Issue credentials

Verifiable credentials, once issued, belong to the recipient. They contain issued proof of certain attributes that can be presented to a verifying party at a later date. Like showing a drivers license to prove your age in person, the recipients of a credential can show their digital proofs to prove information digitally.

This guide contains everything you need to know about issuing credentials with Paradym. It will show you how to to:

Create a credential template
Use a credential template to issue a credential
View your issued credentials

Let's get started! 🚀

Create a credential template

To issue credentials in your solution you'll first need to create a credential template. A credential template defines the characteristics of your credential, as well as the attributes that it will contain. Once created, a template can be used to issue as many credentials as you want.

💡

A credential template does not contain the values of attributes (such as the first name "John"), just the general schematics and structure of the credential, it is not linked to any specific person or personal information.

When creating your credential template you are basically making the blueprint that all your credentials of that type will follow. The key things you need to know before creating a template are:

The credential format and type of credential you want to issue
The issuer identifier to use (did:web, did:cheqd:testnet or did:cheqd:mainnet)
The attributes your credential needs to have
[Optional] The branding you'd like to add

When you create a credential template, you need to define the credential format that will be used when a credential is issued. Each credential format has different characteristics, and can influence factors such as privacy, security and efficiency. The credential format you choose will also influence the exchange protocol you need to use when issuing the credential:

sd-jwt-vc with OpenID4VC Issuance (opens in a new tab) or without exchange protocol when using Direct SD-JWT VC Issuance (opens in a new tab).
anoncreds with OpenID4VC Verification (opens in a new tab).

Creating your first credential template is easiest to do within the dashboard. It gives you a preview of the credential branding, and guides you through configuring the attributes of the credential. However, if you've set up a credential template multiple times already, it might be beneficial to create a credential template using the API.

The easiest way to get started with the API is using the interactive API Reference (opens in a new tab). If you would like to follow along using a custom API client, make sure follow the Quickstart guide. You can read more on interacting with the API.

SD JWT VC

To create an sd-jwt-vc credential template in the API we will make a POST request to https://api.paradym.id/v1/projects/{projectId}/templates/credentials/sd-jwt-vc. For detailed information on the endpoint, refer to the create sd-jwt-vc credential template (opens in a new tab) in the API reference.

{
  "name": "My SD-JWT VC template",
  "description": "This is a description",
  "background": {
    "color": "#FFFFFF",
    "url": "https://example.com/image.png"
  },
  "text": {
    "color": "#000000"
  },
  "type": "UniversityCard",
  "attributes": {
    "first_name": {
      "type": "string",
      "name": "First Name",
      "description": "First name must always be disclosed and is required",
      "required": true,
      "alwaysDisclosed": true
    },
    "last_name": {
      "type": "string",
      "name": "Last Name",
      "description": "Last name does not always have to be disclosed and is optional",
      "required": false,
      "alwaysDisclosed": false
    }
  }
}

AnonCreds

⚠️

It is not possible at the moment to update an AnonCreds template because the schema and credential definition generated are static. Instead to make changes to an AnonCreds credential template, a new template needs to be created.

To create an anoncreds credential template in the API we will make a POST request to https://api.paradym.id/v1/projects/{projectId}/templates/credentials/anoncreds. For detailed information on the endpoint, refer to the create anoncreds credential template (opens in a new tab) in the API reference.

The AnonCreds credential template is similar in structure as an SD-JWT credential template, but has a few differences:

credential branding (text and background) is not supported.
Only string and number attribute types are supported
For attribute properties alwaysDisclosed is not supported, as AnonCreds credential cannot influence which fields the holder MUST disclose.
For attribute properties required is not supported. All attributes MUST be included in the credential. This is a limitation of the AnonCreds credential format. A fake value (such as ""/"null" or 0) could be used if there is no value.
The schema property is used instead of the type property and is not required.

💡

When no schema is provided, Paradym will create a schema for you and host this along with your DID. You can provide an existing schema as the schema property to create the credential template based on the existing schema (whether created inside or outside Paradym). In this case the attributes MUST exactly match those of the existing schema, and schema network (did:web, did:cheqd:testnet or did:cheqd:mainnet) MUST match the issuer identifier (did:web by default).

{
  "name": "My AnonCreds template",
  "description": "This is a description",
  "attributes": {
    "first_name": {
      "type": "string",
      "name": "First Name",
      "description": "First name is required"
    },
    "last_name": {
      "type": "string",
      "name": "Last Name",
      "description": "Last name is optional"
    }
  }
}

For both AnonCreds and SD-JWT VC template, the return value will be approximately the same as the payload you provided, with a few extra fields (such as id, createdAt and format) added. The type you provided has been transformed into an URL.

Use a credential template to issue a credential

The Paradym API currently supports issuing and verifying SD-JWT credentials over OpenID4VC, or Anoncreds credentials over DIDComm. Read more about the different standards and protocols.

Based on the credential format you selected in the credential template you should choose the issuance flow:

SD-JWT VC (sd-jwt-vc) with OpenID4VC Issuance (opens in a new tab) or Direct SD-JWT VC Issuance (opens in a new tab).
Anoncreds (anoncreds) with DIDComm Issuance (opens in a new tab).

If you created your credential template using the dashboard, make sure to get yourself familiar with the API Reference (opens in a new tab). If you would like to follow along using a custom API client, make sure follow the Quickstart guide. You can read more on interacting with the API.

To issue an sd-jwt-vc credential using OpenID4VCI based on the created template, we will make a POST request to https://api.paradym.id/v1/projects/{projectId}/openid4vc/issuance/offer. For detailed information on the endpoint, refer to create OpenID4VC credential offer (opens in a new tab) in the API reference.

In the payload below we create a credential offer containing one credential, based on the credential template we created earlier. Make sure to update the attributes object to match with the keys of the credential template, and update the credentialTemplateId to the ID of the credential template. The keys in the attributes object must match with the keys you provided when creating the credential template.

{
  "credentials": [
    {
      "credentialTemplateId": "clu921ps300047eghxvhz33m4",
      "attributes": {
        "first_name": "John",
        "last_name": "Doe"
      }
    }
  ]
}

The payload that is returned will look as follows:

{
  "id": "clv168twg000227kynam8v96w",
  "createdAt": "2024-04-15T16:30:54.304Z",
  "updatedAt": "2024-04-15T16:30:54.304Z",
  "projectId": "cluo51f8c000kp0dwmk33uzaj",
  "status": "offered",
  "error": null,
  "offerUri": "https://paradym.id/invitation?credential_offer_uri=https%3A%2F%2Fparadym.id%2Finvitation%2F7d7628cc-8221-4783-a5ce-f0f2b335361f%2Foffers%2Fe5fade58-5145-4b9b-a3bd-7428fbc995b2%3Fraw%3Dtrue",
  "credentials": [
    {
      "credentialTemplateId": "clu921ps300047eghxvhz33m4",
      "status": "offered"
    }
  ]
}

The offerUri contains an OpenID4VC issuance invitation url which you can open in the browser and it will render a QR code which you can scan with the Paradym Wallet.

You can use webhooks to get notified of changes in the credential issuance session.

View your issued credentials

OpenID4VC Issuance Sessions You can retrieve all your OpenID4VC issuance sessions by making a GET request to https://api.paradym.id/v1/projects/{projectId}/openid4vc/issuance. For detailed information on the endpoint, refer to retrieve OpenID4VC issuance sessions (opens in a new tab) in the API reference.

DIDComm Issuance Sessions You can retrieve all your DIDComm issuance sessions by making a GET request to https://api.paradym.id/v1/projects/{projectId}/didcomm/issuance. For detailed information on the endpoint, refer to retrieve DIDComm issuance sessions (opens in a new tab) in the API reference.

Issued Credentials Metadata about all issued credentials can be retrieved by making a GET request to https://api.paradym.id/v1/projects/{projectId}/issuance. For detailed information on the endpoint, refer to retrieve issued credentials (opens in a new tab) in the API reference. This endpoint is mostly relevant for revoking previously issued credentials.

That's it! 🚀

That concludes this guide. You now know how to:

Create a credential template
Use a credential template to issue a credential
View your issued credentials

If you have any suggestions, remarks or questions, join the Paradym Community (opens in a new tab) and let us know. Happy building!

API Reference Verify Credentials