User Credentials
Use the User Credentials service to create a user credential and get the credential status. To issue the credential to the user you must first create a credential type (automated) or create a credential type (managed). After you create a credential type, you can issue credentials to users two ways depending on the management.mode of the credential type:
-
If
management.modeisAUTOMATIC, you create a credential issuance rule and the service issues the credential to all users who match the rule. -
if
management.modeisMANAGED, you create a user credential or update a user credential and the service issues the credential to that user.
Regardless of management.mode, you can revoke a user credential, read all user credentials, read one user credential, or read one user credential wallets.
Assigning admin roles and permissions to this service
Admin role assignments determine access to PingOne APIs. When assigning admin roles to this service, refer to PingOne Permissions by Service for the service-specific permissions.
You can also choose to assign admin roles based on particular service resources. Refer to PingOne Permissions by Resource when assigning admin roles per service resources.
Admin assignments to roles are set by:
Refer to Roles Management for more information.
User Credentials data model
| Property | Type | Required | Mutable | Description |
|---|---|---|---|---|
|
DateTime |
N/A |
Read-only |
Date and time the user credential was created. |
|
String |
Required |
Immutable |
Identifier of the credential type. |
|
Object |
Optional |
Mutable |
Fields submitted for the credential. |
|
String |
Required/Optional |
Mutable |
Fields for user data. Refer to data object data model. |
|
Object |
Optional |
Immutable |
Object with flags related to storing credential data. Refer to demoDataStorage object data model. |
|
Boolean |
Optional |
Immutable |
Whether or not the credential |
|
Boolean |
N/A |
Read-only |
Whether or not the credential |
|
String |
N/A |
Read-only |
Identifier (UUID) of the environment associated with the user. |
|
DateTime |
Optional |
Mutable |
The date that the user credential expires. If this value is null, the credential never expires. |
|
String |
N/A |
Read-only |
Identifier (UUID) of the user credential. |
|
Object |
Optional |
Immutable |
Contains notification information. When this property is supplied, the information within is used to create a custom notification. |
|
String[] |
Optional |
Immutable |
Array of methods for notifying the user. Can be |
|
Object |
N/A |
Read-only |
Contains the results of attempts to notify the user. |
|
Object |
N/A |
Read-only |
Contains information regarding why a notification failed to send. |
|
String |
N/A |
Read-only |
Method used in the attempt to notify the user. Can be |
|
String |
N/A |
Read-only |
Identifier (UUID) of the notification that was sent. |
|
Boolean |
N/A |
Read-only |
Whether the notification was successfully sent. |
|
Object |
Optional |
Immutable |
Contains template parameters. |
|
String |
Optional |
Immutable |
The ISO 2-character language code used for the notification, for example: |
|
Object[] |
Required/Optional |
Immutable |
An object of name-value pairs that defines the dynamic variables used by the content variant. Required if the template requires variables, otherwise ignored. For more information on dynamic variables, refer to Dynamic variables. |
|
String |
Required |
Immutable |
The unique user-defined name for the content variant that contains the message text used for the notification. For more information on variants, refer to Creating custom contents. |
|
String |
N/A |
Read-only |
Status of the user credential. Can be |
|
String |
N/A |
Read-only |
Returned as defined in the credential type. |
|
DateTime |
N/A |
Read-only |
Date and time the credential type was last updated. Can be null. |
|
String |
Required |
Immutable |
Identifier (UUID) of the user. Supplied in the endpoint. |
The one notification.template object applies a variant and locale to all three credential notification templates: credential_issued, credential_updated, and credential_revoked. When adding a variant or locale to any of the three notification templates, consider adding the same variant or locale to the other notification templates. If a requested variant is not defined, the notification uses the default notification template. If a requested locale is not defined, the notification uses the user’s preferred language or, if the user has no preferred language, the default language of the environment.
Although notification.template is immutable, Update a User Credential can change notification.template on a specific credential for its life span.
data object data model
|
The Because the For non-production use, this rule has an exception as discussed in demoDataStorage object data model. |
The data object can only be used for Credential Types where its management.mode is MANAGED. Individual fields in data can only be used where the corresponding credential type’s metadata.fields.type is Alphanumeric Text. If the corresponding credential type’s metadata.fields.value is valued, that value represents a default for the field and can be overridden in Create a User Credential or Update a User Credential API requests.
The data object contains any number of keys, where the key is the title in metadata.fields that represents a specific attribute of the credential type required by the issuer. For example, an insurance company might have a metadata.fields.title of Endorsements and the corresponding data key would be Endorsements. These data fields must match the metadata.fields defined for the credential type in credentialType.id. For more information on fields, refer to the fields object in metadata object data model and the data types in fields.type types.
Whether any given data.<field> is required or optional depends on the corresponding fields.required and fields.value in the metadata object of the credential type. A data.<field> is required when fields.required is true and no fields.value exists and optional when fields.required is false or when fields.value has a value.
demoDataStorage object data model
When you create a user credential for a managed credential type, the request body can provide values for fields in data that are not extracted from directory attributes. The service applies the provided data to the credential but never stores that data. This means that the user must already have a paired digital wallet that the new credential can be provisioned to. If the user pairs a digital wallet after the user credential was created, or if the user wants to use a OID4VCI wallet, they cannot receive the credential because the service no longer has the data.
When demoDataStorage.storeUntilIssued is true, the service stores data until used when issuing the credential. The data object is discarded after the credential is issued. This allows for testing of the user credentials API without permanently storing data, which is ideal for testing non-production environments or for testing OID4VCI credential issuance.
|
Until the credential is issued and discarded, Therefore, |
Provisioned Credentials data model (credential)
This object is shared with digital wallets. It is returned only with Read One User Credential Wallets and Read One Digital Wallet Credentials. The former returns all digital wallets associated with the specified user credential, the latter returns all user credentials associated with the specified digital wallet.
| Property | Type | Required | Mutable | Description |
|---|---|---|---|---|
|
Object |
N/A |
Read-only |
The serialized JSON object used to create the ClaimReference object returned. This is needed to revoke an issued credential. |
|
DateTime |
N/A |
Read-only |
Date and time the credential was provisioned. |
|
String |
N/A |
Read-only |
Identifier (UUID) of the user credential associated with the provisioned credential. |
|
String |
N/A |
Read-only |
Identifier (UUID) of the digital wallet associated with the provisioned credential. |
|
String[] |
N/A |
Read-only |
Array of protocols used to retrieve the provisioned credential. Can be |
|
String |
N/A |
Read-only |
Identifier (UUID) of the environment associated with the provisioned credential. |
|
Date |
N/A |
Read-only |
The date that the provisioned credential expires. If this value is null, the provisioned credential never expires. |
|
String[] |
N/A |
Read-only |
Array of protocols used to retrieve the provisioned credential. Can be |
|
String |
N/A |
Read-only |
Identifier (UUID) of the provisioned credential. |
|
Object |
N/A |
Read-only |
Information about the wallet that used OpenID4VCI. |
|
String |
N/A |
Read-only |
Client identifier provided by the wallet that used OpenID4VCI. |
|
String |
N/A |
Read-only |
Decentralized identifier (DID) provided in the proof JWT during OpenID4VCI issuance used to identify the wallet instance. |
|
String |
N/A |
Read-only |
Protocol used to retrieve the provisioned credential. Can be |
|
String |
N/A |
Read-only |
Status of the provisioned credential. Can be |
|
String |
N/A |
Read-only |
Identifier (UUID) of the user associated with the provisioned credential. |
|
Object[] |
N/A |
Read-only |
Array of actions taken regarding the provisioned credential. |
|
String |
N/A |
Read-only |
Action taken regarding the provisioned credential. Can be |
|
DateTime |
N/A |
Read-only |
Date and time that the action occurred. |