Skip to main content

Issue Credential

In this walkthrough, John Doe adds his Wayfinder Sky Pass to his mobile wallet. Wayfinder acts as the issuer: it shows John a credential offer, his wallet runs the OpenID4VCI flow, and John signs in to authorize. The pass then lands in the wallet, carrying his tier, name, and member ID.

Prerequisites

Complete Set Up Your Environment before starting this walkthrough.

Background

The Decentralized Identity overview covers the issuer–holder–verifier trust triangle behind this use case.

Try the Use Case

  1. Open http://localhost:5173 and select Sign in. Sign in as John (john.doe / john.doe).
  2. Open the account menu and select Profile. The Wayfinder Sky Pass panel shows John's pass — tier Gold, John Doe, member ID WF-100245 — and a QR code.
  3. Open your wallet (Heidi or Lissi) and scan the QR. The wallet reads the credential offer from ThunderID and starts the issuance flow. The wallet may warn that the issuer is unverified — this is expected for a local development setup using a self-signed certificate. Proceed past the warning.
  4. When the wallet prompts you to sign in to authorize, sign in again as John (john.doe / john.doe) on the ThunderID login page rendered in the wallet.
  5. Approve the request. The wallet receives and stores the Sky Pass. John now holds a verifiable credential issued by Wayfinder.

What happened

  • The offer QR encodes a credential_offer_uri pointing at ThunderID. The wallet fetched the issuer metadata, ran an authorization_code flow (PAR → authorize → token) scoped to wayfinder-skypass, then called the credential endpoint.
  • ThunderID minted an SD-JWT VC: the claims (tier, full_name, member_id, given_name, family_name, email) come straight from John's profile, and each is individually disclosable — the wallet decides what to reveal later.
  • The credential is bound to a holder key the wallet generated (cnf), so only that wallet can present it.

Try a Variant

  • Change John's tier to Silver on his profile (or in the Console) and re-add the pass — the card and the issued credential update to match.
  • Issue to a second wallet. Each wallet gets its own holder-key-bound copy of the same pass.
  • Skip the Wayfinder app entirely: in the Console go to Verifiable CredentialsTemplates, click Generate offer next to the Wayfinder Sky Pass, and scan the QR that appears. The same OpenID4VCI flow runs — the wallet still authenticates John and receives the credential — but the offer comes straight from ThunderID rather than through the app.

Going Deeper

ThunderID LogoThunderID Logo

Product

DocsAPIsSDKs
© WSO2 LLC. All rights reserved.Privacy PolicyCookie Policy