/discovery
Discovery document for standards-aware clients.
OB3 reference
Wallet Import & Credential Exchange
Reference for wallet import flows using OpenID4VCI, public badge offers, and browser wallet actions.
- OAuth 2.0 with PKCE
- OpenAPI schema
- Credential and profile routes
Reference Key routes
/credentials
Credential read access for the authenticated subject.
/profile
Profile synchronization for issuer-managed records.
OpenID4VCI
Pre-authorized code flow for wallet retrieval without requiring the learner to manage OAuth clients.
Badge page action
Compatible browser wallet flows can begin directly from the public badge experience.
/badges/:badgeIdentifier
Every exchange begins from the public badge URL and the signed credential record behind it.
Learner actions on badge pages
Section titled “Learner actions on badge pages”Scan or deep-link into a wallet
Learners can scan the credential-offer QR code or open a mobile deep link using the
openid-credential-offer:// scheme.
Use browser wallet actions or manual import
Compatible browsers can use wallet buttons directly, and JSON-LD downloads remain available for controlled manual import.
Endpoints
Section titled “Endpoints”/.well-known/openid-credential-issuer
Issuer discovery document exposed for wallet and exchange clients.
/credentials/offer
Creates a new credential offer from a public badge identifier.
/credentials/v1/offers/:badgeIdentifier
Returns the offer payload associated with the public badge record.
/credentials/v1/token
Exchanges a pre-authorized code for a short-lived wallet access token.
/credentials/v1/credentials
Returns the signed Open Badges 3.0 credential response body to the wallet client.
/badges/:badgeIdentifier/jsonld
Provides human-readable alias access to the JSON-LD credential for supported manual import flows.
Security model
Section titled “Security model”Security guardrails
Short-lived, single-use exchange primitives keep learner delivery constrained.
- Pre-authorized codes are single-use.
- Pre-authorized codes expire in 10 minutes.
- OID4VCI access tokens expire in 10 minutes.
- Credential responses are
Cache-Control: no-store.
Exchange sequence
Section titled “Exchange sequence”Create an offer. Generate the credential offer from a public badge identifier that resolves to an issued record.
Exchange the pre-authorized code. Wallet clients redeem the code for a short-lived access token.
Fetch the credential payload. The wallet requests the credential in
ldp_vcformat and stores the DataIntegrityProof-signed JSON-LD artifact locally.
End-to-end example
Section titled “End-to-end example”curl -sS https://credtrail.org/credentials/offer \ -H "content-type: application/json" \ -d '{"badgeIdentifier":"40a6dc92-85ec-4cb0-8a50-afb2ae700e22"}' | jqcurl -sS https://credtrail.org/credentials/v1/token \ -H "content-type: application/x-www-form-urlencoded" \ -d "grant_type=urn:ietf:params:oauth:grant-type:pre-authorized_code&pre-authorized_code=$PRE_AUTH_CODE" | jqcurl -sS https://credtrail.org/credentials/v1/credentials \ -H "Authorization: Bearer $OID4VCI_ACCESS_TOKEN" \ -H "content-type: application/json" \ -d '{"format":"ldp_vc"}' | jqRelated docs
Section titled “Related docs”Institution automationSee how institutional systems create and revoke the credential records that wallets later retrieve.Public verification and downloadsReview the shareable badge URLs and verification payloads that sit alongside wallet actions.Open Badges 3.0 APIReview discovery, OAuth, credential, and profile endpoints that back the same record system.