The hierarchy to issue verifiable credentials is the following:
- Support Office issues a credential to register a Root Trusted Accreditation Organisations (RootTAO).
- A RootTAO is the root of a trusted chain and it can issue credentials to register new Trusted Accreditation Organizations (TAO).
- A TAO can issue credentials to register other Trusted Issuers.
Load the issuer
Load the keys of the Trusted Issuer:
Command
==> using user ES256K did1 <ISSUER_PRIVATE_KEY_ES256K> <ISSUER_DID>
==> using user ES256 did1 <ISSUER_PRIVATE_KEY_ES256> <ISSUER_DID>
Before issuing the credential, run the following commands to set the user accreditation URL and accreditation ID.
Command
==> set user.accreditationUrl ACCREDITATION_URL
info
ACCREDITATION_URL is the link (located in the Trusted Issuers Registry) to the credential that authorises the entity to issue other credentials.
Now connect the wallet with the pilot environment and switch to the upcoming APIs:
Command
==> env pilot
==> version upcoming
Define VC payload
Create the reservedAttributeId by computing a random ID:
Command
==> reservedAttributeId: compute randomID
Output - value saved in 'reservedAttributeId'
b84fc4439b46ab5f2c9800e97b2edabfd1bdc83b4778ad1cec3cd92c7cc93bb4
Now create create a JSON file with the payload of the verifiable credential and set the reservedAttributeId there. The payload of the credential depends on its type. Here are the most typical cases:
- VerifiableAuthorisationForTrustChain: VC for RootTAOs
{
"@context": ["https://www.w3.org/2018/credentials/v1"],
"type": [
"VerifiableCredential",
"VerifiableAttestation",
"VerifiableAuthorisationForTrustChain"
],
"issuer": "did:ebsi:zZeKyEJfUTGwajhNyNX928z",
"credentialSubject": {
"id": "did:ebsi:zy8Psj9ez9wrsSZ7vrHE221",
"reservedAttributeId": "b84fc4439b46ab5f2c9800e97b2edabfd1bdc83b4778ad1cec3cd92c7cc93bb4"
},
"termsOfUse": {
"id": "https://api-pilot.ebsi.eu/trusted-issuers-registry/v6/issuers/did:ebsi:zZeKyEJfUTGwajhNyNX928z/attributes/cf89e47e260eda53bb199096ca97347790c84d2c8a5f2ce3f411eaba14d0003e",
"type": "IssuanceCertificate"
},
"credentialSchema": {
"id": "https://api-pilot.ebsi.eu/trusted-schemas-registry/v4/schemas/z3MgUFUkb722uq4x3dv5yAJmnNmzDFeK5UC8x83QoeLJM",
"type": "FullJsonSchemaValidator2021"
}
}
- VerifiableAccreditationToAccredit: VC for TAOs
{
"@context": ["https://www.w3.org/2018/credentials/v1"],
"type": [
"VerifiableCredential",
"VerifiableAttestation",
"VerifiableAccreditation",
"VerifiableAccreditationToAccredit"
],
"issuer": "did:ebsi:zZeKyEJfUTGwajhNyNX928z",
"credentialSubject": {
"id": "did:ebsi:zy8Psj9ez9wrsSZ7vrHE221",
"reservedAttributeId": "b84fc4439b46ab5f2c9800e97b2edabfd1bdc83b4778ad1cec3cd92c7cc93bb4",
"accreditedFor": [
{
"schemaId": "https://api-pilot.ebsi.eu/trusted-schemas-registry/v4/schemas/z3MgUFUkb722uq4x3dv5yAJmnNmzDFeK5UC8x83QoeLJM",
"types": [
"VerifiableCredential",
"VerifiableAttestation",
"CTRevocable"
],
"limitJurisdiction": "https://publications.europa.eu/resource/authority/atu/FIN"
}
]
},
"termsOfUse": [
{
"id": "https://api-pilot.ebsi.eu/trusted-issuers-registry/v6/issuers/did:ebsi:zZeKyEJfUTGwajhNyNX928z/attributes/cf89e47e260eda53bb199096ca97347790c84d2c8a5f2ce3f411eaba14d0003e",
"type": "IssuanceCertificate"
}
],
"credentialSchema": {
"id": "https://api-pilot.ebsi.eu/trusted-schemas-registry/v4/schemas/zjVFNvbEBPAr3a724DttioZpgZmNr75BBtRzZqk7pkDe",
"type": "FullJsonSchemaValidator2021"
}
}
- VerifiableAccreditationToAttest: VC for TIs
{
"@context": ["https://www.w3.org/2018/credentials/v1"],
"type": [
"VerifiableCredential",
"VerifiableAttestation",
"VerifiableAccreditation",
"VerifiableAccreditationToAttest"
],
"issuer": "did:ebsi:zZeKyEJfUTGwajhNyNX928z",
"credentialSubject": {
"id": "did:ebsi:zy8Psj9ez9wrsSZ7vrHE221",
"reservedAttributeId": "b84fc4439b46ab5f2c9800e97b2edabfd1bdc83b4778ad1cec3cd92c7cc93bb4",
"accreditedFor": [
{
"schemaId": "https://api-pilot.ebsi.eu/trusted-schemas-registry/v4/schemas/z3MgUFUkb722uq4x3dv5yAJmnNmzDFeK5UC8x83QoeLJM",
"types": [
"VerifiableCredential",
"VerifiableAttestation",
"CTRevocable"
],
"limitJurisdiction": "https://publications.europa.eu/resource/authority/atu/FIN"
}
]
},
"termsOfUse": [
{
"id": "https://api-pilot.ebsi.eu/trusted-issuers-registry/v6/issuers/did:ebsi:zZeKyEJfUTGwajhNyNX928z/attributes/cf89e47e260eda53bb199096ca97347790c84d2c8a5f2ce3f411eaba14d0003e",
"type": "IssuanceCertificate"
}
],
"credentialSchema": {
"id": "https://api-pilot.ebsi.eu/trusted-schemas-registry/v3/schemas/zjVFNvbEBPAr3a724DttioZpgZmNr75BBtRzZqk7pkDe",
"type": "FullJsonSchemaValidator2021"
}
}
Now import it in the CLI tool:
Command
==> payloadVc: load path-to-file.json
Create and sign the VC
Use this payload to create and sign the VC:
Command
==> vcIssuer: compute createVcJwt payloadVc {} ES256
Output - value saved in 'vcIssuer'
eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImRpZDplYnNpOnpaZUt5RUpmVVRHd2FqaE55Tlg5Mjh6I1NvMUhJUnQwS3FmMF9CU3dxdjRWTU5na2F4M21DRjlJamNRSndNbkIzYnMifQ.eyJpYXQiOjE3MDAyMjk5NDksImp0aSI6InVybjp1dWlkOjY2MDI3ZmY4LThmNGQtNGFhNi1iOGJjLTY1ZGQ5YmNlYTMxMSIsIm5iZiI6MTcwMDIyOTk0OSwiZXhwIjoxNzMxNzY1OTQ5LCJzdWIiOiJkaWQ6ZWJzaTp6eThQc2o5ZXo5d3JzU1o3dnJIRTIyMSIsInZjIjp7IkBjb250ZXh0IjpbImh0dHBzOi8vd3d3LnczLm9yZy8yMDE4L2NyZWRlbnRpYWxzL3YxIl0sImlkIjoidXJuOnV1aWQ6NjYwMjdmZjgtOGY0ZC00YWE2LWI4YmMtNjVkZDliY2VhMzExIiwidHlwZSI6WyJWZXJpZmlhYmxlQ3JlZGVudGlhbCIsIlZlcmlmaWFibGVBdHRlc3RhdGlvbiIsIlZlcmlmaWFibGVBY2NyZWRpdGF0aW9uIiwiVmVyaWZpYWJsZUFjY3JlZGl0YXRpb25Ub0F0dGVzdCJdLCJpc3N1ZXIiOiJkaWQ6ZWJzaTp6WmVLeUVKZlVUR3dhamhOeU5YOTI4eiIsImlzc3VhbmNlRGF0ZSI6IjIwMjMtMTEtMTdUMTQ6MDU6NDlaIiwiaXNzdWVkIjoiMjAyMy0xMS0xN1QxNDowNTo0OVoiLCJ2YWxpZEZyb20iOiIyMDIzLTExLTE3VDE0OjA1OjQ5WiIsImV4cGlyYXRpb25EYXRlIjoiMjAyNC0xMS0xNlQxNDowNTo0OVoiLCJjcmVkZW50aWFsU3ViamVjdCI6eyJpZCI6ImRpZDplYnNpOnp5OFBzajllejl3cnNTWjd2ckhFMjIxIiwiYWNjcmVkaXRlZEZvciI6W3sic2NoZW1hSWQiOiJodHRwczovL2FwaS1waWxvdC5lYnNpLmV1L3RydXN0ZWQtc2NoZW1hcy1yZWdpc3RyeS92My9zY2hlbWFzL3ozTWdVRlVrYjcyMnVxNHgzZHY1eUFKbW5ObXpERmVLNVVDOHg4M1FvZUxKTSIsInR5cGVzIjpbIlZlcmlmaWFibGVDcmVkZW50aWFsIiwiVmVyaWZpYWJsZUF0dGVzdGF0aW9uIiwiQ1RSZXZvY2FibGUiXSwibGltaXRKdXJpc2RpY3Rpb24iOiJodHRwczovL3B1YmxpY2F0aW9ucy5ldXJvcGEuZXUvcmVzb3VyY2UvYXV0aG9yaXR5L2F0dS9FVVIifV0sInJlc2VydmVkQXR0cmlidXRlSWQiOiJiODRmYzQ0MzliNDZhYjVmMmM5ODAwZTk3YjJlZGFiZmQxYmRjODNiNDc3OGFkMWNlYzNjZDkyYzdjYzkzYmI0In0sInRlcm1zT2ZVc2UiOnsiaWQiOiJodHRwczovL2FwaS1waWxvdC5lYnNpLmV1L3RydXN0ZWQtaXNzdWVycy1yZWdpc3RyeS92NS9pc3N1ZXJzL2RpZDplYnNpOnpaZUt5RUpmVVRHd2FqaE55Tlg5Mjh6L2F0dHJpYnV0ZXMvY2Y4OWU0N2UyNjBlZGE1M2JiMTk5MDk2Y2E5NzM0Nzc5MGM4NGQyYzhhNWYyY2UzZjQxMWVhYmExNGQwMDAzZSIsInR5cGUiOiJJc3N1YW5jZUNlcnRpZmljYXRlIn0sImNyZWRlbnRpYWxTY2hlbWEiOnsiaWQiOiJodHRwczovL2FwaS1waWxvdC5lYnNpLmV1L3RydXN0ZWQtc2NoZW1hcy1yZWdpc3RyeS92My9zY2hlbWFzL3ozTWdVRlVrYjcyMnVxNHgzZHY1eUFKbW5ObXpERmVLNVVDOHg4M1FvZUxKTSIsInR5cGUiOiJGdWxsSnNvblNjaGVtYVZhbGlkYXRvcjIwMjEifX0sImlzcyI6ImRpZDplYnNpOnpaZUt5RUpmVVRHd2FqaE55Tlg5Mjh6In0.xx2750myIbG9ojkycuHEg9ZSHDCQ1ZJuYKFE59GdlxwD0Ehe75mtVA7z1FAiCpkxkjLBZ9RV_4RBlxyL0ij4OQ
By default, the tool defines the current date as issuance date and 5 years for expiration. If you want to set specific dates, override the payload of the JWT:
Command
==> vcIssuer: compute createVcJwt payloadVc {"iat":1704392000, "exp":1705392000} ES256
Also note that these credentials are signed with the ES256 key (not the ES256K key), which is the key that bash title="Command"ould be used in all credentials.
Request an access token
Request an access token to the authorisation API with the scope tir_write:
Command
==> resAuthTIR: authorisation auth tir_write_presentation ES256
Output - value saved in 'resAuthTIR'
{
"access_token": "eyJhbGciOiJFUzI1NiIsImtpZCI6IldqQVB6c0RyYmtWQU0xYkhpdVh5dDlPRmdQZVRSRGpLVjNncGg1RURWUGMiLCJ0eXAiOiJKV1QifQ.eyJpYXQiOjE3MDAyMjk5NTAsImV4cCI6MTcwMDIzNzE1MCwic3ViIjoiZGlkOmVic2k6elplS3lFSmZVVEd3YWpoTnlOWDkyOHoiLCJhdWQiOiJodHRwczovL2FwaS1waWxvdC5lYnNpLmV1L2F1dGhvcmlzYXRpb24vdjQiLCJzY3AiOiJvcGVuaWQgdGlyX3dyaXRlIiwianRpIjoiOGYwNzcwMDEtNzIyNi00OTQ3LWIwNTYtN2FmNWQzZTdlZjM1IiwiaXNzIjoiaHR0cHM6Ly9hcGktcGlsb3QuZWJzaS5ldS9hdXRob3Jpc2F0aW9uL3Y0In0.Ay6aNPHCNucsqIIZJ1FUIyP7tNTGXYeFiH7BHk-caLmMCrdJY5OKnsbVfy-CGnVvUkDoxoz1CHCaXhG9-8gNzQ",
"token_type": "Bearer",
"expires_in": 7200,
"scope": "openid tir_write",
"id_token": "eyJhbGciOiJFUzI1NiIsImtpZCI6IldqQVB6c0RyYmtWQU0xYkhpdVh5dDlPRmdQZVRSRGpLVjNncGg1RURWUGMiLCJ0eXAiOiJKV1QifQ.eyJpYXQiOjE3MDAyMjk5NTAsImV4cCI6MTcwMDIzNzE1MCwic3ViIjoiZGlkOmVic2k6elplS3lFSmZVVEd3YWpoTnlOWDkyOHoiLCJhdWQiOiJkaWQ6ZWJzaTp6WmVLeUVKZlVUR3dhamhOeU5YOTI4eiIsImp0aSI6ImVjNGUyZmI2LTQwMjQtNDRmMy1iMDYyLTRiYWRkM2JlN2JmOSIsIm5vbmNlIjoiMTYwZGU1NDctYjM3NC00ZjkxLTk2NzQtYTFjM2UyZTk5YTNlIiwiaXNzIjoiaHR0cHM6Ly9hcGktcGlsb3QuZWJzaS5ldS9hdXRob3Jpc2F0aW9uL3Y0In0.4AHlaJHpGsQuViKnfpItuxF5fcXZwVbW3KcoUkCbCU0wOaIo6A22N74Q8mD2ndu_qkHYoRDX3ardzDpQuDsqfQ"
}
Now load the access token:
Command
==> using token resAuthTIR.access_token
Pre-register the VC
Now make the preregistration of the credential in the Trusted Issuers Registry:
Command
==> tir setAttributeMetadata <NEW_ISSUER_DID> reservedAttributeId <ISSUER_TYPE> user.did <USER_ATTRIBUTE_ID>
Output
Issuer did:ebsi:zy8Psj9ez9wrsSZ7vrHE221
{
"attributeId": "b84fc4439b46ab5f2c9800e97b2edabfd1bdc83b4778ad1cec3cd92c7cc93bb4",
"issuerType": "ti"
}
where NEW_ISSUER_DID is the DID of the new issuer, ISSUER_TYPE must be roottao, tao, or ti depending on the case, and USER_ATTRIBUTE_ID is your attribute ID that accredits you to issue this type of credentials.
Congratulations!
You have issued and preregister a new credential for a Trusted Issuer. Now share the credential with the issuer so he can register it.
Script to issue a VC for a Trusted Issuer
The CLI tool is equipped with a script to simplify the process to issue and preregister a VC for a Trusted Issuer. First, setup your wallet and run:
For Root TAO:
Command
==> vcRootTAO: run issueVcRootTAO DID_SUBJECT
==> run preregisterIssuer DID_SUBJECT roottao vcRootTAO
For TAO:
Command
==> vcTAO: run issueVcTAO DID_SUBJECT
==> run preregisterIssuer DID_SUBJECT tao vcTAO
For TI:
Command
==> vcTI: run issueVcTI DID_SUBJECT
==> run preregisterIssuer DID_SUBJECT ti vcTI