Developer guide for running the Credential Service
If you want to run the application without any external databases or dependent services, we provide a Docker Compose file to spin up a standalone service.
This standalone service uses an in-memory database with no persistence, and therefore is recommended only if you're managing key/secret storage separately.
The no-db.env file in the same folder contains all the environment variables necessary to configure the service. (See section Configuration above.)
Construct the Postgres URL and configure the environment variables mentioned above.
Spinning up a Docker container from the pre-built credential-service Docker image on GitHub is as simple as the command below:
Configure the environment variables in the postgres.env file:
POSTGRES_USER: Username for Postgres database
POSTGRES_PASSWORD: Password for Postgres database
POSTGRES_MULTIPLE_DATABASES: Database names for multiple databases in the same cluster, e.g.: "app,logto". This sets up multiple databases in the same cluster, which can be used independently for External Veramo KMS or LogTo service.
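A preflight check for postgres.env, as an added example that is not part of the cheqd repository: it parses the three variables above without sourcing the file and reports weak or malformed values before the database is provisioned. The password policy, the identifier rule and the assumption that the initialisation scripts place the database names into SQL statements are illustrative, and the sample file is constructed.

```shell
# Added example: preflight lint for postgres.env; not part of the cheqd repository.
# The password policy and the identifier rule are illustrative assumptions.
# Prints one finding per line; exit status is the number of findings (0 = clean).
check_postgres_env() (
  file=$1; n=0; user=; pass=; dbs=
  LC_ALL=C; export LC_ALL
  set -f                      # no glob expansion when splitting the database list
  note() { printf '%s\n' "$1"; n=$((n + 1)); }

  # The file holds a database password: owner-only access.
  [ "$(ls -ld "$file" | cut -c5-10)" = "------" ] ||
    note "$file is accessible to group/other; use chmod 600"

  # Parse KEY=VALUE lines rather than sourcing, so the file is never executed.
  while IFS='=' read -r key val || [ -n "$key" ]; do
    val=${val#\"}; val=${val%\"}
    case $key in
      POSTGRES_USER) user=$val ;;
      POSTGRES_PASSWORD) pass=$val ;;
      POSTGRES_MULTIPLE_DATABASES) dbs=$val ;;
    esac
  done < "$file"

  [ -n "$user" ] || note "POSTGRES_USER is empty or missing"
  case $pass in
    '') note "POSTGRES_PASSWORD is empty or missing" ;;
    "$user"|postgres|password|changeme)
      note "POSTGRES_PASSWORD is a default value or equals the username" ;;
    *) [ "${#pass}" -ge 16 ] || note "POSTGRES_PASSWORD is shorter than 16 characters" ;;
  esac

  # Assumption: names reach SQL in the init scripts, so allow plain identifiers only.
  [ -n "$dbs" ] || note "POSTGRES_MULTIPLE_DATABASES is empty or missing"
  IFS=,
  for db in $dbs; do
    case $db in
      ''|[!a-z_]*|*[!a-z0-9_]*) note "database name '$db' is not a plain identifier" ;;
    esac
  done
  exit "$n"
)

# Constructed sample file (not real credentials): three findings expected.
demo_dir=$(mktemp -d)
printf '%s\n' 'POSTGRES_USER=veramo' 'POSTGRES_PASSWORD=veramo' \
  'POSTGRES_MULTIPLE_DATABASES="app, logto"' > "$demo_dir/postgres.env"
chmod 644 "$demo_dir/postgres.env"
check_postgres_env "$demo_dir/postgres.env" || echo "findings: $?"
rm -rf "$demo_dir"
```

The stray space in "app, logto" is flagged because the list is split on commas only, so the second name would otherwise be taken as " logto".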
Then, make the Postgres initialisation scripts executable:
Configure the environment variables in the logto.env file with the settings described in the section above.
Then, run the LogTo service using Docker Compose to configure the LogTo application API resources, applications, sign-in experiences, roles, etc.:
Configuring LogTo is outside the scope of this guide, and we recommend reading the LogTo documentation to familiarise yourself.
Configure the environment variables in the with-db.env file with the settings described in the section above. Depending on whether you are using external Veramo KMS only, LogTo only, or both, you will need to have previously provisioned these services, as there are environment variables in this file that originate from Postgres/LogTo.
Then, start the service using Docker Compose:
When upgrading either the external Veramo KMS or LogTo, you might need to run migrations for the underlying databases.
You can run just the migration scripts using Docker Compose profiles defined in the Compose file.
For example, to run Credential Service app migrations on an existing Postgres database (for external Veramo KMS):
Or to run LogTo migrations on an existing Postgres database:
To build your own image using Docker, use the Dockerfile provided.
Understanding cheqd's Credentials-as-a-Service product offering
The Credential Service is a set of REST APIs for using cheqd's identity functionality in a lightweight and highly efficient way.
These APIs simplify the developer experience, helping customers build Trusted Data Markets from the ground up, with zero prior knowledge of the technology under the hood. All of cheqd’s existing open-source libraries remain available, and the Credential Service does not require developers to switch their entire SSI stack, but allows them to build into their existing tooling, for example alongside APIs such as the Universal Resolver.
The Credential Service directly leverages our Veramo SDK Plugin, making a wide array of features available from launch, including:
The Credential Service can be deployed and hosted in multiple ways to support clients with different requirements.
This mode is the simplest for users, allowing cheqd to custody both Cosmos AND Identity keys in Veramo KMS. This means that both ledger writes and the signing of identity transactions are managed on behalf of the customer.
To ensure this is highly secure, we have deployed an instance of a Veramo Key Management Store (KMS) which uses a Postgres DB (TypeORM) to store Cosmos AND identity keys in one encrypted table, so they cannot be read in plaintext. This design allows us to segment different customers' keys securely and efficiently.
We use similar techniques to Password Managers such as 1Password and Bitwarden to ensure that even if the database were to be compromised, the keys would remain encrypted and unusable.
Within Custodian mode, we also enable clients to toggle
Client-managed mode gives the Credential Service user the ability to utilise their own identity keys for signing identity transactions, while still allowing the Credential Service to manage the CHEQ account keys for writing to the cheqd network. This mode is intended for more production-oriented environments where the user signs each identity transaction independently, affording a greater level of security and control to the client.
Full client-managed mode is still in development and we will update this documentation as and when it becomes available.
Under the hood, the Credential Service leverages our Veramo SDK Plugin for its identity functionality. Check out our guide on supported SDKs to understand how Credential Service fits together with our other Open Source packages.
Below is a list of alternatives for integrating with cheqd. Each offers a different set of protocols and underlying technical capabilities.
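Category | Feature | Status |
---|---|---|
Verifiable Credentials (VCs) | Issue Credential | ✅ |
Verifiable Credentials (VCs) | Verify Credential | ✅ |
Verifiable Credentials (VCs) | Revoke Credential | ✅ |
Verifiable Credentials (VCs) | Suspend Credential | ✅ |
Verifiable Credentials (VCs) | Unsuspend Credential | ✅ |
Verifiable Presentations (VPs) | Verify Presentation | ✅ |
Credential Payments | Create payment-gated resource | ✅ |
Credential Payments | Update payment-gated resource | ✅ |
Credential Payments | Pay-to-verify credential status | ✅ |
Decentralised Identifiers (DIDs) | Create DID and DID Document | ✅ |
Decentralised Identifiers (DIDs) | Update DID Document | ✅ |
Decentralised Identifiers (DIDs) | Resolve DID | ✅ |
Decentralised Identifiers (DIDs) | Deactivate DID | ✅ |
Decentralised Identifiers (DIDs) | List DIDs | ✅ |
Identity keys | Create identity keys | ✅ |
Identity keys | Fetch identity keys | ✅ |
Status Lists | Create status list | ✅ |
Status Lists | Publish status list | ✅ |
Status Lists | Update status list | ✅ |
Status Lists | Check status list | ✅ |
Status Lists | Search status lists | ✅ |
DID-Linked Resources (DLRs) | Create DID-Linked Resource | ✅ |
DID-Linked Resources (DLRs) | Search DID-Linked Resources | ✅ |
Account | Create new account | ✅ |
Account | Fetch account details | ✅ |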
Sign in / Sign up
Head to our Credential Service and click Log In to create an account and get started.
Issue a Credential
Issue W3C conformant Verifiable Credentials easily over REST API.
Advanced config options
Run the Credential Service yourself or utilise your own external database.
Veramo
The Veramo SDK Plugin is an extension of the Veramo SDK, a JavaScript framework for Trusted Data, adding support for cheqd functionality.
Credo
Credo is an SDK which supports ZKCreds (AnonCreds) and regular Verifiable Credentials natively with cheqd support.
Walt.id SSI Kit
Walt.id SSI Kit is an SDK that supports the European Architecture and Reference Framework (ARF) standards for identity, with full cheqd support.