Verification Policies

For verifying verifiable credentials, the SSI-Kit offers a wide range of predefined static and parameterized verification policies, which are ready to use and designed for common use cases. For more complex verification, custom policies can be created using a policy execution engine such as the Open Policy Agent.

Static Verification Policies

Static policies are predefined and cover a variety of common use cases, enabling developers to verify credentials without having to dive into dynamic or custom policy creation and scripting languages. Some of these policies include SignaturePolicy, JsonSchemaPolicy, ValidFromBeforePolicy, ExpirationDateAfterPolicy, and more.

Learn more about Static Verification Policies.

Parameterized Verification Policies

Parameterized policies are a type of policy that requires certain parameters or arguments for their execution.

Learn more about Parameterized Verification Policies.

Dynamic Verification Policies

Dynamic policies offer a more customized approach to credential verification, enabling even the most complex of use-cases. Policies can be created based on different policy engine languages.

Learn more about Dynamic Verification Policies.

Static Policies

Static verification policies are predefined for verifying credentials in standard use cases. The following tables list the static policies supported by SSI-Kit along with their arguments.

General policies

| Name | Description | Argument |
| --- | --- | --- |
| SignaturePolicy | Verifies the signature of the W3C Verifiable credential. | None |
| JsonSchemaPolicy | Verifies against the associated JSON schema. Note that the attribute credentialSchema must be set and the JSON schema must be accessible by the http URL. | None |
| ValidFromBeforePolicy | Verifies the credentials based on their valid-from date | None |
| ExpirationDateAfterPolicy | Verifies the credentials based on their expiration date | None |
| ChallengePolicy | Verifies challenge | ChallengePolicyArg, which contains specific challenges to check against. |
| VpTokenClaimPolicy | Verify verifiable presentation by OIDC/SIOPv2 VP token claim. | VpTokenClaim |
| CredentialStatusPolicy | Verifies credentials based on their status | None |

EBSI/ESSIF Specific Policies

| Name | Description | Argument |
| --- | --- | --- |
| EbsiTrustedSchemaRegistryPolicy | Verify by EBSI Trusted Schema Registry. Checks performed: • credential schema id has the correct format | None |
| EbsiTrustedIssuerDidPolicy | Verify by trusted issuer did. Checks performed: • issuer did is resolvable against EBSI | None |
| EbsiTrustedIssuerRegistryPolicy | Verify by EBSI Trusted Issuer Registry record. Checks performed: • issuer has any record on trusted registry having an authorization claim matching the VC schema • issuer's TIR record contains a VerifiableId credential • the authorized claim record (from p.1) has the type provided as argument to the policy • issuer's accreditation is valid - verifies against EbsiTrustedIssuerAccreditationPolicy | EbsiTrustedIssuerRegistryPolicyArg |
| EbsiTrustedSubjectDidPolicy | Verify by trusted subject did. Checks performed: • subject did is resolvable against EBSI | None |
| EbsiTrustedIssuerAccreditationPolicy | Verify by issuer's authorized claims. Checks performed: • fetches the attribute specified by the termsOfUse property • checks whether the credential stored as the attribute body has the required accreditation claims to match the current VC schema | None |
| IssuedDateBeforePolicy | Verify by issuance date. | None |

GAIA-X specific policies

| Name | Description | Argument |
| --- | --- | --- |
| GaiaxTrustedPolicy | Verify Gaiax trusted fields. | None |
| GaiaxSDPolicy | Verify Gaiax SD fields. | None |

Parameterized Policies

Some policies may require a parameter or argument for execution. The parameter is indicated in the policy list output, together with the expected data type.

Using A Parameterized Policy

Please refer to the SSI-Kit setup section to execute the command successfully. Let's verify a credential using the parameterless SignaturePolicy and the ChallengePolicy, which takes a parameter.

ssikit vc verify \
-p SignaturePolicy \
-p ChallengePolicy='{"challenges": ["362df5ec-37ab-46a7-aa71-767d8f277b69"]}' \
src/test/resources/rego/VerifiableId.json

Flags

  • -p, --policy: Verification policy. Can be specified multiple times. By default, SignaturePolicy is used. To specify a policy argument (if required), use the format PolicyName='{"myParam": "myValue", ...}', to specify the JSON object directly, or PolicyName=path/to/arg.json, to read the argument from a JSON file.

The Challenge Policy

It checks that the challenge of the credential is one of the challenges given in the ChallengePolicyArg argument.

Please refer to the SSI-Kit setup section to serve the API. Use the /v1/verify endpoint in the Auditor API to verify a credential:

curl -X 'POST' \
  'http://127.0.0.1:7003/v1/verify' \
  -H 'accept: application/json' \
  -H 'Content-Type: text/plain' \
  -d '{
  "policies": [
    {
      "policy": "SignaturePolicy"
    }, 
    {
      "policy": "ChallengePolicy",
      "argument": {
        "challenges": [ "362df5ec-37ab-46a7-aa71-767d8f277b69" ]
      }
    }
  ],
  "credentials": [
     {
      "@context" : [ "https://www.w3.org/2018/credentials/v1" ],
      [...]
    }
  ]
}'

Body

{
  "policies": [
    {
      "policy": "SignaturePolicy"
    }, 
    {
      "policy": "ChallengePolicy",
      "argument": {
        "challenges": [ "362df5ec-37ab-46a7-aa71-767d8f277b69" ]
      }
    }
  ],
  "credentials": [
     {
      "@context" : [ "https://www.w3.org/2018/credentials/v1" ],
      [...]
    }
  ]
}
  • policies: [array] A list of policy definitions to verify against

    • policy: [string] The name/id of the policy

    • argument: [JSON] The argument needed by the policy (if required)

  • credentials: [array] An array of credentials in JWT, or LD_PROOF format

Removing Dynamic Policies

Removing a Dynamic Policy

Please refer to the SSI-Kit setup section to execute the command successfully.

ssikit vc policies remove -n MyCustomPolicy

  • -n, --name: name of the dynamic policy to remove

Please refer to the SSI-Kit setup section to serve the API.

curl -X 'DELETE' \
  'http://127.0.0.1:7003/v1/delete/{{name}}' \
  -H 'accept: */*'

Path parameters:

  • policyName: [string] Name of the policy to delete

Dynamic Policies | Data Classes

Dynamic Policy Argument

A dynamic policy requires an argument of the DynamicPolicyArg type, defined as follows:

data class DynamicPolicyArg (
    val name: String = "DynamicPolicy",
    val description: String? = null,
    val input: Map<String, Any?>,
    val policy: String,
    val dataPath: String = "\$",
    val policyQuery: String = "data.system.main",
    val policyEngine: PolicyEngineType = PolicyEngineType.OPA,
    val applyToVC: Boolean = true,
    val applyToVP: Boolean = false
)

The properties are as follows:

  • name: The policy name. Defaults to "DynamicPolicy".

  • description: An optional description of the policy.

  • input: A generic map (JSON object) holding the input data required by the policy. If no input is required, this can be an empty map.

  • policy: The policy definition. Can be a file path, URL, JSON Path (if policy is defined in a credential property), or the policy script directly.

  • dataPath: The path to the credential data to be verified. Defaults to the entire credential object ($). If you want to use only the credential subject as verification data, specify the JSON path like this: $.credentialSubject.

  • policyQuery: The query string in the policy engine language. Defaults to "data.system.main".

  • policyEngine: The engine used for policy execution. Defaults to OPA (Open Policy Agent).

  • applyToVC: Determines whether this policy should apply to verifiable credentials. Defaults to true.

  • applyToVP: Determines whether this policy should apply to verifiable presentations. Defaults to false.

Policy Execution and Input Data

The policy is executed by the specified policy engine, with the Open Policy Agent currently being the only supported engine. OPA receives an input object containing the dynamic policy's input parameter and the credential data configured in the policy argument.

The input object for the policy engine is structured as follows:

data class PolicyEngineInput(
    val credentialData: Map<String, Any?>,
    val parameter: Map<String, Any?>?
)

This structure allows the REGO policy definition to access the input properties as follows:

  • input.parameter: The input object defined in the DynamicPolicyArg's input property.

  • input.credentialData: The credential data selected by the JSON path provided in the DynamicPolicyArg's dataPath property.
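The coupling between dataPath, policyQuery and the references inside a policy, as an added example that is not part of the SSI-Kit documentation or code base: the subject policy from the SSI-Kit test resources with OPA unit tests over constructed input objects. The subject_only rule, the test names and the did:example DIDs are assumptions made for illustration, and the syntax is the pre-1.0 Rego used on this page.

```rego
package system

# The subject policy from src/test/resources/rego/subject-policy.rego,
# written for dataPath "$": credentialData is the whole credential.
default main = false

main {
    input.parameter.user == input.credentialData.credentialSubject.id
}

# Hypothetical variant for dataPath "$.credentialSubject": credentialData is
# the subject object itself. Select it with policyQuery "data.system.subject_only".
default subject_only = false

subject_only {
    input.parameter.user == input.credentialData.id
}

# Constructed inputs shaped like PolicyEngineInput (placeholder DIDs).
whole_credential = {
    "parameter": {"user": "did:example:alice"},
    "credentialData": {"credentialSubject": {"id": "did:example:alice"}}
}

subject_data = {
    "parameter": {"user": "did:example:alice"},
    "credentialData": {"id": "did:example:alice"}
}

test_main_accepts_matching_subject {
    main with input as whole_credential
}

test_main_rejects_other_subject {
    not main with input as {
        "parameter": {"user": "did:example:bob"},
        "credentialData": {"credentialSubject": {"id": "did:example:alice"}}
    }
}

# dataPath and rule disagree: the reference is undefined, the default applies.
test_main_rejects_subject_only_data {
    not main with input as subject_data
}

# No parameter supplied: the comparison is undefined, so main stays false.
test_main_rejects_missing_parameter {
    not main with input as {"credentialData": {"credentialSubject": {"id": "did:example:alice"}}}
}

test_subject_only_accepts_subject_data {
    subject_only with input as subject_data
}
```

Save it as a .rego file and run `opa test` on it; each test evaluates a rule against one input object, so a policy can be checked before it is registered with SSI-Kit.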

Creating Dynamic Policies

Example of a Rego policy

Creating a Sample Policy using Rego

A simple Rego policy that takes a credential subject as input and verifies the subject DID against a given parameter would look like this:

package system

default main = false

main {
    input.parameter.user == input.credentialData.credentialSubject.id
}

This policy file is located in the SSI-Kit test resources: src/test/resources/rego/subject-policy.rego

Executing a Policy On-The-Fly

Please refer to the SSI-Kit setup section to execute the command successfully.

ssikit vc verify -p DynamicPolicy='{ "policy": "src/test/resources/rego/subject-policy.rego",
  "input": { "user": "did:key:z6MkgERd8hghGSBndxduiXtUdbYmtbcX9TeNdAL2BAhvXoAp" } }' \
  src/test/resources/rego/VerifiableId.json

Saving a Dynamic Policy

You can save the policy by name, which simplifies its usage in future verifications.

Please refer to the SSI-Kit setup section to execute the command successfully. Example:

ssikit vc policies create \
    -n "MyCustomPolicy" \
    -D "Verifies credential subject against a provided DID" \
    -p src/test/resources/rego/subject-policy.rego \
    -i '{ "user": "did:key:z6MkgERd8hghGSBndxduiXtUdbYmtbcX9TeNdAL2BAhvXoAp" }'

Flags:

  • -n, --name: Policy name, must not conflict with existing policies

  • -D, --description: Optional policy description

  • -p, --policy: Path or URL to policy definition. e.g.: rego file for OPA policy engine

  • -i, --input: Input JSON object for rego query, which can be overridden/extended on verification. Can be a JSON string or JSON file

  • -d, --data-path: JSON path to the data in the credential which should be verified, default: "$" (whole credential object)

  • -s, --save-policy: Downloads and/or saves the policy definition locally, rather than keeping the reference to the original URL

  • -f, --force: Override existing policy with that name (static policies cannot be overridden!)

  • -e, --policy-engine: Policy engine type, default: OPA. Options: OPA

  • --vc / --no-vc: Apply/Don't apply to verifiable credentials (default: apply)

  • --vp / --no-vp: Apply/Don't apply to verifiable presentations (default: don't apply)

Please refer to the SSI-Kit setup section to serve the API.

curl -X 'POST' \
  'http://127.0.0.1:7003/v1/create/{{policyName}}?update=true&downloadPolicy=true' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
    "name": "MyCustomPolicy",
    "description": "Test",
    "input": {},
    "policy": "package system\n\ndefault main = false\n\nmain {\n    input.parameter.user == input.credentialData.credentialSubject.id\n}\n",
    "dataPath": "$",
    "policyQuery": "data.system.main",
    "policyEngine": "OPA",
    "applyToVC": true,
    "applyToVP": true
}'

Path parameters:

  • policyName: [string] Name of the policy, e.g. MyCustomPolicy

Query parameters:

  • update: [boolean] Specifies if existing policy with same name should be overridden (if mutable)

  • downloadPolicy: [boolean] Applies when a URL is used to reference the policy to be created. Downloads and/or saves the policy definition locally, rather than keeping the reference to the original URL

Body

{
    "name": "MyCustomPolicy",
    "description": "Test",
    "input": {},
    "policy": "package system\n\ndefault main = false\n\nmain {\n    input.parameter.user == input.credentialData.credentialSubject.id\n}\n",
    "dataPath": "$",
    "policyQuery": "data.system.main",
    "policyEngine": "OPA",
    "applyToVC": true,
    "applyToVP": true
}

  • name: [string] Policy name, must not conflict with existing policies

  • description: [string] Optional policy description

  • input: [JSON] Input JSON object for rego query, which can be overridden/extended on verification. Can be a JSON string or JSON file

  • policy: [URL, REGO] Whole Policy or URL to policy definition.

  • dataPath: [JSON path] JSON path to the data in the credential which should be verified, default: "$" (whole credential object)

  • policyQuery: [string] The query string in the policy engine language. Defaults to "data.system.main".

  • policyEngine: [string] Policy engine type, default: OPA. Options: OPA

  • applyToVC: [boolean] Apply/Don't apply to verifiable credentials (default: apply)

  • applyToVP: [boolean] Apply/Don't apply to verifiable presentations (default: don't apply)

Using Dynamic Policies

Verification with a Dynamic Policy

Once a dynamic policy has been saved with a specific name, as explained in the previous section, you can use it to verify Verifiable Credentials.

Please refer to the SSI-Kit setup section to execute the command successfully.

ssikit vc verify \
  -p SubjectPolicy='{ "user": "did:key:z6MkgERd8hghGSBndxduiXtUdbYmtbcX9TeNdAL2BAhvXoAp" }' \
  src/test/resources/rego/VerifiableId.json
  • -p, --policy: Verification policy. Can be specified multiple times. By default, SignaturePolicy is used. To specify a policy argument (if required), use the format PolicyName='{"myParam": "myValue", ...}', to specify the JSON object directly, or PolicyName=path/to/arg.json, to read the argument from a JSON file.

We can verify a credential with the SubjectPolicy and VerifiableId located in src/test/resources/rego/VerifiableId.json, which are provided when cloning the project, so no setup is needed.

Please refer to the SSI-Kit setup section to serve the API.

curl -X 'POST' \
  'http://127.0.0.1:7003/v1/verify' \
  -H 'accept: application/json' \
  -H 'Content-Type: text/plain' \
  -d '{
    "policies": [
        {
            "policy": "MyCustomPolicy",
            "argument": {
                "user": "did:key:z6MkrFtzYS5RW748vvAjARZ4CYjBMveV9LYfSAFov439Bm8Z"
            }
        }
    ],
    "credentials": [
        "eyJraWQiOiJkaWQ6a2V5Ono2TWtyRnR6WVM1Ulc3NDh2dkFqQVJaNENZakJNdmVWOUxZZlNBRm92NDM5Qm04WiN6Nk1rckZ0ellTNVJXNzQ4dnZBakFSWjRDWWpCTXZlVjlMWWZTQUZvdjQzOUJtOFoiLCJ0eXAiOiJKV1QiLCJhbGciOiJFZERTQSJ9.[...].tyLqPczrzyRQQNBoR1z5fR9oA50XiT8IX9OpQY_1qLA71eInI71fFOulDsS9WuwfT2FjN5ugjihLaiRVx7OcAg"
    ]
}'

Body

{
    "policies": [
        {
            "policy": "MyCustomPolicy",
            "argument": {
                "user": "did:key:z6MkrFtzYS5RW748vvAjARZ4CYjBMveV9LYfSAFov439Bm8Z"
            }
        }
    ],
    "credentials": [
        "eyJraWQiOiJkaWQ6a2V5Ono2TWtyRnR6WVM1Ulc3NDh2dkFqQVJaNENZakJNdmVWOUxZZlNBRm92NDM5Qm04WiN6Nk1rckZ0ellTNVJXNzQ4dnZBakFSWjRDWWpCTXZlVjlMWWZTQUZvdjQzOUJtOFoiLCJ0eXAiOiJKV1QiLCJhbGciOiJFZERTQSJ9.[...].tyLqPczrzyRQQNBoR1z5fR9oA50XiT8IX9OpQY_1qLA71eInI71fFOulDsS9WuwfT2FjN5ugjihLaiRVx7OcAg",
        "{\n  \"type\" : [ \"VerifiableCredential\", \"VerifiableAttestation\", \"VerifiableId\" ],\n  \"@context\" : [ \"https://www.w3.org/2018/credentials/v1\", \"https://w3id.org/security/suites/jws-2020/v1\" ],\n  \"id\" : \"urn:uuid:ed0de88b-4df7-458d-9ed6-8caa07a02e2d\",\n  \"issuer\" : \"did:key:z6MkrFtzYS5RW748vvAjARZ4CYjBMveV9LYfSAFov439Bm8Z\",\n  \"issuanceDate\" : \"2023-06-27T11:32:36Z\",\n  \"issued\" : \"2023-06-27T11:32:36Z\",\n  \"validFrom\" : \"2023-06-27T11:32:36Z\",\n  \"credentialSchema\" : {\n    \"id\" : \"https://raw.githubusercontent.com/walt-id/waltid-ssikit-vclib/master/src/test/resources/schemas/VerifiableId.json\",\n    \"type\" : \"FullJsonSchemaValidator2021\"\n  },\n  \"credentialSubject\" : {\n    \"id\" : \"did:key:z6MkrFtzYS5RW748vvAjARZ4CYjBMveV9LYfSAFov439Bm8Z\",\n    \"currentAddress\" : [ \"1 Boulevard de la Liberté, 59800 Lille\" ],\n    \"dateOfBirth\" : \"1993-04-08\",\n    \"familyName\" : \"DOE\",\n    \"firstName\" : \"Tamino\",\n    \"gender\" : \"FEMALE\",\n    \"nameAndFamilyNameAtBirth\" : \"Jane DOE\",\n    \"personalIdentifier\" : \"0904008084H\",\n    \"placeOfBirth\" : \"LILLE, FRANCE\"\n  },\n  \"evidence\" : [ {\n    \"documentPresence\" : [ \"Physical\" ],\n    \"evidenceDocument\" : [ \"Passport\" ],\n    \"subjectPresence\" : \"Physical\",\n    \"type\" : [ \"DocumentVerification\" ],\n    \"verifier\" : \"did:ebsi:2A9BZ9SUe6BatacSpvs1V5CdjHvLpQ7bEsi2Jb6LdHKnQxaN\"\n  } ],\n  \"proof\" : {\n    \"type\" : \"JsonWebSignature2020\",\n    \"created\" : \"2023-06-27T11:32:36Z\",\n    \"verificationMethod\" : \"did:key:z6MkrFtzYS5RW748vvAjARZ4CYjBMveV9LYfSAFov439Bm8Z#z6MkrFtzYS5RW748vvAjARZ4CYjBMveV9LYfSAFov439Bm8Z\",\n    \"jws\" : \"eyJiNjQiOmZhbHNlLCJjcml0IjpbImI2NCJdLCJhbGciOiJFZERTQSJ9..P_CJAzsdjsVzL5Zx2hnH3riuq5nhmlIYt8yRc21r1ZiuTMMWQ0Ugo0Ep85gtYjDwCDdS3FNVbDudz-fPqhXMAw\"\n  }\n}"
    ]
}
  • policies: [array] A list of policy definitions to verify against

    • policy: [string] The name/id of the policy

    • argument: [JSON] The argument needed by the policy (optional)

  • credentials: [array] An array of credentials in JWT, or LD_PROOF format

Introduction to Verification Policies

Dynamic/Custom Policies

SSI Kit supports custom policies, written in any of the supported policy engine languages. A dynamic policy can either be executed on the fly (if all required parameters are provided) or saved under a specific name for later reference in the verify command or REST API.

Note: To use dynamic policies with Open Policy Agent, setup of the OPA Engine is required. Refer to the OPA Engine configuration for more details.

Getting Started

  • Create a dynamic policy - Learn how to create a dynamic policy via CLI or REST

  • Use a dynamic policy - Learn how to verify a VC using a dynamic policy via CLI or REST

  • Remove a dynamic policy - Learn how to remove a dynamic policy via CLI or REST

  • Data classes - Examine data classes used internally.