Verifiable Credentials (VC) can be used to store sensitive information. In such cases, it’s crucial to use encrypted credentials to ensure data privacy and security.

The encryption process is designed so that only the credential subject and the credential issuer have the ability to decrypt the credential. This ensures that sensitive information is only accessible to the relevant parties.

Once the credential is decrypted, it can be verified by anyone. This allows for the credential’s authenticity to be confirmed while still maintaining the privacy of its content.

The process of encryption and decryption can be automated using the Crossmint API and SDK. This provides a seamless and secure way to handle sensitive information within Verifiable Credentials.

Create an encrypted credential collection

To issue encrypted credentials, simply add the encrypted field to the collection creation request.

{
  "metadata": {
    "name": "Collection Name",
    "description": "Encrypted credentials collection"
  },
  "chain": "polygon",
  "credentials": {
    "type": "MyCustomType",
    "encryption": true
  }
}

Credentials issued from this collection will be encrypted by default.

Encrypted credential object

An encrypted credential consists of a ‘credentialId’ and a base64 encoded encrypted payload.

{
  "credentialId": "urn:uuid:<credential_id>",
  "payload": "base64_encoded_cipher_text"
}

Retrieve an encrypted credential

Certain endpoints for retrieving a clear credential will not be available for encrypted credentials. Crossmint cannot access the content of an encrypted credential, so retrieval by NFT will be unavailable.

GET https://staging.crossmint.com/api/unstable/credentials/{credentialId}

The response object will be:

{
  "encryptedCredential": {
    "credentialId": "urn:uuid:<credential_id>",
    "payload": "base64_encoded_cipher_text"
  },
  "decryptedCredential": "<CREDENTIAL_OBJ> | error_msg"
}

GET https://staging.crossmint.com/api/unstable/collections/{collectionId}/nfts/{requestId}/credentials
GET https://staging.crossmint.com/api/unstable/nfts/{nftLocator}/credentials

Decrypt a credential

It is possible to seamlessly decrypt a credential using the @crossmint/client-sdk-verifiable-credentials SDK. Only the credential subject and the credential issuer wallets can decrypt the credential.

NOTE: Hitting the GET credentials/{credentialId} endpoint as the issuer will automatically decrypt the credential for you and return both the clear and chipertext

Encryption Details

Encryption and decryption are performed leveraging the LIT protocol.

This allows for attribute-based encryption and decryption. During credential creation, the Crossmint API encrypts the credential and sets an access rule that only the credential subject and the credential issuer can decrypt the credential. The Crossmint SDK wraps the LIT protocol to provide a seamless decryption experience. It uses the user’s wallet to authenticate itself to the LIT protocol and then decrypts the credential.