Skip to main content

Overview

Sometimes a credential needs to be invalidated before it would naturally expire (an employee leaves, a licence is suspended, an enrolment ends). Revocation marks the credential as invalid, so any verifier checking it from that point on sees it as revoked.
Revocation is only supported for sd-jwt credentials today. mdoc credentials don’t currently support revocation through this API. If your use case needs revocation, issue with the sd-jwt format.

You need the credential id

Revocation acts on a credential, not on an issuance — so the id you pass is the credential id, not the issuance id. If that distinction isn’t second-nature yet, read Issuance vs credential first; it covers the resource split, the lifecycles, and how to look ids up later.

Revoke a single credential

HTTP 204 No Content on success. There’s no response body.

Revoke a batch

When you need to revoke many credentials at once, send the ids in one call:
HTTP 204 No Content on success.

What the holder and verifier see

  • In the holder’s wallet. The credential continues to exist but is marked as revoked. The holder can no longer use it to satisfy presentation requests.
  • At verification time. When a verifier checks a presented credential, the platform consults the revocation status as part of the standard verification chain. A revoked credential fails verification, the same as an expired or invalidly signed one.
Revocation is one-way: once revoked, a credential stays revoked. If the user needs an equivalent, issue a fresh credential.