# Issuer

The Issuer Service is a foundational component of the Self-Sovereign Identity (SSI) ecosystem, enabling the creation, issuance, and management of Verifiable Credentials (VCs). Each instance represents a single issuer entity, deployed independently via the One-Click Deployment Portal, and integrated with the EMPE Blockchain and interoperable wallets.

**Key Highlights:**

* **Verifiable Credentials on the EMPE Blockchain:** Registers and manages Decentralized Identifiers (DIDs) on the EMPE Blockchain, issuing W3C-compliant VCs. Issued credentials include a `credentialStatus` field of type `StatusList2021Entry`, referencing an on-chain Status List VC and an index in a compressed bitstring for revocation status.
* **Schema Management and Versioning:** The Schema Management Engine handles credential schemas as JSON-based templates, ensuring consistent credential structures. It supports versioning and iterative updates, allowing evolving credential definitions.
* **Flexible Credential Offerings:** Supports both **Targeted Offerings** (tied to a specific recipient DID) and **Open Offerings** (accessible by anyone scanning the QR code). Targeted offerings require the wallet to prove DID ownership before claiming.
* **Secure, Standards-Based Wallet Interactions:** Wallets claim credentials through OAuth2-like authorization code flows. For targeted offerings, wallets submit Verifiable Presentations to prove DID ownership. Access tokens (JWTs) are issued for secure credential retrieval.
* **Lifecycle Management:** Beyond issuance, the service lists, revokes (via an on-chain revocation list), and deletes credentials. Revocation flips a bit in the compressed bitstring and republishes the updated Status List VC to the EMPE Blockchain, ensuring verifiers can reliably determine credential status at verification time.
* **Architecture Overview**
  * **Issuer Service Instance:** Runs as a standalone server with isolated data per issuer. Deployed via the One-Click Deployment Portal, which automates DID registration and initial configuration.
  * **EMPE Blockchain Integration:** Automatically registers and updates the issuer’s DID Document on-chain, ensuring resolvability and trust. Revocation lists are published as Verifiable Credentials conforming to W3C Status List 2021, anchored on the EMPE Blockchain for tamper-evident proofs.
  * **Credential Issuance and Storage:** Issues credentials upon request, stores them, and supports listing, revoking, and deleting. Each credential includes a `credentialStatus` field referencing the on-chain Status List VC.
  * **Wallet Interaction Layer:** Implements QR code–based flows and OAuth2-like authorization code flows for secure credential claiming.
  * **Security and Access Controls:** Enforces HTTPS for all endpoints, cryptographic signing and verification of credentials, and access controls using `x-client-secret` and bearer tokens.
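
The `credentialStatus` lookup and the revocation bit flip described above, as an added example that is not the Issuer Service's own code. It assumes the field names and encoding of the W3C Status List 2021 draft (GZIP-compressed bitstring, unpadded base64url, index 0 at the left-most bit); the decompression cap, the status list URL and the index are constructed for illustration.

```python
import base64
import gzip
import zlib

MAX_LIST_BYTES = 1024 * 1024  # assumed verifier-side cap on decompressed size

def encode_list(bits):
    """GZIP the raw bitstring, then base64url-encode it without padding."""
    return base64.urlsafe_b64encode(gzip.compress(bytes(bits))).rstrip(b"=").decode()

def decode_list(encoded):
    """Inverse of encode_list; rejects truncated or oversized lists."""
    raw = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
    inflater = zlib.decompressobj(wbits=31)  # 31 selects the gzip container
    out = inflater.decompress(raw, MAX_LIST_BYTES + 1)
    if len(out) > MAX_LIST_BYTES or not inflater.eof:
        raise ValueError("status list truncated or over the size cap")
    return bytearray(out)

def _locate(bits, index):
    """Map a list index to (byte offset, mask); index 0 is the left-most bit."""
    if not 0 <= index < len(bits) * 8:
        raise IndexError("statusListIndex outside the status list")
    return index // 8, 0x80 >> (index % 8)

def revoke(encoded, index):
    """Issuer side: set the credential's bit and return the new encodedList."""
    bits = decode_list(encoded)
    offset, mask = _locate(bits, index)
    bits[offset] |= mask
    return encode_list(bits)

def is_revoked(credential, status_list_vc):
    """Verifier side: resolve credentialStatus against the Status List VC."""
    status = credential["credentialStatus"]
    subject = status_list_vc["credentialSubject"]
    if status["type"] != "StatusList2021Entry":
        raise ValueError("unsupported credentialStatus type")
    if (status["statusListCredential"], status["statusPurpose"]) != (
            status_list_vc["id"], subject["statusPurpose"]):
        raise ValueError("credential does not match this status list")
    bits = decode_list(subject["encodedList"])
    offset, mask = _locate(bits, int(status["statusListIndex"]))
    return bool(bits[offset] & mask)

LIST_VC = {"id": "https://issuer.example/status/1",  # constructed sample data
           "credentialSubject": {"statusPurpose": "revocation",
                                 "encodedList": encode_list(bytearray(16 * 1024))}}
CRED = {"credentialStatus": {"type": "StatusList2021Entry", "statusPurpose": "revocation",
        "statusListIndex": "94567", "statusListCredential": LIST_VC["id"]}}
```

This covers only the bitstring lookup: a verifier still has to verify the proofs on both the credential and the Status List VC before trusting the result.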
