Workday Credentials & WayTo™ by Workday

Workday Credentials & WayTo by Workday leverage innovative blockchain technology to securely issue and verify credentials, offering a frictionless way to automate verification of data. And now, individuals can personally manage their own profile of verified credentials with WayTo by Workday to easily prove their qualifications.

Workday Credentials & WayTo by Workday are a set of services and utilities that support two main flows:

Issuers offer verifiable credentials to users

An issuer is any entity that wishes to relinqiush and publicly attest to the veracity of data pertaining to a user. Public attestation comes in the form of a digital signature. When an issuer offers a credential to a user, Workday Credentials cryptographically signs the data in each credential with the issuer's private key before offering it to the user. The signing key's corresponding public key is written to a public ledger and is declared as belonging to the issuer, so that anyone can use that public key to verify the signature embedded in a user's digital credentials and establish trust in a credential's authenticity. overview issuance

While in a user's possession, all verifiable credentials are stored encrypted, using a user's personal encryption key, which is accessible only after direct authentication by a user. This approach to storing user data acts a bit like a safety deposit box. The user must explicitly allow access to the data each time by unlocking their decryption key.

Verifiers request verified credentials from users

Once users are in posession of verifiable credentials, they may share them with Verifiers that request them. Workday Credentials provides tools and APIs that allow application developers to request verifiable credentials. overview verification

Requesting verifiable data from users begins with the Verifier registering a Proof Request for their app. The proof request defines the set of information that the verifier is requesting from the user. A single Proof Request can contain requests for information from many schemas (e.g. name, email and last 3 jobs), each with its own set of trusted issuers.

Organizations

What is an Org?

If you're considering building an application using Workday Credentials, the first thing you'll need to do is establish your organization. This is a manual process.

Once your organization is setup, you can navigate to Credential Administrator with a URL like so:

https://credentials.workday.com/[org]

Structure of an Org

Organizations in Cred Admin are modeled to support the 2 primary application flows: issuance & verification, as well as a layer of authentication.

org model2

Authentication keys are managed at the Application level. After creating an Application in Cred Admin, you must download the secrets that let you authenticate as that application. (Most notably a client ID and private key for use in producing a signed JWT token. See Authentication for more details.).

Once an application exists, Issuers and Verifiers can be created and associated with the application. When the APIs for issuance or verification are invoked, authentication is performed using the associated Application's secrets. In turn, Credentials are the input of the Offer API and Proof Requests the input of the Verification APIs.