
Issuer Architecture

Within decentralized identity systems, the issuer provides holders with verifiable credentials (VCs). This article provides an overview of the issuer component, detailing its internal structure, its relations to other components of the system, and the steps involved in a Verifiable Credential (VC) issuance flow.

The Parts of the Issuer Component

The issuer component is responsible for generating and issuing verifiable credentials (VCs) to a holder's wallet. It ensures proper authentication, authorization, and compliance with security measures before issuing credentials.

The issuer application, typically a website, is the first point of contact for holders seeking a credential. The authentication server, managed by the issuer, uses OAuth2 to confirm the holder’s identity before authorizing the credential issuance service to issue credentials.

The credential issuance service processes credential requests, verifying identity and authorization with the authentication server before issuing the credential to the holder's wallet. A wallet is typically a third-party app that securely stores and manages verifiable credentials. During issuance, it interacts with the issuer via a pre-authorized code, enabling the holder to receive, organize, and present credentials.

The registry stores issuer data and tracks credential revocations, allowing verifiers to confirm a credential’s validity over time.

[Figure: issuer-architecture]

The issuer component consists of:

  • Application: Usually a website deployed by an organization that issues credentials. Holders first interact with the application with the goal of obtaining a specific credential. It triggers the verification of the holder's identity via the authentication server and triggers the issuance process through the credential issuance service.
  • Authentication server: Deployed by the issuing organization. It is responsible for verifying the holder's identity using the OAuth2 standard. The authentication server ensures that the holder has undergone the necessary authentication process before allowing the credential issuance service to issue a credential.
  • Credential Issuance Service: This service processes credential requests and issues credentials. It verifies the identity and authorization status of the credential holder before issuance by checking with the authentication server before proceeding.

Issuance Flow

This sequence diagram illustrates the end-to-end process of authenticating a credential holder and securely issuing a credential to their wallet. It presents the required interactions between the issuer application, authentication server, credential issuance service, and the holder’s wallet in the order they occur.

[Figure: issuance-flow]

  1. The credential holder logs in to the issuer application and begins the authentication process.

  2. The application prompts the holder to authenticate via the authentication server, ensuring the holder’s identity is verified.

  3. The authentication server passes the authentication result back to the application.

  4. After the holder is successfully authenticated, the application notifies the holder that they can now begin the issuance process.

  5. The holder requests a credential from the application, which is forwarded to the credential issuance service.

  6. The credential issuance service prepares a Credential Offer, which includes metadata about the credential and a Pre-Authorized Code.

  7. The Credential Offer is sent to the holder’s wallet, either as a QR code or a URI.

  8. After the holder accepts the credential offer, the credential issuance service executes a sequence of communication exchanges—detailed in the OID4VCI issuance protocol—involving the user wallet, the credential issuance service, and the authentication server, resulting in the credential's delivery to the user wallet.

  9. As an optional step, you can configure the credential issuance service to share the issued credential with the application.
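The following is an added example, not code from the project this page documents, showing steps 6 through 8 of the flow above in miniature: the issuance service mints a single-use Pre-Authorized Code and wraps it in a Credential Offer, the offer is encoded as the `openid-credential-offer://` URI a QR code would carry, the wallet decodes and sanity-checks it, and the service consumes the code on first redemption. The JSON field names follow the OID4VCI pre-authorized code flow (the `credential_configuration_ids` name is from a later draft of the spec; earlier drafts called it `credentials`), and the issuer URL, credential identifiers and code lifetime are assumed values.

```python
import json
import secrets
import time
from urllib.parse import urlencode, parse_qs, urlparse

PRE_AUTH_GRANT = "urn:ietf:params:oauth:grant-type:pre-authorized_code"
CODE_TTL_SECONDS = 300  # assumed lifetime of a Pre-Authorized Code


def build_credential_offer(issuer_url, credential_ids, code_store, now=None):
    """Issuance-service side (step 6): mint a random single-use Pre-Authorized Code,
    remember what it may be redeemed for, and wrap it in a Credential Offer.
    code_store is a plain dict standing in for the service's persistent store."""
    code = secrets.token_urlsafe(32)
    code_store[code] = {"credential_ids": list(credential_ids),
                        "expires_at": (now or time.time()) + CODE_TTL_SECONDS}
    return {
        "credential_issuer": issuer_url,
        "credential_configuration_ids": list(credential_ids),
        "grants": {PRE_AUTH_GRANT: {"pre-authorized_code": code}},
    }


def offer_to_uri(offer):
    """Step 7: encode the offer by value into the URI that a QR code or deep link carries."""
    compact = json.dumps(offer, separators=(",", ":"))
    return "openid-credential-offer://?" + urlencode({"credential_offer": compact})


def parse_offer_uri(uri):
    """Wallet side: decode the URI and reject offers that lack what the pre-authorized flow needs."""
    parts = urlparse(uri)
    if parts.scheme != "openid-credential-offer":
        raise ValueError("unexpected URI scheme")
    query = parse_qs(parts.query)
    if "credential_offer" not in query:
        raise ValueError("only offers by value are handled here")
    offer = json.loads(query["credential_offer"][0])
    if not offer.get("credential_issuer", "").startswith("https://"):
        raise ValueError("credential_issuer must be an https URL")
    if not offer.get("credential_configuration_ids"):
        raise ValueError("offer names no credential")
    grant = offer.get("grants", {}).get(PRE_AUTH_GRANT, {})
    if not grant.get("pre-authorized_code"):
        raise ValueError("offer carries no Pre-Authorized Code")
    return offer


def redeem_pre_authorized_code(code_store, code, now=None):
    """Issuance-service side (step 8): the wallet presents the code at the token endpoint.
    The code is removed on first use, so a replayed or leaked offer cannot be redeemed twice."""
    entry = code_store.pop(code, None)
    if entry is None:
        raise PermissionError("unknown or already-used Pre-Authorized Code")
    if (now or time.time()) > entry["expires_at"]:
        raise PermissionError("Pre-Authorized Code expired")
    return entry["credential_ids"]
```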