Organization creation workflow
Create the organization
A user calls POST /orgs with a name, optional logo, and other metadata. The authenticated user is automatically assigned the owner role for the new organization.
Provision an agent
After creation, the owner provisions a dedicated or shared agent for the organization. The agent spin-up process creates a wallet and registers a DID on the chosen ledger.
Invite members
The owner or admin sends invitations via POST /orgs/:orgId/invitations. Each invitation specifies the invitee's email address and their intended role.
Invitee accepts
The invitee receives an email and accepts the invitation. Their invitation status transitions from pending → accepted. Rejection is also possible (rejected); accepted and rejected are terminal states.
Organization roles
CREDEBL uses role-based access control (RBAC) defined by the OrgRoles enum. Each role grants specific permissions within an organization.
| Role | Value | Description |
|---|---|---|
| owner | owner | Full control of the organization. Can manage all members, roles, agents, and credentials. Can delete the organization. |
| admin | admin | Manages members and roles. Can create schemas and credential definitions. Cannot delete the organization. |
| issuer | issuer | Can issue credentials to holders and manage issuance records. |
| verifier | verifier | Can send proof requests and verify presentations. |
| member | member | Read-only access to organization resources (dashboard, credentials, proofs). |
| holder | holder | Can view issued credentials for the organization. |
| super_admin | super_admin | Elevated admin privileges within the organization. |
| platform_admin | platform_admin | Platform-level administrator. Can register and map all organizations. |
| Ecosystem Lead | Ecosystem Lead | Governs an ecosystem. Can invite and manage ecosystem member organizations. |
| Ecosystem Member | Ecosystem Member | Participates in an ecosystem as a member organization. |
Role capabilities in detail
Owner
- Create, update, and delete the organization
- Invite and remove members
- Update member roles
- Access organization dashboard, users, DIDs, and invitations
- Manage agent and wallet configuration
- Create and delete client credentials
- Delete issuance and verification records
- Access activity count and all platform organizations (when Ecosystem Lead)
Admin
- Invite and remove members
- Update member roles
- Create schemas and credential definitions
- Access organization dashboard, users, DIDs, and invitations
- Update organization details
Issuer
- Create credential offers (including OOB offers via email)
- Upload CSV files for bulk issuance
- Download and manage bulk issuance templates
- Access issued credentials and file upload records
- Fetch organization schemas and credential definitions
Verifier
- Send proof requests to connections
- Send out-of-band proof requests
- Verify presented proofs
- Access proof presentation records
- Fetch schemas and credential definitions
Member
- View organization dashboard
- View schemas, credential definitions, credentials, and proofs
- Read-only access — no issuance or verification actions
Ecosystem Lead
- Create and manage an ecosystem
- Invite organizations to the ecosystem
- Remove ecosystem members
- Update ecosystem member status (ACTIVE / INACTIVE)
- Access all platform organizations for ecosystem management
Permissions by endpoint
Key endpoints and which roles can access them:
| Endpoint | Allowed Roles |
|---|---|
| GET /orgs/:orgId | owner, admin, issuer, verifier, member |
| PUT /orgs/:orgId | owner, admin |
| DELETE /orgs/:orgId | owner |
| GET /orgs/:orgId/roles | owner, admin |
| POST /orgs/:orgId/invitations | owner, super_admin, admin |
| PUT /orgs/:orgId/user-roles/:userId | owner, admin |
| GET /orgs/:orgId/dids | owner, admin, issuer, member |
| PUT /orgs/:orgId/primary-did | owner, admin, issuer, verifier, member |
| POST /orgs/:orgId/client_credentials | owner |
| POST /orgs/:orgId/credentials/offer | owner, admin, issuer |
| POST /orgs/:orgId/proofs | owner, admin, verifier |
| POST /orgs/:orgId/proofs/:proofId/verify | owner, admin, verifier |
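The table above is easiest to reason about as a deny-by-default allowlist. The following is an added example, not CREDEBL's own guard code: it transcribes the table into route rules, matches the request path against each template, and, because a role is granted per organization (see the private endpoint note below), refuses a request whenever the :orgId in the path is not the organization the caller's role belongs to. The Membership shape, the function names and the returned Decision object are assumptions of this example.

```typescript
// Added example (not CREDEBL's own code): an endpoint guard that encodes the
// "Permissions by endpoint" table. Role names and routes come from the page;
// the Membership shape and function names are assumptions of this example.

type Role = "owner" | "admin" | "issuer" | "verifier" | "member" | "super_admin";

interface Membership {
  userId: string;
  orgId: string; // the organization in which this role was granted
  role: Role;
}

interface Rule {
  method: "GET" | "POST" | "PUT" | "DELETE";
  pattern: string; // route template with :params, as written in the table
  roles: readonly Role[];
}

// Allowlist transcribed from the table; any route not listed here is denied.
const RULES: readonly Rule[] = [
  { method: "GET", pattern: "/orgs/:orgId", roles: ["owner", "admin", "issuer", "verifier", "member"] },
  { method: "PUT", pattern: "/orgs/:orgId", roles: ["owner", "admin"] },
  { method: "DELETE", pattern: "/orgs/:orgId", roles: ["owner"] },
  { method: "GET", pattern: "/orgs/:orgId/roles", roles: ["owner", "admin"] },
  { method: "POST", pattern: "/orgs/:orgId/invitations", roles: ["owner", "super_admin", "admin"] },
  { method: "PUT", pattern: "/orgs/:orgId/user-roles/:userId", roles: ["owner", "admin"] },
  { method: "GET", pattern: "/orgs/:orgId/dids", roles: ["owner", "admin", "issuer", "member"] },
  { method: "PUT", pattern: "/orgs/:orgId/primary-did", roles: ["owner", "admin", "issuer", "verifier", "member"] },
  { method: "POST", pattern: "/orgs/:orgId/client_credentials", roles: ["owner"] },
  { method: "POST", pattern: "/orgs/:orgId/credentials/offer", roles: ["owner", "admin", "issuer"] },
  { method: "POST", pattern: "/orgs/:orgId/proofs", roles: ["owner", "admin", "verifier"] },
  { method: "POST", pattern: "/orgs/:orgId/proofs/:proofId/verify", roles: ["owner", "admin", "verifier"] },
];

// Match a concrete request path against a route template; returns the captured
// :params, or null when the template does not match.
function matchPath(pattern: string, path: string): { [name: string]: string } | null {
  const tpl = pattern.split("/").filter((s) => s.length > 0);
  const seg = path.split("?")[0].split("/").filter((s) => s.length > 0);
  if (tpl.length !== seg.length) return null;
  const params: { [name: string]: string } = {};
  for (let i = 0; i < tpl.length; i++) {
    if (tpl[i].charAt(0) === ":") {
      params[tpl[i].slice(1)] = decodeURIComponent(seg[i]);
    } else if (tpl[i] !== seg[i]) {
      return null;
    }
  }
  return params;
}

interface Decision { allowed: boolean; reason: string; }

// Deny by default. A role only counts inside the organization that granted it,
// so an owner of org A gets no access to org B's resources through that role.
function authorize(m: Membership, method: string, path: string): Decision {
  for (let i = 0; i < RULES.length; i++) {
    const rule = RULES[i];
    if (rule.method !== method) continue;
    const params = matchPath(rule.pattern, path);
    if (params === null) continue;
    if (params["orgId"] !== m.orgId) {
      return { allowed: false, reason: "role " + m.role + " was granted in " + m.orgId + ", not " + params["orgId"] };
    }
    if (rule.roles.indexOf(m.role) === -1) {
      return { allowed: false, reason: m.role + " may not " + method + " " + rule.pattern };
    }
    return { allowed: true, reason: "allowed by rule " + method + " " + rule.pattern };
  }
  return { allowed: false, reason: "no rule for " + method + " " + path };
}
```

The organization check runs before the role check on purpose: a caller who holds a role in some other organization should be told the resource is out of scope, not that their role is insufficient, and no route reaches the role comparison with a mismatched :orgId.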
Public vs. private organizations
Organizations can expose a public profile accessible without authentication via GET /orgs/public-profiles/:orgSlug (a single profile by slug) and GET /orgs/public-profile (a paginated list). Public profiles allow external parties to discover and learn about an organization without requiring membership.
The private organization detail endpoint GET /orgs/:orgId requires authentication and an appropriate role within that organization.
Client credentials for machine-to-machine access
For automated or server-to-server API access, CREDEBL supports OAuth 2.0 client credentials. This allows a backend application to authenticate as an organization without a user session.
Creating client credentials
Only the organization owner can create client credentials (POST /orgs/:orgId/client_credentials):
The response contains a clientId and clientSecret. Store the secret securely — it cannot be retrieved again.
Obtaining an access token
Exchange the client credentials for a bearer token:
session_id cookie. Use the token as a Bearer token in subsequent API calls.
Fetching existing credentials
Members with owner, admin, issuer, verifier, or member roles can retrieve the current client ID (but not the secret) via:
Client credentials are scoped to a single organization. Each organization has at most one client credential pair. Deleting and recreating credentials invalidates the previous secret.
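The three properties just stated (the secret is shown once and cannot be retrieved, one pair per organization, recreating invalidates the previous secret) follow from how the server stores the pair. The block below is an added example, not CREDEBL's own implementation: it keeps only a hash of the secret keyed by organization, compares the hash in constant time at token exchange, and exposes a lookup that returns the client ID and nothing else. The store layout, the id and secret formats, and the opaque token format are assumptions of this example.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Added example (not CREDEBL's own code): a minimal server-side store showing the
// properties stated above: one pair per organization, the secret is returned once
// and only its hash is kept, and recreating the pair invalidates the old secret.
// Names, the id/secret formats and the token format are assumptions of this example.

interface StoredCredential {
  clientId: string;
  secretHash: string; // hex SHA-256 of the secret; the secret itself is never stored
  createdAt: number;
}

// Keyed by orgId, which is what enforces "at most one pair per organization".
const store: { [orgId: string]: StoredCredential } = {};

function hashSecret(secret: string): string {
  // Plain SHA-256 is adequate here because the secret is 32 random bytes rather
  // than a human-chosen password, so offline guessing is not a realistic threat.
  return createHash("sha256").update(secret, "utf8").digest("hex");
}

// Returns the pair exactly once; the caller must persist clientSecret itself.
function createClientCredentials(orgId: string): { clientId: string; clientSecret: string } {
  const clientId = "client-" + randomBytes(8).toString("hex");
  const clientSecret = randomBytes(32).toString("base64");
  // Overwrites any previous pair for this organization.
  store[orgId] = { clientId: clientId, secretHash: hashSecret(clientSecret), createdAt: Date.now() };
  return { clientId: clientId, clientSecret: clientSecret };
}

// What a "fetch existing credentials" call may reveal: the id, never the secret.
function getClientId(orgId: string): string | undefined {
  return store[orgId] ? store[orgId].clientId : undefined;
}

function deleteClientCredentials(orgId: string): boolean {
  if (!store[orgId]) return false;
  delete store[orgId];
  return true;
}

// Token exchange: find the pair by id, then compare hashes in constant time.
function exchangeForToken(clientId: string, clientSecret: string): string | null {
  const orgIds = Object.keys(store);
  for (let i = 0; i < orgIds.length; i++) {
    const cred = store[orgIds[i]];
    if (cred.clientId !== clientId) continue;
    const expected = Buffer.from(cred.secretHash, "hex");
    const candidate = Buffer.from(hashSecret(clientSecret), "hex");
    if (expected.length === candidate.length && timingSafeEqual(expected, candidate)) {
      // A real service would issue a signed token scoped to orgIds[i]; an opaque
      // random token keeps this example self-contained.
      return "tok-" + orgIds[i] + "-" + randomBytes(16).toString("hex");
    }
    return null; // id known, secret wrong
  }
  return null; // id unknown
}

// True only if the plaintext secret appears anywhere in persisted state.
function secretIsRecoverable(secret: string): boolean {
  return JSON.stringify(store).indexOf(secret) !== -1;
}
```

Because the lookup at exchange time goes by clientId and the stored hash is replaced whenever a pair is recreated, an old secret fails for two independent reasons after rotation: its clientId no longer exists, and even a reused id would not match the new hash.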
Inviting members
Invitations are sent in bulk by posting an array of email addresses with their intended roles to POST /orgs/:orgId/invitations. Invitations can be listed with GET /orgs/:orgId/invitations and deleted with DELETE /orgs/:orgId/invitations/:invitationId. Only owner, super_admin, and admin roles can send invitations.
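The invite step of the creation workflow (invite members, invitee accepts) and this section together describe a small state machine: a batch of invitations is created in the pending state by an owner, super_admin or admin, and each one moves exactly once to accepted or rejected. The following is an added example, not CREDEBL's own code, that implements those rules; the function names, the data shapes, the whole-batch validation and the check that the responding user's email matches the invitee's are assumptions of this example.

```typescript
// Added example (not CREDEBL's own code): the invitation lifecycle from the
// workflow above (invite members, invitee accepts) and from this section. The
// status values, the pending -> accepted/rejected transitions and the sender-role
// rule come from the page; the function names, the data shapes and the check that
// the responding user's email matches the invitee's are assumptions of this example.

type InvitationStatus = "pending" | "accepted" | "rejected";
type InviteRole = "owner" | "admin" | "issuer" | "verifier" | "member" | "holder";

interface Invitation {
  id: string;
  orgId: string;
  email: string;
  role: InviteRole;
  status: InvitationStatus;
}

// Roles allowed to call POST /orgs/:orgId/invitations.
const INVITER_ROLES = ["owner", "super_admin", "admin"];

function normalizeEmail(email: string): string {
  return email.trim().toLowerCase();
}

// Bulk send. Every entry is validated before any invitation is created, so a
// bad entry rejects the whole batch instead of leaving it half-created.
function sendInvitations(
  senderRole: string,
  orgId: string,
  entries: { email: string; role: InviteRole }[]
): Invitation[] {
  if (INVITER_ROLES.indexOf(senderRole) === -1) {
    throw new Error("role " + senderRole + " may not send invitations");
  }
  const seen: { [email: string]: boolean } = {};
  for (let i = 0; i < entries.length; i++) {
    const email = normalizeEmail(entries[i].email);
    if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
      throw new Error("invalid email address: " + entries[i].email);
    }
    if (seen[email]) throw new Error("duplicate invitee in batch: " + email);
    seen[email] = true;
  }
  return entries.map((e, i) => ({
    id: "inv-" + orgId + "-" + (i + 1), // constructed id; a real system would use a UUID
    orgId: orgId,
    email: normalizeEmail(e.email),
    role: e.role,
    status: "pending" as InvitationStatus,
  }));
}

// pending -> accepted | rejected. Both results are terminal, so responding to an
// invitation that has already been answered is an error, not a silent overwrite.
function respond(inv: Invitation, responderEmail: string, decision: "accepted" | "rejected"): Invitation {
  if (inv.status !== "pending") {
    throw new Error("invitation " + inv.id + " is already " + inv.status);
  }
  if (normalizeEmail(responderEmail) !== inv.email) {
    throw new Error("invitation " + inv.id + " was not addressed to " + responderEmail);
  }
  return { id: inv.id, orgId: inv.orgId, email: inv.email, role: inv.role, status: decision };
}
```

Returning a new object from respond rather than mutating the input keeps the terminal-state check meaningful: the pending record is never silently turned into something else by a second call.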