Getting Started With the SDKs
Last updated
Last updated
Get and its dependencies with pnpm or the equivalent of your package manager of choice:
Only add ethers or near-api-js in accordance with the chains your dApp uses.
💡 Tip
If you use
near-api-js, make sure you have aBufferpolyfill. See .
Create a container anywhere on your page, and ensure it's displayed when assigned the visible class.
Import the SDK and initialize it with a selector for the container:
Get your user's address and confirm they have an idOS profile. If not, redirect them to your Issuer.
Connect your user's signer to complete the setup.
You're all set!
💡 Tip
For more examples and data queries, see:
🛟 Help available
#idos-containerAfter importing the SDK, you initialize it with a selector string for a DOM node. Make sure to add it to your page:
To avoid surprising your UI, the SDK doesn't make itself visible and sets no CSS properties. Instead, it toggles the visible class on this container. This means you retain control over your UI, and need to define what "visible" means, for example:
This barebones setup is enough to get you started, but you can naturally style and animate the container as you like, for example within a toast component.
The main reason the SDK controls this HTML element is to remove the burden of opening up a new top-level window without being blocked by the browser because it was identified as an unwanted pop-up. Since all SDK users would need to go through the delicate process of getting these details right, we implemented it in the SDK.
The enclaveOptions's container is the only required option, but there are a few other aspects of the SDK you're able to control during initialization.
nodeUrl
The most obvious one is to which network to connect: production, or playground. These can be found, respectively, at:
Here's an example of using the playground network:
enclaveOptions
So far, we've only used container from enclaveOptions. There are a few more fields that you can set:
theme?: "light" | "dark": Forces a specific theme for the enclave pop-up. By default, this is discovered through the media query prefers-color-scheme.
mode?: "new" | "existing": Forces a specific verbiage to be shown on the enclave pop-up. The default is existing, but issuers can set it to new to show messages that are more helpful for new users. Unless you're an issuer, this should not be supplied.
url?: string: URL of the enclave pop-up. Unless you're developing your own enclave, this should not be supplied.
throwOnUserCancelUnlock?: boolean: Controls the SDK's reaction to the user closing the enclave pop-up. The default, false, keeps the 🔓 Unlock idOS button visible so the user can click it again and finish the unlocking process. If this value is true, the SDK will hide the button and raise whatever error it got from the enclave pop-up.
hasProfileYou can check if your user has an idOS profile associated with their address by using await idos.hasProfile(address). This can be done without a signature, and confirms that calls to setSigner should succeed.
If your user does not have an idOS profile, you'll have to first redirect them to your credential provider. Here's an example:
setSigner flow and supported walletsBesides hasProfile, all other queries to idOS nodes require a valid signature. These are performed by your user's wallet, whose signer must be passed to the SDK via the setSigner method. Your user's wallet might need to be triggered, so you should be mindful of when in your user's journey you call this method.
🛈 Note about NEAR
Because idOS thinks in terms of signing keys, but NEAR thinks in terms of accounts that can be controlled by multiple signing keys, the SDK needs to discover the signing key that's currently being used. This requires a signed message from the user.
Here's an example of what that looks like with Meteor:
Here's an example of what signing a SIWE message looks like with Metamask:
During this whole process, the SDK tries to use the browser's local storage to remember this signer's address (and public key, for NEAR signers) to avoid repeating this process unless necessary.
The idOS currently supports two classes of signers:
Now that we're successfully authenticated on idOS, we can now perform operations on user data. The entities that a user controls are:
Wallets: the wallets that the user has declared as being able to control their idOS profile.
Credentials: the credentials of a user. Their contents are encrypted (for the user's encryption key), but it also has some public fields for inspection.
Attributes: free form key-value entries. You can use this to store public attribute about the user.
All of these can be created, retrieved, updated, or deleted. The only notable exceptions is deleting shared credentials with timelocks still active (more on this when we explain Access Grants).
Here's an example of listing a user's credentials:
⚠️ Warning
If the user hasn't granted you an Access Grant, the user hasn't consented to you getting a copy of the data. We'll be covering Access Grant in a following section.
For now, please use idOS responsibly and respect the user's will and data sovereignty. In order to protect the user, we're planning on changing how this admin-like access works in the near future, so please don't rely on it.
Today, as a shortcut, we decrypt the credential's content on get:
The manual version on this shortcut looks like this:
This call needs to operate with the user's encryption key. This is a responsibility of the Enclave, which we'll explain in the next section.
This function always returns true or raises an Error detailing what went wrong with the verification process.
Since the SDK does not have access to this key, it delegates decryption workloads to the enclave when responding to data requests involving encryption/decryption. This happens transparently when you use the SDK to read encrypted data from the idOS.
After the user clicks the 🔓 Unlock idOS button, a secure dialog opens for the user to choose their preferred unlocking method.
The unlock dialog
If the user chooses Password, they'll be prompted to enter it.
The password dialog
A passkey dialog
The selected auth method will not have a bearing on the encryption capabilities.
Like mentioned before, in order to lawfully obtain a copy of the user's credentials, the user must grant you an Access Grant. We'll expand on that concept next, but first you need to have some preparation measures in place.
There are two things that a dApp needs to have setup:
A consumer: a key for a chain account you control. It's used both to identify you as the recipient of an Access Grant and to authenticate you when making calls to idOS nodes. On EVM chains, this is an EOA (Externally-Owned Account, controlled by anyone with its private key), and on NEAR this is a full access public key. For now, the idOS doesn't support having contract wallets as consumers.
🛑 DANGER 🛑
Make sure you don't lose access to either secret keys. Otherwise, you won't be able to authenticate or decrypt credential contents. The idOS team won't be able to help you.
An Access Grant means: I, owner (the user), have given you, consumer (the dApp), access to the record identified by dataId, and I understand I won't be able to revoke said access before lockedUntil has passed. The contents of dataId are a copy of the credential/attribute that has its contents encrypted to the encryption key provided (by the dApp) during its creation.
By acquiring an Access Grant, a dApp ensures that it'll have a copy of the user's data (either a credential or an attribute) until the UNIX timestamp on lockedUntil has passed. This is especially relevant to be able to fulfill compliance obligations.
To avoid any doubts, let's go over the Access Grant fields:
ownerUserId: the grant owner idOS id.
consumerAddress: on EVM chains this is the dApp's consumer address (like explained in the previous section), and on NEAR this is a full access public key.
dataId: the id of the record copy (either a credential or an attribute) that is going to be shared.
lockedUntil: the earliest UNIX timestamp when the contract will allow the Access Grant to be revoked. Any timestamp in the past, notably "0", means it's revocable at any time.
One common problem about credentials is: if the dApp can only access a credential's contents after it has an Access Grant for it, how does the dApp know which credential will fulfill its compliance needs?
idos.enclave.filterCredentials is a function that allows you to ask the user's enclave to filter all the user's credentials to only return the ones your dApp is interested in asking an Access Grant for. A filtering criteria for pick and omit should be passed. This should be the paths of the private fields by which a credential should be matched. pick requires the path to have the provided value, omit requires the path to not have the provided value.
In this example, entries will be a list of credentials where the "credentialSubject.identification_document_country" is "DE" and "credentialSubject.identification_document_type" is not "passport".
By now, we have used the idOS to secure a copy of the data we need to operate.
💡 Tip
A delegated Access Grant (dAG) is a way of creating / revoking an Access Grant by somebody else other than the user. This is especially relevant for dApps who want to subsidize the cost of transaction necessary to create an AG.
Here's a diagram comparing the two cases side-by-side:
setSignerRevoke an Existing Access Grant
List All Grants You Granted to Other Consumers
List All Grants Granted to You by Grantors
Check if a Grant is Still Locked
Create an .env.development.local file in the root folder of the SDK package and add the needed environment variables (you can reference .env for the variable names). The SDK will use these variables for the development environment.
Run:
This will run the compiler in watch mode that will rebuild every time any of the source files are changed.
You can also create a production build by running the following command in the root folder of the SDK package:
This will create a PRODUCTION build of the SDK using the .env file.
🛑 DANGER 🛑
Make sure you don't lose access to either secret keys. Otherwise, you won't be able to authenticate or decrypt credential contents. The idOS team won't be able to help you.
You'll need:
recipientEncryptionPrivateKey: base64-encoded nacl.BoxKeyPair secret key. It'll be used to decode the credential copies that the owners (users) share with you by creating access grants.
consumerSigner: this can be a NEAR KeyPair, a nacl.SignKeyPair, or an ethers.Wallet. This will be used to sign RPC calls to the idOS nodes.
Import and initialization
List grants
Here's how you can paginate through all the grants that all users have granted you.
TODO: I should be able to filter by owner, at least.
Get grants total count
Here's how you can count all the grants that all users have granted you. Especially useful for pagination.
TODO: I should be able to filter by owner, at least.
Get the shared credential with a consumer (encrypted content)
Here's how you can get a credential you have access to (with the content still encrypted) by its id.
TODO signature feels iffy. I should get into it and make sure that it returns something like a Result<Maybe<IdosCredential>, Error>. Either:
The target credential
null when we don't find anything
raise an exception on network errors and such
Get the decrypted shared credential's content
Here's how you can get a credential's contents you have access to by its credential id.
Get the credential id using grant hash
Here's how you can get a credential's id you have access to by its content hash.
Get the Access Grant that gave access to a credential
Get the reusable credential compliantly
Create an issuer config with your secret key. This config will be used to interact with the idOS.
To create a user profile in idOS, you need:
A wallet address associated with the user.
A public encryption key derived from either a password or a passkey chosen by the user in the idOS enclave app.
Step 1: Decide on a user id
Step 2: Derive the Public Key
Use the idos.discoverUserEncryptionPublicKey function to derive a public key for the user. This key will be used to encrypt and decrypt user's credential content.
Step 3: Creating a User Profile
Once the public key is derived, you can create the user profile in idOS by passing it to the createUser function alongside with user id and the wallet the user's going to use to drive their idOS profile.
In order to write a credential to idOS, the issuer needs to obtain permission from the user. This can be done in two ways: using Delegated Write Grant (DWG), or using Permissioned Credential Creation. Below are the two methods for writing credentials.
First option is to build credentials (and sign) manually:
Secondly you can use a credentials-builder, which help you to create a proper VerifiableCredentials object:
The first method involves getting permission from the user via a Delegated Write Grant
A Delegated Write Grant (DWG) is a permission given by the user that allows a specific issuer to create a credential and it's copy for the issuer itself on the user's behalf. This is particularly relevant to not require the user to come back to your website if you want to add data to their profile. A DWG is a ERC-191 message that the user signs. The message contains fields:
operation: delegatedWriteGrant
owner: user_wallet_identifier
consumer: grantee_wallet_identifier
issuer public key: ed25519_public_key_hex_encoded
id: _DWG_identifier
access grant timelock: RFC3339_date_time_till_access_grant_will_be_locked
not usable before: RFC3339_date_time_DWG_can_not_be_used_before
not usable after: RFC3339_date_time_DWG_can_not_be_used_after
To do this, you must first to ask a user to sign DWG message:
Be sure you have the DWG message parameters and it's signature kept. You need to use them on server side later.
Now that the user has created a DWG for us, the issuer, we can create a credential for the user and the credential copy to ourselves:
This will create a credential for user in the idOS and copy for the issuer.
⚠️ Notice
The credential content should be passed as is. It will be encrypted for the recipient before being stored on the idOS.
For this method, use the createCredentialPermissioned function to write the credential with the necessary encryption.
Example:
The SDK provides issuer to share credentials with other consumers. This function is called shareCredentialByGrant.
The editCredential function allows issuers to update the public notes associated with a credential in the idOS. This is useful for actions like marking credentials as revoked or updating metadata.
In order for editCredential to work, the credential's public_notes field needs to be a valid JSON object with an id field, and the public_notes_id argument needs to have that value.
⚠️ Warning
If the new
public_notesvalue doesn't have anidfield, you'll stop being able to edit that credential.
A previously created credential can be revoked by the issuer by calling the editCredential function. When creating a credential, the publicNotes field needs to have an id field that will be used to identify the credential to be revoked. Pass this id to the editCredential function to revoke the credential.
Run:
This will start the compiler in watch mode that will rebuild every time any of the source files are changed.
You can also create a production build by running the following command in the root folder of the SDK package:
the below
for a simple implementation
for a thorough example
Would you benefit from support or clarification from our team? Please follow .
This container will be used by the SDK to load the idOS secure enclave during initialization. The is a sandboxed browser context, used to safekeep a keyring for cryptographic operations users need to perform. When the enclave requires user interaction, it uses this container to render UI such as the 🔓 Unlock idOS button.
Our shows an example of blending this into a UI. It wraps the container and floats it over the page, and animates its opacity when the visible class is applied. You can see it below (pulsating forcefully to illustrate the point):
(default)
When called, setSigner will try to connect to the idOS nodes, sign a (SIWE) message for authentication, and make a call to get some basic information about the user.
Ethereum/EVM wallets (like MetaMask or Trust Wallet) producing secp256k1 signatures (aka personal_sign)
NEAR/NVM wallets (like MyNearWallet or Meteor) producing ed25519 signatures (aka signMessage)
This is only meant to be used on admin-like dApps (like ).
Now you have access to the decrypted credential contents. If it's a , you can check it's authenticity with:
Credential contents stored in the idOS are encrypted such that only its owner (your user) can make sense of it. Since key management is neither a common nor an expectable practice among non-technical folks, this key is derived from the user's password/passkey. The key derivation process is handled by the idOS secure enclave to enable users to perform .
If they choose Passkey, we'll use their platform authenticator (you can learn more about passkeys ).
An encryptionPublicKey: a key you control that'll be used to decrypt credential contents shared with you. This should be a .
If you wish to consult it, you'll need to use the consumer and we've prepared before. Because these are secret, we need call some code in a private place (i.e., a backend, or maybe scripts you run locally).
Here's an example of how you could achieve that with for an EVM consumer:
See a working example backend on . It has two flavors:
This is accomplished by sharing the user's credential using shareCredentialByGrant which is described in detail in this .
Sharing a credential will create an Access Grant for the passed consumer. We're using some variables from createCredentialByGrant example. so make sure to check it out at
The idOS Consumer Server SDK is designed for application developers who need to access user credentials through access grants and verify them. This package caters specifically to backend needs. It provides an implementation for decrypting and processing credentials, managing access grants, and implementing -compliant credential sharing workflows.
Get and its dependencies with pnpm (or your package manager of choice):
This is used in .
This function enables other obligated entities (see ) to have access to credential after owner approves sharing their credential with you.
Get and its dependencies with pnpm or the equivalent of your package manager of choice:
When using this package, you're going to need to be familiar with how a dApp works with the idOS. Make sure you read before you proceed.
This procedure can only be done by a Permissioned Issuer. Get in touch with us at if you're interested in being one.
Deciding on a user id for a user is an issuer decision. You can use whichever you want, as long as it's an .
The second method allows the issuer, by virtue of being a Permissioned Issuer, to create a credential without a Write Grant. Get in touch with us at if you're interested in being one.
