Skip to main content

Accredit TAOs and TIs

Now you are almost ready to start issuing Verifiable Credentials. Just a few more steps to go!

info

Verifiable Credential and Presentation

Check out our VC and VP library to create and verify EBSI-compliant W3C Verifiable Credentials and Verifiable Presentations in JWT format

Step 2.1 Authorise TAO to onboard by issuing a V. Authorisation to Onboard

Step 2.1.1 Provide Authorisation Server to authenticate TAO

Now that you have set up your Root Trusted Accreditation Organisation, you can onboard Trusted Accreditation Organisations.

Your Root TAO needs to provide an OIDC Authorisation Server for TAO. Authentication can be performed by using a code flow or by pre-authorisation.

Step 2.1.2 Authentication code flow

For authentication and authorisation, the Root TAO needs to provide an Authorisation Server. The TAO can start authentication by calling the Authorisation Server's authorise endpoint with response_type code. In response, the Authorisation Server should proceed to authenticate the TAO/TI, for example by requesting an ID Token. After successful authentication, the Authorisation Server should respond with a code. Using this code, the TAO/TI can request an access token (by calling the Authorisation Server's token endpoint).

Step 2.1.3 Authentication with pre-authorization

In addition to the code flow above, authentication can also be done using a pre-authorised code. This code is delivered to the TAO via a Credential Offering or out of band method. Using this code, the TAO/TI can invoke the Authorisation Server's token endpoint directly to get an access token.

Step 2.1.4 Provide Credential Issuer service for issuing TAO Authorisation to Onboard

The Root TAO needs to provide a Credential Issuer service for a TAO. It should contain a credential endpoint which is protected by requiring an access token issued in the previous phase.

The TAO should use this endpoint to request a Verifiable Authorisation to Onboard credential. Using this credential the TAO can onboard to EBSI by inserting their DID document into EBSI DID Registry.

Step 2.2 Authorise TAO to register in the TIR

To be able to issue VCs the TAO needs to add themselves to the EBSI Trusted Issuer Registry. The Root TAO authorises this by issuing a Verifiable Accreditation to Attest.

Step 2.2.1 Enable TAO Request a V. Accreditation to Attest

Using the Authorisation Server and Credential Issuer service provided by the Root TAO, the TAO is able to request a Verifiable Accreditation to Attest VC. Using this VC, the TAO can add themselves to the EBSI Trusted Issuers Registry.

Step 2.2.2 Authorise TAO to accredit other TAO/TIs

To be able to accredit other TAO/TIs, a TAO needs register in the Trusted Issuers Registry. The Root TAO authorises this by issuing a Verifiable Accreditation to Accredit VC. Using this VC the TAO can register themselves in the Trusted Issuers Registry.