Breyta

Call the Request Service REST API

  • Grein

Microsoft Entra Verified ID includes the Request Service REST API. This API allows you to issue and verify credentials. This article shows you how to start using the Request Service REST API.

API access token

Your application needs to include a valid access token with the required permissions so that it can access the Request Service REST API. Access tokens issued by the Microsoft identity platform contain information (scopes) that the Request Service REST API uses to validate the caller. An access token ensures that the caller has the proper permissions to perform the operation they're requesting.

To get an access token, your app must be registered with the Microsoft identity platform and be authorized by an administrator for access to the Request Service REST API. If you haven't registered the verifiable-credentials-app application, see how to register the app and then generate an application secret.

Get an access token

Use the OAuth 2.0 client credentials grant flow to acquire the access token by using the Microsoft identity platform. Use a trusted library for this purpose. In this tutorial, we use the Microsoft Authentication Library (MSAL). MSAL simplifies adding authentication and authorization to an app that can call a secure web API.

POST /{tenant}/oauth2/v2.0/token HTTP/1.1           //Line breaks for clarity
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
&scope=3db474b9-6a0c-4840-96ac-1fceb342124f/.default
&client_secret=sampleCredentia1s
&grant_type=client_credentials

In the preceding code, provide the following parameters:

Parameter Condition Description
Authority Required The directory tenant the application plans to operate against. For example: https://login.microsoftonline.com/{your-tenant}. (Replace your-tenant with your tenant ID or name.)
Client ID Required The application ID that's assigned to your app. You can find this information in the Azure portal, where you registered your app.
Client secret Required The client secret that you generated for your app.
Scopes Required Must be set to 3db474b9-6a0c-4840-96ac-1fceb342124f/.default. This setting produces an access token with a roles claim of VerifiableCredential.Create.All.

For more information about how to get an access token by using a console app's identity, see one of the following articles:

You can also access a token request with a certificate instead of a client secret.

POST /{tenant}/oauth2/v2.0/token HTTP/1.1   //Line breaks for clarity
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=12345678-0000-0000-00000000000000000
&scope=3db474b9-6a0c-4840-96ac-1fceb342124f/.default
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
&client_assertion=eyJhbGciOiJSUzI1NiIsIng1dCI6Imd4OHRHeXN5amNScUtqRlBuZDdSRnd2d1pJMCJ9.eyJ{a lot of characters here}M8U3bSUKKJDEg
&grant_type=client_credentials

Call the API

To issue or verify a verifiable credential:

  1. Construct an HTTP POST request to the Request Service REST API. The tenant ID isn't needed in the URL anymore because it's present as a claim in the access token.

    Issue

    POST https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/createIssuanceRequest

    Verify

    POST https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/createPresentationRequest

  2. Attach the access token as a bearer token to the authorization header in an HTTP request.

    Authorization: Bearer <token>

  3. Set the Content-Type header to Application/json.

  4. Prepare and attach the issuance or presentation request payload to the request body.

  5. Submit the request to the Request Service REST API.

The Request Service API returns an HTTP Status Code 201 Created on a successful call. If the API call returns an error, check the error reference documentation.

Issuance request example

The following example demonstrates a verifiable credentials issuance request. For information about the payload, see Request Service REST API issuance specification.

POST https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/createIssuanceRequest
Content-Type: application/json
Authorization: Bearer  <token>

{...JSON payload...}

Issuance request using the idTokenHint attestation flow:

{
    "includeQRCode": false,
    "callback": {
        "url": "https://contoso.com/api/issuer/issuanceCallback",
        "state": "de19cb6b-36c1-45fe-9409-909a51292a9c",
        "headers": {
            "api-key": "OPTIONAL API-KEY for CALLBACK EVENTS"
        }
    },
    "authority": "did:web:verifiedid.contoso.com",
    "registration": {
        "clientName": "Verifiable Credential Expert Sample"
    },
    "type": "VerifiedCredentialExpert",
    "manifestUrl": "https://verifiedid.did.msidentity.com/v1.0/12345678-0000-0000-0000-000000000000/verifiableCredentials/contracts/VerifiedCredentialExpert1",
    "pin": {
        "value": "3539",
        "length": 4
    },
    "claims": {
        "given_name": "Megan",
        "family_name": "Bowen"
    }
}

For the complete code, see one of the following code samples:

Presentation request example

The following example demonstrates a verifiable credentials presentation request. For information about the payload, see Request Service REST API presentation specification.

POST https://verifiedid.did.msidentity.com/v1.0/verifiableCredentials/createPresentationRequest
Content-Type: application/json
Authorization: Bearer  <token>

{...JSON payload...}

Presentation request for a credential with a certain type and issuer:

{
  "includeQRCode": true,
  "callback": {
    "url": "https://contoso.com/api/verifier/presentationCallback",
    "state": "92d076dd-450a-4247-aa5b-d2e75a1a5d58",
    "headers": {
      "api-key": "OPTIONAL API-KEY for CALLBACK EVENTS"
    }
  },
  "authority": "did:web:verifiedid.contoso.com",
  "registration": {
    "clientName": "Veritable Credential Expert Verifier"
  },
  "includeReceipt": true,
  "requestedCredentials": [
    {
      "type": "VerifiedCredentialExpert",
      "purpose": "So we can see that you a veritable credentials expert",
      "acceptedIssuers": [
        "did:web:verifiedid.contoso.com"
      ],
      "configuration": {
        "validation": {
          "allowRevoked": true,
          "validateLinkedDomain": true
        }
      }
    }
  ]
}

For the complete code, see one of the following code samples:

Callback events

The request payload contains the issuance and presentation callback endpoint. The endpoint is part of your web application and should be publicly available via the HTTPS protocol. The Request Service API calls your endpoint to inform your app on certain events. For example, such events might be when a user scans the QR code, uses the deep link to the authenticator app, or finishes the presentation process.

The following diagram describes the call your app makes to the Request Service REST API and the callbacks to your application.

Diagram that shows the call to the API and the callback events.

Configure your endpoint to listen to incoming HTTP POST requests. The following code snippet demonstrates how to handle the issuance callback HTTP request and how to update the UI accordingly:

Not applicable. Choose one of the other programming languages.

Next steps

Learn more about these specifications: