The createSdJwtCredential function is an asynchronous method that generates a Signed Selective Disclosure JSON Web Token (SD-JWT) credential.

Function Signature

TypeScript
export type SdJwtSignerAlgorithm = 'RS256' | 'ES256K';
export type SdJwtHashAlgorithm = 'sha-256';

export interface CreateSdJwtCredential {
  privateKey: string;
  issuer: string;
  claims: Record<string, unknown>;
  vct: string;
  disclosureFrame?: string[];
  signAlg?: SdJwtSignerAlgorithm;
  hashAlg?: SdJwtHashAlgorithm;
  hasher?: (...args: any[]) => Uint8Array;
  saltGenerator?: (...args: any[]) => string;
};

Parameters

  • privateKey (string): is an RSA PEM key in String format, or a secp256k1 key in hex string.
  • issuer (string): is a URL that contains the Issuer’s Public key for verifying the VC’s signature (e.g., https://static.terminal3.io/jwks.json), or the Issuer’s DID (e.g., did:key:<issuer_public_key>).
  • claims (object): is an object that contains any information related to the user (e.g., { first_name: "Joey" }).
  • vct (string): is the Verifiable Credential Type, and it should be a single name (e.g., KycCredential).
  • disclosureFrame (string[], optional): is used to specify which claim attributes the Issuers want to disclose. The list of attributes must be from claims. (e.g., ["first_name"]).
  • signAlg (SdJwtSignerAlgorithm, optional): specify the algorithm for signing the VC, the current supported algorithms are RSA or ES256K.
  • hashAlg (SdJwtHashAlgorithm, optional): specify the algorithm for hashing Disclosures, the current supported algorithm is sha-256.
  • hasher (Function, optional): to customize the hashing function, the default is using SHA-256.
  • saltGenerator (Function, optional): to customize the salt generator function, default is using randomBytes(length = 16).toString(‘hex’) from the crypto package.

Returns

Promise<string>: A promise that resolves to an string representing the signed credential. This string contains JWT tokens as follows: 
<Header.Payload.Signature>~<Disclosure 1>~<Disclosure 2>~...~<Disclosure N>~<Key Binding JWT (optional)>

Exceptions

Throws an error if the signature type is unsupported or if the issuer’s identity type does not match the required type for the specified signature method (e.g., an issuer must be a DID for ES256K, and URL for RSA).

Examples

TypeScript
import { generateKeyPairSync } from 'crypto';

const { privateKey } = generateKeyPairSync('rsa', {
  modulusLength: 2048,
});
const privateKeyPem = privateKey.export({ type: 'pkcs8', format: 'pem' }).toString();

const issuer = 'https://terminal3.io/issuer';
const claims = {
  name: 'Alice',
  age: 30,
  country: 'Wonderland',
};
const vct = 'PersonCredential';

const credential = await createSdJwtCredential({
  privateKey: privateKeyPem,
  issuer,
  claims,
  vct,
  disclosureFrame: ['name', 'age'],
});

console.log(credential);