Delegated Signature
In the default setup, issuers sign credentials with the wallet associated with their developer account. If an issuer wants to sign credentials with their own wallet, they can do so by providing a signing endpoint.
Warning: Delegated signature and encryption cannot currently be used together, so it is advised to also use delegated storage for sensitive data.
Template Creation
On template creation, customers can specify additional parameters:
- Desired issuer DID
- Signing endpoint
- Auth token for the endpoint
{
  ...standard_template_params,
  delegatedSignature: {
    issuerDid: "did:polygon:<0xADDRESS>",
    endpoint: "string",
    token: "string"
  }
}
The credential flow remains the same, with one key difference. Instead of calling wallet.signTypedData(payload) with our wallet, we hit the specified endpoint with the payload. The endpoint should just wrap the signTypedData call and perform the due security checks to gate the endpoint and avoid signing arbitrary payloads.
Request Payload
Crossmint will POST to the given endpoint with the following payload:
{
  "issuer": "<address>",
  "domain": "ethers.TypedDataDomain",
  "types": "Record<string, Array<ethers.TypedDataField>>",
  "message": "<credential_object_to_sign>",
  "token": "<auth_token>"
}
Response Format
The endpoint should return a response with the following format:
{
  "credential": "<credential_object_to_sign>",
  "issuer": "<address>",
  "signature": "string"
}
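One way to gate such an endpoint, as an added example that is not Crossmint's code: it checks the token in constant time and rejects requests whose issuer, domain or types differ from what the issuer expects before anything is signed. The configuration values, the allowed type names and the function names are assumptions; the signer is injected (for instance wallet.signTypedData from ethers v6).

```javascript
// Added example: request gate for a delegated signing endpoint (not Crossmint's code).
const { createHash, timingSafeEqual } = require("node:crypto");

// Constructed configuration; every value here is an assumption for illustration.
const CONFIG = {
  issuer: "0x1111111111111111111111111111111111111111", // wallet this service signs for
  token: "constructed-auth-token",                      // token set on the template
  domainName: "Example Credential Domain",              // expected EIP-712 domain name
  chainId: 137,                                         // expected EIP-712 chainId
  allowedTypes: ["VerifiableCredential", "Issuer"],     // type names this issuer signs
};

// Compare fixed-length digests so neither length nor content leaks through timing.
function tokenMatches(presented, expected) {
  if (typeof presented !== "string") return false;
  const digest = (s) => createHash("sha256").update(s, "utf8").digest();
  return timingSafeEqual(digest(presented), digest(expected));
}

const deny = (status, error) => ({ ok: false, status, error });

// Check the POST body fields (issuer, domain, types, message, token) before signing.
function checkSigningRequest(body, cfg) {
  if (body === null || typeof body !== "object") return deny(400, "bad body");
  if (!tokenMatches(body.token, cfg.token)) return deny(401, "bad token");
  if (typeof body.issuer !== "string" || body.issuer.toLowerCase() !== cfg.issuer.toLowerCase())
    return deny(403, "unexpected issuer");
  const d = body.domain;
  if (!d || d.name !== cfg.domainName || Number(d.chainId) !== cfg.chainId)
    return deny(403, "unexpected domain");
  const names = body.types && typeof body.types === "object" ? Object.keys(body.types) : [];
  if (names.length === 0 || !names.every((n) => cfg.allowedTypes.includes(n)))
    return deny(403, "unexpected types");
  if (body.message === null || typeof body.message !== "object")
    return deny(400, "missing message");
  return { ok: true };
}

// signTypedData is injected, e.g. (d, t, m) => wallet.signTypedData(d, t, m) with ethers v6.
async function handleSign(body, cfg, signTypedData) {
  const check = checkSigningRequest(body, cfg);
  if (!check.ok) return { status: check.status, body: { error: check.error } };
  const signature = await signTypedData(body.domain, body.types, body.message);
  return { status: 200, body: { credential: body.message, issuer: body.issuer, signature } };
}
```

Because the auth token travels in the request body, the endpoint should only be reachable over HTTPS and should keep the body out of its logs.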
DID
The issuer identity is represented by a DID. The DID is a string that uniquely identifies the issuer. The easiest way to provide a DID is to send the issuer wallet address as the DID:
{
  "issuer": "did:{chain}:{address}"
}
Web DID
Crossmint also supports Web DID. This allows the issuer to be identified by a domain name.
{
  "issuer": "did:web:issuer.com"
}
The issuer must have a DID Document hosted at https://issuer.com/.well-known/did.json.
The DID document needs to contain the following service stating the issuer wallet. The issuer wallet is the wallet that will be used to sign the credential.
{
  "id": "did:web:myissuer.com",
  "service": [
    {
      "id": "did:web:myissuer.com#wallet",
      "type": "wallet",
      "serviceEndpoint": "chain:<0xADDRESS>"
    }
  ]
  // ... other properties like verificationMethod, authentication, etc.
}