Revocation
Revocation allows you to invalidate previously issued credentials so they can no longer be used. Paradym supports credential revocation for SD-JWT VC, mDoc, and AnonCreds credentials.
Overview
Revocation in Paradym works in two steps:
- Enable revocation on a credential template — set the revocable flag to true when creating the template. This cannot be changed after the template is created.
- Revoke issued credentials — use the batch revoke API to revoke one or more issued credentials by their issued credential ID.
Paradym hosts the revocation status lists so that any verifier, including third-party verifiers outside of Paradym, can check whether a credential has been revoked. When using Paradym as your verifier, revocation status is checked automatically during verification for all supported credential formats, with no additional setup required.
Enable Revocation on a Credential Template
To issue revocable credentials, you must enable the revocable flag when creating the credential template.
The revocable setting cannot be changed after a template is created. Make sure you enable revocation before using the template to issue credentials.
Revocation is supported for the following formats:
- SD-JWT VC — uses the OAuth Status List standard (JWT-based)
- mDoc — uses the OAuth Status List standard (CWT-based)
- AnonCreds — uses Hyperledger AnonCreds revocation registries
See Standards and Protocols for links to the underlying specifications.
When creating a credential template, add "revocable": true to your request body:
SD-JWT VC:

{
  "name": "My Revocable SD-JWT VC Template",
  "type": "UniversityCard",
  "revocable": true,
  "attributes": {
    "first_name": {
      "type": "string",
      "name": "First Name",
      "required": true
    }
  }
}

mDoc:

{
  "name": "My Revocable mDoc Template",
  "type": "org.example.UniversityDoc",
  "revocable": true,
  "attributes": {
    "org.example.UniversityDoc": {
      "first_name": {
        "type": "string",
        "name": "First Name",
        "required": true
      }
    }
  }
}

AnonCreds:

{
  "name": "My Revocable AnonCreds Template",
  "revocable": true,
  "attributes": {
    "first_name": {
      "type": "string",
      "name": "First Name"
    }
  }
}

Revoke Credentials
Use the batch revoke endpoint to revoke one or more issued credentials. You can revoke credentials from different templates and formats in a single request, with a limit of 100 credentials per call.
Each revocation uses one transaction.
Get the Issued Credential IDs
The issued credential id is returned in the response of each issuance API:
- OpenID4VC Issuance — the credential id is in the credentials array of the issuance session.
- Direct SD-JWT VC Issuance — the credential id is in the credential field of the response.
- DIDComm Issuance — the credential id is in the credential object of the issuance session.
You can also retrieve issued credentials and their IDs by making a GET request to https://api.paradym.id/v1/projects/{projectId}/issuance. Refer to retrieve issued credentials in the API reference.
Call the Batch Revoke Endpoint
Make a POST request to https://api.paradym.id/v1/projects/{projectId}/revocation/batch. Refer to batch revoke credentials in the API reference.
{
  "issuedCredentialIds": [
    "clu921ps300047eghxvhz33m4",
    "clv168twg000227kynam8v96w"
  ],
  "notifyWallet": false
}

| Field | Description |
|---|---|
| issuedCredentialIds | Array of issued credential IDs to revoke. Must be unique. Maximum 100 per request. |
| notifyWallet | (optional, default: false) Whether to notify the holder’s wallet. Only supported for AnonCreds credentials issued over DIDComm with an active connection. |
The response will list each revoked credential and whether the wallet was notified:
{
  "revokedCredentials": [
    {
      "id": "clu921ps300047eghxvhz33m4",
      "notifiedWallet": false
    },
    {
      "id": "clv168twg000227kynam8v96w",
      "notifiedWallet": false
    }
  ]
}

When revoking AnonCreds credentials, the revocation is processed asynchronously in a background job. It may take up to 2 minutes before the credential is considered revoked during verification.
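
A helper for revoking a set of credentials larger than the per-call limit, with the responses reconciled against what was requested. This is an added example, not Paradym's own code: post_batch is a hypothetical callable that sends one request body to the batch revoke endpoint and returns the parsed response (HTTP client and authentication are left to the caller), and fake_post is a constructed stand-in so the block runs offline.

```python
from typing import Callable, Iterable

MAX_PER_CALL = 100  # per-request limit stated above


def build_batches(ids: Iterable[str], notify_wallet: bool = False) -> list[dict]:
    """Deduplicate (IDs must be unique) and split into request bodies."""
    unique = list(dict.fromkeys(ids))  # keeps first-seen order
    return [
        {"issuedCredentialIds": unique[i:i + MAX_PER_CALL],
         "notifyWallet": notify_wallet}
        for i in range(0, len(unique), MAX_PER_CALL)
    ]


def revoke_all(ids: Iterable[str], post_batch: Callable[[dict], dict]) -> dict:
    """Send every batch and reconcile the responses with what was requested.

    Returns {"revoked": [...], "unconfirmed": [...], "unexpected": [...]}.
    """
    revoked, unconfirmed, unexpected = [], [], []
    for body in build_batches(ids):
        requested = body["issuedCredentialIds"]
        try:
            response = post_batch(body)
        except Exception:
            # The hypothetical transport raised (for example on an API error):
            # nothing in this batch is confirmed, so report it for follow-up.
            unconfirmed.extend(requested)
            continue
        returned = [item["id"] for item in response.get("revokedCredentials", [])]
        revoked.extend(i for i in requested if i in returned)
        unconfirmed.extend(i for i in requested if i not in returned)
        unexpected.extend(i for i in returned if i not in requested)
    return {"revoked": revoked, "unconfirmed": unconfirmed, "unexpected": unexpected}


def fake_post(body: dict) -> dict:
    """Constructed stand-in for the API: echoes back every requested ID."""
    return {"revokedCredentials": [
        {"id": i, "notifiedWallet": False} for i in body["issuedCredentialIds"]
    ]}
```

Anything left in unconfirmed should be treated as still valid until a later call or a verification confirms otherwise.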
Revocation During Verification
Paradym hosts the revocation status lists publicly, so any standards-compliant verifier can check revocation status independently. When using Paradym as your verifier, revocation status is checked automatically for all supported credential formats — no extra configuration is needed:
- SD-JWT VC — revocation status is checked against the OAuth Status List referenced in the credential.
- mDoc — revocation status is checked against the OAuth Status List referenced in the credential.
- AnonCreds — revocation status is checked against the AnonCreds revocation registry.
If a revoked credential is presented during a Paradym verification, the verification will fail and the event openid4vc.verification.failed or didcomm.verification.failed will be emitted. Learn more about handling verification results in verify credentials.
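
For a verifier outside Paradym, the status lookup against an OAuth Status List works as in the following added example, which is not Paradym's code. It assumes the layout from the OAuth Status List specification (a status_list object with bits and lst, and a status.status_list reference with idx and uri in the credential); fetching the Status List Token and verifying its signature are out of scope here, and the sample list and URI are constructed.

```python
import base64
import zlib

# Status values defined by the OAuth Status List specification.
VALID, INVALID, SUSPENDED = 0x00, 0x01, 0x02

def b64url_decode(text: str) -> bytes:
    """Decode base64url without padding, as used for the lst member."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_status_list(statuses: list[int], bits: int) -> dict:
    """Issuer side, used here only to construct sample data."""
    per_byte = 8 // bits
    raw = bytearray((len(statuses) + per_byte - 1) // per_byte)
    for idx, value in enumerate(statuses):
        raw[idx // per_byte] |= value << ((idx % per_byte) * bits)
    lst = base64.urlsafe_b64encode(zlib.compress(bytes(raw), 9)).rstrip(b"=")
    return {"bits": bits, "lst": lst.decode()}

def status_at(status_list: dict, idx: int, max_bytes: int = 1 << 20) -> int:
    """Verifier side: return the status value stored at position idx."""
    bits = status_list["bits"]
    if bits not in (1, 2, 4, 8):
        raise ValueError("unsupported bits value")
    # Bound decompression so an oversized list cannot exhaust memory.
    inflater = zlib.decompressobj()
    raw = inflater.decompress(b64url_decode(status_list["lst"]), max_bytes)
    if not inflater.eof:
        raise ValueError("status list truncated or larger than max_bytes")
    per_byte = 8 // bits
    if idx < 0 or idx // per_byte >= len(raw):
        # An index outside the list is an error, never "valid".
        raise ValueError("idx outside status list")
    shift = (idx % per_byte) * bits  # entries are packed from the low bit up
    return (raw[idx // per_byte] >> shift) & ((1 << bits) - 1)

def credential_usable(credential_status: dict, status_list: dict) -> bool:
    """Fail closed: only an explicit VALID status is accepted."""
    idx = credential_status["status_list"]["idx"]
    return status_at(status_list, idx) == VALID

# Constructed sample: 16 credentials, the one at index 5 has been revoked.
SAMPLE_LIST = encode_status_list([INVALID if i == 5 else VALID for i in range(16)], 1)
SAMPLE_REF = {"status_list": {"idx": 5, "uri": "https://status.example/list/1"}}
```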
Important Notes
- Only credentials issued from a template with revocable: true can be revoked. Attempting to revoke a non-revocable credential returns an error.
- A credential that has already been revoked cannot be revoked again.
- The revocable flag on a credential template cannot be changed after the template is created.