Skip to main content

Issue credential

POST 
/v2/config/digital-wallet/openid/sdjwt/credential/issue

Issues a Verifiable Credential to a holder using the OpenID for Verifiable Credentials Issuance (OID4VCI) protocol. Supports two issuance modes: InTime (credential issued immediately via the Credential Endpoint) and Deferred (credential issued later via the Deferred Credential Endpoint by calling the Issue deferred credential API). Supports W3C VC (JWT), IETF SD-JWT VC, and ISO 18013-5 mDoc/mDL credential formats.

Request

Body

    oneOf
    issuanceMode stringrequired

    Issuance mode: InTime for immediate availability, Deferred for issuance after backend processing.

    urlScheme string

    Possible values: [openid-credential-offer://, haip://]

    URL scheme for the credential offer deep link. openid-credential-offer:// is the standard OID4VCI scheme. haip:// is used for HAIP-compliant wallets.

    credentialDefinitionId stringrequired

    Identifier of a pre-configured credential definition. The credential will be issued using the format, type, claims structure, and revocation settings defined in this credential definition.

    userPin string

    Pre-Authorized Code Flow transaction code (tx_code). When set, the wallet must include this value in the Token Request to obtain an access token.

    credentialOfferEndpoint string

    Wallet's credential offer endpoint URL for issuer-initiated issuance. When provided, the issuer sends the OID4VCI Credential Offer directly to this endpoint.

    credentials object[]
  • Array [
    • type string[]

    Array of W3C Verifiable Credential type strings (e.g. ['LegalPersonIdentificationData']). Required for W3C VC (JWT) format (jwt_vc_json).

    credentialSubject object

    Key-value pairs representing the credential claims for W3C VC (JWT) format (jwt_vc_json).

    property name* any

    Key-value pairs representing the credential claims for W3C VC (JWT) format (jwt_vc_json).

    credentialMetadata object

    Additional metadata to include in the issued credential, such as evidence or terms of use.

    property name* any

    Additional metadata to include in the issued credential, such as evidence or terms of use.

    vct string

    Verifiable Credential Type identifier for IETF SD-JWT VC format (dc+sd-jwt).

    doctype string

    Document type identifier for ISO 18013-5 mDoc/mDL format (mso_mdoc).

    claims object

    Key-value pairs representing the credential claims for IETF SD-JWT VC (dc+sd-jwt) or ISO 18013-5 mDoc/mDL (mso_mdoc) formats.

    id string

    Optional identifier for the credential object when issuing multiple credentials in a batch request.

  • ]
    • presentationDefinitionId string

    Identifier of a presentation definition for dynamic credential requests. When set, the issuer requires the holder to present matching credentials via OpenID for Verifiable Presentation (OpenID4VP) before issuance proceeds.

    individualId string

    Optional. Non-OID4VCI extension — used only for data agreement enabled workflows. Identifier of a specific individual recipient. When provided, the credential offer is sent directly to the individual's registered device.

Responses

Response Headers
    Schema
      credentialHistory object
      oneOf
      CredentialExchangeId string

      Unique identifier for the credential exchange record, tracking the full lifecycle of a single OID4VCI credential issuance.

      issuanceMode string

      Issuance mode used for this exchange. InTime means the credential was issued immediately via the OID4VCI Credential Endpoint. Deferred means the credential is pending via the Deferred Credential Endpoint.

      isPreAuthorised boolean

      When true, the issuance used the OID4VCI Pre-Authorized Code Flow. When false, the Authorization Code Flow was used.

      credentialOffer string

      The OID4VCI Credential Offer URI or JSON sent to the holder to initiate the issuance flow.

      credentialStatus string

      Possible values: [pending, ready]

      Processing status of the credential. pending means the credential is being prepared. ready means it is available for the holder to retrieve.

      status string

      Possible values: [offer_sent, offer_received, credential_issued, credential_acked, credential_accepted, credential_deleted, issuance_denied]

      Lifecycle status of the credential exchange in the OID4VCI protocol flow: offer_sent (Credential Offer sent to holder), offer_received (holder scanned/received offer), credential_issued (credential issued via Credential Endpoint), credential_acked (holder acknowledged receipt), credential_accepted (holder accepted credential), credential_deleted (holder deleted credential), issuance_denied (issuer denied issuance).

      clientId string

      Client identifier of the holder's wallet, typically a DID or URL. Provided during the OID4VCI Token Request.

      userPin string

      Transaction code (tx_code) for the Pre-Authorized Code Flow.

      createdAt number

      Unix timestamp (in seconds) when this exchange record was created.

      updatedAt number

      Unix timestamp (in seconds) when this exchange record was last modified.

      credential object

      The credential payload being issued. Contains type and credentialSubject for W3C VC (JWT) format, or vct/doctype and claims for IETF SD-JWT VC / ISO 18013-5 mDoc/mDL formats.

      property name* any

      The credential payload being issued. Contains type and credentialSubject for W3C VC (JWT) format, or vct/doctype and claims for IETF SD-JWT VC / ISO 18013-5 mDoc/mDL formats.

      disclosureMapping object

      Selective disclosure mapping for IETF SD-JWT VC credentials. Each entry maps a claim path to its disclosure setting.

      property name* any

      Selective disclosure mapping for IETF SD-JWT VC credentials. Each entry maps a claim path to its disclosure setting.

      presentationDefinitionId string

      Identifier of a presentation definition required for dynamic credential requests.

      presentationExchangeId string

      Identifier of the presentation exchange session linked to a dynamic credential request.

      holder object

      Metadata about the credential holder obtained during the OID4VCI exchange.

      name stringrequired

      Identifier of the holder, typically a DID or display name resolved from wallet client metadata.

      credentialFormat string

      Possible values: [jwt_vc_json, dc+sd-jwt, mso_mdoc]

      Credential format used for this issuance. Values: jwt_vc_json (W3C VC JWT), dc+sd-jwt (IETF SD-JWT VC), mso_mdoc (ISO 18013-5 mDoc/mDL).

      supportRevocation boolean

      Indicates whether revocation is enabled for the issued credential.

      revocationStatus string

      Possible values: [Operational, Revoked, Suspended]

      Current revocation status: Operational (valid), Revoked (permanently invalidated), Suspended (temporarily invalidated).

      clientAssertion string

      OAuth 2.0 client assertion JWT provided by the holder's wallet for client authentication.

      clientAssertionTokenType string

      Type of the client assertion token.

      isClientAssertionVerified boolean

      Indicates whether the holder's client assertion JWT was verified.

      walletUnitAttestation string

      Wallet Unit Attestation (WUA) credential presented by the holder, certifying the wallet instance is genuine.

      walletUnitAttestationPoP string

      Proof of Possession for the Wallet Unit Attestation.

      walletUnitAttestationVerified boolean

      Indicates whether the Wallet Unit Attestation was verified.

      credentialToken string

      The signed credential token (JWT, SD-JWT, or mDoc) issued to the holder.

      cnf object

      Confirmation claim (cnf) containing the holder's public key JWK for key binding.

      property name* any

      Confirmation claim (cnf) containing the holder's public key JWK for key binding.

      jti string

      JWT Token Identifier (jti) — unique identifier for the issued credential token.

      proof string

      Proof JWT provided by the holder in the OID4VCI Credential Request, demonstrating key possession.

      proofType string

      Type of the proof provided in the Credential Request (e.g. jwt).

      decodedWalletUnitAttestation object

      Decoded payload of the holder's Wallet Unit Attestation credential.

      property name* any

      Decoded payload of the holder's Wallet Unit Attestation credential.

      idToken string

      OpenID Connect ID Token shared by the holder during the issuance flow.

      idTokenDecoded object

      Decoded payload of the holder's OpenID Connect ID Token.

      idTokenVerified boolean

      Indicates whether the holder's OpenID Connect ID Token was verified.

      issuanceDeniedReason string

      Human-readable reason why the issuer denied the credential issuance request.

      expiredCredentialTokens string[]

      Array of previously issued credential tokens that have expired.

      expiredCredentials object[]

      Array of decoded expired credential payloads.

      credentialResponseEncryption object
      alg string
      enc string
      jwk object
      issuerTrustServiceProvider object

      The details of issuer trust service provider

      holderTrustServiceProvider object

      The details of holder trust service provider

      individualId string

      Identifier of the individual recipient the credential offer was sent to.

      mapperId string

      Mapper identifier linking the credential offer to an external individual record.

      credentialResponseInterval number

      Minimum polling interval (in seconds) for the OID4VCI Deferred Credential Endpoint.

    Loading...
    Last updated on