Credential Offer
The Credential Offer is the starting point for issuer-initiated issuance. It tells the wallet what credentials are available and how to get them.
Offer Structure
A Credential Offer is a JSON object that identifies the issuer, lists available credentials, and specifies how the wallet should obtain them.
```json
{
  "credential_issuer": "https://issuer.example.com",
  "credential_configuration_ids": [
    "UniversityDegreeCredential"
  ],
  "grants": {
    "urn:ietf:params:oauth:grant-type:pre-authorized_code": {
      "pre-authorized_code": "adhjhdjajkdkhjhdj",
      "tx_code": {
        "input_mode": "numeric",
        "length": 6,
        "description": "Enter the 6-digit code sent to your phone"
      }
    }
  }
}
```

```json
{
  "credential_issuer": "https://issuer.example.com",
  "credential_configuration_ids": [
    "DriverLicenseCredential",
    "InsuranceCredential"
  ],
  "grants": {
    "authorization_code": {
      "issuer_state": "eyJhbGciOiJSU0Et..."
    }
  }
}
```

Offer Properties
| Property | Type | Required | Description |
|---|---|---|---|
| credential_issuer | string (URL) | Required | URL identifying the Credential Issuer. Used to fetch metadata. |
| credential_configuration_ids | Array<string> | Required | IDs of credentials being offered, matching keys in issuer metadata. |
| grants | object | Optional | Specifies which grant types can be used. If omitted, authorization_code is assumed. |
Grant Configuration
The grants object specifies which OAuth grant types can be used and provides necessary parameters for each.
| Property | Type | Required | Description |
|---|---|---|---|
| authorization_code.issuer_state | string | Optional | State to include in authorization request. Helps issuer correlate requests. |
| authorization_code.authorization_server | string | Optional | URL of authorization server if different from default. |
| pre-authorized_code.pre-authorized_code | string | Required | The pre-authorized code to exchange for tokens. |
| pre-authorized_code.tx_code | object | Optional | Describes expected transaction code format. |
When tx_code is present, the wallet must prompt the user for a PIN/code sent via a separate channel.

```jsonc
"tx_code": {
  "input_mode": "numeric",                      // "numeric" or "text"
  "length": 6,                                  // expected length
  "description": "Enter the code from your SMS" // user-facing (max 300 chars)
}
```

Transmission Methods
The Credential Offer can be transmitted by value (embedded) or by reference (URL).
By Value
The entire offer is URL-encoded in the credential_offer parameter.
```
openid-credential-offer://?credential_offer=<URL-encoded offer JSON>
```

By Reference
A URL points to the offer JSON. The wallet fetches it.
```
openid-credential-offer://?credential_offer_uri=https://issuer.example.com/offers/abc123
```

QR Code
Encode the offer URI as a QR code. The user scans it with the wallet app. Best for in-person scenarios (kiosk, printed material).
Deep Link
Use the openid-credential-offer:// scheme for mobile deep linking. Alternatively, use HTTPS with universal links.
Same-Device Flow
If the wallet and browser are on the same device, use an HTTPS redirect. The wallet intercepts the URL via app link handling.
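
An offer link reaches the wallet from an untrusted channel (QR code, deep link, redirect), so the wallet should validate it before fetching anything or prompting the user. The following is an added example, not code from the original page or from any wallet project: it parses both transmission methods and checks the offer against the property tables above. The function names and the https-only rule for credential_issuer, credential_offer_uri are assumptions of this example.

```python
import json
from urllib.parse import parse_qs, urlsplit

PRE_AUTH = "urn:ietf:params:oauth:grant-type:pre-authorized_code"

class OfferError(ValueError):
    """Raised when an offer link or offer object fails validation."""

def ensure(condition, message):
    if not condition:
        raise OfferError(message)

def is_https(url):
    return isinstance(url, str) and urlsplit(url).scheme == "https" and bool(urlsplit(url).netloc)

def validate_offer(offer):
    """Check a decoded offer against the property tables on this page."""
    ensure(isinstance(offer, dict), "offer must be a JSON object")
    ensure(is_https(offer.get("credential_issuer")), "credential_issuer must be an https URL")
    ids = offer.get("credential_configuration_ids")
    ensure(isinstance(ids, list) and ids and all(isinstance(i, str) and i for i in ids),
           "credential_configuration_ids must be a non-empty array of strings")
    # grants is optional; authorization_code is assumed when it is omitted.
    grants = offer.get("grants", {"authorization_code": {}})
    ensure(isinstance(grants, dict) and all(isinstance(g, dict) for g in grants.values()),
           "grants must be an object whose values are objects")
    pre = grants.get(PRE_AUTH)
    tx = pre.get("tx_code") if pre is not None else None
    if pre is not None:
        code = pre.get("pre-authorized_code")
        ensure(isinstance(code, str) and code, "pre-authorized_code is required for this grant")
    if tx is not None:
        ensure(isinstance(tx, dict) and tx.get("input_mode") in (None, "numeric", "text"),
               "tx_code must be an object with input_mode 'numeric' or 'text'")
        ensure(type(tx.get("length", 1)) is int and tx.get("length", 1) > 0, "bad tx_code.length")
        ensure(len(str(tx.get("description", ""))) <= 300, "description exceeds 300 characters")
    return {"issuer": offer["credential_issuer"], "ids": ids,
            "grants": sorted(grants), "needs_tx_code": tx is not None}

def parse_offer_link(link):
    """Return ("offer", summary) for a by-value link, ("fetch", url) for by-reference."""
    query = parse_qs(urlsplit(link).query)
    by_value, by_ref = query.get("credential_offer", []), query.get("credential_offer_uri", [])
    ensure(len(by_value) + len(by_ref) == 1, "need exactly one offer parameter")
    if by_ref:
        ensure(is_https(by_ref[0]), "credential_offer_uri must be an https URL")
        return "fetch", by_ref[0]
    try:
        return "offer", validate_offer(json.loads(by_value[0]))
    except json.JSONDecodeError as exc:
        raise OfferError("credential_offer is not valid JSON") from exc
```

For a by-reference link, the JSON fetched from the returned URL should be passed through `validate_offer` as well before the wallet acts on it.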