Attribute Providers
Attribute providers are external HTTPS endpoints that Paradym can call during OpenID4VC issuance to fetch attribute values for a credential. This lets you keep your source of truth in existing systems and populate credentials dynamically, instead of sending all attribute values when creating an offer.
Attribute providers also integrate with authorization servers. If a credential template is linked to an authorization server, the access token and ID token (when available) are forwarded to your attribute provider so you can retrieve attributes from protected APIs.
By using attribute providers, you can avoid storing personal data in Paradym entirely. Instead of sending attributes to Paradym during offer creation, your backend remains the system of record and provides only the data needed at issuance time.
If avoiding storing personal data in Paradym is your goal, and you’re using an authorization server, please note that ID tokens may contain personal information. Instead, we recommend not requesting an ID token and use the access token to retrieve the required information from the UserInfo endpoint.
Attribute providers are only available for SD-JWT VC and mDoc credentials issued over OpenID4VCI. They cannot be used with AnonCreds or SD-JWT VC direct issuance.
Configuring an Attribute Provider
When configuring an attribute provider, you need to provide the following information:
- The name of the attribute provider, allowing you to recognize it easily.
- The HTTPS URL of the endpoint where Paradym should request attributes.
- The authentication method, which is currently
apiKey.
Once you have these details, you can configure an attribute provider using either the API or the Dashboard.
To configure an attribute provider from the API, make a POST request to https://api.paradym.id/v1/projects/{projectId}/attribute-providers. See the API Reference for detailed usage information.
{
"name": "Example Attribute Provider",
"url": "https://attributes.example.com",
"authentication": {
"type": "apiKey",
"apiKey": "my-attribute-provider-api-key"
}
}Configuring a Credential Template
Once you have configured an attribute provider, you can link it to SD-JWT VC and mDoc credential templates. When linked, Paradym will call the attribute provider during issuance to populate the credential attributes.
To link an attribute provider to a credential template from the API, include attributeProviderId in the template payload. You can do this when creating or updating an SD-JWT VC or mDoc credential template. See the API reference for SD-JWT VC and mDoc for details.
{
"name": "OpenID Profile",
"description": "This is your OpenID profile.",
"issuer": {
"signer": "certificate",
"keyType": "P-256"
},
"type": "org.example.OpenIdProfile",
"attributes": {
"org.example.OpenIdProfile": {
"properties": {
"name": {
"type": "string",
"name": "Name",
"required": true
}
}
}
},
"attributeProviderId": "clu159ps100013evfbvhz22m1"
}Request and Response Formats
Paradym always makes a POST request with a JSON body and includes the attribute provider API key in the X-Api-Key header. Your endpoint should return a JSON response that contains the attributes to include in the credential within 5 seconds. The response payload must be under 50 kB.
Request
type AttributeProviderRequest = {
// The ID obtained when creating an OpenID4VCI offer.
openId4VcIssuanceId: string
// The template associated with this request. Either one is set.
sdJwtVcCredentialTemplateId?: string
mdocCredentialTemplateId?: string
// The authorization server details, if an authorization server was
// configured for this request.
authorizationServer?: {
id: string
url: string
accessToken: string
idToken?: string
}
}Response
type AttributeProviderResponse = {
// The attributes to fulfill the request.
attributes: Record<string, unknown>
}If the response is invalid or required attributes are missing, issuance will fail. Ensure that the returned attributes match the schema of the credential template.