Issuing Credentials
The issuer is the entity responsible for creating and issuing credentials within the AIR Credential ecosystem. It defines schemas, issues Verifiable Credentials, and manages the lifecycle of credentials.
As an Issuer, you are responsible for issuing Verifiable Credentials to users. Follow these steps to integrate and manage the credential issuance process.
Backend API Alternative
For server-side credential issuance without client interaction, see Issue Credentials on Behalf. That API allows you to issue credentials directly from your server.
Issuing Credentials (SDK)
Step 1: Set Up an Issuance Program
- Use the Developer Dashboard to create an issuance program (Issuer -> Programs).
- While creating the program, search for the schema for the credentials you intend to issue, and check the attributes to be included (e.g., name, age, nationality, etc.). It is highly recommended to search for an existing schema so that credentials are interoperable across platforms and can be recognized, displayed, or verified by any verifier. If there are no suitable schemas available, please contact us, or you may create your own schema.
- Publish the program and take note of the program ID.
Step 2: Collect User Data
Securely authenticate and retrieve your user's data within your existing application.
Step 3: Generate Auth Token
Generate a Partner JWT securely with your backend server, and include scope=issue to limit its scope.
Step 4: Issue Credentials
To encrypt the user's data and create a verified credential on-chain, simply call the issueCredential() function in AIR Kit.
```typescript
public async issueCredential({
  authToken,
  issuerDid,
  credentialId,
  credentialSubject,
  curve,
}: {
  authToken: string;
  issuerDid: string;
  credentialId: string;
  credentialSubject: Record<string, unknown>;
  curve?: "secp256r1" | "secp256k1";
}): Promise<{ cakPublicKey?: string }>
```

| Parameter | Type | Description |
|---|---|---|
| authToken | `string` | Your signed Partner JWT, with scope=issue. |
| issuerDid | `string` | Your Issuer DID. |
| credentialId | `string` | Program ID for the credential being issued. |
| credentialSubject | `Record<string, unknown>` | Object containing the credential's claims and attributes for the subject. |
| curve | `"secp256r1" \| "secp256k1"` | Optional. Elliptic curve for compliance encryption key generation. Defaults to secp256r1 (P-256). |
Response: Returns an object with cakPublicKey (Compliance Encryption User Public Key) if compliance encryption is enabled for the issuance program. The public key is deterministically derived from [User – Issuer – Schema] and can be used to encrypt compliance data before issuance. Throws an error if issuance fails.
Under the hood, AIR Kit generates a Verifiable Credential based on the issuance program and schema, pushes the VC on-chain, and stores the encrypted data in decentralized storage. During this process, the raw user data and private keys stay on the client side and are not exposed to Moca's servers.
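A pre-flight wrapper around the issueCredential() call in Step 4, as an added example that is not part of AIR Kit or of the original documentation. It assumes the Partner JWT carries `scope` and `exp` as top-level claims and that `programAttrs` lists the attributes selected in your issuance program; `Issuer`, `checkIssuance` and `issueChecked` are hypothetical names.

```typescript
// Added example: client-side checks before handing data to issueCredential().
type Subject = Record<string, unknown>;
interface IssueParams {
  authToken: string; issuerDid: string; credentialId: string;
  credentialSubject: Subject; curve?: "secp256r1" | "secp256k1";
}
// Local structural type for whatever object exposes issueCredential().
interface Issuer { issueCredential(p: IssueParams): Promise<{ cakPublicKey?: string }>; }

// Decode (NOT verify) the JWT payload; signature verification stays server-side.
function decodeClaims(jwt: string): Record<string, unknown> {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("authToken is not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "===".slice((b64.length + 3) % 4); // restore stripped padding
  return JSON.parse((globalThis as any).atob(padded));
}

// Returns the subject that will be sent: exactly the program's attributes.
function checkIssuance(p: IssueParams, programAttrs: string[], nowSec: number): Subject {
  const claims = decodeClaims(p.authToken);
  // Assumption: scope=issue appears as a top-level `scope` claim.
  if (claims.scope !== "issue") throw new Error("Partner JWT must carry scope=issue");
  if (typeof claims.exp === "number" && claims.exp <= nowSec) throw new Error("Partner JWT is expired");
  // Data minimisation: refuse attributes the program does not declare.
  const extra = Object.keys(p.credentialSubject).filter((k) => programAttrs.indexOf(k) < 0);
  if (extra.length) throw new Error("attributes not in program: " + extra.join(", "));
  const missing = programAttrs.filter((k) => p.credentialSubject[k] == null);
  if (missing.length) throw new Error("missing attributes: " + missing.join(", "));
  const subject: Subject = {};
  for (const k of programAttrs) subject[k] = p.credentialSubject[k];
  return subject;
}

async function issueChecked(kit: Issuer, p: IssueParams, programAttrs: string[]) {
  const credentialSubject = checkIssuance(p, programAttrs, Math.floor(Date.now() / 1000));
  return kit.issueCredential({ ...p, credentialSubject });
}
```

Pass your AIR Kit service instance as `kit`; a rejected call never reaches issuance, so an over-scoped token or an unexpected PII field fails before any data leaves your application code.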
Compliance Encryption Public Key
When compliance encryption is enabled for your issuance program (configured in the Developer Dashboard), the issueCredential function returns a cakPublicKey (Compliance Encryption User Public Key) in the response. This feature allows issuers to:
- Obtain a user-specific public key before credential issuance
- Encrypt additional compliance data for regulated disclosure or threshold decryption workflows
- Use a deterministic key that is tied to the [User – Issuer – Schema] composite identifier
The public key is derived from the user's Identity Wallet by signing EIP-712 structured data. You can specify the elliptic curve using the optional curve parameter:
- secp256r1 (P-256) - Default, recommended for most use cases
- secp256k1 - Alternative curve option
The same public key will be returned for the same user, issuer, and schema combination, allowing you to retrieve it without first issuing a credential if needed.
Tips
- Use the Developer Dashboard to view and manage issued credentials (Issuer -> Records). In cases where credentials need to be invalidated, use the Revoke function in the Dashboard.
- Use the Chain Explorer to find the record of the on-chain transaction related to issuance (Credentials -> Issuance).
Best Practices for Issuers (SDK)
- Only issue credentials after thorough validation of submitted evidence or claims.
- Minimize inclusion of personally identifiable information—issue privacy-preserving credentials whenever possible.
- Adopt open, standardized schemas to maximize compatibility and reduce verification friction across apps.
- Implement robust expiry and revocation processes, and ensure that holders and verifiers are informed of credential status.
- Respect user sovereignty at all stages; credentials should be under full user control and portable across the ecosystem.