Manage Status Credentials
In this walkthrough we take a look at how you can create a status credential configuration and add or update a status entry in the configured status credential. Please make sure you have created a credential status service as explained here.
For details on status validation, please refer to the credential-status policy section.
Our implementation covers examples for each of the following standards:
Create A Status Credential Configuration
The first step is to create a configuration. However, the creation of a configuration does not yet issue the actual status credential. It's only after the first status entry has been created with a configuration that the status credential based on the configuration is being issued and made available for verifiers and other parties to access.
When defining the configuration, we decide which key will sign the status credential, the DID of the issuer, and the config of the status itself. The config sets up properties the depending on the status credential standard, e.g.:
- W3C standards (BitstringStatusList, StatusList2021, RevocationList2020) -
purposeof the status, e.g. revocation, thestatusSizeand more - IETF standard (TokenStatusList)
One status credential can host up to 32.000 status list entries.
In the examples below we create a configuration for a revocation status credential.
Endpoint: /v1/{target}/credential-status-service-api/status-credential/create | API Reference
Example Request
curl -X 'POST' \
'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/credential-status-service-api/status-credential/create' \
-H 'accept: */*' \
-H 'Authorization: Bearer {yourToken}' \
-H 'Content-Type: application/json' \
-d '{
"kid": "waltid.tenant1.kms1.key1",
"did": "did:jwk:eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5Iiwia2lkIjoiMW1rQnBEYWZqVk9ONm9XVmlIZGREZXNEYXpKaXk1R0NTYko3VDU4QkJ3cyIsIngiOiJzZ1BiZWRPQjl1WEMtVG54LUVhV1IxRmg1Y25JLUxRLU43NUV1UE8wV2VFIn0",
"config": {
"purpose": "revocation",
"type": "BitstringStatusList",
"statusSize": 1,
"statuses": [
{
"status": "0x0",
"message": "unset"
},
{
"status": "0x1",
"message": "set"
}
]
}
}'
Path Parameters
orgID: - When performing operations within an organization, it is essential to use the organization's Base URL or another valid host alias. For example, if your organization is namedtest, your default Base URL will betest.enterprise-sandbox.walt.devwhen using the sandbox environment.target: resourceIdentifier - The target indicates the organization + tenant + credential status service in which to execute the status credential creation ({organizationID}.{tenantID}.{credentialStatusServiceID}), e.g.waltid.tenant1.status-service1
Response
201- Credential Status config created successfully.
#tab2
Body
{
"kid": "waltid.tenant1.kms1.key1",
"did": "did:jwk:eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5Iiwia2lkIjoiMW1rQnBEYWZqVk9ONm9XVmlIZGREZXNEYXpKaXk1R0NTYko3VDU4QkJ3cyIsIngiOiJzZ1BiZWRPQjl1WEMtVG54LUVhV1IxRmg1Y25JLUxRLU43NUV1UE8wV2VFIn0",
"config": {
"purpose": "revocation",
"type": "StatusList2021",
"statusSize": 1,
"statuses": [
{
"status": "0x0",
"message": "unset"
},
{
"status": "0x1",
"message": "set"
}
]
}
}
Body Parameters
Same as for BitstringStatusList, except the type should be StatusList2021.
#tab3
Body
{
"kid": "waltid.tenant1.kms1.key1",
"did": "did:jwk:eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5Iiwia2lkIjoiMW1rQnBEYWZqVk9ONm9XVmlIZGREZXNEYXpKaXk1R0NTYko3VDU4QkJ3cyIsIngiOiJzZ1BiZWRPQjl1WEMtVG54LUVhV1IxRmg1Y25JLUxRLU43NUV1UE8wV2VFIn0",
"config": {
"purpose": "revocation",
"type": "RevocationList2020",
"statusSize": 1,
"statuses": [
{
"status": "0x0",
"message": "unset"
},
{
"status": "0x1",
"message": "set"
}
]
}
}
Body Parameters
Same as for StatusList2021,except the type should be RevocationList2020.
#tab4
Body
{
"kid": "waltid.tenant1.kms1.key1",
"did": "did:jwk:eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5Iiwia2lkIjoiMW1rQnBEYWZqVk9ONm9XVmlIZGREZXNEYXpKaXk1R0NTYko3VDU4QkJ3cyIsIngiOiJzZ1BiZWRPQjl1WEMtVG54LUVhV1IxRmg1Y25JLUxRLU43NUV1UE8wV2VFIn0",
"config": {
"type": "TokenStatusList",
"statusSize": 1,
"statuses": [
{
"status": "0x0",
"message": "VALID"
},
{
"status": "0x1",
"message": "INVALID"
}
],
"format": "JWT"
}
}
Body Parameters
kid: resourceIdentifier - Specifies a key used for singing the status credential. The key must come from a KMS service that lives under the same tenant as the credential status service.did: String - Specifies that DID related to thekid.config: Object - Configuration details for the Status List Token:type: String - Describes the status list standard. It should beTokenStatusList.statusSize: String -Describes the size of each status entry in bits. Allowed values are 1, 2, 4, and 8. Default is 1, meaning each status is represented by a single bit. Larger values allow for more complex status messages, with the number of possible status messages equaling2^statusSize.statuses: Array - This parameter is a JSON array that defines the possible statuses for the Referenced Tokens. Each entry in the array has:status: String This indicates the bit representation of the status. It uses a hexadecimal representation (e.g., "0x0", "0x1")message: String This provides a human-readable label for the status (e.g., "VALID", "INVALID")- Important! Values from 0x0 to 0x2 are reserved and cannot have a different message than the one defined by the standard.
format: String This parameter indicates the format of the Status List Token. It must beJWT(the only format supported at the moment).
::
::
Create A Status Entry From The Issuer Service
Although we can use the credential status service to create a new status entry, it's quite a cumbersome process. That's why the issuer service was built to directly communicate & use the credential status service. This way when you make a credential issuance request, you can reference a credential status service config + the initial status in the body of the request. The issuer service then makes the same call we just made above to create a new status entry and the result of the call then gets directly embedded into the credential.
Example Issuance Request Body With Status
Notice the credentialData represents a W3C VCDM1.1 or VCMD2.0 credential.
{
"issuerKeyId": "waltid.tenant1.kms1.key1",
"issuerDid": "did:key:z6MkjoRhq1jSNJdLiruSXrFFxagqrztZaXHqHGUTKJbcNywp",
"authenticationMethod": "PRE_AUTHORIZED",
"credentialConfigurationId": "UniversityDegree_jwt_vc_json",
"credentialData": {
"@context": [
"https://www.w3.org/2018/credentials/v1",
"https://www.w3.org/2018/credentials/examples/v1"
],
"id": "http://example.gov/credentials/3732",
"type": [
"VerifiableCredential",
"UniversityDegree"
],
"issuer": {
"id": "did:web:vc.transmute.world"
},
"issuanceDate": "2020-03-10T04:24:12.164Z",
"credentialSubject": {
"id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
"degree": {
"type": "BachelorDegree",
"name": "Bachelor of Science and Arts"
}
}
},
// STATUS
"status": {
"statusCredentialConfig": "waltid.tenant1.credential-status-service1.config1",
"initialStatus": "0x0"
},
//
"mapping": {
"id": "<uuid>",
"issuer": {
"id": "<issuerDid>"
},
"credentialSubject": {
"id": "<subjectDid>"
},
"issuanceDate": "<timestamp>",
"expirationDate": "<timestamp-in:365d>"
}
}
To learn about the issuance requests + the other parameters, please go here.
Body Parameters
status- Object defining the status service config + initial statusstatusCredentialConfig: The ID of the status credential config, e.g.waltid.tenant1.credential-status-service1.config1.initialStatus: The string representing the hexadecimal value of the status, e.g.0x0.
Note! To ensure compatibility with the issued holder credential, the provided status credential configuration and the requested holder credential must reference the same standard. Providing any other status credential reference will cause an error due to incompatibility between the holder and status credential formats.
Click to expand and see an example of how to manually create a status entry
Create A Status Entry
We do not recommend manually creating status entries, as you will not be able to update the status later through our stack.
With our Status Credential configuration we can now create a status entry. With the following call we will allocate an index within the status credential encoded list for a credential we want to issue with status. The response will return a JSON structure representing the status-entry we can use in the VC issuance request.
Endpoint: /v1/{target}/credential-status-service-api/status-credential/status/create | API Reference
Example Request
curl -X 'POST' \
'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/credential-status-service-api/status-credential/status/create' \
-H 'accept: */*' \
-H 'Authorization: Bearer {yourToken}' \
-H 'Content-Type: application/json' \
-d '{
"initialStatus": "0x0"
}'
Path Parameters
orgID: - When performing operations within an organization, it is essential to use the organization's Base URL or another valid host alias. For example, if your organization is namedtest, your default Base URL will betest.enterprise-sandbox.walt.devwhen using the sandbox environment.target: resourceIdentifier - The target indicates the organization + tenant + credential status service + credential status config ID in which to create a new status list entry.{organizationID}.{tenantID}.{credentialStatusServiceID}.{statusCredentialConfigID}), e.g.waltid.tenant1.status-service1.revocation-config
Update A Credential Status
Endpoint: /v1/{target}/credential-status-service-api/status-credential/status/update | API Reference
Example Request
curl -X 'PUT' \
'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/credential-status-service-api/status-credential/status/update' \
-H 'accept: */*' \
-H 'Authorization: Bearer {yourToken}' \
-H 'Content-Type: application/json' \
-d '{
"session": "waltid.tenant1.issuer-service.session1",
"status": "0x1"
}'
Path Parameters
orgID: - When performing operations within an organization, it is essential to use the organization's Base URL or another valid host alias. For example, if your organization is namedtest, your default Base URL will betest.enterprise-sandbox.walt.devwhen using the sandbox environment.target: resourceIdentifier - The target indicates the organization + tenant + credential status service + credential status config ID in which to create a new status list entry.{organizationID}.{tenantID}.{credentialStatusServiceID}.{statusCredentialConfigID}), e.g.waltid.tenant1.status-service1.revocation-config
Body
{
"session": "waltid.tenant1.issuer-service.session1",
"status": "0x1"
}
Body Parameters
session: The full path of the issuance session corresponding to the credential-offer-url, e.g.waltid.tenant1.issuer-service.session1.status: The string representing the hexadecimal value of the updated status, e.g.0x1.
The session id is available:
- at issuance (by parsing the credential offer URL)
- during issuance (via callback mechanism)
- post-issuance by retrieving it from the list of events through the /v1/events/query endpoint.
Updating Multiple Status Lists
When a credential has multiple status lists (only supported for BitstringStatusList), you can update any of the status lists associated with the credential by specifying the target status list in the target path parameter. The target should be the resource identifier of the specific status list you want to update (e.g. waltid.tenant1.credential-status-service1.config1).
Each status list can be updated independently using the same session ID, allowing you to manage different status purposes (such as revocation and suspension) separately.