In the default setup, issuers sign credentials with the wallet associated with their developer account. If an issuer wants to sign credentials with their own wallet, they can do so by providing a signing endpoint.

Warning: Delegated signature and encryption cannot currently be used together, so it is advised to also use delegated storage for sensitive data.

Template Creation

On template creation, customers can specify additional parameters:

  • Desired issuer DID
  • Signing endpoint
  • Auth token for the endpoint

{
  ...standard_template_params,
  delegatedSignature: {
    issuerDid: "did:polygon:<0xADDRESS>",
    endpoint: "string",
    token: "string"
  }
}

The credential flow remains the same, with one key difference: instead of calling wallet.signTypedData(payload) with our wallet, we send the payload to the specified endpoint. The endpoint should wrap the signTypedData call and perform the security checks needed to gate access and reject arbitrary payloads.

Request Payload

Crossmint will POST to the given endpoint with the following payload:

{
    "issuer": "<address>",
    "domain": "ethers.TypedDataDomain",
    "types": "Record<string, Array<ethers.TypedDataField>>",
    "message": "<credential_object_to_sign>",
    "token": "<auth_token>"
}

Response Format

The endpoint should return a response with the following format:

{
    "credential": "<credential_object_to_sign>",
    "issuer": "<address>",
    "signature": "string"
}
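
The following is an added example, not Crossmint's code: one way an issuer could gate the signing endpoint so that it only signs requests carrying the configured token, the expected issuer address, a pinned typed-data domain and allow-listed type names. The policy values, type names and the injected signTypedData wrapper are assumptions made for the example.

```javascript
// Added example: request gate for a delegated signing endpoint.
// `policy` values and `signTypedData` are assumptions supplied by the issuer.

// Constant-time comparison so the token check does not leak how many leading bytes matched.
function tokenMatches(given, expected) {
  const a = Buffer.from(String(given));
  const b = Buffer.from(String(expected));
  let diff = a.length ^ b.length;
  for (let i = 0; i < b.length; i++) diff |= (a[i] ?? 0) ^ b[i];
  return diff === 0;
}

// The request domain must have exactly the pinned fields and values.
function sameDomain(got, want) {
  const keys = Object.keys(want);
  return !!got && typeof got === "object" &&
    Object.keys(got).length === keys.length &&
    keys.every((k) => String(got[k]) === String(want[k]));
}

const reject = (status, error) => ({ status, body: { error } });

// body: parsed JSON of the POST; signTypedData: async (domain, types, message) => signature,
// for instance a thin wrapper around the issuer wallet's signTypedData.
async function handleSignRequest(body, policy, signTypedData) {
  const { issuer, domain, types, message, token } = body || {};
  if (typeof token !== "string" || !tokenMatches(token, policy.token))
    return reject(401, "invalid token");
  if (typeof issuer !== "string" || issuer.toLowerCase() !== policy.issuer.toLowerCase())
    return reject(403, "unexpected issuer");
  if (!sameDomain(domain, policy.domain)) return reject(400, "unexpected domain");
  const names = types && typeof types === "object" ? Object.keys(types) : [];
  if (names.length === 0 || !names.every((n) => policy.allowedTypes.includes(n)))
    return reject(400, "unexpected types");
  if (!message || typeof message !== "object") return reject(400, "missing message");
  const signature = await signTypedData(domain, types, message);
  // Response shape from the "Response Format" section.
  return { status: 200, body: { credential: message, issuer, signature } };
}

// Constructed sample policy; every value here is a placeholder.
const SAMPLE_POLICY = {
  token: "example-token-not-a-real-secret",
  issuer: "0x1111111111111111111111111111111111111111",
  domain: { name: "Example Domain", version: "1", chainId: 137 },
  allowedTypes: ["ExampleCredential", "ExampleSubject"],
};
```

Every rejection happens before the wallet is touched, so a request that fails any check never reaches signTypedData.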

DID

The issuer identity is represented by a DID. The DID is a string that uniquely identifies the issuer. The easiest way to provide a DID is to send the issuer wallet address as the DID:

{
    "issuer": "did:{chain}:{address}"
}

Web DID

Crossmint also supports Web DID. This allows the issuer to be identified by a domain name.

{
    "issuer": "did:web:issuer.com"
}

The issuer must have a DID document hosted at https://issuer.com/.well-known/did.json. The DID document needs to contain the following service stating the issuer wallet. The issuer wallet is the wallet that will be used to sign the credential.

{
    "id": "did:web:myissuer.com",
    "service": [
        {
            "id": "did:web:myissuer.com#wallet",
            "type": "wallet",
            "serviceEndpoint": "chain:<0xADDRESS>"
        }
    ]
    // ... other properties like verificationMethod, authentication, etc.
}