A robust microservice designed for creating, managing, and verifying W3C-compliant Verifiable Credentials (VCs). This service allows organizations to issue credentials, link them to Decentralized Identifiers (DIDs), and enable secure, privacy-preserving verification across multiple platforms.
- Verifiable Credentials: Issue credentials for a wide range of use cases, including identity verification, employment, education, and more, with full compliance to W3C standards.
- Decentralized Identifiers (DIDs): Associate VCs with DIDs, enabling portable and self-sovereign identities that users control.
- Interoperability & Portability: Supports cross-industry use, allowing credentials to be reused and verified across different platforms without re-registration or data duplication.
- Privacy by Design: Minimal disclosure and secure storage, ensuring that only necessary information is shared during verifications.
- Revocation Support: Includes mechanisms to revoke credentials, ensuring that only valid credentials can be verified.
- Verifiable Presentations: Generate and verify presentations of credentials to prove claims in a trusted and decentralized manner.
- Microservice Architecture: Built as part of a modular and containerized microservice ecosystem, easily integratable into broader decentralized identity solutions.
- Issuer, Holder, Verifier Roles: The service supports a complete lifecycle of identity management by addressing the needs of issuers, credential holders, and verifiers.
- Create Verifiable Credentials: Issue credentials with unique IDs, expiration dates, and digital signatures.
- Manage DIDs: Integrate with the DID management service to use existing DIDs as issuers.
- Dynamic Payloads: Include issuer DID and subject details in the POST request payload.
- REST API: Expose endpoints for creating, retrieving, and revoking credentials.
Sequence Diagram:
sequenceDiagram
participant Issuer
participant DIDService
participant IssuerService
participant Holder
participant PresentationService
participant Verifier
participant VerificationService
Issuer->>DIDService: POST /dids (Create DID for Holder)
DIDService-->>Issuer: Return DID
Issuer->>IssuerService: POST /credentials (Issue Credential with Holder DID)
IssuerService-->>Issuer: Return Credential
Issuer->>Holder: Send Credential
Holder->>PresentationService: POST /presentations (Create Presentation with Credential)
PresentationService-->>Holder: Return Presentation ID
Holder->>Verifier: Send Presentation ID
Verifier->>VerificationService: GET /presentations/{id} (Request Presentation)
VerificationService->>PresentationService: Fetch Presentation Data
PresentationService-->>VerificationService: Return Presentation Data
VerificationService->>DIDService: GET /dids/resolver (Resolve DID)
DIDService-->>VerificationService: Return DID Document
VerificationService->>VerificationService: Verify Presentation
VerificationService-->>Verifier: Return Verification Result
Verifier->>Holder: Return Verification Status
Data Flow Diagram:
graph TD
IssuerService["Issuer Service"]
HolderService["Holder Service"]
VerifierService["Verifier Service"]
ResolverService["Resolver Service"]
DIDService["DID Service"]
subgraph DID Creation
IssuerService -->|Creates DID| DIDService
end
subgraph Credential Issuance
IssuerService -->|Issues Credential| HolderService
end
subgraph Credential Verification
HolderService -->|Presents Credential| VerifierService
end
VerifierService -->|Queries| ResolverService
IssuerService -->|Queries| ResolverService
DIDService -->|Stores DID Document| ResolverService
ResolverService -->|Resolves DID| IssuerService
ResolverService -->|Resolves DID| VerifierService
- Go 1.19 or higher
- PostgreSQL 12+
- Docker 20+
Step-by-step instructions on how to install the project.
- Clone the repository:
git clone https://github.com/tumy-tech-labs/credential-service.git
cd credential-service- Start up in Docker
docker compose up -d --buildThis is currently limited to creating a DID for Issuers. When creating the DID it will generate a private and public key and store the private key in a hashicorp vault.
TODO: Create DID's for Holders and Verifiers as well.
Request:
curl -X POST http://localhost:8080/v1/dids \
-H "Content-Type: application/json" \
-d '{
"organization_id": "org123"
}'Response:
{
"@context": "https://www.w3.org/ns/did/v1",
"id": "did:key:z6M52fX64ItBn_w-GybPu9P6U3-kOO1F5MSpCfHrheKb0k",
"publicKey": [
{
"id": "did:key:z6M52fX64ItBn_w-GybPu9P6U3-kOO1F5MSpCfHrheKb0k#keys-1",
"type": "Ed25519VerificationKey2018",
"controller": "did:key:z6M52fX64ItBn_w-GybPu9P6U3-kOO1F5MSpCfHrheKb0k",
"publicKeyBase58": "52fX64ItBn_w-GybPu9P6U3-kOO1F5MSpCfHrheKb0k"
}
],
"createdAt": "2024-10-07T22:47:10Z",
"organization_id": "orgABC"
}Request:
curl -X GET http://localhost:8080/v1/dids/resolver?did=did:key:z6MnewDIDhereResponse:
{
"did": "did:key:z6MnewDIDhere",
"document": { ... } // DID Document details
}When Issuing the credentials, provide the DID that you created in the previous steps.
Request Payload:
{
"issuerDid": "did:key:z6MyourIssuerDIDhere",
"subject": {
"name": "Jane Doe",
"email": "[email protected]",
"phone": "+3214567890"
}
}Example Request:
curl -X POST http://localhost:8080/v1/credentials \
-H "Content-Type: application/json" \
-d '{
"issuerDid": "did:key:z6MyourIssuerDIDhere",
"subject": {
"name": "Jane Doe",
"email": "[email protected]",
"phone": "+3214567890"
}
}'Response:
{
"@context": "https://www.w3.org/2018/credentials/v1",
"id": "credential-id",
"type": ["VerifiableCredential", "EmploymentCredential"],
"issuer": "did:key:z6MyourIssuerDIDhere",
"issuanceDate": "2024-09-05T00:00:00Z",
"expirationDate": "2025-09-05T00:00:00Z",
"credentialSubject": {
"id": "did:key:z6MsubjectDIDhere",
"name": "Jane Doe",
"email": "[email protected]",
"phone": "+3214567890"
},
"signature": "i9CASyhzQD1nDL/gpzacq0etT5jCAuH7MPHYU9WA7p/0yrirtD2Y4Mdg8G8dEr6kMgqenpWt5MP/5MaYkhUtDg=="
}This is currently not working.
Request:
curl -X GET http://localhost:8080/v1/credentialsResponse:
[
{
"id": "credential-id",
"issuer": "did:key:z6MyourIssuerDIDhere",
"subject": { ... },
"issuanceDate": "2024-09-05T00:00:00Z",
"expirationDate": "2025-09-05T00:00:00Z",
"signature": "signature-value"
},
...
]Request:
curl -X DELETE http://localhost:8080/v1/credentials/credential-idResponse:
{
"message": "Credential revoked successfully."
}Request:
curl -X POST http://localhost:8080/v1/presentations \
-H "Content-Type: application/json" \
-d '{
"holderDid": "did:key:z6MholderDIDhere",
"credentials": ["credential-id"]
}'Response:
{
"presentationId": "presentation-id"
}Request:
curl -X GET http://localhost:8080/v1/presentations/presentation-idResponse:
{
"presentationId": "presentation-id",
"credentials": [ ... ]
}Request:
curl -X GET http://localhost:8080/v1/verifications/presentation-idResponse:
{
"presentationId": "presentation-id",
"verificationStatus": "verified"
}To test the connection to Vault, you can run the following command inside your Docker container:
curl -X GET http://localhost:8200/v1/sys/health \
-H "X-Vault-Token: your-vault-token"Replace your-vault-token with your actual Vault token. A successful response will confirm that the Vault service is healthy.
Details about any configuration options (e.g., environment variables, config files).
Environment Variables:
DATABASE_URL=postgres://cred-service:cred-service-1@postgres:5432/credential-service
PORT=8080
VAULT_ADDR=http://vault:8200
VAULT_TOKEN=your-vault-tokenThe Holder Service is a microservice responsible for receiving, storing, and presenting verifiable credentials issued by the Issuer Service. It ensures compliance with W3C standards and provides an API for interaction with the credentials.
- Receive Credentials: Accepts verifiable credentials from the Issuer Service and stores them in memory.
- Present Credentials: Allows users to present stored credentials for verification to third parties.
- Validation: Validates incoming credentials to ensure they meet required standards.
-
Endpoint:
/v1/holder/receive -
Method:
POST -
Description: Receives a verifiable credential and stores it in memory.
-
Request Body:
{ "@context": [ "https://www.w3.org/2018/credentials/v1" ], "type": [ "VerifiableCredential" ], "id": "string", "issuer": "string", "issuanceDate": "string", "expirationDate": "string", "credentialSubject": { "email": "string", "id": "string", "name": "string", "phone": "string" }, "proof": { "type": "string", "created": "string", "proofValue": "string", "proofPurpose": "string", "verificationMethod": "string" } }
- Endpoint:
/v1/holder/present - Method:
GET - Description: Presents all stored credentials for verification.
- Response:
- Returns an array of stored credentials.
-
Run the Holder Service: Ensure Docker is running and use the following command to start the service:
docker-compose up --build
-
Test the API: Use tools like
curlor Postman to interact with the API:
-
To receive a credential:
curl -X POST http://localhost:8082/v1/holder/receive -d '{"your":"data"}' -H "Content-Type: application/json"
-
To present stored credentials:
curl -X GET http://localhost:8082/v1/holder/present
- The Holder Service currently stores credentials in memory for simplicity. Future implementations may include persistent storage.
- Ensure that the service adheres to W3C standards for verifiable credentials.
Instructions for running tests, if applicable.
Example:
go test ./...Here's an updated section for the README.md that covers the new Verifier service:
The Verifier Service is responsible for validating Verifiable Presentations (VPs) received from the Holder Service. It ensures the authenticity and integrity of the Verifiable Credentials (VCs) within the VP and verifies the proofs attached by both the issuer and the holder. This service adheres to the W3C standards for Verifiable Credentials and Verifiable Presentations.
- Accepts Verifiable Presentations (VPs) from the Holder.
- Validates the signature (proof) from both the holder and issuer.
- Checks the integrity of the Verifiable Credential (VC), including expiration and issuer authenticity.
- Built as a microservice to integrate into the credential verification ecosystem.
This endpoint receives a Verifiable Presentation (VP) from the Holder service and validates the included Verifiable Credentials.
-
Request The payload is a JSON object containing a Verifiable Presentation (VP). The VP includes one or more Verifiable Credentials (VCs) issued by an issuer and presented by the holder.
Example Request Payload:
{ "@context": ["https://www.w3.org/2018/credentials/v1"], "type": ["VerifiablePresentation"], "verifiableCredential": [ { "@context": ["https://www.w3.org/2018/credentials/v1"], "type": ["VerifiableCredential"], "id": "977a9b78-f48b-4d50-a847-10b33b802877", "issuer": "did:key:z6MsjAXl18xWy-kgyxn2OJiu3EhSCd6-mnWWztrxhD_1w4", "issuanceDate": "2024-09-21T21:57:25Z", "expirationDate": "2025-09-21T21:57:25Z", "credentialSubject": { "id": "did:example:1dab09d7-9dee-4013-8812-fc401794c672", "email": "[email protected]", "name": "John Doe", "phone": "+1234567890" }, "proof": { "type": "Ed25519Signature2018", "created": "2024-09-21T21:57:25Z", "proofValue": "U0lHTkFUVVJF", "proofPurpose": "assertionMethod", "verificationMethod": "did:key:z6MsjAXl18xWy-kgyxn2OJiu3EhSCd6-mnWWztrxhD_1w4#keys-1" } } ], "holder": "did:key:z6MsjAXl18xWy-kgyxn2OJiu3EhSCd6-mnWWztrxhD_1w4", "proof": { "type": "Ed25519Signature2018", "created": "2024-09-21T22:05:30Z", "proofPurpose": "authentication", "verificationMethod": "did:key:z6MsjAXl18xWy-kgyxn2OJiu3EhSCd6-mnWWztrxhD_1w4#keys-1", "proofValue": "SOME_PROOF_SIGNATURE" } } -
Response: The response will indicate whether the presentation and credentials were successfully verified or not.
Example Success Response:
{ "status": "success", "message": "Verifiable Presentation and Credentials are valid." }Example Failure Response:
{ "status": "error", "message": "Invalid signature or credential." }
-
Starting the Service: You can start the verifier service using Docker by building the container as specified in the
docker-compose.ymlfile. The service listens on port8083by default. -
Sending a Verification Request: To send a Verifiable Presentation for verification, you can use
curlor any HTTP client:curl -X POST http://localhost:8083/v1/verifier/verify \ -H "Content-Type: application/json" \ -d '{ "@context": ["https://www.w3.org/2018/credentials/v1"], "type": ["VerifiablePresentation"], "verifiableCredential": [ ... ], "holder": "did:key:holderDID", "proof": { ... } }'
-
Debugging:
The verifier service includes basic logging for tracking verification attempts and their outcomes. Use the logs to troubleshoot failed verifications.
The Verifier Service is designed in compliance with the W3C Verifiable Credentials and Verifiable Presentations standards.
How others can contribute to the project.
- Fork the repository.
- Create a new branch (git checkout -b feature-branch).
- Commit your changes (git commit -am 'Add new feature').
- Push the branch (git push origin feature-branch).
- Open a Pull Request.
This project is licensed under the Apache2 License - see the LICENSE file for details.
How to connect for support or issues.
Email: [email protected]
GitHub: tumy-tech-labs