
Identifiers

Learn how to work with identifiers.

No matter your role in a credential-based interaction, you need an identifier. This page explains how the system uses identifiers and how to create the identifiers you need for your use cases.

Identifiers in Procivis One

The type of identifier you need is likely determined by the ecosystem in which you interact, for example: did:webvh for Swiss E-ID, X.509 certificates for ISO mdoc, and DIDs and keys for IETF SD-JWT VC.

To enable you to work flexibly across different ecosystems, Procivis One uses "identifier" as an abstraction. Create the identifiers you need. When you engage in an interaction, use the identifier appropriate to that interaction.

Identifier creation workflow

Use identifiers to represent your organization:

For issuers and verifiers with complex, multi-tenant organizations working across international borders and identity ecosystems, this could entail creating multiple identifiers of different types, for many different organizations. You can create as many identifiers for as many different organizations as you need.

For holders: the simplest setup is to create one identifier of each type needed. For example, if you are receiving credentials in an ecosystem that uses DIDs and keys, initialize the wallet with a DID and a key pair for signing.

Choosing types of identifiers

Your required identifiers depend on the ecosystem in which you operate. As a shortcut, identify the credential format you will use. Retrieve the configuration through the API and check that format's capabilities.

For example, suppose you know you will be working with IETF SD-JWT VC and your configuration includes this:

"format": {
  "SD_JWT_VC": {
    "type": "SD_JWT_VC",
    "display": "format.sdjwt_vc",
    "order": 200,
    "capabilities": {
      "issuanceIdentifierTypes": [ // List of compatible identifier types for issuing this format
        "KEY",
        "DID"
      ],
      "verificationIdentifierTypes": [ // List of compatible identifier types for verifying this format
        "KEY",
        "DID"
      ],
    },
  },
},

Then you know you can use keys or DIDs as an identifier, or both, but not certificates.
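The capability check described above can be run as a pre-flight step before you create identifiers. This is an added example, not code from Procivis One: it works on an already-retrieved configuration, and the sample configuration, the `EXAMPLE_FORMAT` entry, the `CERTIFICATE` type name and all function names are assumptions made for illustration.

```python
# Added example (not Procivis code): pre-flight check of identifier types.
# SAMPLE_CONFIG is constructed; "EXAMPLE_FORMAT" and "CERTIFICATE" are assumed.
SAMPLE_CONFIG = {
    "format": {
        "SD_JWT_VC": {
            "type": "SD_JWT_VC",
            "capabilities": {
                "issuanceIdentifierTypes": ["KEY", "DID"],
                "verificationIdentifierTypes": ["KEY", "DID"],
            },
        },
        "EXAMPLE_FORMAT": {  # hypothetical format with no verification list
            "type": "EXAMPLE_FORMAT",
            "capabilities": {"issuanceIdentifierTypes": ["CERTIFICATE"]},
        },
    }
}

ROLE_TO_CAPABILITY = {
    "issue": "issuanceIdentifierTypes",
    "verify": "verificationIdentifierTypes",
}


def allowed_identifier_types(config, fmt, role):
    """Identifier types the format lists for the role; empty set if unknown."""
    if role not in ROLE_TO_CAPABILITY:
        raise ValueError(f"unknown role: {role!r}")
    entry = config.get("format", {}).get(fmt) or {}
    listed = (entry.get("capabilities") or {}).get(ROLE_TO_CAPABILITY[role])
    # Fail closed: a missing or malformed list allows nothing.
    return set(listed) if isinstance(listed, list) else set()


def uncovered_interactions(config, planned, owned_types):
    """Planned (format, role) pairs that none of your identifier types can serve."""
    owned = set(owned_types)
    return [(f, r) for f, r in planned
            if not allowed_identifier_types(config, f, r) & owned]


def types_covering_all(config, planned):
    """Identifier types accepted by every planned (format, role) pair."""
    sets = [allowed_identifier_types(config, f, r) for f, r in planned]
    return set.intersection(*sets) if sets else set()
```

An empty result from `types_covering_all` means no single identifier type serves every planned interaction, so you need identifiers of more than one type.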

Identifiers and trust management

Trust management is an important layer of any digital identity ecosystem. Mechanisms of trust management are still in development for most ecosystems, but they generally involve a registry of identifiers for trusted ecosystem participants.

You can add your identifiers to the Procivis Trust Registry now. As ecosystems harden, new trust management solutions will be added.

Related guide: Trust management

Supported identifiers

All identifiers in the system are one of the following types.

Keys

Keys can be used:

  • To create DIDs
  • To create certificates
  • Independently, as an identifier for certain credential models

Because keys can be used in different ways, use the /api/key/v1 endpoint to create and manage keys. When you want to use a key as an identifier, create an identifier with the /api/identifier/v1 endpoint, referencing the existing key in the POST call.

Related guide: Keys

DIDs

Decentralized Identifiers (DIDs) are a commonly used identifier for credential models. Use the /api/identifier/v1 endpoint to create and manage DIDs as an identifier.

Alternatively, the system has legacy DID endpoints at /api/did/v1 that can be used to create and manage DIDs. When you use the POST method on the DID endpoint, the system automatically creates an identifier.

Related guide: DIDs

Certificates

IN DEVELOPMENT

Currently, you must create a DID to use a certificate (for example, a did:mdl for ISO mdoc issuance); soon you will be able to use certificates as identifiers.

Create an identifier

An identifier consists of:

  • Identifier name
  • Organization
  • Choice of identifier

The identifier name must be unique within the organization.

Choose the identifier

When you create an identifier, choose one and only one identifier type. The request body varies by the type of identifier you are creating. See the request body examples for each type of identifier:

{
  "name": "Example Identifier", // Mandatory identifier name
  "organisationId": "{{ORG-UUID}}", // Not required if using the Desk API
  "did": {
    "method": "WEB", // Reference the configured instance of your chosen DID method
    "name": "DID name", // Optional DID name
    "keys": {
      "authentication": ["{{KEY-UUID}}"],
      "assertionMethod": ["{{KEY-UUID}}"],
      "keyAgreement": ["{{KEY-UUID}}"],
      "capabilityInvocation": ["{{KEY-UUID}}"],
      "capabilityDelegation": ["{{KEY-UUID}}"]
    }
  }
}

Use an identifier

When you engage in an interaction, use the identifier appropriate to that interaction. You select your identifier at a different stage of interactions according to your role:

Reference your chosen identifier when you create a credential. When you issue that credential, your identifier will help the wallet holder know who you are via the trust management layer, and your identifier will be directly referenced in the issued credential.