Credential Access
Public access to a wallet's credentials from the credential registry or the DPP page can be restricted to specific users or to users who fulfill certain conditions. This is done by creating access rules and associating them with the wallet.
Access Rules
Access rules define the conditions under which a user can access a credential. They are evaluated when a user tries to access the credential registry. If the user fulfills the conditions defined in the access rule, they can access the credential.
Creating an access rule is done by sending a POST request to the following endpoint:
POST {{host}}/access-rules?organizationId={{organization_id}}
DATA
{
  "slug": "<string - a unique human readable identifier for the access rule>",
  "templateId": "<uuid - credential template affected by the rule>",
  "type": "<enum: Internal, OAuth2 - access rule type>",
  "properties": "<object - additional access properties>"
}
NOTE: If multiple access rules are defined for a template, the user has to fulfill the conditions of only one of the access rules to access the credential.
Assigning Access Rules
Access rules have to be assigned in order to be active. This can be done during the creation of the wallet, using either the POST /wallets endpoint or the POST /dpp endpoint, or afterwards by updating the wallet using the PUT /wallets/{{wallet_id}} endpoint.
POST {{host}}/dpp?organizationId={{organizationId}}
{
  "createWalletParams": {
    "profileId": "{{dpp-profile-id}}",
    "name": "product-x",
    "tags": [ ... ],
    "settings": { ... },
    "additionalProperties": { ... },
    "assignAccessRules": [
      {
        "slug": "<first access rule slug>"
      },
      {
        "slug": "<second access rule slug>"
      }
    ]
  },
  "createDPPCredentialsParams": [ ... ]
}
Internal Access Rule
Internal access rules restrict access to organization members only. A user has to be authenticated against VERA's auth server and hold a membership in the organization that owns the wallet with one of the following roles: Admin, Member or Auditor.
POST {{host}}/access-rules?organizationId={{organization_id}}
DATA
{
  "slug": "<string - a unique human readable identifier for the access rule>",
  "templateId": "<uuid - credential template affected by the rule>",
  "type": "Internal",
  "properties": {}
}
For Internal rules the properties value is an empty object; the role check needs no further configuration.
NOTE: To read more on user Invitations, see the User Roles section.
OAuth2 Access Rule
OAuth2 access rules offer more granular control over the allowed users, based on the bearer token they present. Access is granted to users that have a valid token and fulfill the conditions defined in the access rule properties:
POST {{host}}/access-rules?organizationId={{organization_id}}
DATA
{
  "slug": "<string - a unique human readable identifier for the access rule>",
  "templateId": "<uuid - credential template affected by the rule>",
  "type": "OAuth2",
  "properties": {
    "email": "<string[], optional - array of emails that will be granted access>",
    "sub": "<string[], optional - array of userIds that will be granted access>"
  }
}
The request's bearer token is parsed and validated against VERA's auth server only. If the token is valid and the user is authenticated, the user is granted access to the credential when the token's email or sub claim matches one of the values listed in the access rule properties.
NOTE: The only allowed auth server at the moment is VERA's auth server.
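The following is an added reference model of how the rules described on this page combine at evaluation time; it is not VERA's own code. It models the documented semantics only: several rules may protect one template and satisfying any one of them is enough, an Internal rule needs an authenticated member of the owning organization with role Admin, Member or Auditor, and an OAuth2 rule needs a validated token whose email or sub claim is listed in the rule's properties and which was issued by VERA's auth server. Token signature and expiry validation is assumed to have already happened; the issuer value, organization and template ids, slugs and claim values are constructed placeholders.

```python
"""Reference model of VERA access-rule evaluation (added example, not VERA's code)."""
from dataclasses import dataclass, field
from typing import Optional

INTERNAL_ROLES = {"Admin", "Member", "Auditor"}

# Placeholder for the only accepted auth server; the documentation gives no URL.
TRUSTED_ISSUER = "https://auth.vera.example"


@dataclass
class AccessRule:
    slug: str
    template_id: str
    type: str                                       # "Internal" or "OAuth2"
    properties: dict = field(default_factory=dict)


@dataclass
class Caller:
    """What the registry knows about the requester after authentication."""
    authenticated: bool = False
    org_roles: dict = field(default_factory=dict)   # organization id -> role
    token_claims: Optional[dict] = None             # already-validated token claims


def internal_rule_allows(caller: Caller, organization_id: str) -> bool:
    """Internal: authenticated member of the owning organization with an allowed role."""
    return caller.authenticated and caller.org_roles.get(organization_id) in INTERNAL_ROLES


def oauth2_rule_allows(caller: Caller, rule: AccessRule) -> bool:
    """OAuth2: token from the trusted issuer whose email or sub claim is listed."""
    claims = caller.token_claims
    if not claims or claims.get("iss") != TRUSTED_ISSUER:
        return False  # no token, or a token issued by a foreign auth server
    allowed_emails = set(rule.properties.get("email") or [])
    allowed_subs = set(rule.properties.get("sub") or [])
    # Both lists are optional; a rule that lists neither grants nobody access.
    return claims.get("email") in allowed_emails or claims.get("sub") in allowed_subs


def evaluate_access(rules, template_id, organization_id, caller) -> Optional[str]:
    """Return the slug of the first rule that grants access, or None when denied.

    Rules for other templates are skipped. The first satisfied rule wins, which
    is the documented "only one of the rules has to be fulfilled" behaviour.
    """
    for rule in rules:
        if rule.template_id != template_id:
            continue
        if rule.type == "Internal" and internal_rule_allows(caller, organization_id):
            return rule.slug
        if rule.type == "OAuth2" and oauth2_rule_allows(caller, rule):
            return rule.slug
    return None


# Constructed sample data: one template protected by an Internal rule and an
# OAuth2 rule, plus a rule for an unrelated template that must not leak access.
ORG = "org-constructed"
TEMPLATE = "template-constructed"
RULES = [
    AccessRule("staff-only", TEMPLATE, "Internal"),
    AccessRule("partner-auditors", TEMPLATE, "OAuth2",
               {"email": ["auditor@partner.example"]}),
    AccessRule("unrelated", "other-template", "OAuth2", {"sub": ["user-42"]}),
]


if __name__ == "__main__":
    member = Caller(authenticated=True, org_roles={ORG: "Member"})
    partner = Caller(token_claims={"iss": TRUSTED_ISSUER,
                                   "email": "auditor@partner.example", "sub": "p-1"})
    stranger = Caller(token_claims={"iss": TRUSTED_ISSUER, "sub": "user-42"})
    for name, caller in [("member", member), ("partner", partner), ("stranger", stranger)]:
        print(f"{name:8s} -> {evaluate_access(RULES, TEMPLATE, ORG, caller)}")
```

The three callers in the usage block exercise the three outcomes a practitioner should check: an organization member passes through the Internal rule, a partner whose email is listed passes through the OAuth2 rule, and a user listed only in a rule for a different template is denied even though their token is valid and comes from the trusted issuer.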