Aries Cloud Agent Python (ACA-Py) serves as a foundational tool for developing Verifiable Credential (VC) ecosystems. It functions at the second and third layers of the Trust Over IP framework and supports multiple credential formats and protocols. As part of the Open Wallet Foundation, ACA-Py's capabilities can be expanded with runtime-loaded plug-ins. Explore a diverse range of plug-ins in the ACA-Py Plugins repository.

ACA-Py now includes support for the Cheqd DID method, facilitating integration with Cheqd's decentralized identity ecosystem. Developers can utilize Cheqd for DID creation, resolution, and operations like issuing and verifying AnonCreds credentials. This offers an easy transition from the decommissioned Sovrin network to a modern, scalable alternative without disrupting existing workflows. Cheqd is fully supported in ACA-Py for issuing Verifiable Credentials, creating Credential Schemas, and Credential Definitions.

AnonCreds using cheqd are facilitated using the cheqd AnonCreds Object Method.

Get started

Pre-requisites

Before you begin, ensure you have a DID registrar and resolver running.

• For testnet, you can use the cheqd DID registrar and resolver.

• For mainnet, you can run your own cheqd DID registrar with the correct mnemonic configuration. For details check here.

Configuration

• The DID Registrar and the DID Resolver URL can be passed via a plugin-config.yml.

• The plugin works only with askar-anoncreds wallet type.

• Using a Postgres DB as wallet storage type is also recommended.

Build the Agent and deploy

Build the ACA-Py Agent docker image with the plugin, and then deploy on your choice of infrastructure.

Example Dockerfile:

FROM ghcr.io/openwallet-foundation/acapy:py3.12-1.1.0

USER root

# install plugins as binaries
RUN pip install git+https://github.com/openwallet-foundation/acapy-plugins@main#subdirectory=cheqd

USER $user
COPY ./configs configs

ENTRYPOINT ["aca-py"]

Sample configs are available here.

Next steps

Now that your ACA-Py agent is successfully set up to work with cheqd, try following our tutorials for creating a new DID or issuing Verifiable Credentials.

"DID-Linked Resources" are identified with a did:cheqd Decentralized Identifier with a Universally Unique Identifier (UUID) that acts as a permanently-accessible link to fetch the resources from the cheqd ledger. We refer to this as the "resource ID". Through the "resource ID" or a set of DID URL query parameters, applications are able to persistently access a digital resource on the cheqd network.

Get started

To issue Verifiable Credentials, the issuer will have to first create a Schema and then a Credential Definition.

Create Schema

The request body must contain the schema object, which defines the attributes, name and version of the Schema. This will create a DID-Linked Resource of type anonCredsSchema.

Request Body

Check the new Schema

Follow these instructions to deactivate a did:cheqd DID from ACA-Py Agent.

⚠️ Important...

Your wallet must have the key(s) which were generated when the DID was created, without them signing will fail.

Deactivate DID

To deactivate an active DID, pass the didid in the request body, with any additional optionsthat you may have configured.

A Decentralized Identifier "DID" is a globally unique identifier that does not require a centralized registration authority because it is registered with distributed ledger technology or other form of decentralized network.

Get started

Alternatives

Below are a list of alternatives for creating cheqd DIDs.

Get started

Alternatives

Below are a list of alternatives for using Credentials with cheqd support. Each offers a different set of protocols and underlying technical capabilities.

Create Credential Definition

The request body must contain the credential_definition object with the Issuer DID and the Schema ID created in the previous steps.

To enable revocation, the options must contain the revocation flag, and the size of the revocation registry. Also, ensure that a Tails Server is configured for the issuer.

Request Body

Check the new Credential Definition

Using the /issue-credential-2.0 API endpoints, it is possible to issue Verifiable Credentials, signed by a cheqd DID, in a few clicks or lines of code. By following the following steps, you can effectively issue verifiable credentials using ACA-Py integrated with the cheqd ecosystem.

Step 1: Create a Connection with Holder

Use any supported method to create a connection with the Holder of the credential. Automated out-of-band protocol is recommended.

1a: Issuer Creates Connection Invite

The Issuer agent will create a new connection invite for the Holder. This is needed to securely communicate between the Issuer and the Holder agents.

Parameters and Request Body

For automated acceptance, pass the following parameters:

A simple request body is below:

{
    "alias": "Holder",
    "handshake_protocols": ["https://didcomm.org/didexchange/1.0"],
    "use_public_did": false,
    "my_label": "Invitation to Holder"
}

1b: Holder receives invitation

The above request will have an invitation in the response. Holder will have to copy that inivitation and pass in the body of the following API call.

Parameters and Request Body

The request body should be the invitation value from the /create-invitation call by the Issuer.

Step 2: Prepare Credential Offer

Generate a credential offer using the /issue-credential-2.0/send-offer API. This offer is sent to the holder, informing them about the available credential and its attributes.

Step 3: Holder accepts credential offer

The Holder has to retrieve the credential exchange id, and call this API to accept the offer.

Step 4: Issue Credential

Once the credential request is received and validated, issue the credential using the /issue-credential-2.0/records/<exchange-id>/issue API endpoint.

Step 5: Holder stores Credential

The Holder has to store the issued credential into their wallet using the following API.

Follow these instructions to create a new DID from ACA-Py Agent and publish the associated DID Document on cheqd ledger.

⚠️ Before you begin...

Make sure you've correctly for ACA-Py.

For wallet storage, utilise a Postgres database to ensure key persistence, enabling future updates to the DID.

Create DID

Populate the various optionsand featuresin the JSON request body and call the API to create the DID.

Request Body

These are the variables that can be passed in the Body:

List DIDs associated with your wallet

After creating a DID or multiple DIDs, users can list all the created DIDs associated with their wallet. Using the /wallet/did API.

Follow these instructions to update a did:cheqd DID from ACA-Py Agent.

⚠️ Important...

Your wallet must have the key(s) which were generated when the DID was created, without them signing will fail.

Update DID

To update an existing DID, you must pass the did id and the complete didDocumentin the request body. The main field that is updated using this method os the service object of the DID.

Revoking credentials is crucial for maintaining control over issued credentials and preventing misuse in the cheqd ecosystem. To revoke credentials within the ACA-Py framework, follow these steps:

Step 1: Issuer identifies Credential to be revoked

The Issuer must determine the credential that needs to be revoked by getting the list of issued credentials and the connection id.

Step 2: Revoke Credential

Initiate the credential revocation process by supplying the necessary credential identifiers like the connection id and the credential exchange id.

Sample Request Body

{
    "comment": "Revoke issued credential",
    "connection_id": "<issuer--to-holder-conn-id>",
    "cred_ex_id": "<issuer-cred-exchange-id>",
    "notify": true,
    "publish": true
}

Step 3: Verify Revocation

Follow the steps to Present a Verifiable Credential to verify that the credential has been successfully revoked. The response should have verified: false.

Using the /present-proof-2.0 API endpoints, it is possible to present Verifiable Credentials, signed by a cheqd DID, in a few clicks or lines of code. This process enables secure and trustworthy sharing of verifiable credentials within the ACA-Py framework and cheqd ecosystem.

Step 1: Create a Connection with Holder

Use any supported method to create a connection with the Holder. Automated out-of-band protocol is recommended. You can follow the same steps as described in Issue a Verifiable Credential.

Step 2: Send Proof Request

After connection is established, the Verifier can send a proof request to the Holder.

Sample Request Body

The request body will depend on the credential, but here is a sample.

{
  "connection_id": "<verifier-to-holder-conn-id>",
  "auto_verify": false,
  "auto_remove": false,
  "comment": "Presentation request from Issuer",
  "presentation_request": {
    "anoncreds": {
        "name": "proof",
        "version": "1.0",
        "requested_predicates": {
            "additionalProp1": {
                "name": "score",
                "p_value": 40,
                "p_type": ">",
                "restrictions": [{"cred_def_id": "<cred-def-id>"}]
            }
        },
        "requested_attributes": {},
        "non_revoked": {"to": <some-time-in-future>}
    }
  },
  "trace": false
}

Step 3: Holder sends Presentation Proof

Holder can get the stored credentials from own wallet and format a proof to send to the Verifier.

Step 4: Verifier verifies Presentation

Verifier receives the presentation via the connection, and can use the following API to verify. The response must have verified: true .