Overview

Before a wallet can receive a credential, the issuer creates a credential offer from a credential profile. The Issuer2 API exposes endpoints for creating and managing these offers, which generate an OID4VCI credential offer URL that any compliant wallet can claim.

What is a Credential Offer?

A credential offer is a one-time or limited-use invitation for a wallet to receive a credential. When you create an offer, you specify:

  • Profile – The credential profile to use as the base configuration
  • Authentication Method – Pre-authorized or authorization code flow
  • Delivery Mode – Credential offer by reference or by value
  • Expiration – How long the offer remains valid
  • Runtime Overrides – Any profile values to override for this specific offer

Offer Flow

  1. Create Offer – Call the offers endpoint with a profile ID
  2. Share URL – Send the credential offer URL to the user (QR code, deep link, etc.)
  3. Wallet Claims – User's wallet resolves the offer and receives the credential

Authentication Methods

MethodDescriptionUse Case
PRE_AUTHORIZEDNo user authentication requiredKnown users, pre-verified data
AUTHORIZEDUser must authenticate via IdPUnknown users, dynamic data collection

See Protocol Flows for the full sequence diagrams and a more detailed breakdown of when to use each.

Offer Delivery Modes

ModeDescription
BY_REFERENCEOffer URL contains a reference; wallet fetches full offer from issuer (default)
BY_VALUEFull credential offer is embedded in the URL

BY_REFERENCE is recommended for most use cases as it keeps URLs shorter and allows the issuer to track when offers are resolved.

API Endpoints

Create a Credential Offer

curl -X POST 'http://localhost:7002/issuer2/credential-offers' \
  -H 'Content-Type: application/json' \
  -d '{
    "profileId": "universityDegree",
    "authMethod": "PRE_AUTHORIZED"
  }'

Response:

{
  "offerId": "abc123-def456-ghi789",
  "profileId": "universityDegree",
  "authMethod": "PRE_AUTHORIZED",
  "expiresAt": 1704067500000,
  "credentialOffer": "openid-credential-offer://?credential_offer_uri=http%3A%2F%2Flocalhost%3A7002%2Fopenid4vci%2Fcredential-offer%3Fid%3Dabc123-def456-ghi789"
}

List Sessions

curl -X GET 'http://localhost:7002/issuer2/sessions'

Get Session Details

curl -X GET 'http://localhost:7002/issuer2/sessions/{sessionId}'

Using the Credential Offer

The credentialOffer URL in the response can be:

  1. Displayed as QR Code – User scans with their wallet app
  2. Sent as Deep Link – User clicks link on mobile device
  3. Embedded in Email/Message – User clicks to open in wallet

When the wallet resolves this URL, it will:

  1. Fetch the full credential offer from the issuer
  2. Display the credential details to the user
  3. Request the credential using the appropriate flow

Next Steps

Last updated on July 1, 2026