Skip to main content

3: Create Credential Definition

Once a schema has been created by the governance agent, the Issuer can create a credential definition. They will use the credential definition as a unique reference to the schema.

Creating a Credential Definition

To create a credential definition, the issuer needs to send a POST request to the appropriate endpoint. Below is an example of how to create a non-revocable credential definition:

curl -X 'POST' \
  'https://cloudapi.test.didxtech.com/tenant/v1/definitions/credentials' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'x-api-key: tenant.<Issuer token>' \
  -d '{
  "tag": "Demo Person",
  "schema_id": "QpSW24YVf61A3sAWxArfF6:2:Person:0.1.0",
  "support_revocation": false
}'

Response:

{
  "id": "2hPti9M3aQqsRCy8N6jrDB:3:CL:10:Demo Person",
  "tag": "Demo Person",
  "schema_id": "QpSW24YVf61A3sAWxArfF6:2:Person:0.1.0"
}

Note down the credential definition id in the id field.

If you don't need revocation support, you can continue to the next section: Create Connection. Otherwise, stick around for an explanation of revocable credential definitions.

Creating a Revocable Credential Definition

Revocation enables an issuer to revoke credentials, i.e., make a credential invalid some time after issuance. The process to make credentials revocable is straightforward, but there are a few things the issuer should keep track of. The goal of this section is to explain everything involved in revocation.

To issue credentials that are revocable, the credential definition needs to be created with revocation support enabled. When creating a credential definition, set "support_revocation": true. This will enable revocation on all credentials issued against this credential definition.

Example payload for creating a revocable credential definition:

{
  "tag": "My cred def",
  "schema_id": "QpSW24YVf61A3sAWxArfF6:2:Person:0.1.0",
  "support_revocation": true
}

The creation of a credential definition with revocation enabled can take up to a minute before a user gets a response from the API endpoint. The reason for this is the creation of revocation registries. These registries are essential for the cryptographic processes involved with revocation. See more on this here.

The management of these registries is obfuscated away from the user as it can be complicated and cumbersome. However, there are a few things to take note of. Once a registry is full, the application will automatically switch to a new registry. These registries are created on the fly, and the application will always have two "active" registries: one that is currently being used and the next one in the queue, i.e., the one the application will switch to once the current one is filled.

There is also a fee associated with the creation of these registries as there is a definition of them that needs to end up on the ledger. These definitions are needed for the revocation process to work.

There is an event associated with the creation of these revocation registries with the topic name revocation. Here is an example event of an initial event associated with the creation of the revocation registries:

{
  "wallet_id": "8960ee4d-d79d-4444-abca-ad2edbfef600",
  "topic": "revocation",
  "origin": "tenant faber",
  "group_id": "GroupA",
  "payload": {
    "created_at": "2024-05-02T08:11:11.039583Z",
    "cred_def_id": "WWzcvsHULP1Fkf9GUYRZg8:3:CL:8:Epic",
    "error_msg": null,
    "issuer_did": "WWzcvsHULP1Fkf9GUYRZg8",
    "max_cred_num": 4,
    "pending_pub": [],
    "record_id": "bf1219ca-75bf-4931-911b-1fe2ace39683",
    "revoc_def_type": "CL_ACCUM",
    "revoc_reg_def": null,
    "revoc_reg_entry": null,
    "revoc_reg_id": "WWzcvsHULP1Fkf9GUYRZg8:4:WWzcvsHULP1Fkf9GUYRZg8:3:CL:8:Epic:CL_ACCUM:bf1219ca-75bf-4931-911b-1fe2ace39683",
    "state": "init",
    "tag": null,
    "tails_hash": null,
    "tails_local_path": null,
    "tails_public_uri": null,
    "updated_at": "2024-05-02T08:11:11.039583Z"
  }
}

Note: This event only fires on the creation of registries or when registries fill up and a new one takes its place. This event does not fire with the revocation of credentials.

When a credential is issued with revocation support, it will be intrinsically connected with a registry.

Next: Create Connection