Verifiable Credentials HTTP API v0.3

A HTTP API for Verifiable Credentials lifecycle management

Draft Community Group Report

Latest published version:
https://www.w3.org/TR/vc-http-api/
Latest editor's draft:
https://w3c-ccg.github.io/vc-http-api/
Editor:
TBD
Author:
Participate:
GitHub w3c-ccg/vc-http-api
File an issue
Commit history
Pull requests

Copyright © 2021 the Contributors to the Verifiable Credentials HTTP API v0.3 Specification, published by the Credentials Community Group under the W3C Community Contributor License Agreement (CLA) . A human-readable summary is available.

Abstract

Verifiable credentials provide a mechanism to express credentials on the Web in a way that is cryptographically secure, privacy respecting, and machine-verifiable. This specification provides data model and HTTP protocols to issue, verify, present, and manage data used in such an ecosystem.

Status of This Document

This is a preview

Do not attempt to implement this version of the specification. Do not reference this version as authoritative in any way. Instead, see https://w3c-ccg.github.io/vc-http-api/ for the Editor's draft.

This specification was published by the Credentials Community Group . It is not a W3C Standard nor is it on the W3C Standards Track. Please note that under the W3C Community Contributor License Agreement (CLA) there is a limited opt-out and other conditions apply. Learn more about W3C Community and Business Groups .

This specification is highly experimental and changing rapidly. Implementation in non-experimental systems is discouraged unless you are participating in the weekly meetings that coordinate activity around this specification.

Comments regarding this document are welcome. Please file issues directly on GitHub , or send them to public-credentials@w3.org ( subscribe , archives ).

GitHub Issues are preferred for discussion of this specification. Alternatively, you can send comments to our mailing list. Please send them to public-credentials@w3.org ( subscribe , archives ).

1. Introduction

This section is non-normative.

1.1 A Simple Example

This section is non-normative.

An example of Verifiable Credential issuance.
Figure 1 A simple example of issuing a Verifiable Credential.

1.2 Design Goals

This section is non-normative.

Goal Description
TBD TBD

1.3 Architecture Overview

This section is non-normative.

This section provides a basic overview of the major components of this specification's architecture.

Diagram showing how credentials flow from issuer to holder and presentations flow from holder to verifier where all three parties can use information from a logical verifiable data registry
Figure 2 The roles and information flows forming the basis for this specification.
Note

The ecosystem overview above is an example ecosystem in which to ground the rest of the concepts in this specification. Other ecosystems exist, such as protected environments or proprietary systems, where verifiable credentials also provide benefit.

Issue 1

TODO: Explain example issuer architecture overview. The blue highlights around some boxes identify APIs defined by this specification.

TODO
Figure 3 A detailed view of an example issuer architecture.
Issue 2

TODO: Explain example holder architecture overview. The blue highlights around some boxes identify APIs defined by this specification.

TODO
Figure 4 A detailed view of an example holder architecture.
Issue 3

TODO: Explain example holder architecture overview. The blue highlights around some boxes identify APIs defined by this specification.

TODO
Figure 5 A detailed view of an example verifier architecture.

1.4 Conformance

As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.

The key words MAY , MUST , NOT RECOMMENDED , and RECOMMENDED in this document are to be interpreted as described in BCP 14 [ RFC2119 ] [ RFC8174 ] when, and only when, they appear in all capitals, as shown here.

A conforming VC HTTP API client is ...

A conforming VC HTTP API server is ...

2. Terminology

This section is non-normative.

This section defines the terms used in this specification and throughout decentralized identifier infrastructure. A link to these terms is included whenever they appear in this specification.

decentralized identifier (DID)
A globally unique persistent identifier that does not require a centralized registration authority and is often generated and/or registered cryptographically. The generic format of a DID is defined in DID Core: Syntax . Many—but not all—DID methods make use of distributed ledger technology (DLT) or some other form of decentralized network.

3. The VC HTTP API

3.1 Authorization

As an API built on top of HTTP, the VC HTTP API MAY be protected by any security technology that is applicable to such HTTP APIs. It is RECOMMENDED that deployments use standard delegation protocols to allow for interoperable access to the functions of the API without divulging end-user credentials or details unnecessarily to different parties. It is NOT RECOMMENDED that deployments use direct authentication technologies such as HTTP Basic Authentication.

This specification defines interoperable bindings to several standard delegation and authorization protocols. A conformant implementation deployed with one of these technologies MUST use these profiles and MAY further profile the connections as necessary. Each VC HTTP API endpoint defines a an authorization type , actions , datatypes , and other security values relevant to the different actions that can be taken on an endpoint. These security values are combined and encoded in different ways for the associated security protocol, allowing a client to request and a policy to specify fine-grained access control for the VC HTTP API endpoints under protection.

3.1.1 OAuth 2.0

When calling a VC HTTP API using OAuth 2.0, the request MUST be made using OAuth 2.0 Rich Authorization Requests to describe the rights requested for the given API. The security parameters relevant for the rights requested for the endpoints in question are encoded as separate objects within the authorization details array.

For example, a client requesting access to the issuing endpoint hosted at https://example.com/issue for the purposes of issuing credentials would combine the security parameters defined in the issuing endpoint as follows: 

[
  {
    "type": "https://www.w3c.org/TR/vc-http-api",    "actions": [ "issue" ],    "locations": [ "https://example.com/issue" ],    "datatypes": [ "credential" ]
  }
]

If this is the only request, it is encoded into the OAuth 2.0 Rich Authorization Request as follows:

authorization_details=%5B%7B%22type%22%3A%22https%3A%2F%2Fwww.w3c.org%2FTR%2Fvc-http-api%22%2C%22actions%22%3A%5B%22issue%22%5D%2C%22locations%22%3A%5B%22https%3A%2F%2Fexample.com%2Fissue%22%5D%2C%22datatypes%22%3A%5B%22credential%22%5D%7D%5D&client_id=...

The OAuth 2.0 scope and resource parameters are not defined for the VC HTTP API, though these parameters MAY be used to combine requests for other APIs with the request for access to the VC HTTP API. Requests for different actions and endpoints MAY be combined into the authorization details request list as different objects.

The access tokens granted from this process MAY be OAuth 2.0 Bearer tokens or any other valid OAuth 2.0 token type.

3.1.2 Grant Negotiation and Authorization Protocol (GNAP)

When calling a VC HTTP API using GNAP , the request MUST be made using the GNAP resource access rights data structures to describe the rights requested for the given API. The security parameters relevant for the rights requested for the endpoints in question are encoded as separate objects within the access array.

For example, a client requesting access to the issuing endpoint hosted at https://example.com/issue for the purposes of issuing credentials would combine the security parameters defined in the issuing endpoint in the following grant request structure: 

{  "access_token": {    "access": [
      {
        "type": "https://www.w3c.org/TR/vc-http-api",        "actions": [ "issue" ],        "locations": [ "https://example.com/issue" ],        "datatypes": [ "credential" ]
      }
    ]
  },
  "client": ...
}

This example shows a single request for a single access token, but the same structures apply to multiple requests or multiple access tokens.

GNAP resource reference values are not defined for the VC HTTP API, though such values MAY be used to combine requests for other APIs with the request for access to the VC HTTP API. Requests for different actions and endpoints MAY be combined into the access request list as different objects, or used in separate access tokens.

3.2 Issuing

3.3 Verifying

3.4 Presenting

A. Privacy Considerations

B. Security Considerations

C. Acknowledgements

The Working Group thanks the following individuals for their contributions to this specification: The final list of acknowledgements will be compiled at the end of the Candidate Recommendation phase.

Portions of the work on this specification have been funded by the United States Department of Homeland Security's Silicon Valley Innovation Program under contracts 70RSAT20T00000003, 70RSAT20T00000010, 70RSAT20T00000029, 70RSAT20T00000031, 70RSAT20T00000033, and 70RSAT20T00000043. The content of this specification does not necessarily reflect the position or the policy of the U.S. Government and no official endorsement should be inferred.

Development of this specification has also been supported by the W3C Credentials Community Group , chaired by Kim Hamilton Duffy, Heather Vescent, and Wayne Chang.

D. References

D.1 Normative references

[RFC2119]
Key words for use in RFCs to Indicate Requirement Levels . S. Bradner. IETF. March 1997. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc2119
[RFC8174]
Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words . B. Leiba. IETF. May 2017. Best Current Practice. URL: https://www.rfc-editor.org/rfc/rfc8174

D.2 Informative references

[RFC3986]
Uniform Resource Identifier (URI): Generic Syntax . T. Berners-Lee; R. Fielding; L. Masinter. IETF. January 2005. Internet Standard. URL: https://www.rfc-editor.org/rfc/rfc3986
[RFC4122]
A Universally Unique IDentifier (UUID) URN Namespace . P. Leach; M. Mealling; R. Salz. IETF. July 2005. Proposed Standard. URL: https://www.rfc-editor.org/rfc/rfc4122
[VC-DATA-MODEL]
Verifiable Credentials Data Model 1.0 . Manu Sporny; Grant Noble; Dave Longley; Daniel Burnett; Brent Zundel. W3C. 2019-11-19. W3C Recommendation. URL: https://www.w3.org/TR/vc-data-model/