Issuance
Issue a Microsoft Entra Verified ID verifiable credential using the walt.id Issuer API. The credential will be issued using the OID4VC standard and can be received by any compliant wallet (walt.id web wallet, Microsoft Authenticator App).
The holder must use a did:web based on secp256k1 or Ed25519, a did:jwk using Ed25519, or secp256r1, or a did:ion.
Before we can issue credentials, we need to have the following in place.
- Azure account with Microsoft Verified ID enabled.
- Credential To Issue - A registered credential (manifest) in Microsoft Verified ID.
- Azure App - An Azure App to authenticate against the Microsoft APIs.
Now we will be using the walt.id issuer API to generate an OID4VC credential offer URL which can be rendered as a QR or provided as link for compliant wallets to scan or use.
Request
Endpoint: /entra/issue
Example Request
curl -X 'POST' \
'https://issuer.portal.walt.id/entra/issue' \
-H 'accept: */*' \
-H 'Content-Type: application/json' \
-d '{
"authorization": {
"clientId": "<clientId>",
"clientSecret": "<clientSecret>",
"tenantId": "<tenantId>",
"scope": "3db474b9-6a0c-4840-96ac-1fceb342124f/.default"
},
"data": {
"authority": "<IssuerDID>",
"claims": {
"firstName": "Max",
"lastName": "Mustermann",
"jobTitle": "Manager"
},
"manifest": "https://verifiedid.did.msidentity.com/v1.0/tenants/a8671fa1-780f-4af1-8341-cd431da2c46d/verifiableCredentials/contracts/810b31c3-af84-ea32-4f81-237924b396ea/manifest",
"type": "VerifiableCredential, VerifiedCredentialEmployeeID"
}
}
'
Body
{
"authorization": {
"clientId": "<clientId>",
"clientSecret": "<clientSecret>",
"tenantId": "<tenantId>",
"scope": "3db474b9-6a0c-4840-96ac-1fceb342124f/.default"
},
"data": {
"authority": "<IssuerDID>",
"claims": {
"firstName": "Max",
"lastName": "Mustermann",
"jobTitle": "Manager"
},
"manifest": "https://verifiedid.did.msidentity.com/v1.0/tenants/a8671fa1-780f-4af1-8341-cd431da2c46d/verifiableCredentials/contracts/810b31c3-af84-ea32-4f81-237924b396ea/manifest",
"type": "VerifiableCredential, VerifiedCredentialEmployeeID"
}
}
Body Parameters
authorization
- Authentication parameters needed by the Issuer API to interact with Microsoft's APIs.
clientId
- Found on overview page of you registered App in Microsoft Azure. Guide.clientSecret
- Found on the Certificate & Secrets section in the registered app. Guide.tenantId
- Found under "Organization Settings" when visiting Verified ID overview page in Azure. Link.scope
- hardcoded value3db474b9-6a0c-4840-96ac-1fceb342124f/.default
data
- data and config for credential to issue
authority
- The DID of the issuer. Must be a did that your Azure account manages. Default DID can be found under " Organization Settings" when visiting Verified ID overview page in Azure. Link.claims
- an object containing key value pairs of the claims that can be included in the credential based on the credential manifest rules definition. See example below. IMPORTANT: The key you provide in theclaims
object should match theinputClaim
value in the rules definition.manifest
- This holds theManifest URL
of the credential to be issued. You can find it on the "Details" page of the credential in your Verified ID account overview.type
- It will always hold the following structure "VerifiableCredential, <TheTypeOfYourCredential>". E.g., based on the Example Rules below it would be "VerifiableCredential, VerifiedCredentialEmployeeID"
Example Rules Definition
{
"attestations": {
"idTokenHints": [
{
"mapping": [
{
"outputClaim": "firstName",
"required": false,
"inputClaim": "firstName",
"indexed": false
},
{
"outputClaim": "lastName",
"required": false,
"inputClaim": "lastName",
"indexed": false
},
{
"outputClaim": "jobTitle",
"required": false,
"inputClaim": "jobTitle",
"indexed": false
}
],
"required": false
}
]
},
"validityInterval": 2592000,
"vc": {
"type": [
"VerifiedCredentialEmployeeID"
]
}
}
Example Response
The API will respond with an OpenID Offer URL, which can be rendered as QR code or a link to supported wallets. You can receive all credentials via the walt.id web-wallet or the Microsoft Authenticator App.
openid-vc://?request_uri=https://verifiedid.did.msidentity.com/v1.0/tenants/a8671fa1-780f-4af1-8341-cd431da2c46d/verifiableCredentials/issuanceRequests/8b777f76-51fb-4f9c-8892-d4e00b0f8f8d