Revoke a claimed email credential

Understanding the need for revocation

Revocation is a critical feature for managing the lifecycle of credentials. It ensures that invalid or compromised credentials are no longer accepted. Common scenarios requiring revocation include:

• The credential has expired or is no longer valid.

• There has been a security issue (e.g., compromised credential data).

• The subject no longer satisfies the conditions of the credential (e.g., a license has been rescinded).

• Issuers need to maintain trust by ensuring revoked credentials cannot be misused.

Prepare a valid claimed credential

Before revoking a credential, ensure you have the following:

1. Credential ID. Obtain the unique identifier for the credential. This ID was generated when the credential was created.

   • If the ID is lost, use the "Credential Offer Pagination" endpoint to retrieve a paginated list of all credentials.

$API_KEY=INSERT_YOUR_API_KEY_HERE
$IDENTITY_ENV_ID=426f1ce15bf3df70
$ISSUER_API_BASE_URL=https://identity.nchainplatform.com/products/web/$IDENTITY_ENV_ID/issuer/api
curl --location '$ISSUER_API_BASE_URL/private/credential-offers' \
--header 'X-API-KEY: $API_KEY'

• Claim Status: Verify that the credential has been claimed by a holder before proceeding with revocation. Use the "Retrieve Credential Offer" endpoint to fetch the credential's details. Check the status field to confirm that the credential has been claimed.

curl --location 'ISSUER_API_BASE_URL/private/credential-offers/<CREDENTIAL_ID>' \
--header 'X-API-KEY: $API_KEY'

Revoke the credential

Using the Issuer API, you can revoke a credential by calling the Revoke endpoint. Provide the Credential ID and, optionally, a revocation reason for better tracking and auditing.

The endpoint also supports bulk actions, allowing you to revoke multiple credentials in a single request, making it efficient for managing large-scale revocations.

curl --location --request PATCH '$ISSUER_API_BASE_URL/private/credential-offers/revoke' \
--header 'X-API-KEY: $API_KEY' \
--header 'Content-Type: application/json' \
--data '{
    "revoke": [
        {
            "id": "<CREDENTIAL_ID>",
            "revocationReason": "email compromised"
        }
    ]
}'

Replace the placeholder values in $ISSUER_API_BASE_URL and $API_KEY with the actual values for your setup. For the revocation data, provide the real UUID value for <CREDENTIAL_ID> and include a revocation reason if applicable (the revocationReason field is optional).

Upon a successful response, the revoked credential data will be included in the revocations array. Check the status field in the response, which should display revoked. You can also verify the credential's status using the "Retrieve Credential Offer" endpoint.