhSgAwIBAgIKfS7sskyJEh+DOzAKBggqhkjOPQQDAjAiMSAwCQYDVQQG\r\nEwJOWjATBgNVBAMTDEV4YW1wbGUgSUFDQTAeFw0yMzA5MTEyMzM0MjJaFw0yNDA5\r\nMTAyMzM0MjJaMDExLzAJBgNVBAYTAk5aMCIGA1UEAxMbZXhhbXBsZS5jb20gRG9j\r\ndW1lbnQgU2lnbmVyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7fa+jv9zCtHQ\r\nmKn7o1dS6lBHD5thlhPqjlx7qEfqy8Im9AcQJDal2sr/fUxhHwf/G4ublS7AL04U\r\n73dzr/ozxaOCASEwggEdMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFLdNNPTmPxt0\r\nLqvlZnV/QL86MXOxMB8GA1UdIwQYMBaAFPc04SrKhcQIESQwxltWrvnsCSuqMA4G\r\nA1UdDwEB/wQEAwIAgDAeBgNVHREEFzAVhhNodHRwczovL2V4YW1wbGUuY29tMB4G\r\nA1UdEgQXMBWGE2h0dHBzOi8vZXhhbXBsZS5jb20waQYDVR0fBGIwYDBeoFygWoZY\r\naHR0cHM6Ly9leGFtcGxlLmNvbS92Mi9jcmVkZW50aWFscy9tb2JpbGUvaWFjYXMv\r\nMmU4OWMxNTYtMzFkNS00NzgzLWJkNTktOTA1NWI1ZjhlN2QyL2NybDASBgNVHSUE\r\nCzAJBgcogYxdBQECMAoGCCqGSM49BAMCA0kAMEYCIQCfgn6+QoNfDVelJANl+Jp9\r\ncq7X9paZylfnI6UGr1FM6gIhAIzhiyclDa8+/ZSRfu7KfgGrNRaJ8YQ6vevskJls\r\nIavC\r\n-----END CERTIFICATE-----\r\n'
DocumentSignerRevokeRequest:
type: object
description: Empty request body for document signer revocation
DocumentSignerRevokeResponse:
type: object
properties:
revoked:
type: boolean
description: Indicates whether this document signer has been revoked
example: true
revocationDate:
type: string
description: ISO 8601 timestamp indicating when the Document Signer was revoked
example: '2025-10-31T23:59:59Z'
required:
- revoked
- revocationDate
StatusListSignerCreateResponse:
type: object
required:
- id
- active
- iacaId
- csrPem
properties:
id:
type: string
format: uuid
description: Unique identifier for this status list.
iacaId:
type: string
format: uuid
description: Identifies the IACA used to sign this status list signer.
active:
type: boolean
description: Indicates whether or not this signer can currently be used to sign status lists. Status list signers can only be set to active after a valid certificate is provided.
example: false
csrPem:
type: string
description: The X.509 Certificate Signing Request (CSR) in PEM format, base64 encoded. Use this CSR to generate a valid certificate, then update the status list signer with the resulting certificate.
example: '-----BEGIN CERTIFICATE REQUEST-----...-----END CERTIFICATE REQUEST-----'
StatusListSignerUpdateResponse:
type: object
required:
- id
- iacaId
- active
- certificatePem
- certificateFingerprint
- certificateData
properties:
id:
type: string
format: uuid
description: Unique identifier for this status list.
iacaId:
type: string
format: uuid
description: Identifies the IACA used to sign this status list signer.
active:
type: boolean
description: Indicates whether or not this signer can currently be used to sign status lists.
example: true
certificatePem:
type: string
description: Status list signer certificate in PEM format. This will match the PEM referenced in the status list token.
certificateFingerprint:
type: string
example: 475DA948E4BA44D9B5BC31AB4B8006113FD5F538
certificateData:
type: object
description: Metadata about the status list signer certificate.
properties:
notBefore:
type: string
description: Timestamp indicating when can this certificate become active.
format: date-time
notAfter:
type: string
description: Timestamp indicating when this certificate expires.
format: date-time
country:
type: string
description: ISO 3166-1 alpha-2 Country code.
stateOrProvinceName:
type: string
description: ISO 3166-1 alpha-2 State/Province code.
organisationName:
type: string
description: Optional organization identifier.
required:
- notBefore
- notAfter
- country
- commonName
StatusListSignerResponse:
oneOf:
- $ref: '#/components/schemas/StatusListSignerCreateResponse'
- $ref: '#/components/schemas/StatusListSignerUpdateResponse'
StatusListSignersResponse:
type: object
properties:
data:
type: array
items:
$ref: '#/components/schemas/StatusListSignerResponse'
StatusListSignerCreateRequest:
type: object
properties:
iacaId:
type: string
format: uuid
description: |
Internal identifier of the IACA used to sign this status list signer:
- Must be the same IACA used to sign credentials that are included in a status list signed by this status list signer.
- Must be an unmanaged (external) IACA.
required:
- iacaId
StatusListSignerUpdateRequest:
type: object
properties:
active:
type: boolean
description: Status list signer status. Must be set to `true` for this status list signer to be available for signing status lists.
certificatePem:
type: string
description: |
Status list signer certificate in PEM format. The certificate must be:
- Valid
- Not expired
- Compliant with the details provided in the Certificate Signing Request returned when the status list signer was created
StatusListSignerRevokeRequest:
type: object
description: Empty request body for status list signer revocation
StatusListSignerRevokeResponse:
type: object
properties:
revoked:
type: boolean
description: Indicates whether this status list signer has been revoked
example: true
revocationDate:
type: string
description: Timestamp in ISO 8601 format (UTC) indicating when this status list signer was revoked
example: '2025-10-31T23:59:59Z'
required:
- revoked
- revocationDate
ClaimMapFrom:
type: string
description: |-
Path to the mapped claim in the configured claims source:
- When using a URL as a claims namespace identifier, use bracket notation to access the claim value (e.g. mapFrom: "claims['https://example.com/claim-name']").
- `mapForm` is optional when `defaultValue` is provided, as the latter will be used for all issued credentials. This is referred to as a **static claim**.
example: claims.given_name
ClaimRequired:
type: boolean
description: Indicates whether the claim is required (`true`) or not (`false`). When a required claim is not available, credential issuance will fail.
default: false
ClaimDefaultValue:
description: Indicates what value is used if `required` is set to `false` (field is optional) and no value is provided by the claims source. When `defaultValue` is provided, `mapFrom` and `type` are optional.
type: string
ClaimMappings:
title: ClaimMappings
type: object
description: This is where you specify how to map claims (user attributes) into issued credentials.
example:
org.iso.18013.5.1:
given_name:
mapFrom: claims.given_name
required: true
type: string
birth_date:
mapFrom: claims.date_of_birth
required: true
type: dateTime
properties:
additionalProperties:
title: namespace
description: Each object corresponds to a claims source and is referenced as a `namespace`.
type: object
properties:
additionalProperties:
title: claim
description: Each object corresponds to a claim in the issued credential, and contains fields that control the mapping logic.
oneOf:
- type: object
title: Boolean
properties:
mapFrom:
$ref: '#/components/schemas/ClaimMapFrom'
type:
type: string
description: |-
* Claim data type (boolean).
* Mapped value must be a boolean.
* Mapped to `bool` CBOR data type in the signed credential.
* Optional when `defaultValue` is provided.
enum:
- boolean
required:
$ref: '#/components/schemas/ClaimRequired'
defaultValue:
$ref: '#/components/schemas/ClaimDefaultValue'
- type: object
title: Number
properties:
mapFrom:
$ref: '#/components/schemas/ClaimMapFrom'
type:
type: string
description: |-
* Claim data type (number).
* Mapped value must be a number.
* Mapped to `uint` CBOR data type in the signed credential.
* Optional when `defaultValue` is provided.
enum:
- number
required:
$ref: '#/components/schemas/ClaimRequired'
defaultValue:
$ref: '#/components/schemas/ClaimDefaultValue'
- type: object
title: String
properties:
mapFrom:
$ref: '#/components/schemas/ClaimMapFrom'
type:
type: string
description: |-
* Claim data type (string).
* Mapped value must be a string.
* Mapped to `tstr` CBOR data type in the signed credential.
* Optional when `defaultValue` is provided.
enum:
- string
required:
$ref: '#/components/schemas/ClaimRequired'
defaultValue:
$ref: '#/components/schemas/ClaimDefaultValue'
- type: object
title: Binary
properties:
mapFrom:
$ref: '#/components/schemas/ClaimMapFrom'
type:
type: string
description: |-
* Claim data type (binary).
* Mapped value must be a string in `base64` string format.
* Mapped to `bstr` CBOR data type in the signed credential.
* This type must be used for any images signed as part of the credential.
* Maximum supported image size is 500KB.
* Recommended image size is below 50KB for optimal performance.
enum:
- binary
required:
$ref: '#/components/schemas/ClaimRequired'
defaultValue:
$ref: '#/components/schemas/ClaimDefaultValue'
- type: object
title: Date
properties:
mapFrom:
$ref: '#/components/schemas/ClaimMapFrom'
type:
type: string
description: |-
* Claim data type (date).
* Mapped value must be a string in `YYYY-MM-DD` format.
* Mapped to the `1004` CBOR tag as a `full-date` CBOR data type in the signed credential.
enum:
- date
required:
$ref: '#/components/schemas/ClaimRequired'
defaultValue:
$ref: '#/components/schemas/ClaimDefaultValue'
- type: object
title: Date/Time
properties:
mapFrom:
$ref: '#/components/schemas/ClaimMapFrom'
type:
type: string
description: |-
* Claim data type (date/time).
* Mapped value must be a string in YYYY-MM-DD HH:MM:SS format ([ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) compliant).
* Mapped to the `0` CBOR tag as a `tdate` CBOR data type in the signed credential.
enum:
- dateTime
required:
$ref: '#/components/schemas/ClaimRequired'
defaultValue:
$ref: '#/components/schemas/ClaimDefaultValue'
- type: object
title: Array
properties:
mapFrom:
$ref: '#/components/schemas/ClaimMapFrom'
type:
type: string
description: |-
* Claim data type (array).
* Mapped value must be an array.
* Array elements are mapped to the following CBOR data types in the signed credential:
* number => `uint`
* string => `tstr`
* array => CBOR array []
* map => CBOR map {}
enum:
- array
required:
$ref: '#/components/schemas/ClaimRequired'
defaultValue:
$ref: '#/components/schemas/ClaimDefaultValue'
- type: object
title: Object
properties:
mapFrom:
$ref: '#/components/schemas/ClaimMapFrom'
type:
type: string
description: |-
* Claim data type (object).
* Mapped value must be an object.
* Passed object must be a valid JSON structure.
* Object items are mapped to the following CBOR data types in the signed credential:
* number => `uint`
* string => `tstr`
* array => CBOR array []
* map => CBOR map {}
enum:
- object
required:
$ref: '#/components/schemas/ClaimRequired'
defaultValue:
$ref: '#/components/schemas/ClaimDefaultValue'
- type: object
title: ISO 18013-5 Driving Privileges
properties:
mapFrom:
$ref: '#/components/schemas/ClaimMapFrom'
type:
type: string
description: |-
* Claim data type (Driving Privileges).
* Mapped value must be a compliant `org.iso.18013.5.1.driving_privileges` object as per ISO 18013-5.
* Mapped to a CBOR data type compliant with org.iso.18013.5.1.
enum:
- org.iso.18013.5.1.driving_privileges
required:
$ref: '#/components/schemas/ClaimRequired'
defaultValue:
$ref: '#/components/schemas/ClaimDefaultValue'
components-schemas-CredentialConfiguration:
type: object
properties:
type:
description: |-
Used to differentiate between different mDocs configurations on your tenant. Thus, its value must:
- Be unique across all mDocs configurations on your tenant.
- Not be `VerifiableCredential`.
- When set to `org.iso.18013.5.*.mDL` (where `*` is a positive integer), MATTR VII recognizes that this is attempt to create an mDL credential configuration and will fail if the validity period is set to 427 days or more.
type: string
minLength: 1
maxLength: 1024
example: org.iso.18013.5.1.mDL
claimMappings:
$ref: '#/components/schemas/ClaimMappings'
claimSourceId:
type: string
format: uuid
description: References the unique identifier of a claims source that can be used to retrieve claims and include them in the issued credential.
expiresIn:
type: object
description: |-
Used to determine when issued credentials will expire, relative to issuance date:
- Ignored if a valid `validUntil` date/time is provided.
- Cannot be before the `validFrom` date/time.
- If `expiresIn` is used to determine the credential's expiry date and `validFrom` is provided, the expiration date will still be calculated based on the issuance date, not the `validFrom` value.
- Can include any combination of years, months, weeks, days, hours, minutes and seconds.
- If `type` is set to `org.iso.18013.5.*.mDL` (for issuing an mDL), the maximum validity is 427 days.
- For any other `type`, the maximum validity is 3620 days.
Credential expiry can never exceed the validity period of the IACA used as the root certificate when signing the credential. However, all validity checks (including those for IACA and credential validity periods) only occur when an individual credential is being signed, not when the generic credential configuration template is created (Refer to [IACA selection](/docs/mdocs/trust#iaca-selection) for more information on how an IACA is selected when signing an mDoc). As a result, issuance will fail if the `expiresIn` value exceeds the validity of all currently active IACAs at the time of issuance.
properties:
years:
type: number
months:
type: number
example: 1
weeks:
type: number
days:
type: number
hours:
type: number
minutes:
type: number
seconds:
type: number
validFrom:
type: object
description: |-
Specifies an explicit date and time from which the credential becomes valid.
- Must be mapped from the provided user claims.
- Must be formatted as a valid ISO 8601 date/time string.
- If not provided, defaults to using the issuance date as the starting point for the credential's validity.
- Cannot be after the credential's expiration date/time.
- Cannot be before the credential's issuance date/time.
Credential expiry can never exceed the validity period of the IACA used as the root certificate when signing the credential. However, all validity checks (including those for IACA and credential validity periods) only occur when an individual credential is being signed, not when the generic credential configuration template is created (Refer to [IACA selection](/docs/mdocs/trust#iaca-selection) for more information on how an IACA is selected when signing an mDoc). As a result, issuance will fail if the `validFrom` value exceeds the validity of all currently active IACAs at the time of issuance.
properties:
mapFrom:
type: string
validUntil:
type: object
description: |-
Specifies an explicit date and time at which the credential expires.
- Must be mapped from the provided user claims.
- Must be formatted as a valid ISO 8601 date/time string.
- If not provided, the expiration date will be determined based on the `expiresIn` value provided in the credential configuration.
- Cannot be before the `validFrom` date/time.
- If `type` is set to `org.iso.18013.5.*.mDL` (for issuing an mDL), the maximum validity is 427 days.
- For any other `type`, the maximum validity is 3620 days.
Credential expiry can never exceed the validity period of the IACA used as the root certificate when signing the credential. However, all validity checks (including those for IACA and credential validity periods) only occur when an individual credential is being signed, not when the generic credential configuration template is created (Refer to [IACA selection](/docs/mdocs/trust#iaca-selection) for more information on how an IACA is selected when signing an mDoc). As a result, issuance will fail if the `validUntil` value exceeds the validity of all currently active IACAs at the time of issuance.
properties:
mapFrom:
type: string
components-schemas-CredentialConfigurationResponse:
required:
- id
- type
- expiresIn
- claimMappings
allOf:
- type: object
properties:
id:
type: string
format: uuid
description: Uniquely identifies the created credential configuration. This identifier can be used to create an offer based on this credential configuration, or to retrieve, update or remove the credential configuration.
example: 983c0a86-204f-4431-9371-f5a22e506599
branding:
type: object
description: Credential branding information
example:
name: Credential name
description: Credential Description
backgroundColor: '#FFFFFF'
watermarkImage: data:image/png;base64,{image-data}
issuerLogo: data:image/png;base64,{image-data}
issuerIcon: data:image/svg+xml;base64,{image-data}
properties:
name:
description: This string is displayed on the top part of the credential in the holder's digital wallet.
type: string
description:
description: This string is displayed below the name field on the credential in the holder's digital wallet.
type: string
backgroundColor:
description: Color hex code used for the credential background color in the holder's digital wallet.
type: string
watermarkImage:
description: |-
Watermarks are displayed included as a pattern on the credential in the holder's digital wallet. You can provide either a URL to the image, or a Data URI (base64 encoded) with the following requirements:
- URL/URI must be publicly available.
- File must be 245x150 px in size.
- **svg** and **png** files are supported. We recommend using **svg** files to allow proper scaling across the UI and enable optimal performance.
- If no watermark image is provided, a wave pattern is applied to the credentials by default.
- The recommended maximum size is 150 KB.
type: string
issuerLogo:
description: |-
The issuer logo is displayed on the bottom part of the credential in the holder's digital wallet. You can provide either a URL to the image, or a Data URI (base64 encoded) with the following requirements:
- URL/URI must be publicly available.
- File must be 140x42 px in size.
- **svg** and **png** files are supported. We recommend using **svg** files to allow proper scaling across the UI and enable optimal performance.
- Transparencies are allowed for **svg** and **png** files.
- The recommended maximum size is 50 KB.
- If no logo is provided, the first letter of the issuer name is displayed instead.
type: string
issuerIcon:
description: |-
The issuer icon is displayed next to the issuer's logo on the bottom part of the credential in the holder's digital wallet. You can provide either a URL to the image, or a Data URI (base64 encoded) with the following requirements:
- URL/URI must be publicly available.
- File must be 32x32 px in size.
- **svg** and **png** files are supported. We recommend using **svg** files to allow proper scaling across the UI and enable optimal performance.
- Transparencies are allowed for **svg** and **png** files.
- The recommended maximum size is 15 KB.
type: string
includeStatus:
type: boolean
default: false
example: true
description: When set to `true`, issued mDocs will include a 'status' field, which can be subsequently changed to 'valid', 'invalid', or 'suspended'.
- $ref: '#/components/schemas/components-schemas-CredentialConfiguration'
title: CredentialConfigurationResponse
components-schemas-GetCredentialConfigurationsResponse:
type: object
properties:
nextCursor:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1hNjZmZmVhNS04NDhlLTQzOWQtODBhNC1kZGE1NWY1M2UzNmM
description: Starting point for next cursor to use in a page
data:
type: array
items:
$ref: '#/components/schemas/components-schemas-CredentialConfigurationResponse'
title: GetCredentialConfigurationsResponse
components-schemas-CredentialConfigurationRequest:
required:
- type
- expiresIn
- claimMappings
allOf:
- $ref: '#/components/schemas/components-schemas-CredentialConfiguration'
- type: object
properties:
branding:
type: object
description: Used to apply branding to issued credentials.
example:
name: Credential name
description: Credential Description
backgroundColor: '#FFFFFF'
watermarkImage: data:image/png;base64,{image-data}
issuerLogo: https://example-path-to-image-data.com
issuerIcon: data:image/svg+xml;base64,{image-data}
properties:
name:
description: Insert a meaningful name for the credential. This string is displayed on the top part of the credential in the holder's digital wallet.
type: string
description:
description: Insert a meaningful description for the credential. This string is displayed below the name field on the credential in the holder's digital wallet.
type: string
backgroundColor:
description: Insert a color hex code to use for the credential background color in the holder's digital wallet.
type: string
watermarkImage:
description: |-
Watermarks are displayed included as a pattern on the credential in the holder's digital wallet. You can provide either a URL to the image, or a Data URI (base64 encoded) with the following requirements:
- URL/URI must be publicly available.
- File must be 245x150 px in size.
- **svg** and **png** files are supported. We recommend using **svg** files to allow proper scaling across the UI and enable optimal performance.
- If no watermark image is provided, a wave pattern is applied to the credentials by default.
- The recommended maximum size is 150 KB.
type: string
issuerLogo:
description: |-
The issuer logo is displayed on the bottom part of the credential in the holder's digital wallet. When not provided, the issuer's name and `issuerIcon` are used instead. You can provide either a URL to the image, or a Data URI (base64 encoded) with the following requirements:
- URL/URI must be publicly available.
- File must be 140x42 px in size.
- **svg** and **png** files are supported. We recommend using **svg** files to allow proper scaling across the UI and enable optimal performance.
- Transparencies are allowed for **svg** and **png** files.
- The recommended maximum size is 50 KB.
- If no logo is provided, the first letter of the issuer name is displayed instead.
type: string
issuerIcon:
description: |-
The issuer icon is displayed next to the issuer's name when the credential is offered to the holder. It is also displayed next to the issuer's name on the bottom part of the credential when `issuerLogo` is not provided. When `issuerIcon` is not provided, the first letter from the issuer name is used instead. You can provide either a URL to the image, or a Data URI (base64 encoded) with the following requirements:
- URL/URI must be publicly available.
- File must be 32x32 px in size.
- **svg** and **png** files are supported. We recommend using **svg** files to allow proper scaling across the UI and enable optimal performance.
- Transparencies are allowed for **svg** and **png** files.
- The recommended maximum size is 15 KB.
type: string
includeStatus:
type: boolean
default: false
description: When set to `true`, issued mDocs are [revocable](https://learn.mattr.global/docs/mdocs/revocation). They include a `status` object, which refers a [Status list](https://learn.mattr.global/docs/mdocs/revocation#status-list) where the mDoc status is indicated. Revocable mDocs are issued as **valid** by default, but this status can later be changed to **invalid** or **suspended**.
example: true
title: CreateCredentialConfigurationRequest
schemas-CredentialStatus:
title: CredentialStatus
type: object
required:
- status
properties:
status:
description: |-
mDoc status. Available values depend on the Status List configuration format:
**Draft 14 of the IETF Token Status List specification (1-bit)**: `valid`, `invalid`
**Deprecated Legacy format (2-bit)**: `valid`, `invalid`, `suspended`
type: string
enum:
- valid
- suspended
- invalid
example: valid
timeToLiveDuration:
type: object
description: Defines how long relying parties can cache Status list tokens of this docType before it is recommended to retrieve a new Status list token from the tenant. Cannot exceed `expiryDuration`.
example:
days: 1
expiryDuration:
type: object
description: Defines how long relying parties can cache Status list tokens of this docType before they expire. Once a Status list token expires, relying parties can no longer use it to check credentials status and must retrieve a new one from the tenant. Regardless of the value of this parameter, Status list tokens expiry cannot exceed the validity of the IACA that is used to sign the Status list token.
example:
days: 2
CreateStatusListConfigurationResponse:
required:
- id
- docType
- timeToLiveDuration
- expiryDuration
allOf:
- type: object
properties:
id:
type: string
format: uuid
description: Uniquely identifies the created Status list configuration.
example: 983c0a86-204f-4431-9371-f5a22e506599
docType:
type: string
description: The unique docType the created Status list configuration is associated with.
example: Drivers License
timeToLiveDuration:
$ref: '#/components/schemas/timeToLiveDuration'
expiryDuration:
$ref: '#/components/schemas/expiryDuration'
GetStatusListConfigurationsResponse:
title: GetCredentialConfigurationsResponse
type: object
properties:
nextCursor:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1hNjZmZmVhNS04NDhlLTQzOWQtODBhNC1kZGE1NWY1M2UzNmM
description: Starting point for next cursor to use in a page
data:
type: array
items:
$ref: '#/components/schemas/CreateStatusListConfigurationResponse'
StatusListConfiguration:
type: object
properties:
docType:
description: Status list configurations are unique per docType on your tenant. This value must match the type set when [creating an mDoc credential configuration](/docs/issuance/credential-configuration/api-reference/mdocs#create-an-mdocs-credential-configuration).
type: string
minLength: 1
maxLength: 1024
example: DriverLicense
timeToLiveDuration:
$ref: '#/components/schemas/timeToLiveDuration'
expiryDuration:
$ref: '#/components/schemas/expiryDuration'
StatusListConfigurationRequest:
title: StatusListConfigurationRequest
required:
- docType
- timeToLiveDuration
- expiryDuration
allOf:
- $ref: '#/components/schemas/StatusListConfiguration'
- type: object
StatusListConfigurationUpdateRequest:
properties:
timeToLiveDuration:
$ref: '#/components/schemas/timeToLiveDuration'
expiryDuration:
$ref: '#/components/schemas/expiryDuration'
StatusListResponse:
type: object
properties:
id:
type: string
format: uuid
description: Unique identifier for this status list.
iacaId:
type: string
format: uuid
description: Identifies the IACA used as the root certificate for credentials in this status list.
statusListConfigurationId:
type: string
format: uuid
description: Identifies the status list configuration that determines the status list validity period.
listSize:
type: integer
description: The maximum number of credentials that can be added to this list before a new status list must be created.
example: 100000
list:
type: string
example: 0oRZAu6jEHRtYXR0ci1zdGF0dXNs...
description: The base-64 encoded token of this status list.
StatusListsResponse:
type: object
properties:
data:
type: array
items:
$ref: '#/components/schemas/StatusListResponse'
DistributionStatusListsResponseLatest:
type: object
description: Draft 14 of the IETF Token Status List specification format where `status_lists` is an array of URL strings
required:
- status_lists
properties:
status_lists:
type: array
description: All Status list URLs available on this tenant (Draft 14 of the IETF Token Status List specification format)
items:
type: string
example: https://learn.vii.au01.mattr.global/v2/credentials/mobile/status-lists/{statusListId}/token
description: URL of a Status list token
DistributionStatusListsResponseLegacy:
type: object
description: Legacy response format where `status_lists` is an array of objects, each containing a `uri` field that points to the Status list token URL.
required:
- status_lists
properties:
status_lists:
type: array
description: All Status lists available on this tenant (legacy format)
items:
type: object
required:
- uri
properties:
uri:
type: string
example: https://learn.vii.au01.mattr.global/v2/credentials/mobile/status-lists/{statusListId}/token
description: URL of a Status list token
DistributionStatusListsResponse:
type: object
description: Response format depends on the Status List configuration format (Draft 14 of the IETF Token Status List specification vs legacy)
anyOf:
- $ref: '#/components/schemas/DistributionStatusListsResponseLatest'
- $ref: '#/components/schemas/DistributionStatusListsResponseLegacy'
TrustedIssuer:
required:
- id
- certificatePem
- certificateData
allOf:
- type: object
properties:
id:
type: string
format: uuid
description: Unique identifier representing this trusted issuer.
example: ed74319e-72a6-4401-b3a5-94e980fbebea
certificatePem:
type: string
description: PEM certificate containing trusted issuer data.
example: '-----BEGIN CERTIFICATE-----\r\nMIICUDCCAfWgAwIBAgIKVVqBlVonWFs3lTAKBggqhkjOPQQDAjAkMQswCQYDVQQG\r\nEwJOWjEVMBMGA1UEAwwMRXhhbXBsZSBJQUNBMB4XDTI0MDExMTAzMjYwMFoXDTM0\r\nMDEwODAzMjYwMFowJDELMAkGA1UEBhMCTloxFTATBgNVBAMMDEV4YW1wbGUgSUFD\r\nQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOHxm9MYkCvIvZc/MyoWGul8+tla\r\nFSSRVkDllFERbO/Tg7DOj4CJfYrhDJEuV04eRgcowBDhr9W/bvnTMZMa/RijggEN\r\nMIIBCTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4E\r\nFgQUpS3hOCbmCUwu8n91X9CLS682cOkwOwYDVR0SBDQwMoYwaHR0cHM6Ly9odWRz\r\nb24tdGVuYW50LTAwMS52aWkuYXUzMDEubWF0dHJsYWJzLmlvMIGGBgNVHR8EfzB9\r\nMHugeaB3hnVodHRwczovL2h1ZHNvbi10ZW5hbnQtMDAxLnZpaS5hdTMwMS5tYXR0\r\ncmxhYnMuaW8vdjIvY3JlZGVudGlhbHMvbW9iaWxlL2lhY2FzL2VkNzQzMTllLTcy\r\nYTYtNDQwMS1iM2E1LTk0ZTk4MGZiZWJlYS9jcmwwCgYIKoZIzj0EAwIDSQAwRgIh\r\nAJxWGZvntq+hymL7zWwrlZo1Jz1+lWglu/MESdmUhTNFAiEAg+x5e3TzBxgHneIM\r\nVpTmZNOyZI3Hn17WRKkyKSg+5/8=\r\n-----END CERTIFICATE-----\r\n'
certificateData:
type: object
description: JSON representation of certificate validity and identifying info.
properties:
notAfter:
type: string
format: date
description: Date after which the certificate cannot be used to issue valid mDocs.
example: '2033-09-23'
notBefore:
type: string
format: date
description: Date before which the certificate cannot be used to issue valid mDocs.
example: '2023-09-23'
country:
type: string
format: date
description: Country code from the certificate subject's RelativeDistinguishedName.
example: NZ
commonName:
type: string
format: date
description: Common Name from the certificate subject's RelativeDistinguishedName.
example: Example Trusted Issuer
GetTrustedIssuersResponse:
type: object
properties:
nextCursor:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1hNjZmZmVhNS04NDhlLTQzOWQtODBhNC1kZGE1NWY1M2UzNmM
description: Starting point for next cursor to use in a page
data:
type: array
items:
$ref: '#/components/schemas/TrustedIssuer'
title: GetTrustedIssuersResponse
TrustedIssuerRequest:
required:
- certificatePem
allOf:
- type: object
properties:
certificatePem:
type: string
description: Certificate PEM containing trusted issuer data. This PEM can represent a future-dated IACA to support seamless rotation.
example: '-----BEGIN CERTIFICATE-----\r\nMIICUDCCAfWgAwIBAgIKVVqBlVonWFs3lTAKBggqhkjOPQQDAjAkMQswCQYDVQQG\r\nEwJOWjEVMBMGA1UEAwwMRXhhbXBsZSBJQUNBMB4XDTI0MDExMTAzMjYwMFoXDTM0\r\nMDEwODAzMjYwMFowJDELMAkGA1UEBhMCTloxFTATBgNVBAMMDEV4YW1wbGUgSUFD\r\nQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOHxm9MYkCvIvZc/MyoWGul8+tla\r\nFSSRVkDllFERbO/Tg7DOj4CJfYrhDJEuV04eRgcowBDhr9W/bvnTMZMa/RijggEN\r\nMIIBCTASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4E\r\nFgQUpS3hOCbmCUwu8n91X9CLS682cOkwOwYDVR0SBDQwMoYwaHR0cHM6Ly9odWRz\r\nb24tdGVuYW50LTAwMS52aWkuYXUzMDEubWF0dHJsYWJzLmlvMIGGBgNVHR8EfzB9\r\nMHugeaB3hnVodHRwczovL2h1ZHNvbi10ZW5hbnQtMDAxLnZpaS5hdTMwMS5tYXR0\r\ncmxhYnMuaW8vdjIvY3JlZGVudGlhbHMvbW9iaWxlL2lhY2FzL2VkNzQzMTllLTcy\r\nYTYtNDQwMS1iM2E1LTk0ZTk4MGZiZWJlYS9jcmwwCgYIKoZIzj0EAwIDSQAwRgIh\r\nAJxWGZvntq+hymL7zWwrlZo1Jz1+lWglu/MESdmUhTNFAiEAg+x5e3TzBxgHneIM\r\nVpTmZNOyZI3Hn17WRKkyKSg+5/8=\r\n-----END CERTIFICATE-----\r\n'
VerifierCACertificateResponse:
type: object
title: VerifierCACertificateResponse
description: Response payload for verifier root CA certificate
properties:
id:
type: string
description: Unique identifier for this Verifier root CA certificate.
certificatePem:
type: string
description: DTS root CA certificate in PEM format.
example: |-
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAL5...
-----END CERTIFICATE-----
certificateFingerprint:
type: string
description: Hash that includes all the Verifier root CA certificate data and its signature.
example: a3b2c1d4e5f60718293a4b5c6d7e8f90123456789abcdef0123456789abcdef0
certificateData:
type: object
required:
- commonName
- country
- notAfter
- notBefore
- organisationName
properties:
commonName:
type: string
description: The common name of the Verifier root CA certificate.
example: Example Verifier
country:
type: string
description: The country associated with the Verifier root CA certificate.
example: US
notAfter:
type: string
format: date-time
description: The Verifier root CA certificate's expiration date and time.
example: '2024-10-22T00:00:00Z'
notBefore:
type: string
format: date-time
description: The Verifier root CA certificate's validity period start date and time.
example: '2023-10-22T00:00:00Z'
active:
type: boolean
default: true
description: Indicates if the Verifier root CA certificate is active. Only active Verifier root CA certificates can be used to sign other intermediate certificates.
isManaged:
type: boolean
description: Indicates whether the private key for this Verifier root CA certificate is managed by MATTR (`true`) or out of band by the customer as an external certificate (`false`).
VerifierCACertificateManagedRequest:
title: Managed Verifier root CA certificate
type: object
description: Request payload for managed verifier root CA certificate
properties:
commonName:
type: string
default: '{tenantDomain} Verifier'
description: |
Used to define the common name of the created verifier root CA certificate. Used to establish trust with the verifier by wallets that implement certificate-based trust.
- When provided, the value must be a valid `PrintableString` and cannot be an empty string.
- If not provided and a custom domain is configured and verified, the custom domain is used followed by the word `IACA`.
- If no custom domain is configured, the tenant subdomain is used instead.
country:
type: string
description: Indicates the verifier's country. If not provided, a country is selected based on the region of the tenant subdomain cloud host. When specified, the value must be a valid [Alpha 2 country code](https://www.iso.org/glossary-for-iso-3166.html) as per [ISO 3166-1](https://www.iso.org/standard/72482.html).
notBefore:
type: string
format: date-time
description: |
Used to set the date and time when the Verifier root CA certificate becomes valid and can be used to sign other intermediate certificates.
- Must not be in the past.
- Must be before `notAfter`.
notAfter:
type: string
format: date-time
description: |
Used to set the date and time when the Verifier root CA certificate expires.
- If not provided, calculated as `notBefore` + 20 years.
- If not provided and `notBefore` is not provided, calculated as time of creation + 20 years.
- Maximum value is 20 years from creation.
- Must be after `notBefore`, if provided.
VerifierCACertificateUnmanagedRequest:
title: Unmanaged Verifier root CA certificate
type: object
required:
- certificatePem
description: Request payload for unmanaged verifier root CA certificate
properties:
certificatePem:
type: string
description: Verifier root CA certificate in PEM format. The certificate must be valid and not expired.
VerifierCACertificateUpdateRequest:
type: object
required:
- active
description: Request payload for updating a verifier root CA certificate.
properties:
active:
type: boolean
default: true
description: Indicates if the Verifier root CA certificate is active. Only active certificates can be used to sign other intermediate certificates.
VerifierSignerCaType:
type: string
description: |
Specifies the type of certificate authority for the verifier root certificate.
- Set to `mattr` if the certificate is managed by MATTR.
- Set to `apple` if it is an Apple Business Connect certificate.
- Set to `external` if the certificate is managed outside of MATTR (e.g., using your own PKI).
enum:
- mattr
- apple
- external
SubjectAlternativeName:
type: object
required:
- type
- value
properties:
type:
type: integer
description: |
[Numeric identifier](https://datatracker.ietf.org/doc/html/rfc5280?utm_source=chatgpt.com#section-4.2.1.6) of the SAN type. For Apple Business Connect certificates, the identifier will be 2 (DNS name).
value:
type: string
description: The Subject Alternative Name (SAN) value corresponding to the specified type. This should be a domain where you intend to use Verify with Wallet for the Web.
UpdateVerificationRequestSignerResponse:
title: Verification request signer with certificate
description: |
Verification request signer after a Verification Request Signer Certificate (VRSC) has been uploaded. Includes the uploaded certificate in PEM format,
as well as the certificate's fingerprint and data. Each `caType` has different rules:
- `mattr` - MATTR manages the verifier signer and it cannot be updated.
- `apple` - the `certificatePem` must be a certificate that Apple Business Connect issued using this verifier signer's `csrPem`.
- `caType` - the `certificatePem` can be from any issuer but needs to match the public key specified in `csrPem`.
type: object
required:
- id
- caType
- active
- certificatePem
- certificateFingerprint
- certificateData
properties:
id:
type: string
format: uuid
description: Each Verification request signer will have a unique identifier which must be provided when using this Verification request signer to sign a Verification request.
example: 782f1885-c7c2-4459-8426-b6d7c111b0b1
caType:
$ref: '#/components/schemas/VerifierSignerCaType'
active:
type: boolean
description: Indicates if the Verification request signer is active. Only active Verification request signers can be used to sign Verification requests.
example: true
certificatePem:
type: string
description: Verification Request Signer Certificate (VRSC) in PEM format.
example: |-
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAL5...
-----END CERTIFICATE-----
certificateFingerprint:
type: string
description: VRSC Hash that includes all certificate data and its signature.
example: f6cad6e579d70b3973efa60624af731a580d1a11a7579e70f2f10f059dc86172
certificateData:
type: object
required:
- commonName
- country
- notAfter
- notBefore
properties:
commonName:
type: string
description: The common name of the VRSC.
example: example.com
country:
type: string
description: The country associated with the VRSC.
example: US
notAfter:
type: string
format: date-time
description: VRSC expiration date and time.
example: '2024-10-22T00:00:00Z'
notBefore:
type: string
format: date-time
description: VRSC validity period start date and time.
example: '2023-10-22T00:00:00Z'
subjectAlternativeNames:
type: array
description: Required when caType is set to "apple" (Apple Business Connect). Specifies the domains where Verify with Wallet for the Web can be used. Each entry must be a fully qualified domain name (FQDN) covered by the Apple-issued certificate.
items:
$ref: '#/components/schemas/SubjectAlternativeName'
CreateVerificationRequestSignerResponse:
title: Verification request signer without certificate
description: Verification request signer before a Verification Request Signer Certificate (VRSC) has been uploaded. Includes the Certificate Signing Request (CSR).
type: object
required:
- id
- caType
- csrPem
- caId
- active
properties:
id:
type: string
format: uuid
description: Each Verification request signer will have a unique identifier which must be provided when using this Verification request signer to sign a verification request.
example: 782f1885-c7c2-4459-8426-b6d7c111b0b1
csrPem:
type: string
description: The X.509 Certificate Signing Request (CSR) in PEM format, base64 encoded. Use this CSR to generate a valid certificate, then update the Verification request signer with the resulting certificate. If `caType` is `apple`, upload the `csrPem` to Apple Business Connect to issue a `certificatePem`.
example: |-
-----BEGIN CERTIFICATE REQUEST-----
MIIDXTCCAkWgAwIBAgIJAL5...
-----END CERTIFICATE REQUEST-----
caId:
type: string
format: uuid
description: Unique identifier of the Verifier root CA certificate used to sign the Verification request signer.
example: b0aae560-10e7-4247-8e96-7cdd3578a1e2
active:
type: boolean
description: |
Indicates if the Verifier request signer is active.
- Only active Verification request signers can be used to sign Verification requests.
- Verification request signers are created as inactive by default.
enum:
- false
example: false
caType:
$ref: '#/components/schemas/VerifierSignerCaType'
nextCursor:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1hNjZmZmVhNS04NDhlLTQzOWQtODBhNC1kZGE1NWY1M2UzNmM
description: Starting point for next cursor to use in a paginated list.
ExternalVerificationRequestSignerCreateRequest:
description: Request payload for creating a Verification request signer using an unmanaged (external) Verifier root CA certificate.
type: object
required:
- caId
properties:
caId:
type: string
format: uuid
description: |
Internal identifier of the Verifier root CA certificate that will be used for signing the Verification request signer.
- Must be an unmanaged (external) Verifier root CA certificate.
example: b0aae560-10e7-4247-8e96-7cdd3578a1e2
caType:
type: string
description: Indicates the source of the verifier root CA certificate. Set to `external` if the verifier root CA certificate is managed outside of MATTR (e.g., using your own PKI).
enum:
- external
AppleVerificationRequestSignerCreateRequest:
description: Request payload for creating a Verification request signer that uses an Apple Business Connect root CA. The CSR produced from this request must be uploaded to Apple Business Connect. Apple then issues a certificate that you upload to MATTR VII to associate with the signer.
type: object
required:
- caType
- emailAddress
- country
- stateOrProvinceName
- organizationName
- commonName
properties:
caType:
type: string
description: |
Source of the verifier root CA certificate. Set to `apple` when the root CA is issued and managed by Apple Business Connect.
Apple Business Connect support is a tech preview; functionality may be limited and subject to change.
enum:
- apple
emailAddress:
type: string
format: email
description: Email address for the domain or IT administrator.
example: user@example.com
country:
type: string
description: Two-letter country code (ISO 3166-1 alpha-2).
example: US
stateOrProvinceName:
type: string
description: State, province, or region where the company is registered.
example: California
organizationName:
type: string
description: Legal name of the company.
example: MATTR Learn
commonName:
type: string
description: Fully qualified domain name (FQDN) hosting the verifier application.
example: my-verifier.example.com
VerificationRequestSignerCreateRequest:
oneOf:
- $ref: '#/components/schemas/ExternalVerificationRequestSignerCreateRequest'
- $ref: '#/components/schemas/AppleVerificationRequestSignerCreateRequest'
verifierSignerId:
description: Unique identifier of the Verification Request Signer Certificate (VRSC).
type: string
format: uuid
example: b0aae560-10e7-4247-8e96-7cdd3578a1e2
VerificationRequestSignerUpdateRequest:
type: object
required:
- active
properties:
active:
type: boolean
description: Indicates if the Verification request signer is active. Only active Verification request signers can be used for signing verification requests.
example: true
certificatePem:
type: string
description: Verification Request Signer Certificate (VRSC) in PEM format. If `caType` is `apple`, then this certificate must be issued by Apple Business Connect.
example: |-
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAL5...
-----END CERTIFICATE-----
VerifierApplicationDisplay:
type: object
description: Controls the appearance of the iframe modal displayed in cross-device presentation workflows. This object is **required** when `supportedModes` is set to `all` or `crossDevice`.
properties:
logoImage:
type: object
description: Logo to be displayed on the top left corner of the iframe modal.
properties:
url:
type: string
description: URL of logo image.
example: https://example-logo-image-url.com
altText:
type: string
description: Alt text for logo image.
example: Logo image
required:
- url
- altText
headerText:
type: string
description: Header text displayed in the iframe modal.
example: Share your information.
bodyText:
type: string
description: Optional body text displayed in the iframe modal, explaining the context in which the credentials will be shared.
example: Please scan the QR code to the right to provide information required for this interaction.
privacyPolicyUrl:
type: string
description: Optional privacy policy URL to include in the iframe modal.
example: https://example-privacy-policy.com
primaryColorHex:
type: string
description: Optional hex rgb triplet to indicate the primary color of the iframe modal.
example: '#FFFFFF'
required:
- logoImage
- headerText
WebVerifierApplication:
type: object
title: Web Verifier Application
description: Configuration for an mDocs online verifier web application. Either OpenID4VP or Digital Credentials API configuration must be provided.
properties:
type:
type: string
enum:
- web
description: Defines the type of the verifier application.
domain:
type: string
description: Fully qualified domain name of verifier application that can create an online presentation session. This ensures the verifier tenant only accepts requests from known and trusted applications. Note that `localhost` is not supported. Use local tunneling services for testing.
example: example-verifier-web-application.com
additionalDomains:
type: array
description: List of fully qualified domain names of additional verifier applications who can create an online presentation session.
example:
- example-verifier-web-application.com
minItems: 1
items:
type: string
example: example-verifier-web-application.com
openid4vpConfiguration:
type: object
description: |
Configuration settings that enable verification using OpenID4VP.
At least one of `openid4vpConfiguration` or `dcApiConfiguration` must be provided.
properties:
supportedModes:
type: string
description: Indicates whether a verifier supports only a same-device flow, a cross-device flow, or both. This enables the relying party to adjust verification workflows based on their own business logic and security requirements.
default: all
enum:
- all
- sameDevice
- crossDevice
redirectUris:
type: array
example:
- https://example-verifier-web-application.com/presentation/callback
minItems: 1
description: |
This is the location the user is redirected to when completing a same-device presentation flow. This can be any URI, including custom URI schemes.
- The domain must match one of the domains specified in the `domain` or `additionalDomains` fields.
- Wildcard path fragments are supported (e.g. `https://www.example.com/*/callback`) only in the path component.
items:
type: string
display:
$ref: '#/components/schemas/VerifierApplicationDisplay'
required:
- redirectUris
dcApiConfiguration:
type: object
description: |
Configuration settings that enable verification using the Digital Credentials API.
At least one of `openid4vpConfiguration` or `dcApiConfiguration` must be provided.
> DC API support is currently offered as a **tech preview**. As such, functionality may be limited, may not work in all scenarios, and could change or break without prior notice.
required:
- supportedBrowserPlatforms
properties:
supportedBrowserPlatforms:
type: object
description: |-
Specifies which platforms are supported by the Digital Credentials API, allowing customers to restrict API access to selected platforms.
At least one platform must be enabled.
properties:
desktop:
type: boolean
description: Desktop browser.
mobile:
type: boolean
description: Mobile browser.
example:
desktop: true
mobile: true
required:
- desktop
- mobile
resultAvailableInFrontChannel:
type: boolean
description: Indicates whether or not the verification result should be returned directly to the verifier application (`true`) or only via a configured back-end (`false`). Refer to the [detailed workflow](https://learn.mattr.global/docs/verification/remote-web-verifiers/workflow#the-mattr-vii-verifier-tenant-returns-the-verification-results) for more information.
default: true
required:
- domain
- type
teamId:
type: string
description: Team ID of the iOS app.
example: A2B3C4D5E6
IosVerifierApplication:
type: object
title: iOS Verifier Application
description: Configuration for an mDocs online verifier iOS application.
properties:
type:
type: string
enum:
- ios
description: Defines the type of the verifier application.
bundleId:
type: string
description: Bundle ID of the iOS app.
example: com.example-verifier-ios-application
openid4vpConfiguration:
type: object
properties:
redirectUri:
type: string
example: https://example-verifier-web-application.com/presentation/callback
description: This is the location the user is redirected to when completing the presentation flow. This can be any URI, including custom URI schemes.
required:
- redirectUri
resultAvailableInFrontChannel:
type: boolean
description: Indicates whether or not the verification result should be returned directly to the web application (`true`) or only via a configured back-end (`false`). Refer to the [detailed workflow](https://learn.mattr.global/docs/verification/remote-web-verifiers/workflow#the-mattr-vii-verifier-tenant-returns-the-verification-results) for more information.
default: true
teamId:
$ref: '#/components/schemas/teamId'
required:
- bundleId
- type
- teamId
AndroidVerifierApplication:
type: object
title: Android Verifier Application
description: Configuration for an mDocs online verifier Android application.
properties:
type:
type: string
enum:
- android
description: Defines the type of the verifier application.
packageName:
type: string
description: Package name of the Android application that will interact with this verifier application.
example: com.example-verifier-android-application
packageSigningCertificateThumbprints:
type: array
description: |
- SHA-256 hex-encoded fingerprints of the signing key certificates that were used to sign the Android Package Kit (APK) or app bundle.
- This ensures the verifier tenant only accepts requests from known and trusted applications.
- Any verification requests will fail if the certificate thumbprint does not match. Refer to [Android app signing](https://learn.mattr.global/docs/verification/android-app-signing) for more information.
items:
type: string
example:
- 1232584B6F6A892D356899FB9576C5F226A179E6199F2B7A1D837B5C234C5A8E
openid4vpConfiguration:
type: object
description: |
Configuration settings that enable verification using OpenID4VP.
At least one of `openid4vpConfiguration` or `dcApiConfiguration` must be provided.
properties:
redirectUri:
type: string
example: https://example-verifier-android-application.com/presentation/callback
description: This is the location the user is redirected to when completing the presentation flow. This can be any URI, including custom URI schemes.
required:
- redirectUri
dcApiConfiguration:
description: |
Configuration settings that enable verification using the Digital Credentials API.
At least one of `openid4vpConfiguration` or `dcApiConfiguration` must be provided.
> DC API support is currently offered as a **tech preview**. As such, functionality may be limited, may not work in all scenarios, and could change or break without prior notice.
type: object
properties:
enabled:
type: boolean
resultAvailableInFrontChannel:
type: boolean
description: Indicates whether or not the verification result should be returned directly to the Android application (`true`) or only via a configured back-end (`false`). Refer to the [detailed workflow](https://learn.mattr.global/docs/verification/remote-web-verifiers/workflow#the-mattr-vii-verifier-tenant-returns-the-verification-results) for more information.
default: true
required:
- type
- packageName
- packageSigningCertificateThumbprints
VerifierApplicationResponse:
type: object
title: VerifierApplicationResponse
description: Verifier application response.
properties:
id:
type: string
description: Unique identifier corresponding to the verifier application.
example: 1ef1f867-20b4-48ea-aec1-bea7aff4964c
name:
type: string
description: Unique name to identify the verifier application.
example: Example Verifier Web Application
resultAvailableInFrontChannel:
type: boolean
description: Indicates whether or not the verification result should be returned directly to the web application (`true`) or only via a configured back-end (`false`). Refer to the [detailed workflow](https://learn.mattr.global/docs/verification/remote-web-verifiers/workflow#the-mattr-vii-verifier-tenant-returns-the-verification-results) for more information.
default: true
required:
- id
- name
oneOf:
- $ref: '#/components/schemas/WebVerifierApplication'
- $ref: '#/components/schemas/IosVerifierApplication'
- $ref: '#/components/schemas/AndroidVerifierApplication'
VerifierApplicationRequest:
type: object
description: Configuration for an mDocs online verifier application.
properties:
name:
type: string
description: Unique name to identify the verifier application.
example: Example Verifier Web Application
required:
- name
oneOf:
- $ref: '#/components/schemas/WebVerifierApplication'
- $ref: '#/components/schemas/IosVerifierApplication'
- $ref: '#/components/schemas/AndroidVerifierApplication'
WalletProviderResponse:
type: object
title: WalletProviderResponse
description: Response payload for verifier wallet provider
properties:
id:
type: string
description: Unique system generated id to use as a reference for this wallet.
example: e63a2e46-5afa-48f9-bcc2-2114cf5f331b
name:
type: string
description: Unique identifier for the wallet. This field is compared against the wallet identifier defined in the request by the [Verifier Web SDK](https://api-reference-sdk.mattr.global/verifier-sdk-web/latest/index.html#md:request-credentials-to-support-both-same-device-and-cross-device).
example: Example wallet provider
openid4vpConfiguration:
type: object
properties:
authorizationEndpoint:
description: Url scheme used to invoke this wallet. It is named `authorizationEndpoint` because the wallet acts as an Authorisation server as per the [OAuth 2.0 framework](https://datatracker.ietf.org/doc/html/rfc6749).
type: string
example: com-example.wallet://
required:
- authorizationEndpoint
required:
- id
- name
- openid4vpConfiguration
WalletProviderRequest:
type: object
title: WalletProviderRequest
description: Request payload for verifier wallet provider
properties:
name:
type: string
description: Unique identifier for the wallet. This field is compared against the wallet identifier defined in the request by the [Verifier Web SDK](https://api-reference-sdk.mattr.global/verifier-sdk-web/latest/index.html#md:request-credentials-to-support-both-same-device-and-cross-device). Value must be unique amongst configured wallet providers on your tenant.
example: Example wallet provider
openid4vpConfiguration:
type: object
properties:
authorizationEndpoint:
description: Url scheme used to invoke this wallet. It is named `authorizationEndpoint` because the wallet acts as an Authorisation server as per the [OAuth 2.0 framework](https://datatracker.ietf.org/doc/html/rfc6749).
type: string
example: com-example.wallet://
required:
- authorizationEndpoint
required:
- name
- openid4vpConfiguration
PresentationSuccessResult:
type: object
additionalProperties: false
required:
- sessionId
- challenge
- credentialQuery
properties:
sessionId:
type: string
challenge:
type: string
credentialQuery:
type: array
items:
type: object
credentials:
type: array
items:
type: object
properties:
docType:
type: string
validityInfo:
type: object
properties:
signed:
type: string
validFrom:
type: string
validUntil:
type: string
expectedUpdate:
type: string
claims:
type: object
claimErrors:
type: object
branding:
type: object
properties:
name:
type: string
example: Example Branding
description:
type: string
example: Example Branding Description
backgroundColor:
type: string
example: '#FFFFFF'
watermarkImage:
type: object
properties:
format:
type: string
example: svg
data:
type: string
example: aWNvbg==
issuerLogo:
type: object
properties:
format:
type: string
example: svg
data:
type: string
example: aWNvbg==
issuerIcon:
type: object
properties:
format:
type: string
example: svg
data:
type: string
example: aWNvbg==
issuerInfo:
type: object
properties:
commonName:
type: string
trustedIssuerId:
type: string
verificationResult:
type: object
properties:
verified:
type: boolean
reason:
type: object
properties:
type:
type: string
message:
type: string
ecosystemValidation:
type: object
properties:
validated:
type: boolean
policyVersion:
type: string
failReasons:
type: array
items:
type: object
properties:
type:
type: string
message:
type: string
error:
type: object
properties:
type:
type: string
message:
type: string
credentialErrors:
type: array
items:
type: object
properties:
docType:
type: string
errorCode:
type: string
PresentationFailureResult:
type: object
additionalProperties: false
required:
- sessionId
- challenge
- credentialQuery
- error
properties:
sessionId:
type: string
challenge:
type: string
credentialQuery:
type: array
items:
type: object
error:
type: object
properties:
type:
type: string
message:
type: string
merchantId:
type: string
description: The [merchantIdentifier](https://developer.apple.com/documentation/passkit/pkidentityrequest/merchantidentifier) used by PassKit to retrieve credential data.
example: com.domain.subdomain
AppleIdentityAccessCertificateSigningResponse:
type: object
properties:
id:
type: string
description: Unique identifier corresponding to the Apple Identity Access CSR.
example: fd44e792-45ac-11f0-bef8-bb24f133065e
teamId:
$ref: '#/components/schemas/teamId'
merchantId:
$ref: '#/components/schemas/merchantId'
csrPem:
type: string
description: Certificate Signing Request (CSR) in PEM format.
required:
- id
- teamId
- merchantId
- csrPem
AppleIdentityAccessCertificateSigningRequest:
type: object
properties:
teamId:
$ref: '#/components/schemas/teamId'
merchantId:
$ref: '#/components/schemas/merchantId'
required:
- teamId
- merchantId
TrustedIssuersResponse:
type: object
title: TrustedIssuersResponse
description: Response payload for trusted issuer
properties:
iacas:
type: array
description: List of trusted IACAs.
items:
type: object
properties:
certificate:
type: string
description: Trusted IACA certificate.
WebSemanticCredentialSignRequest:
title: SignWebSemanticCredentialRequest
type: object
required:
- payload
properties:
payload:
type: object
properties:
name:
type: string
example: Course credential
description: Insert a meaningful name for the credential. This string is displayed on the top part of the credential in the holder's digital wallet. Maximum length is 18 characters, and additional characters will not be displayed.
description:
type: string
description: Insert a meaningful description for the credential. This string is displayed below the `name` field on the credential in the holder's digital wallet. Maximum length is 38 characters, and additional characters will not be displayed.
example: This credential shows that the person has attended the mention course and attained the relevant awards.
'@context':
type: array
description: |-
Optional array of contexts that can be used to expand credential claims and convey their meaning. As part of the credential creation MATTR VII will auto-inject the following contexts, which reference the W3C Verifiable Credential definitions:
- https://www.w3.org/2018/credentials/v1
- https://mattr.global/contexts/vc-extensions/v2
- https://w3id.org/vc-revocation-list-2020/v1 (only for revocable credentials).
If you require introducing a different context for your production implementation, please contact us. Referenced contexts must be whitelisted or credential issuance will fail. In-line context definitions would also result in an error.
minLength: 1
example:
- https://optionalschema.example/
items:
type: string
minLength: 0
type:
description: This array of credential types indicates what sort of information a credential holds. This is a unique identifier used to differentiate between various JSON credential types. MATTR VII automatically injects `VerifiableCredential` as the first value of this array, and you must include at least one additional value in the request payload.
type: array
example:
- EducationalOccupationalCredential
- AlumniCredential
items:
type: string
minLength: 1
description: Describes the additional specific types of the claimed data, must be within the scope of @context, resulting credential will always include VerifiableCredential.
credentialSubject:
type: object
description: Each value is a claim defined by one of the JSON-LD schemas.
minItems: 1
example:
id: did:example:abcdb1f712ebc6f1c276e12ec21
givenName: Jamie
familyName: Doe
alumniOf: Example University
credentialBranding:
type: object
description: Includes optional credential branding properties. Refer to [this video](https://www.youtube.com/watch?v=Tu8ApHBWG90) for branding best practices.
properties:
backgroundColor:
type: string
example: '#B00AA0'
description: Insert a color hex code to use for the credential background color in the holder's digital wallet.
watermarkImageUrl:
type: string
example: https://example.edu/img/watermark.png
description: |-
Insert a URL for a watermark image to be included as a pattern on the credential in the holder's digital wallet:
- URL must be publicly available.
- Must be 245x150 px in size.
- **svg**, **png** and **jpg** files are supported, but **svg** is recommended.
issuer:
type: object
description: Includes Issuer id (DID) and domain name.
required:
- id
- name
properties:
id:
type: string
example: did:issuer:abcdb1f712ebc6f1c276e12ec21
description: Use the DID that identifies the credential's issuer, which attests the claims in the credential. This must be a publicly available and resolvable `did:web` for the credential to be valid and verifiable.
name:
type: string
description: Insert a meaningful name to indicate the issuer. This string is used when the credential is offered to the holder. It is also used on the bottom part of the credential when `logoURL` is not provided.
example: ABC University
logoUrl:
type: string
description: |-
Insert a URL for a logo that is displayed on the bottom part of the credential. If no logo is provided, the issuer's `name` and `iconURL` are used instead. The logo must meet the following criteria:
- URL must be publicly available.
- Must be 140x42 px in size.
- **svg**, **png** and **jpg** files are supported, but **svg** is recommended. Raster images, whilst supported, are currently displayed at 1x resolution and may look pixelated on some devices.
- Transparencies are allowed for **svg** or **png** images.
- If no logo is provided, the first letter of the issuer name is displayed instead.
- The recommended maximum size is 50 KB.
example: https://example.edu/img/logo.png
iconUrl:
type: string
example: https://example.edu/img/icon.png
description: |-
Insert a URL for an icon that is displayed next to the issuer's name when the credential is offered to the holder. It is also displayed next to the issuer's name on the bottom part of the credential when `logoURL` is not provided. When `iconURL` is not provided, the first letter from `name` is used instead. The icon must meet the following criteria:
- URL must be publicly available.
- Must be 32x32 px in size.
- **svg**, **png** and **jpg** files are supported, but **svg** is recommended. Raster images, whilst supported, are currently displayed at 1x resolution and may look pixelated on some devices.
- Transparencies are allowed for svg or png images.
- The recommended maximum size is 15 KB.
expirationDate:
type: string
example: '2024-02-01T08:12:38.156Z'
description: Insert the credential expiration date, after which it will not be considered valid and cannot be verified. Expiration date can not be in the past or before `issuanceDate`. When not specified, the credential will not have an expiration date and never expire.
issuanceDate:
type: string
description: The timestamp at which the credential becomes valid. This can be used to issue future-dated credentials. Must not be in the past or after `expirationDate`, when the latter is specified. When not specified, `issuanceDate` will default to the current time.
example: '2023-02-01T08:12:38.156Z'
required:
- type
- claims
- issuer
- credentialSubject
proofType:
description: |-
This is an _optional_ field which defines the cryptographic algorithm used to sign the credential. The credential Issuer's DID must contain a key that supports the corresponding signing capability. If no `proofType` is provided, the credential will be signed using the key that is available in the Issuer's DID:
- If a `Bls12381G2` key is available, the credential will be signed with a `BbsSignature2022` proof. Credentials signed with this proof type support selective disclosure.
- If a `Bls12381G2` key is unavailable but a `Ed25519` key is available, the credential will be signed with a `Ed25519Signature2018 proof`. Credentials signed with this proof type **do not** support selective disclosure.
- If none of the two suitable keys are available, the request will be rejected and the credential will not be created.
type: string
enum:
- Ed25519Signature2018
- BbsSignature2022
example: Ed25519Signature2018
tag:
type: string
description: Insert a case sensitive tag to reference this credential. The gets stored as part of the credential metadata and can be used to search for it in the credential registry.
example: identifier123
minLength: 1
maxLength: 1024
persist:
type: boolean
description: |-
When set to `true`, both the credential and the credential metadata are stored in the credential registry. When set to `false`, only the following metadata is stored in the credential registry:
- `id`
- `tag`
- `credentialStatus`
- `issuanceDate`
Credentials by nature tend to hold Personally Identifying Information (PII). Before storing credential data, familiarize yourself with compliance to any PII restrictions that may apply to your use-case.
default: false
revocable:
type: boolean
description: When set to `true`, the created credential can later be revoked. When set to `false`, the credential cannot be revoked. When set to `true`, `https://w3id.org/vc-revocation-list-2020/v1` is injected into the credential `@context` object when it is issued. This references the JSON-LD definition of the `credentialStatus` object.
default: false
description: Sign JSON credential request
schemas-VerifiableCredential:
type: object
properties:
'@context':
type: array
description: |-
As part of the credential creation MATTR VII will auto-inject the following contexts, which reference the W3C Verifiable Credential definitions:
- https://www.w3.org/2018/credentials/v1
- https://mattr.global/contexts/vc-extensions/v2
- https://w3id.org/vc-revocation-list-2020/v1 (only for revocable credentials).
If you require introducing a different context for your production implementation, please [contact us](mailto:dev-support@mattr.global). Referenced contexts must be whitelisted or credential issuance will fail. In-line context definitions would also result in an error.
example:
- https://www.w3.org/2018/credentials/v1
- https://mattr.global/contexts/vc-extensions/v2
- https://w3id.org/vc-revocation-list-2020/v1
- https://optionalschema.example/
items:
type: string
minLength: 1
type:
type: array
example:
- VerifiableCredential
- AlumniCredential
items:
type: string
minLength: 1
example: '"AlumniCredential", "VerifiableCredential"'
issuer:
description: Includes issuer id (did) and its domain (inside name parameter)
oneOf:
- type: string
- type: object
properties:
id:
type: string
example: did:web:organization.com
name:
type: string
example: Example University
issuanceDate:
type: string
format: date-time
example: '2020-05-02T12:06:29.156Z'
credentialStatus:
$ref: '#/components/schemas/CredentialStatus'
credentialSubject:
type: object
example:
givenName: Jamie
familyName: Doe
alumniOf: Example University
properties:
givenName:
type: string
example: Jamie
familyName:
type: string
example: Doe
alumniOf:
type: string
example: Example University
proof:
$ref: '#/components/schemas/ED25519Signature2018'
name:
type: string
example: Alumni Credential
description: Name of the credential (requires v2 data model)
description:
type: string
example: This credential shows that the person has attended the mentioned university.
description: Description of the credential (requires v2 data model)
required:
- type
- issuanceDate
- credentialSubject
- proof
title: VerifiableCredential
WebSemanticCredentialSignResponse:
title: SignWebSemanticCredentialResponse
type: object
x-examples: {}
properties:
id:
type: string
example: 873277c0-a162-11ea-8a1d-a111119347e6
description: Unique identifier of the new JSON credential.
credential:
$ref: '#/components/schemas/schemas-VerifiableCredential'
tag:
type: string
example: identifier123
description: Credential tag, as inserted in the request. Can be used to search the credential registry.
credentialStatus:
$ref: '#/components/schemas/CredentialStatus'
issuanceDate:
type: string
example: '2020-05-02T12:06:29.156Z'
required:
- id
- credential
- issuanceDate
description: Sign JSON credential response
GetCredentialResponse:
type: object
x-examples: {}
title: WebManifestResponse
properties:
id:
type: string
example: 873277c0-a162-11ea-8a1d-a111119347e6
credential:
$ref: '#/components/schemas/VerifiableCredential'
tag:
type: string
example: identifier123
credentialStatus:
$ref: '#/components/schemas/CredentialStatus'
issuanceDate:
type: string
example: '2020-05-02T12:06:29.156Z'
required:
- id
- issuanceDate
GetCredentialsResponse:
type: object
properties:
nextCursor:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1hNjZmZmVhNS04NDhlLTQzOWQtODBhNC1kZGE1NWY1M2UzNmM
description: Starting point for next cursor to use in a page
data:
type: array
items:
$ref: '#/components/schemas/GetCredentialResponse'
title: GetCredentialsResponse
VerifyWebSemanticCredentialRequest:
title: VerifyWebSemanticCredentialRequest
type: object
description: VerifyWebSemanticCredentialRequest
required:
- payload
properties:
payload:
allOf:
- $ref: '#/components/schemas/VerifiableCredential'
description: Replace with the contents of the credential object from the response obtained when creating a JSON credential. Make sure you only include the contents of the `credential` object and not the entire response.
assertExpiry:
type: boolean
description: When set to `true`, verification will fail when expiration date has passed. This field is deprecated in favour of `assertValidUntil`, and will be disabled from September 2024.
default: true
deprecated: true
checkRevocation:
type: boolean
description: When set to `true`, verification will fail when the credential has been revoked.
default: true
assertValidFrom:
type: boolean
description: When set to `true`, verification will fail when `issuanceDate` has not been reached.
default: true
assertValidUntil:
type: boolean
description: When set to `true`, verification will fail when `expirationDate` has passed. When specified, this overrides the deprecated `assertExpiry` property.
default: false
VerifyWebSemanticCredentialResponse:
title: VerifyWebSemanticCredentialResponse
type: object
description: VerifyWebSemanticCredentialResponse
required:
- verified
properties:
verified:
type: boolean
description: |-
Indicates whether the verification status is `true` or `false`. For responses that show the verified status to be `false`, a further error body is returned with more details about the error:
- The credential has been revoked.
- The Issuer DID cannot be resolved.
- The issuer public key is invalid.
- The credential JSON-LD context is invalid.
- The credential signature is invalid.
reason:
type: object
properties:
type:
type: string
message:
type: string
required:
- type
- message
RevocationStatusResponse:
type: object
properties:
isRevoked:
type: boolean
description: Indicates whether the credential is revoked (`true`) or not (`false`).
example: false
required:
- isRevoked
description: ''
title: RevocationStatusResponse
SetRevocationStatus:
type: object
properties:
isRevoked:
type: boolean
description: Indicates whether the credential is revoked (`true`) or not (`false`).
example: false
required:
- isRevoked
description: ''
title: SetRevocationStatus
CreatePayloadRequest:
description: Create a payload
type: object
properties:
from:
type: string
minLength: 1
description: The sender's DID URL, obtained from the `id` field of the first `keyAgreement` entry of the DID document. This must be a DID with a key type suitable for messaging (not a BLS key type).
example: did:web:organization.com
to:
type: array
description: The intended recipients DID URL.
items:
type: string
example:
- did:key:subjectDid1
- did:key:subjectDid2
- did:key:subjectDid3
required:
- from
- to
title: CreatePayloadRequest
RevocationStatusNotification:
title: RevocationStatusNotification
type: object
properties:
id:
type: string
minLength: 1
type:
type: string
minLength: 1
to:
type: array
items:
required:
- string
properties: {}
example:
- did:key:subjectDid1
- did:key:subjectDid2
- did:key:subjectDid3
from:
type: string
minLength: 1
example: did:web:organization.com
created_time:
type: number
body:
type: object
properties:
revocationListCredential:
type: string
minLength: 1
revocationListIndex:
type: string
minLength: 1
isRevoked:
type: boolean
required:
- revocationListCredential
- revocationListIndex
- isRevoked
required:
- id
- type
- to
- from
- created_time
- body
CreatePresentationQueryByExample:
type: object
x-examples: {}
title: CreatePresentationQueryByExample
properties:
type:
type: string
example: QueryByExample
description: Indicates what type of query method would be used by presentation requests created from this presentation template. For basic presentation templates you must use `QueryByExample`.
credentialQuery:
type: array
uniqueItems: true
minItems: 1
items:
type: object
minProperties: 1
properties:
required:
type: boolean
description: When set to `true`, the verification workflow will fail if a matching credential is not provided in the verifiable presentation response. You can only change this to `false` when your templates has multiple `credentialQuery` objects.
reason:
type: string
description: This value is displayed in the mobile wallet to provide the holder with context around why a credential is being requested. Ensure that this is written exactly as you would like it to appear to the user.
example:
type: array
items:
type: object
properties:
'@context':
type: array
description: This is the JSON-LD schema used to expand the `example` in the `query`. Only matched credentials will be included in the presentation response. In case the credential uses a specific JSON-LD schema, you must add that schema into the `@context` array so that the credential could be matched against the presentation request.
items: {}
type:
description: The credential type that the mobile wallet will use to return matching credentials. Upon the holder's consent, the wallet would only return credentials that match this type and have been issued by the issuers included in the `trustedIssuer` object. When you include multiple credential types, the wallet will only return credentials that match **all** of the included types.
oneOf:
- type: string
example: AlumniCredential
- type: array
example:
- '[AlumniCredential]'
items:
type: string
trustedIssuer:
type: array
description: This array is used to determine what credential issuers to accept in this verification workflow.
items:
type: object
properties:
required:
type: boolean
description: Indicates whether this issuer is required for a credential to be accepted in this workflow.
issuer:
type: string
description: Issuer's DID.
required:
- required
- issuer
required:
- '@context'
- type
- trustedIssuer
required:
- required
- example
required:
- type
- credentialQuery
CreatePresentationQueryByFrame:
type: object
title: CreatePresentationQueryByFrame
properties:
type:
type: string
description: Indicates what type of query method would be used by presentation requests created from this presentation template. For selective-disclosure presentation templates you must use `QueryByFrame`.
credentialQuery:
type: array
uniqueItems: true
minItems: 1
items:
type: object
properties:
reason:
type: string
description: This value is displayed in the mobile wallet to provide the holder with context around why a credential is being requested. Ensure that this is written exactly as you would like it to appear to the user.
frame:
type: object
required:
- '@context'
- type
- credentialSubject
properties:
'@context':
type: array
description: This is the JSON-LD schema used to expand the `credentialSubject`.
items:
type: object
type:
description: The credential type that the mobile wallet will use to return matching credentials. Upon the holder's consent, the wallet would only return credentials that match this type and have been issued by the issuers included in the `trustedIssuer` object. When you include multiple credential types, the wallet will only return credentials that match **all** of the included types.
oneOf:
- type: string
example: VerifiableCredential
description: The value must be VerifiableCredential
- type: array
example:
- '[VerifiableCredential, AlumniCredential]'
items:
type: string
description: VerifiableCredential must be the first value
credentialSubject:
type: object
description: This object details what claims are required for this verification workflow. Only claims included in this object will be included in the verifiable presentation, as long as you set `@explicit` to `true`.
required:
- '@explicit'
- educationalCredentialAwarded
- familyName
properties:
'@explicit':
type: boolean
educationalCredentialAwarded:
type: object
familyName:
type: object
trustedIssuer:
type: array
description: This array is used to determine what credential issuers to accept in this verification workflow. If you want to accept credentials from any issuer as long as they match the defined credential `type`, leave this array empty.
uniqueItems: true
minItems: 0
items:
type: object
properties:
required:
type: boolean
description: Indicates whether this issuer is required for a credential to be accepted in this workflow.
issuer:
type: string
description: Issuer's DID, must include a BLS key type.
required:
- required
- issuer
required:
- reason
- frame
- trustedIssuer
required:
- type
- credentialQuery
CreatePresentationDidAuthTemplate:
type: object
title: CreatePresentationDidAuthTemplate
properties:
type:
type: string
description: DIDAuth
example: DIDAuth
required:
- type
PresentationTemplateResponse:
type: object
properties:
id:
type: string
example: 64e45290-9980-11ea-b872-f1bee5fb328f
description: Unique identifier for this presentation template. You will need it to [create a presentation request](#operation/createPresRequestV2) based on this template. You can also use it to [retrieve](#operation/retrievePresTemplateV2), [update](#operation/updatePresTemplateV2) or [remove](#operation/removePresTemplateV2) this presentation template.
domain:
type: string
example: tenant.vii.mattr.global
name:
type: string
example: alumni_credential_request
query:
type: array
items:
oneOf:
- $ref: '#/components/schemas/CreatePresentationQueryByExample'
- $ref: '#/components/schemas/CreatePresentationQueryByFrame'
- $ref: '#/components/schemas/CreatePresentationDidAuthTemplate'
required:
- id
- domain
- name
- query
title: PresentationTemplateResponse
PresentationTemplateArrayResponse:
type: object
properties:
nextCursor:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1hNjZmZmVhNS04NDhlLTQzOWQtODBhNC1kZGE1NWY1M2UzNmM
description: Starting point for next cursor to use in a page
data:
type: array
items:
$ref: '#/components/schemas/PresentationTemplateResponse'
title: PresentationTemplateArrayResponse
CreatePresentationTemplate:
type: object
title: CreatePresentationTemplate
description: ''
properties:
domain:
type: string
description: |-
Informs the wallet holder what domain is the verification request coming from. The value must match your tenant URL or your custom domain (if you have one set up). If the domain validation is unsuccessful, the wallet will not let the user proceed with the verification workflow.
If you set up a custom domain later, any previous templates created where the domain is your tenant URL will become invalid. You will need to change any prior templates to use the custom domain.
name:
type: string
description: Unique value that is used internally to manage your templates. It must be unique across all presentation templates on your tenant, but is not shown to the holder.
query:
type: array
description: |-
Indicates what type of query method would be used by presentation requests created from this presentation template:
- QueryByExample: This query method uses the credential `type` and `trustedIssuer` to only accept verifiable presentations that match these parameters.
- QueryByFrame: This query method is used to create presentation requests that only require specific claims in the verifiable presentations and thus enable selective disclosure.
- DidAuth: This query method id used to authenticate with the tenant and provide the holder's DID.
You can request multiple credentials in one request by adding additional `credentialQuery` objects to the `query` array.
items:
oneOf:
- $ref: '#/components/schemas/CreatePresentationQueryByExample'
- $ref: '#/components/schemas/CreatePresentationQueryByFrame'
- $ref: '#/components/schemas/CreatePresentationDidAuthTemplate'
required:
- domain
- name
- query
UpdatePresentationTemplate:
title: UpdatePresentationTemplate
allOf:
- type: object
properties:
id:
type: string
- $ref: '#/components/schemas/CreatePresentationTemplate'
CreatePresentationRequestRequest:
type: object
required:
- challenge
- templateId
- did
- callbackUrl
properties:
challenge:
type: string
description: This unique identifier will be used to validate the presentation response sent to the configured `callbackUrl`. By comparing `challenge` with the `challengeId` value in the response, you can ensure it was sent by the intended MATTR VII tenant.
example: 64e45290-9980-11ea-b872-f1bee5fb328f
did:
type: string
description: This is the DID associated with the verifier. It must be available on the tenant and have a key type that is able to be used for messaging (e.g. a ed25519 key type).
example: did:key:z6Mkt7bFYc4V2HdAxwhMtaY6cgJckYXwhYdPLJCcnVqzrkpr
templateId:
type: string
description: The `id` value of an existing presentation template that will be used to create the presentation request.
example: 64e45290-9980-11ea-b872-f1bee5fb328f
expiresTime:
type: number
description: Once the time (Unix time) is reached the presentation corresponding to the challenge will not be accepted. For the purpose of testing you may wish to extend this out. Value cannot be more than 30 minutes (1800000ms) in the future, which is the maximal expiry period for a presentation request. Defaults to five minutes if no value is provided.
example: 1592955632103
callbackUrl:
type: string
format: uri
description: |-
This is the path that you want MATTR VII to message (in the form of a JSON body) once it has received and processed the verifiable presentation from the mobile wallet holder:
- Must be a valid URL.
- Must use the HTTPS protocol.
- Must not be an IP address.
- Must be available, accept POST requests and respond with a 200 OK.
The callback URL will not be present directly in the signed presentation request. We highly recommend protecting the callback endpoint by including a unique identifier in the URL to create a unique callback URL for each request, which would make it hard to guess.
We recommend the callback endpoint always responds with a 404 header to any unsuccessful calls.
example: https://your-website.com/api/callback
title: CreatePresentationRequestRequest
CreatePresentationRequestResponse:
type: object
properties:
id:
type: string
description: Presentation Request id
example: c74128a0-9949-11ea-9554-b5a630b3c119
callbackUrl:
type: string
format: uri
description: Endpoint that will receive the Verifiable Presentation
example: https://your-website.com/api/callback
request:
type: object
description: Presentation Request Details
properties:
id:
type: string
format: uuid
description: Presentation Request id
example: c74128a0-9949-11ea-9554-b5a630b3c119
type:
type: string
format: uri
description: Presentation Request schema
example: https://mattr.global/schemas/verifiable-presentation/request/QueryByExample
from:
type: string
description: Verifier DID
example: did:key:z6MkrYVmyqSA93o4B1GwERM8kaQDMAUKAFV2TC3weQKeg9Gq
created_time:
type: number
description: Creation time
example: 1606709582907
expires_time:
type: number
description: Expiry time
example: 2594859115000
reply_url:
type: string
description: Endpoint that will receive the Verifiable Presentation
example: https://your-website.com/api/callback
reply_to:
type: array
description: Verifier DID
items:
type: string
example: did:key:z6MkrYVmyqSA93o4B1GwERM8kaQDMAUKAFV2TC3weQKeg9Gq
body:
description: Definition of what type of Credential is being requested
allOf:
- $ref: '#/components/schemas/PresentationTemplateResponse'
- type: object
properties:
challenge:
type: string
format: uuid
description: Challenge to match the response to a request
example: e1b35ae0-9e0e-11ea-9bbf-a387b27c9e60
didcommUri:
type: string
format: uri
description: A DIDComm URI that is pointing to a shortened presentation request JWS message
title: CreatePresentationRequestResponse
VerifiablePresentation:
description: ''
type: object
x-examples: {}
title: VerifiablePresentation
properties:
presentation:
type: object
required:
- '@context'
- type
- verifiableCredential
- id
- holder
- proof
properties:
'@context':
type: array
items:
type: object
type:
type: array
items:
type: object
verifiableCredential:
type: array
uniqueItems: true
minItems: 1
items:
$ref: '#/components/schemas/VerifiableCredential'
id:
type: string
minLength: 1
holder:
type: string
minLength: 1
proof:
type: array
uniqueItems: true
minItems: 1
items:
type: object
properties:
type:
type: string
minLength: 1
created:
type: string
minLength: 1
challenge:
type: string
minLength: 1
domain:
type: string
minLength: 1
jws:
type: string
minLength: 1
proofPurpose:
type: string
minLength: 1
verificationMethod:
type: string
minLength: 1
required:
- type
- created
- challenge
- domain
- jws
- proofPurpose
- verificationMethod
challenge:
type: string
example: 3182bdea-63d9-11ea-b6de-3b7c1404d57f
domain:
type: string
example: example.com
required:
- presentation
VerifyPresentation:
title: VerifyPresentation
type: object
properties:
verified:
type: boolean
description: Set to `true` if the presentation passed all checks, and `false` otherwise.
reason:
type: string
description: When `verified` is `false`, details why the verification had failed.
required:
- verified
web-semantic-credential-configurations.v2_components-schemas-CredentialConfiguration:
type: object
properties:
name:
type: string
minLength: 1
maxLength: 1024
description: Insert a meaningful name for the credential. This string is displayed on the top part of the credential in the holder's digital wallet. It is recommended to limit this value to 18 characters as any additional characters are not displayed on the credential.
example: Course credential
description:
type: string
maxLength: 1024
description: Insert a meaningful description for the credential. This string is displayed below the name field on the credential in the holder's digital wallet. It is recommended to limit this value to 38 characters as any additional characters are not displayed on the credential.
example: This credential shows that the person has attended a course.
type:
description: |-
Used to differentiate between different JSON credentials configurations on your tenant. Thus, its value must:
- Be unique across all JSON credentials configurations on your tenant.
- Not be `VerifiableCredential`.
type: string
minLength: 1
maxLength: 1024
example: CourseCredential
additionalTypes:
description: Additional credential types that can be referenced. Each entry must be 1-1024 characters long, with no whitespaces allowed.
type: array
example:
- AlumniCredential
- EducationCredential
items:
type: string
maxLength: 1024
contexts:
type: array
description: |-
Additional JSON-LD contexts to be included in the credential. As part of the credential issuance MATTR VII will auto-inject the following contexts, which reference the W3C Verifiable Credential definitions:
- https://www.w3.org/2018/credentials/v1
- https://mattr.global/contexts/vc-extensions/v2
- https://w3id.org/vc-revocation-list-2020/v1
If you require introducing a different context for your production implementation, please [contact us](https://mailto:dev-support@mattr.global). Referenced contexts must be whitelisted or credential issuance will fail.
example:
- https://optionalschema.example/
items:
type: string
description: Must be an HTTPS URL.
issuer:
type: object
description: Issuer details and branding for issued credentials. Refer to this [video](https://www.youtube.com/watch?v=Tu8ApHBWG90) to learn more about branding best practices.
required:
- name
properties:
name:
type: string
description: Insert a meaningful name to indicate the issuer. This string is used when the credential is offered to the holder. It is also used on the bottom part of the credential when `logoURL` is not provided.
example: ABC University
logoUrl:
type: string
description: |-
Insert a URL for a logo that is displayed on the bottom part of the credential. If no logo is provided, the issuer's `name` and `iconURL` are used instead. The logo must meet the following criteria:
- URL must be publicly available.
- Must be 140x42 px in size.
- **svg**, **png** and **jpg** files are supported, but **svg** is recommended. Raster images, whilst supported, are currently displayed at 1x resolution and may look pixelated on some devices.
- Transparencies are allowed for **svg** or **png** images.
- If no logo is provided, the first letter of the issuer name is displayed instead.
- The recommended maximum size is 50 KB.
example: https://example.edu/img/logo.png
iconUrl:
type: string
example: https://example.edu/img/icon.png
description: |-
Insert a URL for an icon that is displayed next to the issuer's name when the credential is offered to the holder. It is also displayed next to the issuer's name on the bottom part of the credential when `logoURL` is not provided. When `iconURL` is not provided, the first letter from `name` is used instead. The icon must meet the following criteria:
- URL must be publicly available.
- Must be 32x32 px in size.
- **svg**, **png** and **jpg** files are supported, but **svg** is recommended. Raster images, whilst supported, are currently displayed at 1x resolution and may look pixelated on some devices.
- Transparencies are allowed for svg or png images.
- The recommended maximum size is 15 KB.
proofType:
description: |-
This is an _optional_ field which defines the cryptographic algorithm used to sign the credential. The credential Issuer's DID must contain a key that supports the corresponding signing capability. If no `proofType` is provided, the credential will be signed using the key that is available in the Issuer's DID:
- If a `Bls12381G2` key is available, the credential will be signed with a `BbsSignature2022` proof. Credentials signed with this proof type support selective disclosure.
- If a `Bls12381G2` key is unavailable and a `Ed25519` key is available, the credential will be signed with a `Ed25519Signature2018` proof. Credentials signed with this proof type do not support selective disclosure.
- If none of the two suitable keys are available, the request will be rejected and the credential will not be created.
type: string
enum:
- Ed25519Signature2018
- BbsSignature2022
example: Ed25519Signature2018
credentialBranding:
type: object
description: Additional branding that will be applied to issued credentials. Refer to this [video](https://www.youtube.com/watch?v=Tu8ApHBWG90) to learn more about branding best practices.
properties:
backgroundColor:
type: string
example: '#B00AA0'
description: Insert a color hex code to use for the credential background color in the holder's digital wallet.
watermarkImageUrl:
type: string
example: https://example.edu/img/watermark.png
description: |-
Insert a URL for a watermark image to be included as a pattern on the credential in the holder's digital wallet:
- URL must be publicly available.
- Must be 245x150px in size.
- **svg**, **png** and **jpg** files are supported, but **svg** is recommended.
- If no watermark image is provided, a wave pattern is applied to the credentials by default.
- The recommended maximum size is 150 KB.
claimMappings:
$ref: '#/components/schemas/credentialConfigurationClaimMappings'
persist:
type: boolean
default: false
description: |-
When set to `true`, both the issued credential and its metadata are stored in the credential registry. When set to `false` (default) only the following metadata is stored:
- `id`
- `tag`
- `credentialStatus`
- `issuanceDate`
revocable:
type: boolean
default: true
description: When set to `true` (default), the created credential can later be revoked. When set to `false`, the credential cannot be revoked. When set to `true`, `https://w3id.org/vc-revocation-list-2020/v1` is injected into the credential `@context` object when it is issued. This references the JSON-LD definition of the `credentialStatus` object used to manage revocation status.
claimSourceId:
type: string
format: uuid
description: References the unique identifier of a claims source that can be used to retrieve claims and include them in the issued credential.
expiresIn:
type: object
description: Used to determine when will issued credentials expire. Can include any combination of `years`, `months`, `weeks`, `days`, `hours`, `minutes` and `seconds`.
properties:
years:
type: number
months:
type: number
example: 3
weeks:
type: number
days:
type: number
hours:
type: number
minutes:
type: number
seconds:
type: number
web-semantic-credential-configurations.v2_components-schemas-CredentialConfigurationResponse:
required:
- id
- name
- type
- issuer
- persist
- revocable
allOf:
- type: object
properties:
id:
type: string
format: uuid
description: Credential Configuration ID
example: 983c0a86-204f-4431-9371-f5a22e506599
- $ref: '#/components/schemas/web-semantic-credential-configurations.v2_components-schemas-CredentialConfiguration'
title: CredentialConfigurationResponse
web-semantic-credential-configurations.v2_components-schemas-GetCredentialConfigurationsResponse:
type: object
properties:
nextCursor:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1hNjZmZmVhNS04NDhlLTQzOWQtODBhNC1kZGE1NWY1M2UzNmM
description: Starting point for next cursor to use in a page
data:
type: array
items:
$ref: '#/components/schemas/web-semantic-credential-configurations.v2_components-schemas-CredentialConfigurationResponse'
title: GetCredentialConfigurationsResponse
web-semantic-credential-configurations.v2_components-schemas-CredentialConfigurationRequest:
required:
- name
- type
- issuer
allOf:
- $ref: '#/components/schemas/web-semantic-credential-configurations.v2_components-schemas-CredentialConfiguration'
title: CreateCredentialConfigurationRequest
UnauthorizedError:
title: UnauthorizedError
description: The request does not have a valid Authorization header
type: string
example: Unauthorized
CredentialResponseEncryption:
type: object
description: JSON object containing details for encrypting the issued credential in the response.
required:
- jwk
- enc
properties:
jwk:
type: object
description: JSON Web Key (JWK) containing the public key to use for encrypting the issued credential.
required:
- kty
- crv
- alg
- x
- 'y'
properties:
kty:
type: string
example: EC
kid:
type: string
example: kid
use:
type: string
example: enc
crv:
type: string
example: P-256
alg:
type: string
example: HPKE-7
x:
type: string
example: YO4epjifD-KWeq1sL2tNmm3...
'y':
type: string
example: Hekpm0zfK7C-YccH5iBjcIXg...
enc:
type: string
description: Encryption algorithm to use when encrypting the issued credential.
example: A256GCM
ldpvcIssueCredentialRequest:
title: JSON
type: object
required:
- credential_configuration_id
properties:
credential_configuration_id:
type: string
description: Credential configuration identifier.
proofs:
type: object
description: JSON object containing proof of possession of the key material the issued Credential shall be bound to.
properties:
jwt:
type: array
items:
type: string
description: The JSON Web Token (JWT) containing the proof data.
credential_response_encryption:
$ref: '#/components/schemas/CredentialResponseEncryption'
cwtIssueCredentialRequest:
title: CWT
type: object
required:
- credential_configuration_id
properties:
credential_configuration_id:
type: string
description: Credential configuration identifier.
credential_response_encryption:
$ref: '#/components/schemas/CredentialResponseEncryption'
cwtvcIssueCredentialRequest:
title: Semantic CWT
type: object
required:
- credential_configuration_id
properties:
credential_configuration_id:
type: string
description: Credential configuration identifier.
credential_response_encryption:
$ref: '#/components/schemas/CredentialResponseEncryption'
msomdocIssueCredentialRequest:
title: mDoc
type: object
required:
- credential_configuration_id
- proofs
properties:
credential_configuration_id:
type: string
description: Credential configuration identifier.
proofs:
type: object
description: JSON object containing proof of possession of the key material the issued Credential shall be bound to.
properties:
jwt:
type: array
items:
type: string
description: The JSON Web Token (JWT) containing the proof data.
credential_response_encryption:
$ref: '#/components/schemas/CredentialResponseEncryption'
deprecatedLdpvcIssueCredentialRequest:
title: JSON (Deprecated)
type: object
required:
- format
- credential_definition
properties:
format:
type: string
description: Credential format, always `ldp_vc` for JSON credentials.
enum:
- ldp_vc
credential_definition:
type: object
properties:
type:
type: array
description: Credential types, as defined in the credential schema.
items:
type: string
'@context':
type: array
description: Credential contexts, as defined in the credential schema.
items:
type: string
required:
- type
- '@context'
proof:
type: object
description: JSON object containing proof of possession of the key material the issued Credential shall be bound to.
properties:
proof_type:
type: string
description: Proof type - must be `jwt`.
enum:
- jwt
jwt:
type: string
description: The JSON Web Token (JWT) containing the proof data.
credential_response_encryption:
$ref: '#/components/schemas/CredentialResponseEncryption'
deprecatedCwtIssueCredentialRequest:
title: CWT (Deprecated)
type: object
required:
- format
- type
properties:
format:
type: string
description: Credential format, always `cwt` for CWT credentials.
example: cwt
enum:
- cwt
type:
type: string
credential_response_encryption:
$ref: '#/components/schemas/CredentialResponseEncryption'
deprecatedCwtvcIssueCredentialRequest:
title: Semantic CWT (Deprecated)
type: object
required:
- format
- types
properties:
format:
type: string
description: Credential format, always `cwt_vc` for Semantic CWT credentials.
enum:
- cwt_vc
types:
type: array
items:
type: string
credential_response_encryption:
$ref: '#/components/schemas/CredentialResponseEncryption'
deprecatedMsomdocIssueCredentialRequest:
title: mDoc (Deprecated)
type: object
required:
- format
- doctype
properties:
format:
type: string
description: Credential format, always `mso_mdoc` for mDocs.
enum:
- mso_mdoc
doctype:
type: string
description: The document type identifier for the credential, as defined in ISO/IEC 18013-5:2021.
example: org.iso.18013.5.1.mDL
proof:
type: object
description: JSON object containing proof of possession of the key material the issued credential shall be bound to.
properties:
proof_type:
description: Proof type - must be `jwt`.
type: string
enum:
- jwt
jwt:
type: string
description: |
A single JSON Web Token (JWT) containing the proof data.
The JWT header must include the following elements:
- `typ` (String): Must be `openid4vci-proof+jwt`.
- `alg` (String): Must be `ES256`.
- `jwk` (Object): JWK object containing the key material the new credential shall be bound to.
The JWT payload must include the following elements:
- `iss` (String): Must be the `client_id` of the client making the credential request.
- `aud` (String): Must be the `credential_issuer` URL of the issuer.
- `iat` (NumericDate): Must be the time at which the proof was issued using the syntax defined in RFC 7519. The value must not be older than 5 minutes.
The following JWT payload elements are optional:
- `exp` (NumericDate): Must be the time at which the proof expires. When provided, must not be in the past.
- `jti` (String): A unique identifier for the JWT.
credential_response_encryption:
$ref: '#/components/schemas/CredentialResponseEncryption'
ldpvcSupportedCredentialResponse:
title: JSON
type: object
required:
- credentials
properties:
credentials:
type: array
items:
type: object
properties:
credential:
allOf:
- $ref: '#/components/schemas/VerifiableCredential'
description: The verifiable credential that was issued.
msomdocIssueCredentialResponse:
title: mDoc
type: object
required:
- credentials
properties:
credentials:
type: array
items:
type: object
properties:
credential:
type: string
description: The verifiable credential that was issued.
cwtvcIssueCredentialResponse:
title: Semantic CWT
type: object
required:
- credentials
properties:
credentials:
type: array
items:
type: object
properties:
credential:
type: string
description: The verifiable credential that was issued.
pdf:
type: string
description: A base64-encoded PDF representation of the issued credential, if requested.
cwtIssueCredentialResponse:
title: CWT
type: object
required:
- credentials
properties:
credentials:
type: array
items:
type: object
properties:
credential:
type: string
description: The verifiable credential that was issued.
pdf:
type: string
description: A base64-encoded PDF representation of the issued credential, if requested.
deprecatedLdpvcSupportedCredentialResponse:
title: JSON (Deprecated)
type: object
required:
- credential
- format
properties:
credential:
allOf:
- $ref: '#/components/schemas/VerifiableCredential'
description: The verifiable credential that was issued.
format:
type: string
description: The format of the issued credential.
example: ldp_vc
deprecatedMsomdocIssueCredentialResponse:
title: mDoc (Deprecated)
type: object
required:
- credential
- format
properties:
credential:
type: string
description: The mobile credential that was issued.
format:
type: string
description: The format of the issued credential.
example: mso_mdoc
deprecatedCwtvcIssueCredentialResponse:
title: Semantic CWT (Deprecated)
type: object
required:
- credential
- format
properties:
credential:
type: string
description: The compact semantic credential that was issued.
format:
type: string
description: The format of the issued credential.
example: cwt_vc
pdf:
type: string
description: A base64-encoded PDF representation of the issued credential, if requested.
deprecatedCwtIssueCredentialResponse:
title: CWT (Deprecated)
type: object
required:
- credential
- format
properties:
credential:
type: string
description: The compact credential that was issued.
format:
type: string
description: The format of the issued credential.
example: cwt
pdf:
type: string
description: A base64-encoded PDF representation of the issued credential, if requested.
CryptographicBindingMethodsSupported:
title: Cryptographic Binding Methods Supported
type: array
items:
type: string
description: Array of case-sensitive strings indicating supported cryptographic key binding representations for the issued credential.
example:
- did:key
- mso
CryptographicSuitesSupported:
title: Cryptographic Suites Supported
type: array
items:
type: string
description: Array of case-sensitive strings indicating supported cryptographic suites for the issued credential.
example:
- Ed25519Signature2018
- ES256
ldpvcSupportedCredential:
type: object
properties:
format:
type: string
id:
type: string
scope:
type: string
'@context':
type: array
items:
type: string
type:
type: array
items:
type: string
credentialSubject:
type: object
cryptographic_binding_methods_supported:
$ref: '#/components/schemas/CryptographicBindingMethodsSupported'
cryptographic_suites_supported:
$ref: '#/components/schemas/CryptographicSuitesSupported'
cwtvcSupportedCredential:
type: object
properties:
format:
type: string
id:
type: string
scope:
type: string
types:
type: array
items:
type: string
credentialSubject:
type: object
cryptographic_binding_methods_supported:
$ref: '#/components/schemas/CryptographicBindingMethodsSupported'
cryptographic_suites_supported:
$ref: '#/components/schemas/CryptographicSuitesSupported'
cwtSupportedCredential:
type: object
properties:
format:
type: string
id:
type: string
scope:
type: string
type:
type: string
claims:
type: object
cryptographic_binding_methods_supported:
$ref: '#/components/schemas/CryptographicBindingMethodsSupported'
cryptographic_suites_supported:
$ref: '#/components/schemas/CryptographicSuitesSupported'
msomdocSupportedCredential:
type: object
properties:
format:
type: string
description: Credential format. Always `mso_mdoc` for mDocs.
example: mso_mdoc
enum:
- mso_mdoc
scope:
type: string
doctype:
type: string
description: The document type identifier for the credential, as defined in ISO/IEC 18013-5:2021.
example: org.iso.18013.5.1.mDL
id:
type: string
cryptographic_binding_methods_supported:
$ref: '#/components/schemas/CryptographicBindingMethodsSupported'
cryptographic_suites_supported:
$ref: '#/components/schemas/CryptographicSuitesSupported'
claims:
type: object
display:
description: Display information for issued credentials.
type: array
items:
type: object
example:
name: Driver's License
description: Official state-issued driver's license.
background_color: '#FFFFFF'
CredentialSigningAlgValuesSupported:
title: Credential Signing Algorithm Values Supported
type: array
items:
type: string
description: Array of algorithm identifiers indicating the signing algorithms supported by the issuer for issued credentials.
example:
- Ed25519Signature2018
- BbsSignatureProof2022
- -7
ProofTypesSupported:
title: Proof Types Supported
type: object
description: Describes specifics of the key proof(s) that the credential issuer supports. Contains a list of name/value pairs, where each name is a unique identifier of the supported proof type(s). If absent, the wallet is not required to supply proofs when requesting this credential.
properties:
jwt:
type: object
properties:
proof_signing_alg_values_supported:
type: array
items:
type: string
key_attestations_required:
type: object
properties:
key_storage:
type: array
items:
type: string
user_authentication:
type: array
items:
type: string
example:
jwt:
proof_signing_alg_values_supported:
- EdDSA
key_attestations_required:
key_storage:
- iso_18045_moderate
user_authentication:
- iso_18045_moderate
CredentialDisplay:
title: Credential Display
description: Array of objects that contain display properties of the issued credential for a certain language.
type: array
items:
type: object
example:
- name: Driver's License
logo:
uri: https://example.com/logo.png
alt_text: Example Logo
locale: en-US
background_color: '#FFFFFF'
text_color: '#000000'
ClaimDisplay:
title: Claim Display
type: object
properties:
name:
type: string
locale:
type: string
example:
name: First Name
locale: en-US
CredentialClaim:
title: Credential Claim
description: Array of objects that describe the claims included in the credential. Each object contains the path to the claim in the credential, whether the claim is mandatory, and its display information.
type: object
properties:
path:
type: array
items:
type: string
mandatory:
type: boolean
display:
description: Each object in this array contains display properties of a certain claim in the credential for a certain language.
type: array
items:
$ref: '#/components/schemas/ClaimDisplay'
example:
path:
- firstName
mandatory: true
display:
- name: First Name
locale: en-US
CredentialMetadata:
title: Credential Metadata
type: object
description: Display information for issued credentials.
properties:
display:
$ref: '#/components/schemas/CredentialDisplay'
claims:
type: array
items:
$ref: '#/components/schemas/CredentialClaim'
ldpvcCredentialConfigurationSupported:
title: JSON Credential
type: object
properties:
format:
type: string
id:
type: string
scope:
type: string
credential_definition:
description: The credential definition as defined in the credential schema.
type: object
properties:
type:
type: array
items:
type: string
'@context':
type: array
items:
type: string
credential_signing_alg_values_supported:
$ref: '#/components/schemas/CredentialSigningAlgValuesSupported'
cryptographic_binding_methods_supported:
$ref: '#/components/schemas/CryptographicBindingMethodsSupported'
proof_types_supported:
$ref: '#/components/schemas/ProofTypesSupported'
credential_metadata:
$ref: '#/components/schemas/CredentialMetadata'
example:
format: ldp_vc
id: 2cdb2c15-39a7-4556-abab-4515ce2d831b
scope: ldp_vc:TestCredential
credential_definition:
'@context':
- https://www.w3.org/2018/credentials/v1
- https://schema.org
type:
- VerifiableCredential
- TestCredential
credential_signing_alg_values_supported:
- Ed25519Signature2018
- BbsSignatureProof2022
cryptographic_binding_methods_supported:
- did:key
proof_types_supported:
jwt:
proof_signing_alg_values_supported:
- EdDSA
credential_metadata:
display:
- name: Test Credential
logo:
uri: https://example.com/logo.png
alt_text: Example Logo
locale: en-US
background_color: '#FFFFFF'
text_color: '#000000'
claims:
- path:
- credentialSubject
- firstName
mandatory: true
display:
- name: First Name
locale: en-US
cwtvcCredentialConfigurationSupported:
title: CWT Credential
type: object
properties:
format:
type: string
id:
type: string
scope:
type: string
types:
type: array
items:
type: string
credential_signing_alg_values_supported:
$ref: '#/components/schemas/CredentialSigningAlgValuesSupported'
cryptographic_binding_methods_supported:
$ref: '#/components/schemas/CryptographicBindingMethodsSupported'
credential_metadata:
$ref: '#/components/schemas/CredentialMetadata'
example:
format: cwt_vc
id: 3dfe1c4a-5b6c-4e2f-9f3a-2b1c4d5e6f7g
scope: cwt_vc:TestCredential
types:
- VerifiableCredential
- TestCredential
cryptographic_binding_methods_supported: []
credential_signing_alg_values_supported:
- -7
credential_metadata:
claims:
- path:
- vc
- credentialSubject
- firstName
mandatory: true
display:
- name: First Name
locale: en-US
cwtCredentialConfigurationSupported:
title: Semantic CWT Credential
type: object
properties:
format:
type: string
id:
type: string
scope:
type: string
type:
type: string
credential_signing_alg_values_supported:
$ref: '#/components/schemas/CredentialSigningAlgValuesSupported'
cryptographic_binding_methods_supported:
$ref: '#/components/schemas/CryptographicBindingMethodsSupported'
credential_metadata:
$ref: '#/components/schemas/CredentialMetadata'
example:
format: cwt
id: b068c060-cc72-4758-9526-92d29edb821f
scope: cwt:TestCredential
type: TestCredential
cryptographic_binding_methods_supported: []
credential_signing_alg_values_supported:
- -7
credential_metadata:
claims:
- path:
- firstName
mandatory: true
display:
- name: First Name
locale: en-US
msomdocCredentialConfigurationSupported:
title: mDoc
type: object
properties:
format:
type: string
doctype:
type: string
description: The document type identifier for the credential, as defined in ISO/IEC 18013-5:2021.
example: org.iso.18013.5.1.mDL
scope:
type: string
id:
type: string
credential_signing_alg_values_supported:
$ref: '#/components/schemas/CredentialSigningAlgValuesSupported'
cryptographic_binding_methods_supported:
$ref: '#/components/schemas/CryptographicBindingMethodsSupported'
proof_types_supported:
$ref: '#/components/schemas/ProofTypesSupported'
credential_metadata:
$ref: '#/components/schemas/CredentialMetadata'
example:
format: mso_mdoc
doctype: org.iso.18013.5.1.mDL.T
scope: mso_mdoc:TestCredential
id: a1b2c3d4-e5f6-4789-abcd-ef0123456789
cryptographic_binding_methods_supported:
- mso
credential_signing_alg_values_supported:
- -7
proof_types_supported:
jwt:
proof_signing_alg_values_supported:
- ES256
credential_metadata:
claims:
- path:
- org.iso.18013.5.1
- firstName
mandatory: true
display:
- name: First Name
locale: en-US
display:
- name: Test Mobile Credential
logo:
uri: https://example.com/logo.png
alt_text: Example Logo
locale: en-US
background_color: '#FFFFFF'
text_color: '#000000'
ClaimSourceSchema:
type: object
required:
- name
- url
- requestParameters
properties:
name:
type: string
description: Claims source name.
example: My claims from example.com
url:
type: string
description: |-
Claims source URL (and any redirects it may include):
- Must be a valid URL.
- Must use the HTTPS protocol.
- Must not be an IP address.
- Must not include query parameters.
- Unicode will be converted to ASCII.
example: https://example.com
requestMethod:
type: string
description: |-
Indicates the request method MATTR VII will use when retrieving data from this claims source. Both the GET and POST method are supported. If no value is provided, GET is used by default.
When using POST, all `requestParameters` must be included in the request body in JSON format.
enum:
- GET
- POST
requestParameters:
description: |-
Use this object to define how to map request parameters that are sent to your claims source using the `mapFrom` and `defaultValue` properties:
- When only providing `mapFrom`, the request parameter will be mapped from the defined path. If mapping fails, no alternative value is used. You can map data from both the `claims` and `credentialConfiguration` objects.
- When providing both `mapFrom` and `defaultValue`, MATTR VII will attempt to map the request parameter from the defined path. If mapping fails, the `defaultValue` is used instead.
- When only providing `defaultValue`, its value is used to populate the request parameter, regardless of any available claims values.
oneOf:
- type: object
title: Mapping only
required:
- mapFrom
properties:
mapFrom:
type: string
description: Path to map the claim from.
example: claims.accountType
- type: object
title: Mapping with fallback
required:
- mapFrom
- defaultValue
properties:
mapFrom:
type: string
description: Path to map the claim from.
example: claims.accountType
defaultValue:
description: Static value to be used when `mapFrom` fails or evaluated to undefined (attribute doesn't exist).
oneOf:
- type: string
- type: array
items: {}
- type: object
- type: object
title: Static value
required:
- defaultValue
properties:
defaultValue:
description: Static value to be used for all issued credentials, without querying the claims source.
oneOf:
- type: string
- type: array
items: {}
- type: object
ClaimSourceAuthorizationApiKeySchema:
title: API Key
description: API Key for claim source authorization.
type: object
required:
- type
properties:
type:
type: string
enum:
- api-key
example: api-key
value:
type: string
example: 6hrFDATxrG9w14QY9wwnmVhLE0Wg6LIvwOwUaxz761m1J
ClaimSourceAuthorizationApiKeyResponse:
title: API Key
description: API Key used to authenticate the request to the claims source server.
required:
- value
allOf:
- $ref: '#/components/schemas/ClaimSourceAuthorizationApiKeySchema'
- type: object
properties:
value:
type: string
description: |
Masked API key value. Completely masked if it is less than 20 characters, while if it is 20 characters or longer only the last 5 characters are exposed.
example: '****************************************61m1J'
ClaimSourceAuthorizationOAuthSchema:
type: object
required:
- type
- tokenEndpoint
- clientId
properties:
type:
type: string
enum:
- oauth-client-credentials
example:
- oauth-client-credentials
tokenEndpoint:
type: string
description: OAuth 2.0 token endpoint URL for obtaining an access token for this claims source.
format: url
clientId:
type: string
description: Your client identifier for this claims source.
clientSecret:
type: string
description: Your client secret for this claims source.
tokenEndpointAuthMethod:
type: string
enum:
- client_secret_basic
- client_secret_post
description: |-
Two authentication methods are available:
- `client_secret_basic` (default): Credentials are passed as a base 64 encoded basic token.
- `client_secret_post`: Credentials are passed as parameters within the request body.
audience:
type: string
description: Optional audience for the claims source token.
ClaimSourceAuthorizationOAuthResponse:
title: OAuth Client Credentials
description: OAuth client credentials used for getting an access token for the claim source.
required:
- clientSecret
allOf:
- $ref: '#/components/schemas/ClaimSourceAuthorizationOAuthSchema'
- type: object
properties:
clientSecret:
type: string
description: |
Masked OAuth 2.0 client secret. Completely masked if it is less than 20 characters, while if it is 20 characters or longer only the last 5 characters are exposed.
example: '***********************************6d0f5'
CreateClaimSourceResponse:
description: Returns the claims source details, including a `claimSourceId`. You will use the this identifier to reference your claims source when creating your credential configuration.
allOf:
- type: object
properties:
id:
type: string
format: uuid
description: Claims source unique identifier
example: 57fa09e2-82f3-4d3d-9eca-d0253e84a4e6
- $ref: '#/components/schemas/ClaimSourceSchema'
- type: object
required:
- authorization
properties:
authorization:
description: Authentication method configuration to access the claims source.
oneOf:
- $ref: '#/components/schemas/ClaimSourceAuthorizationApiKeyResponse'
- $ref: '#/components/schemas/ClaimSourceAuthorizationOAuthResponse'
GetClaimSourcesResponse:
type: object
properties:
nextCursor:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1hNjZmZmVhNS04NDhlLTQzOWQtODBhNC1kZGE1NWY1M2UzNmM
description: Starting point for next cursor to use in a page.
data:
type: array
items:
$ref: '#/components/schemas/CreateClaimSourceResponse'
ClaimSourceAuthorizationApiKeyRequest:
title: API Key
description: API Key used to authenticate the request to the claims source server.
allOf:
- $ref: '#/components/schemas/ClaimSourceAuthorizationApiKeySchema'
- type: object
properties:
value:
type: string
description: API key value. Note that MATTR VII does not validate your input, which means it's up to you to provide the correct API key for your claim sources.
example: 6hrFDATxrG9w14QY9wwnmVhLE0Wg6LIvwOwUaxz761m1J
ClaimSourceAuthorizationOAuthRequest:
title: OAuth Client Credentials
description: OAuth client credentials used for getting an access token for the claim source.
type: object
allOf:
- $ref: '#/components/schemas/ClaimSourceAuthorizationOAuthSchema'
- type: object
properties:
clientSecret:
type: string
description: OAuth 2.0 client secret that will be used for the token endpoint request.
example: 1b41186347e4cc716155155cdecbded07536d0f5
ClaimSourceRequest:
allOf:
- $ref: '#/components/schemas/ClaimSourceSchema'
- type: object
required:
- authorization
properties:
authorization:
required:
- clientSecret
- value
description: Authentication method configuration to access the claims source.
oneOf:
- $ref: '#/components/schemas/ClaimSourceAuthorizationApiKeyRequest'
- $ref: '#/components/schemas/ClaimSourceAuthorizationOAuthRequest'
UpdateClaimSourcesRequest:
allOf:
- $ref: '#/components/schemas/ClaimSourceSchema'
- type: object
required:
- authorization
properties:
authorization:
description: Authentication method configuration to access the claims source.
oneOf:
- $ref: '#/components/schemas/ClaimSourceAuthorizationApiKeyRequest'
- $ref: '#/components/schemas/ClaimSourceAuthorizationOAuthRequest'
MessagingInbox:
title: MessagingInbox
type: object
properties:
id:
type: string
example: f04faabf-cea8-4f39-95b3-0ce357ac4d03
name:
type: string
example: My_Inbox
required:
- id
- name
MessagingInboxDIDs:
title: MessagingInboxDIDs
type: object
properties:
nextCursor:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1hNjZmZmVhNS04NDhlLTQzOWQtODBhNC1kZGE1NWY1M2UzNmM
data:
type: array
description: Array of DIDs which are registered with this inbox.
example:
- did:key:did1
- did:key:did2
- did:key:did3
items:
type: string
MessageInboxMessage:
title: MessageInboxMessage
type: object
properties:
name:
type: string
description: Message name.
createdAt:
type: string
format: date
description: Message creation date.
id:
type: string
description: Unique identifier of this message.
inboxId:
type: string
description: Unique identifier of the inbox this message is held in.
payload:
type: string
description: Message payload.
required:
- name
- createdAt
JSONObjectMessage:
type: object
description: A JSON Object plaintext message
example:
msg: this is a message
title: JSONObjectMessage
SignMessageRequest:
type: object
required:
- didUrl
- payload
properties:
didUrl:
type: string
description: The did key that will be used to sign the message, which must supports signing. You can obtain it from the DID document `DID.localMetadata.initialDidDocument.authentication[0]` path.
example: did:example:abcdefghijkl#key1
payload:
$ref: '#/components/schemas/JSONObjectMessage'
title: SignMessageRequest
SignMessageResponse:
title: SignMessageResponse
type: string
description: Signed message in a response
example: eyJhbGciOiJFZERTQSIsImtpZCI6ImRpZDprZXk6ejZNa21mazNtMldIQlVxVm94SlZ3R1NQejVrYmFKNnpBMXRwN1JRWUJiUUdtczNoI3o2TWttZmszbTJXSEJVcVZveEpWd0dTUHo1a2JhSjZ6QTF0cDdSUVlCYlFHbXMzaCJ9.eyJtc2ciOiJUaGlzIGlzIGEgcGF5bG9hZCJ9.5E9qEmmSOMHLABAr4A9VzuNKFaO4EDo2GSCMoxQm9zsE7eCmEEuaAxtNhOUdd-Wvj64vqBBVl84XB1Yg7X9wBg
required:
- ciphertext
VerifyRequest:
type: object
properties:
jws:
type: string
description: JWS (JSON Web Siganture) in its compact form.
example: EXAMPLE_JWS_TOKEN_eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
title: VerifyRequest
VerifyMessageResponse:
type: object
properties:
didUrl:
type: string
description: The `didUrl` included in the JWS (JSON Web Signature) object.
example: did:web:organization.com#2vcj3MjR4d
did:
type: string
description: The DID URI parsed from the `didUrl`.
example: did:web:organization.com
verified:
type: boolean
description: Verification result.
example: true
payload:
oneOf:
- type: string
- type: object
description: The payload of the verified message
title: VerifyMessageResponse
EncryptMessageRequest:
title: EncryptMessageRequest
type: object
properties:
senderDidUrl:
type: string
description: The sender's DID URL, obtained from the `id` field of the first `keyAgreement` entry of its DID document (`DID.localMetadata.initialDidDocument.keyAgreement[0].id`). This must reference a key that supports key agreement.
recipientDidUrls:
type: array
description: The intended recepient's Subject DID.
items:
type: string
payload:
type: object
description: The message to be encrypted.
required:
- senderDidUrl
- recipientDidUrls
- payload
EncryptedMessage:
title: EncryptedMessage
type: object
properties:
jwe:
type: object
description: The encrypted message in JWM format.
properties:
protected:
type: string
minLength: 1
recipients:
type: array
uniqueItems: true
minItems: 1
items:
required:
- encryption_key
properties:
header:
type: object
properties:
alg:
type: string
minLength: 1
kid:
type: string
minLength: 1
epk:
type: object
properties:
kty:
type: string
minLength: 1
crv:
type: string
minLength: 1
x:
type: string
minLength: 1
required:
- kty
- crv
- x
skid:
type: string
minLength: 1
required:
- alg
- kid
- epk
- skid
encryption_key:
type: string
minLength: 1
ciphertext:
type: string
minLength: 1
iv:
type: string
minLength: 1
tag:
type: string
minLength: 1
required:
- protected
- recipients
- ciphertext
- iv
- tag
required:
- jwe
DecryptMessageRequest:
title: DecryptMessageRequest
type: object
properties:
jwe:
description: |-
The `jwe` object to be decrypted. It can be extracted from the `jwe` attribute of the response body you get when [encrypting a message](#operation/encryptMessage).
Alternatively, you can use a `jwe string` using `Base64` encoding method and following the [JWE open-standard](https://datatracker.ietf.org/doc/rfc7516/):
`BASE64URL(UTF8(JWE Protected Header)) || '.' || BASE64URL(JWE Encrypted Key) || '.' || BASE64URL(JWE Initialization Vector) || '.' || BASE64URL(JWE Ciphertext) || '.' || ASE64URL(JWE Authentication Tag)`
oneOf:
- type: string
example: eyJhbGciOiJFZERTQSIsImtpZCI6ImRpZDp3ZWI6bWF0dHIuZ2xvYmFsI0V5MkN2V2N5MzQifQ.eyJtZXNzYWdlIjoidGVzdCJ9.dMvOGkfbRrjUJL7XYYAp1UxoHlt8J0N5_vRRLpTEHtQ4s8lwnMd0lhg7HiZVfvEyzk54f6J0CgTV5oHzVscdAA
- $ref: '#/components/schemas/EncryptedMessage'
required:
- jwe
DecryptMessageResponse:
type: object
properties:
payload:
oneOf:
- type: string
- type: object
senderDidUrl:
type: string
description: Sender DID retrieved from the decrypted message.
example: did:web:organization.com#2vcj3MjR4d
senderPublicJwk:
type: object
description: The sender public JWK (JSON Web Key) retrieved from the decrypted message.
recipientDidUrl:
type: string
description: Intended recipient DID URI retrieved from the decrypted message.
example: did:key:z6MkgmEkNM32vyFeMXcQA7AfQDznu47qHCZpy2AYH2Dtdu1d
title: DecryptMessageResponse
SendMessageRequest:
type: object
properties:
to:
type: string
description: Recipient DID.
message:
oneOf:
- type: string
- type: object
description: Message in JWE (JSON Web Encryption) format. This endpoint only accepts Encrypted payloads to ensure that messages are encrypted-at-rest whilst in messaging inboxes. The message should be encrypted for the recipient based on a key available in the DID Document.
title: SendMessageRequest
CreateOidcVerifierRequest:
type: object
properties:
verifierDid:
type: string
description: Specifies the DID where the verifiable presentation will be sent to.
example: did:key:z6MkrYVmyqSA93o4B1GwERM8kaQDMAUKAFV2TC3weQKeg9Gq
presentationTemplateId:
type: string
format: uuid
description: References the unique identifier of a Presentation Request Template that will be used by this verifier to create presentation requests.
example: 364b6a1b-3600-4927-a6ac-4d66aa6bbac3
claimMappings:
type: array
description: |-
As part of verifying a credential, the OIDC client initiates the request expecting a standard OIDC ID Token. However, as the digital wallet provides the credential in JSON-LD terms, it is required to map JSON-LD claims to OpenID Connect terms.
- Currently the platform only supports `schema.org` for data vocabularies.
- Make sure to use `http://` and not `https://` when entering jsonLdFqn values for schema.org. Otherwise you may not get the claims returned in your ID Token.
items:
type: object
required:
- jsonLdFqn
- oidcClaim
properties:
jsonLdFqn:
type: string
description: Fully qualified JSON-LD term.
example: http://schema.org/alumniOf
oidcClaim:
type: string
description: OpenID Connect term.
example: alumni_of
includePresentation:
type: boolean
description: When set to `true`, the generated `id_token` will include the original presentation from the wallet.
example: true
required:
- verifierDid
- presentationTemplateId
- claimMappings
title: CreateOidcVerifierRequest
CreateOidcVerifierResponse:
allOf:
- type: object
properties:
id:
type: string
format: uuid
description: Uniquely identifies this OIDC Verifier. You will need it to configure an OIDC Client on your OIDC Verifier. You can also use it to retrieve, update or remove this OIDC Verifier.
example: 41458e5a-9092-40b7-9a26-d4eb43c5792f
- $ref: '#/components/schemas/CreateOidcVerifierRequest'
title: CreateOidcVerifierResponse
GetOidcVerifiersResponse:
type: object
properties:
nextCursor:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1hNjZmZmVhNS04NDhlLTQzOWQtODBhNC1kZGE1NWY1M2UzNmM
description: Starting point for next cursor to use in a page
data:
$ref: '#/components/schemas/CreateOidcVerifierResponse'
title: GetOidcVerifiersResponse
CreateOidcVerifierClientRequest:
type: object
properties:
name:
type: string
description: Insert a meaningful name for your OIDC Client.
example: OIDC Client for the verifier
redirectUris:
type: array
items:
type: string
format: uri
description: |-
This array can include a list of URLs. One of the URIs in that list must match the callback URI configured for your OIDC Client for the Authorization Request:
- Must be a valid URL.
- Must use the HTTPS protocol.
- Must not be an IP address.
- Must not include query parameters.
- For testing, it’s okay to add a localhost uri like https://localhost:9090/callback
example:
- https://example.com/callback
responseTypes:
type: array
items:
type: string
description: Determines the authorization processing flow.
example:
- code
grantTypes:
type: array
items:
type: string
description: OAuth Grant Type.
example:
- authorization_code
tokenEndpointAuthMethod:
type: string
description: OAuth Token Endpoint Authentication Method.
example: client_secret_post
idTokenSignedResponseAlg:
type: string
description: Algorithm must match configured jwks. Defaults to `ES256`.
example: ES256
applicationType:
type: string
example: web
logoUri:
type: string
format: uri
description: The logo to display above the QR code.
example: https://example.com/logo.png
required:
- name
- redirectUris
- idTokenSignedResponseAlg
title: CreateOidcVerifierClientRequest
CreateOidcVerifierClientResponse:
allOf:
- type: object
properties:
id:
type: string
format: uuid
description: Make note of your id with this OIDC Client.
example: da9bb6e4-c9ae-4468-b6ac-72b90d6efd5d
secret:
type: string
description: Make note of your secret with this OIDC Client.
example: H2epdcmNJ46hXJo5opdzvhbZK9W2ZGPkQh.E
- $ref: '#/components/schemas/CreateOidcVerifierClientRequest'
title: CreateOidcVerifierClientResponse
GetOidcVerifierClientsResponse:
type: object
properties:
nextCursor:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1hNjZmZmVhNS04NDhlLTQzOWQtODBhNC1kZGE1NWY1M2UzNmM
description: Starting point for next cursor to use in a page
data:
$ref: '#/components/schemas/CreateOidcVerifierClientResponse'
title: GetOidcVerifierClientsResponse
OpenIdConfiguration:
type: object
properties:
authorization_endpoint:
type: string
format: uri
example: https://tenant.vii.mattr.global/ext/oidc/v1/issuers/983c0a86-204f-4431-9371-f5a22e506599/authorize
claims_parameter_supported:
type: boolean
example: true
claims_supported:
type: array
items:
type: string
example:
- sub
- sid
- auth_time
- iss
code_challenge_methods_supported:
type: array
items:
type: string
example:
- S256
end_session_endpoint:
type: string
format: uri
example: https://tenant.vii.mattr.global/ext/oidc/v1/issuers/983c0a86-204f-4431-9371-f5a22e506599/session/end
grant_types_supported:
type: array
items:
type: string
example:
- implicit
- authorization_code
- refresh_token
id_token_signing_alg_values_supported:
type: array
items:
type: string
example:
- HS256
- ES256
issuer:
type: string
format: uri
example: https://tenant.vii.mattr.global
jwks_uri:
type: string
format: uri
example: https://tenant.vii.mattr.global/ext/oidc/v1/issuers/983c0a86-204f-4431-9371-f5a22e506599/jwks
registration_endpoint:
type: string
format: uri
example: https://tenant.vii.mattr.global/ext/oidc/v1/issuers/983c0a86-204f-4431-9371-f5a22e506599/clients
request_object_signing_alg_values_supported:
type: array
items:
type: string
example:
- HS256
- RS256
- PS256
- ES256
- EdDSA
request_parameter_supported:
type: boolean
example: true
request_uri_parameter_supported:
type: boolean
example: true
require_request_uri_registration:
type: boolean
example: true
response_modes_supported:
type: array
items:
type: string
example:
- form_post
- fragment
- query
response_types_supported:
type: array
items:
type: string
example:
- code id_token
- code
- id_token
- none
scopes_supported:
type: array
items:
type: string
example:
- openid
- offline_access
subject_types_supported:
type: array
items:
type: string
example:
- public
token_endpoint_auth_methods_supported:
type: array
items:
type: string
example:
- none
- client_secret_basic
- client_secret_jwt
- client_secret_post
- private_key_jwt
token_endpoint_auth_signing_alg_values_supported:
type: array
items:
type: string
example:
- HS256
- RS256
- PS256
- ES256
- EdDSA
token_endpoint:
type: string
format: uri
example: https://tenant.vii.mattr.global/ext/oidc/v1/issuers/983c0a86-204f-4431-9371-f5a22e506599/token
userinfo_endpoint:
type: string
format: uri
example: https://tenant.vii.mattr.global/ext/oidc/v1/issuers/983c0a86-204f-4431-9371-f5a22e506599/me
userinfo_signing_alg_values_supported:
type: array
items:
type: string
example:
- HS256
- ES256
claim_types_supported:
type: array
items:
type: string
example:
- normal
title: OpenIdConfiguration
InitialTokenRequest:
type: object
properties:
client_id:
oneOf:
- example: G1s1EPMml4L0zFd63R1YP
type: string
client_secret:
type: string
example: aYzQUXD0VtlNHhTnxt6cyJeMgLczIBm-AA87STG0narCG8P0iL78fAO7TcWjPBYKwpoZY7Sw8MWNwvqf5VVqFw
grant_type:
type: string
example: authorization_code
code:
type: string
example: shdT2ks5tg9b
redirect_uri:
type: string
format: uri
example: https://my-client-rp.example.com
title: InitialTokenRequest
RefreshTokenRequest:
type: object
properties:
client_id:
type: string
client_secret:
type: string
grant_type:
type: string
example: authorization_code
refresh_token:
type: string
redirect_uri:
type: string
format: uri
title: RefreshTokenRequest
TokenRequest:
oneOf:
- $ref: '#/components/schemas/InitialTokenRequest'
- $ref: '#/components/schemas/RefreshTokenRequest'
title: TokenRequest
TokenResponse:
type: object
properties:
access_token:
type: string
token_type:
type: string
enum:
- bearer
refresh_token:
type: string
expires_in:
type: integer
id_token:
type: string
title: TokenResponse
GetUserResponse:
type: object
properties:
id:
type: string
format: uuid
description: User unique identifier.
example: 0c3fad74-a8df-4a2d-8e75-f2d356b413ba
claims:
type: object
description: User claims.
example:
externalUserId: 0c3fad74-a8df-4a2d-8e75-f2d356b413ba
authenticationProvider:
type: object
description: Authentication Provider information for the user.
properties:
providerId:
type: string
description: Authentication Provider identifier.
example: 41458e5a-9092-40b7-9a26-d4eb43c5792f
url:
type: string
description: Authentication Provider url.
example: https://example-university.au.auth0.com
subjectId:
type: string
description: Unique identifier of the user in the Authentication Provider.
example: example-university-oauth2|123456789
title: GetUserResponse
SearchUsersResponse:
type: object
properties:
nextCursor:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1hNjZmZmVhNS04NDhlLTQzOWQtODBhNC1kZGE1NWY1M2UzNmM
description: Starting point for next cursor to use in a page
data:
type: array
description: Includes all matching user objects.
items:
$ref: '#/components/schemas/GetUserResponse'
title: SearchUsersResponse
GetUsersResponse:
type: object
properties:
nextCursor:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1hNjZmZmVhNS04NDhlLTQzOWQtODBhNC1kZGE1NWY1M2UzNmM
description: Starting point for next cursor to use in a page
data:
type: array
description: Includes matching user objects.
items:
$ref: '#/components/schemas/GetUserResponse'
title: GetUsersResponse
CreateUserRequest:
type: object
properties:
claims:
type: object
description: User claims to be persisted. No claims are persisted by default. Consider PII implications before persisting any claims.
example:
externalUserId: 0c3fad74-a8df-4a2d-8e75-f2d356b413ba
authenticationProvider:
type: object
description: |-
Authentication Provider information for the user. This enables linking the user to an external identity provider. If implemented insecurely, this process can be exploited by malicious actors to gain unauthorized access to legitimate user accounts.
To mitigate this risk, require authentication for both accounts involved in the link, whether the link is created manually or automatically. Always prompt the user to enter credentials to verify ownership before establishing the link.
required:
- providerId
- subjectId
properties:
providerId:
type: string
description: Authentication Provider identifier.
example: 41458e5a-9092-40b7-9a26-d4eb43c5792f
subjectId:
type: string
description: Unique identifier of the user in the Authentication Provider. Must be an exact match.
example: example-university-oauth2|123456789
example:
providerId: 41458e5a-9092-40b7-9a26-d4eb43c5792f
subjectId: example-university-oauth2|123456789
title: CreateUserRequest
NextCursor:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1hNjZmZmVhNS04NDhlLTQzOWQtODBhNC1kZGE1NWY1M2UzNmM
description: Starting point for next cursor to use in a page
GetUserCredentialsResponse:
type: object
properties:
data:
type: array
description: |-
- Includes metadata for all credentials referenced by the provided `UserId`.
- Properties returned depend on the credential type, with the exception of the following properties which are always returned:
- `id`
- `type`
- `profile`
- `sessionId`
- `credentialConfigurationId`
- Properties are only returned for credentials issued using Platform v11.0.0 or later, with the exception of the following properties which are always returned:
- `id`
- `type`
- `profile`
- `sessionId`
items:
oneOf:
- type: object
title: mDoc
required:
- id
- type
- profile
- sessionId
- credentialConfigurationId
- devicePublicKey
- namespaces
- msoHash
- issuedDate
- validFrom
- validUntil
properties:
id:
type: string
description: Credential unique identifier.
example: 552b35fe-a3ed-4c33-8c3c-64810c712323
type:
type: string
description: Credential type.
example: org.iso.18013.5.1.mDL
profile:
type: string
enum:
- mobile
description: Credential format.
example: mobile
offerId:
type: string
description: Identifier of the credential offer used to claim this credential.
example: b0877ef9-deaf-4c88-8765-2b5aad2913d9
sessionId:
type: string
description: Identifier of the session in which this credential was claimed.
example: 4da5bce7-39d0-482e-8972-c674c688e01a
credentialConfigurationId:
type: string
description: Identifier of the credential configuration used to issue this credential.
example: 3948c40e-6e19-4ffc-933c-91f643f24264
devicePublicKey:
type: object
description: The device public key that is bound to this credential.
properties:
kty:
type: string
description: Key type.
example: EC
crv:
type: string
description: Elliptic curve used with the key.
example: P-256
x:
type: string
description: The x coordinate for the elliptic curve point.
example: 11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo
title: PublicJsonWebKey
namespaces:
type: object
description: Namespaces used in the credential.
example:
org.iso.18013.5.1:
given_name:
digestID: 0
digest: 8GWbUyIRA2xATs5ILEa0fVZF1QQt4JL5gG2aCtVsazU
family_name:
digestID: 1
digest: R4jk/m0wX9KhENp7DVPr9AM7Hz+CJoEJNKJRQo92FCI
msoHash:
type: string
description: Base64NoPadding encoded string of the Sha256 hash of the Mobile Security Object (MSO) Bytes.
example: OsPO++ARsvvJYswmuzN8E3rxN+jAkbWbxhqVIOfM1Go
issuedDate:
type: string
format: date-time
example: '2025-06-28T12:34:56.000Z'
description: The date and time when the credential was issued.
validFrom:
type: string
format: date-time
example: '2025-06-30T12:00:00.000Z'
description: The date and time when the credential becomes valid.
validUntil:
type: string
format: date-time
example: '2025-07-30T12:00:00.000Z'
description: The date and time when the credential expires.
status:
type: string
enum:
- valid
- invalid
- suspended
description: The credential's current revocation status.
example: valid
- type: object
title: CWT
required:
- id
- type
- profile
- sessionId
- credentialConfigurationId
properties:
id:
type: string
description: Credential unique identifier.
example: 552b35fe-a3ed-4c33-8c3c-64810c712323
type:
type: string
description: Credential type.
example: CourseCredential
profile:
type: string
enum:
- compact
- compact-semantic
description: Credential format.
example: compact-semantic
offerId:
type: string
description: Identifier of the credential offer used to claim this credential.
example: b0877ef9-deaf-4c88-8765-2b5aad2913d9
sessionId:
type: string
description: Identifier of the session in which this credential was claimed.
example: 4da5bce7-39d0-482e-8972-c674c688e01a
credentialConfigurationId:
type: string
description: Identifier of the credential configuration used to issue this credential.
example: 3948c40e-6e19-4ffc-933c-91f643f24264
issuedDate:
type: string
format: date-time
example: '2025-06-28T12:34:56.000Z'
description: The date and time when the credential was issued.
validFrom:
type: string
format: date-time
example: '2025-06-30T12:00:00.000Z'
description: The date and time when the credential becomes valid.
validUntil:
type: string
format: date-time
example: '2025-07-30T12:00:00.000Z'
description: The date and time when the credential expires.
- type: object
title: JSON
required:
- id
- type
- profile
- sessionId
- credentialConfigurationId
properties:
id:
type: string
description: Credential unique identifier.
example: 552b35fe-a3ed-4c33-8c3c-64810c712323
type:
type: string
description: Credential type.
example: CourseCredential
profile:
type: string
enum:
- web-semantic
description: Credential format.
example: web-semantic
offerId:
type: string
description: Identifier of the credential offer used to claim this credential.
example: b0877ef9-deaf-4c88-8765-2b5aad2913d9
sessionId:
type: string
description: Identifier of the session in which this credential was claimed.
example: 4da5bce7-39d0-482e-8972-c674c688e01a
credentialConfigurationId:
type: string
description: Identifier of the credential configuration used to issue this credential.
example: 3948c40e-6e19-4ffc-933c-91f643f24264
nextCursor:
$ref: '#/components/schemas/NextCursor'
title: GetUserCredentialsResponse
AuthenticationProviderSchema:
type: object
required:
- clientId
properties:
scope:
type: array
description: OpenID scopes to use during authentication. Each scope returns a set of user attributes which are called claims. Be sure to test that right scopes are added to get all the information you need. If no scopes are provided, [`openid`,`profile`,`email`] are added by default. If any scopes are provided, `openid` must also be included in the array.
example:
- openid
- profile
- email
- address
- phone
default:
- openid
- profile
- email
items:
type: string
clientId:
type: string
description: The client ID of the application client created on your IdP.
example: vJ0SCKchr4XjC0xHNE8DkH6Pmlg2lkCN
clientSecret:
type: string
description: The client secret of the application client created on your IdP.
tokenEndpointAuthMethod:
type: string
description: |-
Authentication method for your IdP token endpoint:
- `client_secret_post`: Your credentials are passed as parameters in the request body.
- `client_secret_basic` (default): Your credentials are passed as a base 64 encoded token.
example: client_secret_post
default: client_secret_basic
enum:
- client_secret_basic
- client_secret_post
staticRequestParameters:
type: object
maxProperties: 1000
description: Additional parameters (maximum 1000 entries allowed) that will be included in the request to your IdP. These parameters are identical for every request as defined in your configuration. An example would be setting the prompt to be login to let your IdP know it should show the login page every time. Keys must be strings. Values of top-level object keys must stringify to less than 1000 characters.
additionalProperties:
oneOf:
- type: string
- type: number
- type: boolean
- type: array
- type: object
example:
prompt: login
max_age: 10000
forwardedRequestParameters:
type: array
description: In contrast to `staticRequestParameters`, you can provide dynamic parameters that are fetched uniquely for each request to make the user journey more seamless. You can forward params to your IdP like `login_hint` which will pass the email of the user starting the flow. Values are limited to 1000 characters each, and cannot override any core [Authorize Parameters](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).
default: []
example:
- login_hint
items:
type: string
maxLength: 1000
claimsToPersist:
type: array
description: List of claims to persist from your IdP to MATTR VII. If you have attributes from the ID token (e.g. user identifier, email, etc.) that you would like persisted on MATTR VII, add them to this array. By default this array is empty, meaning no claims are persisted on MATTR VII.
items:
type: string
default: []
example:
- userId
CreateAuthenticationProviderResponse:
required:
- clientSecret
allOf:
- type: object
properties:
id:
type: string
format: uuid
description: Unique identifier for the configured authentication provider. This identifier can be used to retrieve, update or remove the authentication provider configuration.
example: 983c0a86-204f-4431-9371-f5a22e506599
redirectUrl:
type: string
format: uri
description: You will need to add this URL to your IdP's allowed redirects list, to enable it to redirect the user back to the wallet upon successful authentication with your IdP. If you are using Auth0 as your identity provider, [this guide](https://auth0.com/docs/authenticate/login/redirect-users-after-login) shows how to add callback URLs. For others, consult your provider for instructions on adding callback URLs.
example: https://tenant.vii.mattr.global/v1/oauth/authentication/callback
url:
type: string
format: uri
description: Base url for your Authentication Provider well-known endpoint.
- $ref: '#/components/schemas/AuthenticationProviderSchema'
- type: object
properties:
clientSecret:
type: string
description: Your authentication provider client secret will be masked in the response without revealing the actual secret. If the secret is less than 20 characters it will be completely masked, and if it is over 20 only the last 5 characters are revealed.
example: '***********************************************************6-OjH'
title: CreateAuthenticationProviderResponse
GetAuthenticationProvidersResponse:
type: object
properties:
nextCursor:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1hNjZmZmVhNS04NDhlLTQzOWQtODBhNC1kZGE1NWY1M2UzNmM
description: Starting point for next cursor to use in a page
data:
type: array
items:
$ref: '#/components/schemas/CreateAuthenticationProviderResponse'
title: GetAuthenticationProvidersResponse
AuthenticationProviderRequest:
type: object
allOf:
- $ref: '#/components/schemas/AuthenticationProviderSchema'
- type: object
properties:
clientSecret:
description: The client secret of the application client created on your IdP.
example: QNwfa4Yi4Im9zy1u_15n7SzWKt-9G5cdH0r1bONRpUPfN-UIRaaXv_90z8V6-OjH
OpenIdConfigurationInteractionHookRequest:
type: object
description: Interaction Hook configuration.
properties:
url:
type: string
format: uri
description: |-
The interaction hook URL that the user will be redirected to after completing the authentication process:
- Must be a valid URL.
- Must use the HTTPS protocol.
- Must not be an IP address.
- Must not include query parameters. Port and fragment parameters will be dropped.
- Must have a valid public TLD.
- Unicode will be converted to ASCII.
example: https://example-university.com/callback
claims:
type: array
description: An array of user attributes that will be returned in the authentication response. These claims are included in the session token that is sent to the interaction hook. Claims can only include alphanumeric characters, ''_'', or ''-''. If the value is empty or not defined, no claims are sent.
items:
type: string
default: []
example:
- first_name
- last_name
- email
sessionTimeoutInSec:
type: number
description: Interaction hook session duration (in seconds). Once a session expires, the user is shown an error when they are redirected. If not specified, the default environment session duration is applied.
example: 1200
minimum: 300
maximum: 7200
disabled:
type: boolean
description: Indicates whether the interactions hook is disabled. When `false`, the interactions hook is **enabled** and users will be redirected to your configured interaction hook component after they've authenticated themselves against your IdP.
default: true
example: false
title: OpenIdConfigurationInteractionHookRequest
OpenIdConfigurationInteractionHook:
type: object
description: Interaction Hook configuration.
allOf:
- $ref: '#/components/schemas/OpenIdConfigurationInteractionHookRequest'
- type: object
properties:
secret:
type: string
description: A Base64 encoded HMAC secret that must be used by your interaction hook component to sign a new JWT with any additional claims that you may include. Refer to the [Interaction hook tutorial](https://learn.mattr.global/docs/issuance/authorization-code/interaction-hook/tutorial#sign-the-interaction-hook-response-jwt-and-redirect-back-to-mattr-vii) for more information.
example: dGtUrijBOT6UUJ8JO4kAFyGfhahDlVVeIk/sPbWTa7c=
title: OpenIdConfigurationInteractionHook
schemas-OpenIdConfiguration:
type: object
properties:
interactionHook:
$ref: '#/components/schemas/OpenIdConfigurationInteractionHook'
title: OpenIdConfiguration
UpdateOpenIdConfigurationRequest:
type: object
properties:
interactionHook:
$ref: '#/components/schemas/OpenIdConfigurationInteractionHookRequest'
title: UpdateOpenIdConfigurationRequest
Event:
type: object
properties:
id:
type: string
format: uuid
description: Event identifier.
example: 0c099611-19c4-4f29-8724-6b9e5ba1ef7c
type:
type: string
description: Event type.
example: CREDENTIAL_COMPACT_SIGN_START
timestamp:
type: string
description: Timestamp of when the event was generated.
example: '2023-06-01T02:45:44.087Z'
category:
type: string
description: Event category.
example: credential-compact
requestId:
type: string
description: Identifier for the request this event is part of.
example: 4SO6JZz3sPYLjOQvxIVHr5
requestIp:
type: string
description: IP address from which the request originated.
example: 192.0.2.1
managementUserId:
type: string
format: uuid
description: Identifier for the management user associated with this event.
example: ea691ed4-90ff-4be2-bd85-f2c74efa72c3
clientId:
type: string
description: Identifier for the client associated with this event.
example: 54rp8Z8yGnlva19mThj7tJzNXFSyXrCf
metadata:
type: object
description: Available metadata will vary based on event type and logging level.
data:
type: object
description: Available data will vary based on event type and logging level.
required:
- id
- type
- timestamp
- category
- metadata
- data
MattrIntegration:
title: MATTR Integration
type: object
required:
- format
- url
- enabled
properties:
format:
type: string
description: Integration format.
enum:
- MATTR
url:
type: string
description: URL where this integration's trust information is retrieved from.
example: https://example.vii.au01.mattr.global/v1/ecosystems/489755c9-1d74-4f59-a127-db7105667bfe/policy
enabled:
type: boolean
description: Flag indicating whether the integration is enabled.
example: true
VicalIntegration:
title: VICAL Integration
type: object
required:
- format
- url
- enabled
- rootCertificatePems
properties:
format:
type: string
description: Integration format.
enum:
- VICAL
url:
type: string
description: URL where this integration's trust information is retrieved from.
example: https://example.vii.au01.mattr.global/v1/ecosystems/489755c9-1d74-4f59-a127-db7105667bfe/vicals/public/latest
enabled:
type: boolean
description: Flag indicating whether the integration is enabled.
example: true
rootCertificatePems:
type: array
description: The root certificate PEM that should be used to verify this [VICAL](https://learn.mattr.global/docs/issuance/vical/overview).
items:
type: string
example: "-----BEGIN CERTIFICATE-----\r\nMIIBwzCCAWigAwIBAgIKRGC+CqoTGJKkkTAKBggqhkjOPQQDAjAgMR4wCQYDVQQG\r\nEwJOWjARBgNVBAMTCk1BVFRSIElBQ0EwHhcNMjMwODA4MDAwOTIxWhcNMzMwODA1\r\nMDAwOTIxWjAgMR4wCQYDVQQGEwJOWjARBgNVBAMTCk1BVFRSIElBQ0EwWTATBgcq\r\nhkjOPQIBBggqhkjOPQMBBwNCAASRu69fzdgM4odkyPtRcZd3eGWCw4BB7StZNGRm\r\nuIlrraUyv9SWPHgUYjYmRB1g7ERzj/pOSAspk71Y+QA+j9nPo4GJMIGGMBIGA1Ud\r\nEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgAGMB0GA1UdDgQWBBSONcHGh4If\r\nO1dYorRpsuFrs+f8SDAcBgNVHRIEFTATgRFpbmZvQG1hdHRyLmdsb2JhbDAjBgNV\r\nHR8EHDAaMBiiFoYUaHR0cHM6Ly9tYXR0ci5nbG9iYWwwCgYIKoZIzj0EAwIDSQAw\r\nRgIhAPKJIGDSvp7VxRBLCWWeghqi8UUeO+dZsC49TUZcDMNxAiEAoh+7dT+l+GzX\r\nk0J2SoGmPiagrbAuIYyTHwzZZuYr1W4=\r\n-----END CERTIFICATE-----\r\n"
EcosystemIntegration:
oneOf:
- allOf:
- $ref: '#/components/schemas/MattrIntegration'
- type: object
properties:
integrationResult:
type: object
required:
- success
- lastSyncedAt
properties:
success:
type: boolean
description: Flag indicating whether the integration was successful.
example: true
lastSyncedAt:
type: string
description: The timestamp when the integration was last synced.
format: date-time
example: '2024-09-10T02:28:36.550Z'
lastModifiedAt:
type: string
description: The timestamp when the integrated trust information was last modified.
format: date-time
example: '2024-08-10T02:28:36.550Z'
failReasons:
type: array
description: A list of integration failure reasons, present only when `success` is `false`.
items:
type: object
required:
- type
properties:
type:
type: string
example: UnknownVerificationError
message:
type: string
example: Unknown verification error occurred
- allOf:
- $ref: '#/components/schemas/VicalIntegration'
- type: object
properties:
integrationResult:
type: object
required:
- success
- lastSyncedAt
properties:
success:
type: boolean
description: Flag indicating whether the integration was successful.
example: true
lastSyncedAt:
type: string
description: The timestamp when the integration was last synced.
format: date-time
example: '2024-09-10T02:28:36.550Z'
vicalIssueID:
type: integer
description: vicalIssueID identifies the specific issue of the VICAL.
example: 112
date:
type: string
description: The timestamp when the VICAL was signed.
format: date-time
example: '2024-05-01T00:00:00.000Z'
failReasons:
type: array
description: A list of integration failure reasons, present only when `success` is `false`.
items:
type: object
required:
- type
properties:
type:
type: string
example: InvalidCertificatePem
message:
type: string
example: Invalid certificate PEM
Ecosystem:
type: object
properties:
id:
type: string
format: uuid
description: The UUID of the ecosystem.
example: 87880d7e-a4d0-462e-8383-3f1e5e16865d
readOnly: true
name:
type: string
description: The name of the ecosystem.
minLength: 1
maxLength: 50
example: My Ecosystem
integrations:
type: array
items:
$ref: '#/components/schemas/EcosystemIntegration'
name:
type: string
description: The name of the ecosystem.
minLength: 1
maxLength: 50
example: My Ecosystem
EcosystemConfig:
type: object
properties:
ecosystems:
type: array
minItems: 1
maxItems: 1
items:
type: object
properties:
url:
type: string
description: Ecosystem URL
example: https://example.vii.au01.mattr.global/v1/ecosystems/cdd42cec-e961-447c-9083-1312ee316053
isIssuanceRestricted:
type: boolean
description: Indicates whether issuance is restricted (`true`) or not (`false`).
example: false
isVerificationRestricted:
type: boolean
description: Indicates whether verification is restricted (`true`) or not (`false`).
example: false
id:
type: string
format: uuid
description: The UUID of the ecosystem.
example: 87880d7e-a4d0-462e-8383-3f1e5e16865d
readOnly: true
CreatePolicyResponse:
type: object
properties:
id:
type: string
format: uuid
description: Unique identifier for this policy.
example: 782f1885-c7c2-4459-8426-b6d7c111b0b1
policyPublishedAt:
type: string
format: date-time
description: The timestamp when the policy was published.
example: '2024-10-22T00:00:00Z'
CredentialProfile:
type: string
enum:
- compact
- compact-semantic
- web-semantic
Credential:
title: Web/Compact
type: object
required:
- id
- ecosystemId
- profile
- type
- name
properties:
id:
type: string
format: uuid
example: 599bf148-d711-405a-a20b-9c8a87ac8850
description: Unique identifier for this credential type.
readOnly: true
ecosystemId:
$ref: '#/components/schemas/id'
profile:
$ref: '#/components/schemas/CredentialProfile'
type:
type: string
example: DriverLicense
name:
type: string
description: The name of the credential
minLength: 1
maxLength: 50
example: Driver's License
ParticipantIdentifiers:
type: object
description: |-
Define the unique identifier that will be used by this participant to issue and/or verify credentials. Participants can have different identifiers for different credential formats. Each participant must have at least one defined credential format, and for each credential format a participant can define exactly one unique identifier.
- Credentials are only valid in the ecosystem if they include an identifier of an issuer that is a participant in the ecosystem.
- Verification requests are only valid in the ecosystem if they include an identifier of a verifier that is a participant in the ecosystem.
- For mDocs this must be the PEM of a valid [IACA](#operation/create-mobile-credential-iaca) used by this participant to sign mDocs, as defined in annex B of [ISO/IEC 18013-5:2021](https://www.iso.org/standard/69084.html). An exception to this aforementioned definition is that IACAs with a `notBefore` date in the future are considered valid.
properties:
web-semantic:
type: string
example: did:web:example.com
compact-semantic:
type: string
example: did:web:example.com
compact:
type: string
example: did:web:example.com
mobile:
type: array
minItems: 1
items:
type: object
properties:
certificatePem:
type: string
description: Must be the PEM of a valid [IACA](/docs/issuance/certificates/api-reference/iaca#create-an-iaca) used by this participant to sign mDocs, as defined in annex B of [ISO/IEC 18013-5:2021](https://www.iso.org/standard/69084.html). An exception to this aforementioned definition is that IACAs with a `notBefore` date in the future are considered valid.
example: "-----BEGIN CERTIFICATE-----\r\nMIIBwzCCAWigAwIBAgIKRGC+CqoTGJKkkTAKBggqhkjOPQQDAjAgMR4wCQYDVQQG\r\nEwJOWjARBgNVBAMTCk1BVFRSIElBQ0EwHhcNMjMwODA4MDAwOTIxWhcNMzMwODA1\r\nMDAwOTIxWjAgMR4wCQYDVQQGEwJOWjARBgNVBAMTCk1BVFRSIElBQ0EwWTATBgcq\r\nhkjOPQIBBggqhkjOPQMBBwNCAASRu69fzdgM4odkyPtRcZd3eGWCw4BB7StZNGRm\r\nuIlrraUyv9SWPHgUYjYmRB1g7ERzj/pOSAspk71Y+QA+j9nPo4GJMIGGMBIGA1Ud\r\nEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgAGMB0GA1UdDgQWBBSONcHGh4If\r\nO1dYorRpsuFrs+f8SDAcBgNVHRIEFTATgRFpbmZvQG1hdHRyLmdsb2JhbDAjBgNV\r\nHR8EHDAaMBiiFoYUaHR0cHM6Ly9tYXR0ci5nbG9iYWwwCgYIKoZIzj0EAwIDSQAw\r\nRgIhAPKJIGDSvp7VxRBLCWWeghqi8UUeO+dZsC49TUZcDMNxAiEAoh+7dT+l+GzX\r\nk0J2SoGmPiagrbAuIYyTHwzZZuYr1W4=\r\n-----END CERTIFICATE-----\r\n"
status:
type: string
description: The status of the mobile identifier.
enum:
- Active
- Inactive
- Delisted
example: Active
docTypes:
type: array
description: |
Determines the document types that a participant is permitted to issue. This parameter governs how the participant’s permissions are represented in published VICALs and ecosystem policies, limiting issuance to the defined `docTypes`.
Note: This is a metadata-level declaration and does not enforce validation during credential assignment or issuance.
items:
type: string
example: org.iso.18013.5.1
required:
- certificatePem
- status
- docTypes
Participant:
required:
- id
- ecosystemId
- name
- identifiers
type: object
properties:
id:
type: string
format: uuid
description: The UUID of the participant.
example: a24e391a-c27f-4b6e-9805-1ee7e03f3c58
readOnly: true
ecosystemId:
$ref: '#/components/schemas/id'
name:
type: string
description: Name to easily identify the participant.
minLength: 1
maxLength: 50
example: My Participant
identifiers:
$ref: '#/components/schemas/ParticipantIdentifiers'
isIssuer:
type: boolean
description: Indicates whether the participant is an issuer in the ecosystem (`true`) or not (`false`). When set to `false`, the participant will not be able to issue any valid credential types, even if it is added to an issuer policy. The default value is `false`, as this assigns the least privileges to the new participant.
default: false
example: false
isVerifier:
type: boolean
description: Indicates whether the created participant is a verifier in the ecosystem (`true`) or not (`false`). When set to `false`, the participant will not be able to verify any valid credential types, even if it is added to a verifier policy. The default value is `false`, as this assigns the least privileges to the new participant.
default: false
example: false
isIssuerConstrained:
type: boolean
description: Indicates whether the created participant is constrained to only issue specific types of valid credentials (`true`) or not (`false`). When set to `false`, the issuer can issue all valid credential types defined within the ecosystem, even if it is added to a more limited issuer policy. The default value is `true`, as this assigns the least privileges to the new participant.
default: true
example: true
isVerifierConstrained:
type: boolean
description: Indicates whether the created participant is constrained to only verify specific types of valid credentials (`true`) or not (`false`). When set to `false`, the verifier can verify all valid credential types defined within the ecosystem, even if it is added to a more limited verifier policy. The default value is `true`, as this assigns the least privileges to the new participant.
default: true
example: true
status:
type: string
enum:
- Active
- Inactive
description: Indicates whether the participant is active or inactive. Only active participants are included in the ecosystem policy.
default: Inactive
example: Active
country:
type: string
description: The country in which the participant is based. When provided, must be a valid [Alpha 2 country code](https://www.iso.org/glossary-for-iso-3166.html) as per [ISO 3166-1](https://www.iso.org/standard/72482.html) and match the `country` value in the PEM certificate associated with the `mobile` [identifier](#operation/createEcosystemParticipant!path=identifiers&t=request) of this participant.
example: US
stateOrProvince:
type: string
description: The state or province in which the participant is based, in [ISO 3166-2](https://www.iso.org/standard/72483.html) subdivision code format. When provided, must match the `stateOrProvinceName` value in the PEM certificate associated with the `mobile` [identifier](#operation/createEcosystemParticipant!path=identifiers&t=request) of this participant.
example: US-AL
organizationAddress:
type: string
description: The address of the organization that the participant represents.
example: 1234 Main St, City, State, 12345
organizationPhoneNumber:
type: string
description: The phone number of the organization that the participant represents.
example: 012-3456789
EcosystemPolicy:
type: object
properties:
policyModifiedAt:
description: The timestamp when the ecosystem policy was last modified.
type: string
format: date-time
example: '2023-10-17T00:00:00Z'
policyPublishedAt:
type: string
format: date-time
description: The timestamp when the policy was published.
example: '2024-10-22T00:00:00Z'
credentials:
description: A map of credential IDs to credentials associated with the ecosystem policy.
type: object
properties:
599bf148-d711-405a-a20b-9c8a87ac8850:
$ref: '#/components/schemas/Credential'
participants:
description: A list of participants associated with the ecosystem policy.
type: object
properties:
a24e391a-c27f-4b6e-9805-1ee7e03f3c58:
allOf:
- $ref: '#/components/schemas/Participant'
- type: object
properties:
identifiers:
allOf:
- $ref: '#/components/schemas/ParticipantIdentifiers'
- type: object
properties:
mobile:
type: array
minItems: 1
items:
type: object
properties:
certificatePem:
type: string
description: Must be the PEM of a valid [IACA](/docs/issuance/certificates/api-reference/iaca#create-an-iaca) used by this participant to sign mDocs, as defined in annex B of [ISO/IEC 18013-5:2021](https://www.iso.org/standard/69084.html). An exception to this aforementioned definition is that IACAs with a `notBefore` date in the future are considered valid.
example: "-----BEGIN CERTIFICATE-----\r\nMIIBwzCCAWigAwIBAgIKRGC+CqoTGJKkkTAKBggqhkjOPQQDAjAgMR4wCQYDVQQG\r\nEwJOWjARBgNVBAMTCk1BVFRSIElBQ0EwHhcNMjMwODA4MDAwOTIxWhcNMzMwODA1\r\nMDAwOTIxWjAgMR4wCQYDVQQGEwJOWjARBgNVBAMTCk1BVFRSIElBQ0EwWTATBgcq\r\nhkjOPQIBBggqhkjOPQMBBwNCAASRu69fzdgM4odkyPtRcZd3eGWCw4BB7StZNGRm\r\nuIlrraUyv9SWPHgUYjYmRB1g7ERzj/pOSAspk71Y+QA+j9nPo4GJMIGGMBIGA1Ud\r\nEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgAGMB0GA1UdDgQWBBSONcHGh4If\r\nO1dYorRpsuFrs+f8SDAcBgNVHRIEFTATgRFpbmZvQG1hdHRyLmdsb2JhbDAjBgNV\r\nHR8EHDAaMBiiFoYUaHR0cHM6Ly9tYXR0ci5nbG9iYWwwCgYIKoZIzj0EAwIDSQAw\r\nRgIhAPKJIGDSvp7VxRBLCWWeghqi8UUeO+dZsC49TUZcDMNxAiEAoh+7dT+l+GzX\r\nk0J2SoGmPiagrbAuIYyTHwzZZuYr1W4=\r\n-----END CERTIFICATE-----\r\n"
docTypes:
type: array
description: |
Defines which document types a participant is permitted to issue.
Note: This is a metadata-level declaration and does not enforce validation during credential assignment or issuance.
items:
type: string
example: org.iso.18013.5.1
required:
- certificatePem
- docTypes
issuerAllowedCredentials:
description: A list of credentials that can be validly issued within the ecosystem.
type: array
items:
type: string
format: uuid
example:
- e0a07846-44e1-41a4-b704-1ccf6eb1a5af
- 25fa6ffc-bf6e-417c-865c-96fcf1d7d1a3
verifierAllowedCredentials:
description: A list of credentials that can be validly verified within the ecosystem.
type: array
items:
type: string
format: uuid
example:
- 4e25a240-76bb-4e9f-9f93-b93be287922b
- daca4a43-3ff9-4ecb-93fe-d9104e36bf74
required:
- policyModifiedAt
- policyPublishedAt
- credentials
- participants
properties-id:
type: string
format: uuid
description: The UUID of the participant.
example: a24e391a-c27f-4b6e-9805-1ee7e03f3c58
readOnly: true
ParticipantContactResponse:
type: object
description: Point of contact associated with a participant.
required:
- id
- fullName
- active
- createdBy
- createdAt
- lastModifiedBy
- lastModifiedAt
properties:
id:
type: string
format: uuid
example: 920f2489-d953-42f2-b2dd-f37c29b818cf
description: Unique identifier of a specific point of contact entry.
fullName:
type: string
example: John Doe
description: Full name of the point of contact.
active:
type: boolean
example: true
description: Indicates whether the point of contact is active.
emailAddress:
type: string
format: email
example: john.doe@example.com
description: Email address of the point of contact.
primaryPhoneNumber:
type: string
example: 1234567890
description: Primary phone number of the point of contact.
secondaryPhoneNumber:
type: string
example: 987654321
description: Secondary phone number of the point of contact.
createdBy:
type: object
properties:
clientId:
type: string
example: f7b9ecfc-8431-470e-a1de-94b68dd92f68
description: Identifier of the API client that created the point of contact.
managementUserId:
type: string
example: ab16dc65-b58e-4be2-ba77-a6f35021cb2b
description: Identifier of the user that created the point of contact.
createdAt:
type: string
format: date-time
example: '2025-07-01T00:00:00.000Z'
description: Timestamp indicating when the point of contact was created.
lastModifiedBy:
type: object
properties:
clientId:
type: string
example: f7b9ecfc-8431-470e-a1de-94b68dd92f68
description: Identifier of the API client that created the point of contact.
managementUserId:
type: string
example: ab16dc65-b58e-4be2-ba77-a6f35021cb2b
description: Identifier of the user that created the point of contact.
lastModifiedAt:
type: string
format: date-time
example: '2025-07-01T00:00:00.000Z'
description: Timestamp indicating when the point of contact was last updated.
ParticipantContactRequest:
type: object
description: Point of contact associated with a participant.
required:
- fullName
- active
properties:
fullName:
type: string
example: John Doe
description: Full name of the point of contact.
active:
type: boolean
example: true
description: Indicates whether the point of contact is active.
emailAddress:
type: string
format: email
example: john.doe@example.com
description: Email address of the point of contact.
primaryPhoneNumber:
type: string
example: 1234567890
description: Primary phone number of the point of contact.
secondaryPhoneNumber:
type: string
example: 987654321
description: Secondary phone number of the point of contact.
ParticipantContactResponse-properties-id:
type: string
format: uuid
example: 920f2489-d953-42f2-b2dd-f37c29b818cf
description: Unique identifier of a specific point of contact entry.
ParticipantEvidence:
type: object
description: PDF evidence associated with a participant.
properties:
filename:
type: string
example: pdf-evidence.pdf
description: Filename of the uploaded PDF.
fileDescription:
type: string
example: This is an example file description
description: Optional plaintext description of the PDF evidence.
id:
type: string
format: uuid
example: 920f2489-d953-42f2-b2dd-f37c29b818cf
description: Unique identifier of the PDF evidence.
uploadedBy:
type: object
description: Identifiers of the user that uploaded the PDF evidence.
properties:
clientId:
type: string
description: Identifier of the API client that uploaded the PDF.
managementUserId:
type: string
description: Identifier of the user that uploaded the PDF.
uploadedAt:
type: string
format: date-time
example: '2025-07-01T00:00:00.000Z'
description: Timestamp indicating when the PDF was uploaded.
ParticipantEvidence-properties-id:
type: string
format: uuid
example: 920f2489-d953-42f2-b2dd-f37c29b818cf
description: Unique identifier of the PDF evidence.
CredentialProfileMobile:
type: string
enum:
- mobile
example: mobile
CredentialMobile:
title: Mobile
type: object
required:
- id
- ecosystemId
- profile
- docType
- name
properties:
id:
type: string
format: uuid
readOnly: true
example: 49b6beb2-1006-4fb7-9284-7ec920475abe
ecosystemId:
$ref: '#/components/schemas/id'
profile:
$ref: '#/components/schemas/CredentialProfileMobile'
docType:
type: string
example: org.iso.18013.5.1
name:
type: string
description: The name of the credential
minLength: 1
maxLength: 50
example: Driver's License
Credential-properties-id:
type: string
format: uuid
example: 599bf148-d711-405a-a20b-9c8a87ac8850
description: Unique identifier for this credential type.
readOnly: true
ParticipantValidationRequest:
oneOf:
- type: object
title: Web/Compact
required:
- profile
- identifier
properties:
profile:
type: string
description: The credential profile to be validated against the ecosystem policy.
enum:
- compact
- compact-semantic
- web-semantic
identifier:
description: The participant's (issuer/verifier) identifier for issuing/verifying the provided credential format.
example: did:example:abcdb1f712ebc6f1c276e12ec21
type: string
type:
description: The credential type.
type: string
example: DriverLicense
- type: object
title: Mobile
required:
- profile
- identifier
- docType
properties:
profile:
description: The credential format associated with this identifier.
type: string
enum:
- mobile
identifier:
description: The participant's identifier (This should be the PEM of the [IACA](#operation/create-mobile-credential-iaca) in use).
example: "-----BEGIN CERTIFICATE-----\r\nMIIBdjCCAR2gAwIBAgIBATAKBggqhkjOPQQDAjAgMR4wCQYDVQQGEwJOWjARBgNV BAMeCgBNAGEAdAB0AHIwHhcNMjEwNzExMjEzMDU3WhcNMjIwNzExMjEzMDU3WjAg MR4wCQYDVQQGEwJOWjARBgNVBAMeCgBNAGEAdAB0AHIwWTATBgcqhkjOPQIBBggq hkjOPQMBBwNCAAQtyjLgdBIkwZbwQjnJ1J+1md176GwiWESb0hAc3O0ulaSIYRQk HrtZk0/Wmxj/iiU/QAdQ0MxHgTw3tdceZ3gIo0gwRjASBgNVHRMBAf8ECDAGAQH/ AgEDMDAGA1UdJQQpMCcGCysGAQQBjjePZQEBBgsrBgEEAY43j2UBAgYLKwYBBAGO N49lAQMwCgYIKoZIzj0EAwIDRwAwRAIhAI5zqK+cFUgJiVc+kAKNRuBvrjkRRq9C fs+oaGyHWh5AAh8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n-----END CERTIFICATE-----"
type: string
docType:
description: The credential type.
type: string
example: DriverLicense
- type: object
title: Mobile (SKI)
required:
- profile
- subjectKeyIdentifierHex
- docType
properties:
profile:
description: The credential format associated with this identifier.
type: string
enum:
- mobile
subjectKeyIdentifierHex:
description: The SKI of participant's identifier (This should be encoded as a hex value).
example: 292f5bc1c752e4da9167dbb169ae686ac8dc79c6
type: string
docType:
description: The credential type.
type: string
example: DriverLicense
ParticipantValidationResponse:
oneOf:
- type: object
title: Valid
required:
- validated
properties:
validated:
description: Indicates the results of the validation operation. When `true`, the participant (issuer/verifier) is allowed to issue/verify the provided credential format according to the ecosystem policy.
type: boolean
example: true
policyVersion:
description: The ecosystem policy version that the validation was performed against.
example: '1698371362017'
type: string
identifier:
description: The participant's identifier within the ecosystem.
example: did:example:abcdb1f712ebc6f1c276e12ec21
type: string
- type: object
title: Failed
required:
- validated
- failReasons
properties:
validated:
description: Indicates the results of the validation operation. When `false`, the participant (issuer/verifier) is not allowed to issue/verify the provided credential format according to the ecosystem policy.
type: boolean
example: false
policyVersion:
description: The ecosystem policy version that the validation was performed against.
example: '1698371362017'
type: string
identifier:
description: The participant's identifier within the ecosystem.
example: did:example:abcdb1f712ebc6f1c276e12ec21
type: string
failReasons:
description: This array includes reasons for validation failure.
type: array
items:
type: string
example: The specified credential is not valid in the ecosystem
enum:
- Config does not exist for the specified tenant
- The specified credential is not valid in the ecosystem
- The specified issuer is not valid in the ecosystem
- The specified issuer is not authorized in the ecosystem
- The specified verifier is not valid in the ecosystem
- The specified verifier is not authorized in the ecosystem
EcosystemPolicyPreview:
type: object
properties:
policyModifiedAt:
description: The timestamp when the ecosystem policy was last modified.
type: string
format: date-time
example: '2023-10-17T00:00:00Z'
credentials:
description: A map of credential IDs to credentials associated with the ecosystem policy.
type: object
properties:
599bf148-d711-405a-a20b-9c8a87ac8850:
$ref: '#/components/schemas/Credential'
participants:
properties:
a24e391a-c27f-4b6e-9805-1ee7e03f3c58:
allOf:
- $ref: '#/components/schemas/Participant'
- type: object
properties:
identifiers:
allOf:
- $ref: '#/components/schemas/ParticipantIdentifiers'
- type: object
properties:
mobile:
type: array
minItems: 1
items:
type: object
properties:
certificatePem:
type: string
description: Must be the PEM of a valid [IACA](/docs/issuance/certificates/api-reference/iaca#create-an-iaca) used by this participant to sign mDocs, as defined in annex B of [ISO/IEC 18013-5:2021](https://www.iso.org/standard/69084.html). An exception to this aforementioned definition is that IACAs with a `notBefore` date in the future are considered valid.
example: "-----BEGIN CERTIFICATE-----\r\nMIIBwzCCAWigAwIBAgIKRGC+CqoTGJKkkTAKBggqhkjOPQQDAjAgMR4wCQYDVQQG\r\nEwJOWjARBgNVBAMTCk1BVFRSIElBQ0EwHhcNMjMwODA4MDAwOTIxWhcNMzMwODA1\r\nMDAwOTIxWjAgMR4wCQYDVQQGEwJOWjARBgNVBAMTCk1BVFRSIElBQ0EwWTATBgcq\r\nhkjOPQIBBggqhkjOPQMBBwNCAASRu69fzdgM4odkyPtRcZd3eGWCw4BB7StZNGRm\r\nuIlrraUyv9SWPHgUYjYmRB1g7ERzj/pOSAspk71Y+QA+j9nPo4GJMIGGMBIGA1Ud\r\nEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgAGMB0GA1UdDgQWBBSONcHGh4If\r\nO1dYorRpsuFrs+f8SDAcBgNVHRIEFTATgRFpbmZvQG1hdHRyLmdsb2JhbDAjBgNV\r\nHR8EHDAaMBiiFoYUaHR0cHM6Ly9tYXR0ci5nbG9iYWwwCgYIKoZIzj0EAwIDSQAw\r\nRgIhAPKJIGDSvp7VxRBLCWWeghqi8UUeO+dZsC49TUZcDMNxAiEAoh+7dT+l+GzX\r\nk0J2SoGmPiagrbAuIYyTHwzZZuYr1W4=\r\n-----END CERTIFICATE-----\r\n"
status:
type: string
description: The status of the mobile identifier.
enum:
- Active
- Inactive
- Delisted
example: Active
docTypes:
type: array
description: |
Determines the document types that a participant is permitted to issue. This parameter governs how the participant’s permissions are represented in published VICALs and ecosystem policies, limiting issuance to the defined `docTypes`.
Note: This is a metadata-level declaration and does not enforce validation during credential assignment or issuance.
items:
type: string
example: org.iso.18013.5.1
validationResult:
type: object
properties:
validated:
type: boolean
example: true
failReasons:
type: array
description: A list of validation failure reasons, present only when `validated` is `false`.
items:
type: string
required:
- validated
required:
- certificatePem
- status
- docTypes
- validationResult
issuerAllowedCredentials:
description: A list of credentials that can be validly issued within the ecosystem.
type: array
items:
type: string
format: uuid
example:
- e0a07846-44e1-41a4-b704-1ccf6eb1a5af
- 25fa6ffc-bf6e-417c-865c-96fcf1d7d1a3
verifierAllowedCredentials:
description: A list of credentials that can be validly verified within the ecosystem.
type: array
items:
type: string
format: uuid
example:
- 4e25a240-76bb-4e9f-9f93-b93be287922b
- daca4a43-3ff9-4ecb-93fe-d9104e36bf74
required:
- policyModifiedAt
- credentials
- participants
Vical:
type: object
required:
- vicalIssueID
- date
properties:
vicalIssueID:
description: Unique identifier of a specific VICAL version. This numeric value is continuously increased whenever a VICAL is created.
type: integer
format: int32
example: 1337
date:
description: Date and time of VICAL issuance.
type: string
format: date-time
example: '2024-07-28T23:01:13.000Z'
VicalWithFilename:
allOf:
- $ref: '#/components/schemas/Vical'
- type: object
required:
- filename
- isAutoPublished
properties:
filename:
type: string
description: Name of the VICAL file.
example: vical-2024-07-28-1722164473000.cbor
isAutoPublished:
type: boolean
description: Indicates whether the VICAL was automatically published.
example: false
vicalIssueID:
description: Unique identifier of a specific VICAL version. This numeric value is continuously increased whenever a VICAL is created.
type: integer
format: int32
example: 1337
VicalConfigurationData:
type: object
properties:
vicalProvider:
description: VICAL provider name.
type: string
example: Mattr
autoPublish:
type: object
description: Configuration for automatic scheduled publishing of VICALs.
required:
- enabled
properties:
enabled:
type: boolean
description: Indicates whether automatic scheduled publishing of VICALs is enabled.
example: true
frequency:
type: string
enum:
- Daily
- Weekly
description: Frequency of automatic VICAL publishing. Required when `enabled` is `true`, ignored when `enabled` is `false`.
example: Daily
required:
- vicalProvider
DtsCaResponse:
type: object
required:
- id
- active
- certificatePem
- certificateFingerprint
- certificateData
- isManaged
properties:
id:
type: string
format: uuid
description: Unique identifier for this DTS root CA certificate.
example: 782f1885-c7c2-4459-8426-b6d7c111b0b1
active:
type: boolean
description: Indicates if the DTS root CA certificate is active. Only active DTS root CA certificates can be used to sign other intermediate certificates.
example: true
certificatePem:
type: string
description: DTS root CA certificate in PEM format.
example: |-
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAL5...
-----END CERTIFICATE-----
certificateFingerprint:
type: string
description: Hash that includes all the DTS root CA certificate data and its signature.
example: f6cad6e579d70b3973efa60624af731a580d1a11a7579e70f2f10f059dc86172
certificateData:
type: object
required:
- commonName
- country
- notAfter
- notBefore
- organisationName
properties:
commonName:
type: string
description: The common name of the DTS root CA certificate.
example: example.com
country:
type: string
description: The country associated with the DTS root CA certificate.
example: US
organisationName:
type: string
description: The organization associated with the DTS root CA certificate.
example: Example Inc.
notAfter:
type: string
format: date-time
description: The DTS root CA certificate's expiration date and time.
example: '2024-10-22T00:00:00Z'
notBefore:
type: string
format: date-time
description: The DTS root CA certificate's validity period start date and time.
example: '2023-10-22T00:00:00Z'
isManaged:
type: boolean
description: Indicates whether the private key for this DTS root CA certificate is managed by MATTR (`true`) or out of band by the customer as an external certificate (`false`).
example: true
DtsCaCreateRequestManaged:
title: Managed DTS root CA certificate
type: object
required:
- organisationName
properties:
commonName:
type: string
description: Indicates the common name of the DTS root CA certificate. When specified, the value must be a valid `PrintableString` and cannot be an empty string. If not provided and a custom domain is configured and verified, the custom domain is used followed by the words `DTS CA`. If no custom domain is configured, the tenant subdomain is used instead.
example: example.com
country:
type: string
description: Indicates the DTS provider's country. If not provided, a country is selected based on the region of the tenant subdomain cloud host. When specified, the value must be a valid [Alpha 2 country code](https://www.iso.org/glossary-for-iso-3166.html) as per [ISO 3166-1](https://www.iso.org/standard/72482.html).
example: US
organisationName:
type: string
description: Indicates the organization associated with the DTS root CA certificate.
example: Example Inc.
notAfter:
type: string
format: date-time
description: |
Used to set the date and time when the DTS root CA certificate expires.
- If not provided, calculated as `notBefore` + 20 years.
- If not provided and `notBefore` is not provided, calculated as time of creation + 20 years.
- Maximum value is 20 years from creation.
- Must be after `notBefore`, if provided.
example: '2024-10-22T00:00:00Z'
notBefore:
type: string
format: date-time
description: |
Used to set the date and time when the DTS root CA certificate becomes valid and can be used to sign other intermediate certificates.
- Must not be in the past.
- Must be before `notAfter`.
example: '2023-10-22T00:00:00Z'
DtsCaCreateRequestUnmanaged:
title: Unmanaged DTS root CA certificate
type: object
required:
- certificatePem
properties:
certificatePem:
type: string
description: DTS root CA certificate in PEM format. The certificate must be valid and not expired.
example: |-
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAL5...
-----END CERTIFICATE-----
dtsCaCertificateId:
description: Unique identifier of the DTS root CA certificate.
type: string
format: uuid
example: b0aae560-10e7-4247-8e96-7cdd3578a1e2
DtsCaUpdateRequest:
type: object
required:
- active
properties:
active:
type: boolean
description: Indicates if the DTS root CA certificate is active. Only active certificates can be used to sign other intermediate certificates.
example: true
DtsCaPublicResponse:
type: object
properties:
rootCertificates:
type: array
items:
type: object
properties:
certificate:
type: string
description: Certificate in PEM format.
example: |-
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAL5...
-----END CERTIFICATE-----
notBefore:
type: string
format: date-time
description: The DTS root CA certificate's validity period start date and time.
example: '2023-10-22T00:00:00Z'
notAfter:
type: string
format: date-time
description: The DTS root CA certificate's expiration date and time.
example: '2024-10-22T00:00:00Z'
fingerprint:
type: string
description: Hash that includes all the DTS root CA certificate data and its signature.
example: f6cad6e579d70b3973efa60624af731a580d1a11a7579e70f2f10f059dc86172
commonName:
type: string
description: The common name of the DTS root CA certificate.
example: example.com
UpdateVicalSignerResponse:
title: VICAL Signer with certificate
description: VICAL signer after a VICAL Signer Certificate (VSC) has been uploaded. Includes the uploaded certificate in PEM format, as well as the certificate's fingerprint and data.
type: object
required:
- id
- active
- certificatePem
- certificateFingerprint
- certificateData
properties:
id:
type: string
format: uuid
description: Each VICAL signer will have a unique identifier which must be provided when using this VICAL signer to sign a VICAL.
example: 782f1885-c7c2-4459-8426-b6d7c111b0b1
active:
type: boolean
description: Indicates if the VICAL signer is active. Only active VICAL signers can be used to sign VICALs.
example: true
certificatePem:
type: string
description: VICAL Signer Certificate (VSC) in PEM format.
example: |-
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAL5...
-----END CERTIFICATE-----
certificateFingerprint:
type: string
description: VSC Hash that includes all certificate data and its signature.
example: f6cad6e579d70b3973efa60624af731a580d1a11a7579e70f2f10f059dc86172
certificateData:
type: object
required:
- commonName
- country
- notAfter
- notBefore
properties:
commonName:
type: string
description: The common name of the VSC.
example: example.com
country:
type: string
description: The country associated with the VSC.
example: US
notAfter:
type: string
format: date-time
description: VSC expiration date and time.
example: '2024-10-22T00:00:00Z'
notBefore:
type: string
format: date-time
description: VSC validity period start date and time.
example: '2023-10-22T00:00:00Z'
CreateVicalSignerResponse:
title: VICAL Signer without certificate
description: VICAL signer before a VICAL Signer Certificate (VSC) has been uploaded. Includes the Certificate Signing Request (CSR).
type: object
required:
- id
- csrPem
- caId
- active
properties:
id:
type: string
format: uuid
description: Each VICAL signer will have a unique identifier which must be provided when using this VICAL signer to sign a VICAL.
example: 782f1885-c7c2-4459-8426-b6d7c111b0b1
csrPem:
type: string
description: The X.509 Certificate Signing Request (CSR) in PEM format, base64 encoded. Use this CSR to generate a valid certificate, then update the VICAL signer with the resulting certificate.
example: |-
-----BEGIN CERTIFICATE REQUEST-----
MIIDXTCCAkWgAwIBAgIJAL5...
-----END CERTIFICATE REQUEST-----
caId:
type: string
format: uuid
description: Unique identifier of the VICAL root CA certificate used to sign the VICAL signer.
example: b0aae560-10e7-4247-8e96-7cdd3578a1e2
active:
type: boolean
description: |
Indicates if the VICAL signer is active.
- Only active VICAL signers can be used to sign VICALs.
- VICAL signers are created as inactive by default.
enum:
- false
example: false
VicalSignerCreateRequest:
type: object
required:
- caId
properties:
caId:
type: string
format: uuid
description: |
Internal identifier of the DTS root CA certificate that will be used for signing the VICAL signer.
- Must be an unmanaged (external) DTS root CA certificate.
example: b0aae560-10e7-4247-8e96-7cdd3578a1e2
vicalSignerId:
description: Unique identifier of the VICAL signer.
type: string
format: uuid
example: 123e4567-e89b-12d3-a456-426614174000
VicalSignerUpdateRequest:
type: object
properties:
active:
type: boolean
description: Indicates if the VICAL signer is active. Only active VICAL signers can be used to sign VICALs.
example: true
certificatePem:
type: string
description: VICAL Signer Certificate (VSC) in PEM format.
example: |-
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAL5...
-----END CERTIFICATE-----
caCertificateId:
description: Unique identifier of a specific VICAL version. This numeric value is continuously increased whenever a VICAL is created.
type: string
format: uuid
example: b0aae560-10e7-4247-8e96-7cdd3578a1e2
GetWebhooksResponse:
type: object
properties:
data:
type: array
minItems: 2
items:
type: object
properties:
id:
type: string
format: uuid
description: Webhook id
example: 0c099611-19c4-4f29-8724-6b9e5ba1ef7c
events:
type: array
description: List of events that trigger the Webhook.
example:
- OpenIdCredentialIssued
items:
type: string
url:
description: The URL that will receive the Webhook events data payload when they are triggered.
type: string
example: https://example.com
format: uri
disabled:
type: boolean
description: Indicates whether ot not the Webhook is disabled. When set to `true` the webhook is disabled, and notifications for events associated with it will not be sent.
default: false
nextCursor:
type: string
example: Y3JlYXRlZEF0PTIwMjItMDgtMjJUMDElM0E1OSUzQTE5LjYyMFomaWQ9MGMwOTk2MTEtMTljNC00ZjI5LTg3MjQtNmI5ZTViYTFlZjdj
title: GetWebhooksResponse
CreateWebhookRequest:
type: object
properties:
events:
type: array
description: |-
This array includes the event types that will trigger this Webhook. The following events are currently supported:
- **OpenIdCredentialIssued**: Triggered upon completion of an OpenID4VCI issuance flow and includes credential data.
- **OpenIdCredentialIssuedSummary**: Triggered upon completion of an OpenID4VCI issuance flow but does not include credential data.
- **OidcIssuerCredentialIssued**: Triggered upon completion of an OICD Bridge issuance flow.
example:
- OpenIdCredentialIssued
items:
type: string
enum:
- OidcIssuerCredentialIssued
- OpenIdCredentialIssued
- OpenIdCredentialIssuedSummary
url:
description: |-
This is the URL that will receive the Webhook events data payload when they are triggered by MATTR VII for the specified events:
- Must be a valid URL.
- Must use the HTTPS protocol.
- Must not be an IP address.
- Must not include query parameters or have fragments.
- Non-ASCII characters are normalized.
- Must return a 2xx response, otherwise it will go through a retry cycle and eventually fail.
type: string
example: https://example.com
format: uri
disabled:
type: boolean
description: Indicates whether or not the Webhook is disabled. When set to `true` the webhook is disabled, and notifications for events associated with it will not be sent. If no value is provided, defaults to `false`.
required:
- events
- url
title: CreateWebhookRequest
CreateWebhookResponse:
type: object
properties:
id:
type: string
format: uuid
description: Unique identifier for the created Webhook. You will need it to [verify Webhook requests](https://learn.mattr.global/docs/platform-management/webhooks-guide#verify-webhook-requests).
example: 0c099611-19c4-4f29-8724-6b9e5ba1ef7c
events:
type: array
description: List of events that trigger the Webhook, as defined in the request.
example:
- OpenIdCredentialIssued
items:
type: string
url:
description: The URL that will receive the Webhook events data payload when they are triggered, as defined in the request.
type: string
example: https://example.com
format: uri
disabled:
type: boolean
description: Indicates whether ot not the Webhook is disabled. When set to `true` the webhook is disabled, and notifications for events associated with it will not be sent.
default: false
title: CreateWebhookResponse
GetWebhookResponse:
type: object
properties:
id:
type: string
format: uuid
description: Webhook id
example: 0c099611-19c4-4f29-8724-6b9e5ba1ef7c
events:
type: array
description: List of events that trigger the Webhook.
example:
- OpenIdCredentialIssued
items:
type: string
url:
description: The URL that will receive the Webhook events data payload when they are triggered.
type: string
example: https://example.com
format: uri
disabled:
type: boolean
description: Indicates whether ot not the Webhook is disabled. When set to `true` the webhook is disabled, and notifications for events associated with it will not be sent.
default: false
title: GetWebhookResponse
GetWebhooksJwksResponse:
type: object
properties:
keys:
type: array
items:
oneOf:
- type: object
properties:
kty:
type: string
description: Key type.
example: OKP
crv:
type: string
description: Elliptic curve used to generate the key.
example: Ed25519
x:
type: string
example: 11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo
use:
type: string
example: sig
kid:
type: string
description: Key identifier. You should use the `kid` specified in the JWK key object to identify which key a particular HTTP request is signed with, as the key set can change or contain multiple keys.
example: FdFYFzERwC2uCBB46pZQi4GG85LujR8obt-KWRBICVQ
responses:
'304':
description: Not Modified. The resource has not been modified since the last request.
'400':
description: Bad Request. The request was malformed or missing required parameters.
content:
application/json:
schema:
$ref: '#/components/schemas/ValidationError'
'401':
description: Unauthorized. The client is not recognized by authorization server.
content:
text/plain:
schema:
$ref: '#/components/schemas/UnauthorizedError'
'403':
description: Forbidden. The client is recognized by authorization server but is not allowed to access this resource.
'404':
description: Not Found. The specified resource was not found.
content:
application/json:
schema:
$ref: '#/components/schemas/NotFoundError'
'500':
description: Internal Server Error. An unexpected error occurred.
parameters:
limit:
schema:
type: number
example: 2
maximum: 1000
minimum: 1
default: 100
in: query
name: limit
description: Range size of returned list.
cursor:
schema:
type: string
example: Y3JlYXRlZEF0PTIwMjAtMDgtMjVUMDY6NDY6MDkuNTEwWiZpZD1h
in: query
name: cursor
description: Starting point for the list of entries.
verifierSignerId:
in: path
name: verifierSignerId
description: Unique identifier of the Verification request signer.
required: true
schema:
$ref: '#/components/schemas/verifierSignerId'
SessionId:
name: sessionId
in: path
description: Session ID
schema:
type: string
format: uuid
required: true
DPoP:
name: DPoP
in: header
required: false
description: |
DPoP proof JWT. A signed JWT that demonstrates proof-of-possession of a private key.
> DPoP is offered as a **closed beta preview** feature and is not generally available yet. If you are interested in trying this feature, please [contact us](mailto:dev-support@mattr.global)
**When to use:**
- Token endpoint: Required when `dpop_jkt` was provided in the authorization request
- Credential endpoint: Required when using DPoP-bound access tokens (Authorization header must use format: `Authorization: DPoP `)
The DPoP proof must be a signed JWT with the following structure:
**Header:**
- `alg`: Must be `ES256`
- `typ`: Must be `dpop+jwt`
- `jwk`: Public key (JWK format)
**Payload:**
- `htu`: HTTP URI of the target endpoint
- `htm`: HTTP method (e.g., `POST`)
- `jti`: Unique identifier for this DPoP proof
- `iat`: Unix timestamp when the DPoP proof was created
- `ath`: Optional base64url-encoded SHA-256 hash of the `access_token`. Required when authenticating with the resource server.
- `htcd`: Optional base64-encoded SHA-256 hash (content digest) of the HTTP request payload used to validate integrity.
Each DPoP proof must be unique and cannot be reused across requests.
schema:
type: string
example: eyJhbGciOiJFUzI1NiIsInR5cCI6ImRwb3Arand0IiwiandrIjp7Imt0eSI6IkVDIiwieCI6IlljWkdRdXpfRmRBUW5MYzkwNjVFYkMzb09Dd1l3SVZnSFJQUVJfRHdpdU0iLCJ5IjoidWpwODhlMGNYSjRKRmN5ZEJkS3pyUVprMzVfam45ZWNqeFpNN2RsWmV5TSIsImNydiI6IlAtMjU2In19.eyJodHUiOiJodHRwczovL3lvdXItdGVuYW50LnJlZ2lvbi5tYXR0ci5nbG9iYWwvdjEvb2F1dGgvdG9rZW4iLCJodG0iOiJQT1NUIiwianRpIjoiZTQ5YmNiOGMtZDM0ZC00N2U4LWE0NTEtNzc5NDI3MjExY2ZlIiwiaWF0IjoxNzYyNDc5NjgyfQ.Du74EnQpyxqf13_IoXZfyow00TsRG5DTh_oyIX2ouW7Ys9OyeW774HFyfQdmAkD1oYdM0ucKtxRp6k_bZr2slw
OAuthClientAttestationPoP:
name: OAuth-Client-Attestation-PoP
in: header
required: false
description: |
OAuth-Client-Attestation-PoP proof JWT that demonstrates:
- Proof-of-possession of a private key from a wallet instance
- Binding to OAuth-Client-Attestation JWT
> OAuth-Client-Attestation-PoP and client attestation in general are offered as **closed beta preview** features and are not generally available yet. If you are interested in trying this feature, please [contact us](mailto:dev-support@mattr.global)
**When to use:**
- Token endpoint: When OAuth Client has client attestation enabled with `dpopRequired` set to false.
The `OAuth-Client-Attestation-PoP` proof MUST be signed with a wallet instance's private key that corresponds to the `cnf.jwk` claim from the provided
`OAuth-Client-Attestation` and must use the following structure:
**Header:**
- `alg`: Must be `ES256`
- `typ`: Must be `oauth-client-attestation-pop+jwt`
**Payload:**
- `aud`: HTTP Host of the target endpoint
- `jti`: Unique identifier for this OAuth-Client-Attestation-PoP proof
- `iat`: Unix timestamp when the OAuth-Client-Attestation-PoP proof was created
Each OAuth-Client-Attestation-PoP proof must be unique and cannot be reused across requests.
schema:
type: string
example: eyJhbGciOiJFUzI1NiIsInR5cCI6Im9hdXRoLWNsaWVudC1hdHRlc3RhdGlvbi1wb3Arand0In0.eyJhdWQiOiJodHRwczovL3lvdXItdGVuYW50LnJlZ2lvbi5tYXR0ci5nbG9iYWwiLCJqdGkiOiI2ZmU2ZWMwMi00NGRlLTQ0OTktYWFiYy1iNzZiNzRiMzJjZjciLCJpYXQiOjE3NzA4Njc1ODh9.NBMLwAa65ICxE_nwsZoJeuyFmCFWV-1s7anheUC-qTtL4ZdOE5sfzS1_v_GourNUTTdtszIJTfhYYnRhwB7t6A
UserId:
name: userId
in: path
description: User ID
schema:
type: string
format: uuid
example: 41458e5a-9092-40b7-9a26-d4eb43c5792f
required: true
ecosystemId:
in: path
name: ecosystemId
description: The UUID of the ecosystem
required: true
schema:
$ref: '#/components/schemas/id'
ifNoneMatch:
in: header
name: If-None-Match
description: The If-None-Match parameter enables caching. Specify the ETag of the latest retrieved policy version, so that the policy is only retrieved if it had changed since.
schema:
type: string
acceptEncoding:
in: header
name: Accept-Encoding
description: Use the Accept-Encoding header to specify the supported content encodings.
schema:
type: string
enum:
- gzip
- deflate
participantId:
in: path
name: participantId
description: The UUID of the participant
required: true
schema:
$ref: '#/components/schemas/properties-id'
contactId:
in: path
name: contactId
description: Unique identifier of the points of contact for a given participant.
required: true
schema:
$ref: '#/components/schemas/ParticipantContactResponse-properties-id'
evidenceId:
in: path
name: evidenceId
description: The UUID of the participant evidence
required: true
schema:
$ref: '#/components/schemas/ParticipantEvidence-properties-id'
credentialId:
in: path
name: credentialId
description: The UUID of the credential
required: true
schema:
$ref: '#/components/schemas/Credential-properties-id'
vicalIssueId:
in: path
name: vicalIssueId
description: Unique identifier of a specific VICAL version. This numeric value is continuously increased whenever a VICAL is created.
required: true
schema:
$ref: '#/components/schemas/vicalIssueID'
dtsCaCertificateId:
in: path
name: dtsCaCertificateId
description: Unique identifier of the DTS root CA certificate.
required: true
schema:
$ref: '#/components/schemas/dtsCaCertificateId'
vicalSignerId:
in: path
name: vicalSignerId
description: Unique identifier of the VICAL signer.
required: true
schema:
$ref: '#/components/schemas/vicalSignerId'
caCertificateId:
in: path
name: caCertificateId
description: Unique identifier of the VICAL root CA certificate.
required: true
schema:
$ref: '#/components/schemas/caCertificateId'
examples:
PayloadNotStringError:
value:
code: BadRequest
message: Validation Error
details:
- value: '1'
msg: must be a string
param: payload
location: body
InvalidCompactCredentialError:
value:
code: BadRequest
message: Validation Error
details:
- value: CSS:/1/BASE_32_ENCODED_PAYLOAD
msg: The payload does not belong to compact credential profile
param: payload
location: body
QRCodeTooLargeDataError:
value:
code: BadRequest
message: Validation Error
details:
- value: CSC:/1/BASE_32_ENCODED_PAYLOAD
msg: The amount of data is too big to be stored in a QR Code
param: payload
location: body
QRCodeLargerWidthError:
value:
code: BadRequest
message: Validation Error
details:
- value: '5'
msg: The generated QR Code is larger than the provided width
param: width
location: body
IssuerNotTrusted:
value:
verified: false
reason:
- type: IssuerNotTrusted
msg: ...
decoded:
jti: urn:uuid:03ae824d-7179-4c01-aa29-f80ba93122d2
iss: did:web:xxx
nbf: 1649037604
vc:
'@context':
- https://www.w3.org/2018/credentials/v1
- https://example.com/credentials/pass
type:
- VerifiableCredential
- PublicCovidPass
credentialSubject:
givenName: Jack
familyName: Sparrow
dob: '1979-04-14'
IssuerPublicKeyInvalid:
value:
verified: false
reason:
- type: IssuerPublicKeyInvalid
msg: ...
decoded:
jti: urn:uuid:03ae824d-7179-4c01-aa29-f80ba93122d2
iss: did:web:xxx
nbf: 1649037604
vc:
'@context':
- https://www.w3.org/2018/credentials/v1
- https://example.com/credentials/pass
type:
- VerifiableCredential
- PublicCovidPass
credentialSubject:
givenName: Jack
familyName: Sparrow
dob: '1979-04-14'
SignatureInvalid:
value:
verified: false
reason:
- type: SignatureInvalid
msg: ...
decoded:
jti: urn:uuid:03ae824d-7179-4c01-aa29-f80ba93122d2
iss: did:web:xxx
nbf: 1649037604
vc:
'@context':
- https://www.w3.org/2018/credentials/v1
- https://example.com/credentials/pass
type:
- VerifiableCredential
- PublicCovidPass
credentialSubject:
givenName: Jack
familyName: Sparrow
dob: '1979-04-14'
Expired:
value:
verified: false
reason:
- type: Expired
msg: ...
decoded:
jti: urn:uuid:03ae824d-7179-4c01-aa29-f80ba93122d2
iss: did:web:xxx
nbf: 1649037604
vc:
'@context':
- https://www.w3.org/2018/credentials/v1
- https://example.com/credentials/pass
type:
- VerifiableCredential
- PublicCovidPass
credentialSubject:
givenName: Jack
familyName: Sparrow
dob: '1979-04-14'
NotActive:
value:
verified: false
reason:
- type: NotActive
msg: ...
decoded:
jti: urn:uuid:03ae824d-7179-4c01-aa29-f80ba93122d2
iss: did:web:xxx
nbf: 1649037604
vc:
'@context':
- https://www.w3.org/2018/credentials/v1
- https://example.com/credentials/pass
type:
- VerifiableCredential
- PublicCovidPass
credentialSubject:
givenName: Jack
familyName: Sparrow
dob: '1979-04-14'
Revoked:
value:
verified: false
reason:
- type: Revoked
msg: ...
decoded:
jti: urn:uuid:03ae824d-7179-4c01-aa29-f80ba93122d2
iss: did:web:xxx
nbf: 1649037604
vc:
'@context':
- https://www.w3.org/2018/credentials/v1
- https://example.com/credentials/pass
type:
- VerifiableCredential
- PublicCovidPass
credentialSubject:
givenName: Jack
familyName: Sparrow
dob: '1979-04-14'
InvalidCompactSemanticCredentialError:
value:
code: BadRequest
message: Validation Error
details:
- value: CSC:/1/BASE_32_ENCODED_PAYLOAD
msg: The payload does not belong to compact semantic credential profile
param: payload
location: body
InboxIdNotUuid:
value:
code: BadRequest
message: Validation Error
details:
- value: notUUIDvalue
msg: Invalid value
param: inboxId
location: params
InboxNameNotUnique:
value:
code: BadRequest
message: Unique Constraint Error
details:
- param: name
message: Must be unique
MessageIdNotUuid:
value:
code: BadRequest
message: Validation Error
details:
- value: notUUIDvalue
msg: Invalid value
param: messageId
location: params
ResourceNotFound:
value:
code: NotFound
message: Resource Not Found
x-tagGroups:
- name: General
tags:
- Analytics
- Messaging
- Inboxes
- name: Tenant configuration
tags:
- Security
- Custom Domain
- Webhooks
- Denylist
- Admin Tenant
- name: Identifiers
tags:
- DIDs
- IACA
- name: Digital Trust Service
tags:
- Ecosystems
- Configuration
- Participants
- Credential types
- Participants assignment
- Participants contacts
- Participants evidence
- Participants validation
- Policy
- DTS root CA certificates
- name: VICAL
tags:
- VICAL
- VICAL Configuration
- VICAL signers
- name: Direct credential issuance
tags:
- CWT credentials issuance
- Semantic CWT credentials issuance
- JSON credentials issuance
- name: OID4VCI
tags:
- Authentication Provider
- Interaction Hook
- Claims Source
- Credential offers
- Credential issuance
- Issuer metadata
- Users
- OpenID OAuth Client
- name: Credential configurations
tags:
- CWT credentials configuration
- Semantic CWT credentials configuration
- JSON credentials configuration
- mDoc credentials configuration
- name: CWT and JSON Credential management
tags:
- CWT credentials management
- Semantic CWT credentials management
- JSON credentials management
- name: mDocs management
tags:
- Document Signers
- Status list signers
- Status list configuration
- Status list retrieval
- mDocs status
- mDocs management
- name: CWT Credential verification
tags:
- CWT credentials verification
- Semantic CWT credentials verification
- name: JSON Credential verification
tags:
- JSON credentials verification
- name: mDocs verification
tags:
- Trusted issuers
- Verifier root CA certificates
- Verification request signers
- Apple Identity Access certificates
- Verifier applications
- Wallet providers
- mDocs presentation sessions
- mDocs web presentation sessions
- mDocs Android presentation sessions
- mDocs iOS presentation sessions
- name: CWT credential templates
tags:
- CWT credentials PDF templates
- CWT credentials Apple Pass templates
- CWT credentials Google Pass templates
- name: Semantic CWT credential templates
tags:
- Semantic CWT credentials PDF templates
- Semantic CWT credentials Apple Pass templates
- Semantic CWT credentials Google Pass templates
- name: OIDC Bridge verification
tags:
- OIDC Verifier Auth
- OIDC Verifiers
- OIDC Verifier Client