Check out the YouTube video of this tutorial for a complete walkthrough and explanation of the concepts.
Most real-world credential issuance flows don’t start from scratch. They build on existing identity systems like OAuth2 servers, institutional logins, and internal APIs. Paradym is designed to sit on top of that reality, not replace it.
With authorization servers and external attribute providers, you can connect those existing systems directly into your issuance flow. The result: authenticated users, dynamic data retrieval, and zero duplication of personal data. In this guide, we’ll walk you through the setup and configuration of both.
Again, check out the YouTube video below for a complete walkthrough of the concepts by Henrique. Let’s get into it!
Why this matters
Verifiable credentials are most useful when they reflect authoritative and up-to-date data. Instead of copying user data into your issuance platform and manually issuing or verifying data, you can:
- Authenticate users via your existing OAuth2 provider
- Fetch attributes from your backend at issuance time
- Keep your system as the single source of truth
This aligns with how modern digital identity systems are evolving, especially in the context of EUDI wallets, where users authenticate and share attributes directly from trusted sources.
Before you begin
This tutorial uses Paradym, a digital identity platform for developers to issue, verify, and manage verifiable credential interactions.
If you don't have an account yet, you can start with our quick start guide. The features in this tutorial are available on the Custom tier. For more context on the features you can look at the docs on Authorization Servers and Attribute Providers.
How it works (high-level flow)
The full flow combines three components:
- The authorization server (OAuth2) handles user authentication
- The attribute provider (your backend) returns user-specific data
- The credential template (Paradym) connects everything into an issuance flow
At runtime:
- The wallet initiates issuance (via OpenID4VC)
- The user authenticates through your OAuth2 server
- Paradym receives an access token
- Paradym calls your attribute provider
- Your backend returns the credential data
- The credential is issued
No user data is stored in Paradym; everything is resolved dynamically at issuance time.
Step 1: Configure an authorization server

Go to: Dashboard → Settings → Authorization Servers to create a new authorization server and provide:
- Name and identifier URL of your OAuth2 / OpenID provider
- Client authentication details you need to connect to the provider
- (optionally) A trusted wallet that you want to enforce
- (optionally) The redirect URI to ensure a return to the wallet after authentication
Once you add the authorization server, it is configured in Paradym. This setup enables the authorization code flow, where the wallet handles redirects and login. At this point, Paradym is able to delegate authentication entirely to your existing identity system.
Step 2: Configure an external attribute provider

Next, go to: Settings → Attribute Providers, to create a new provider with:
- Name (e.g. “University Integration API”) and endpoint URL of the attribute provider that will be used to get user attributes during issuance.
- API key (sent as a header) used to authenticate the request
During issuance, Paradym sends a request to this endpoint that includes the OAuth2 access token, and your backend returns the credential attributes. This keeps your backend fully in control of what gets issued, and when.
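The checks an attribute provider endpoint should make before returning data, as an added example (not Paradym's code or its documented request format). The `x-api-key` header name, the `access_token` request field, the response shape, and the in-memory introspection table and user store are assumptions constructed for illustration.

```python
import hmac
import time

# All names below are assumptions for illustration: the header name, the
# request field carrying the token, and the response shape are not taken
# from Paradym's documentation.
API_KEY_HEADER = "x-api-key"
EXPECTED_API_KEY = "constructed-demo-key"  # load from a secret store in practice
REQUIRED_SCOPE = "email"                   # the scope required by the template

# Constructed stand-in for the OAuth2 server's token introspection (RFC 7662).
INTROSPECTION = {
    "tok-alice": {"active": True, "sub": "alice", "scope": "openid email", "exp": 4102444800},
    "tok-noscope": {"active": True, "sub": "bob", "scope": "openid", "exp": 4102444800},
    "tok-expired": {"active": True, "sub": "alice", "scope": "openid email", "exp": 1},
}

# Constructed user store: the backend stays the single source of truth.
USERS = {"alice": {"email": "alice@university.example", "degree": "BSc Computer Science"}}


def handle_attribute_request(headers, body, now=None):
    """Return (http_status, json_body) for one attribute request.

    `headers` is expected to use lower-case keys.
    """
    now = time.time() if now is None else now
    # 1. Authenticate the caller with a constant-time comparison.
    supplied = headers.get(API_KEY_HEADER, "")
    if not hmac.compare_digest(supplied.encode(), EXPECTED_API_KEY.encode()):
        return 401, {"error": "invalid_api_key"}
    # 2. Validate the user's access token against the authorization server.
    claims = INTROSPECTION.get(body.get("access_token", ""))
    if not claims or not claims["active"] or claims["exp"] <= now:
        return 401, {"error": "invalid_token"}
    if REQUIRED_SCOPE not in claims["scope"].split():
        return 403, {"error": "insufficient_scope"}
    # 3. Identify the user from the token only; ignore any user id in the body.
    user = USERS.get(claims["sub"])
    if user is None:
        return 404, {"error": "unknown_subject"}
    return 200, {"attributes": dict(user)}
```

Because the subject comes only from the validated token, a request body that names a different user cannot change which attributes are returned.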
Step 3: Connect both to a credential template

Now you can create a credential template used to issue credentials, or update one you already have, to include the authorization server and attribute provider.
In: Templates → Edit template, go to the external integrations section:
- Select your attribute provider
- Set Authorization type = OAuth2
- Select your authorization server
- Define required scopes (e.g. email)
From this point on, every issuance using this template requires authentication, and the attributes are fetched dynamically per user.
Step 4: Trigger issuance from your application

Issuance is typically triggered via your backend using the API. For example, you create an issuance offer:
- Your app calls Paradym’s API
- A QR code or deep link is returned
- The user scans it with their wallet to continue the user flow
The Paradym API is designed for exactly this type of integration: programmatically creating templates, issuing credentials, and verifying presentations. Once the user scans the QR code, they are redirected to the configured authorization server. The credential they are issued is populated from the data returned by the attribute provider backend.
Step 5: Done! 🚀

That's it! A complete end-to-end integrated flow, where Paradym does not store any of the personal data you want to issue.
This feature of authorization servers and attribute providers turns Paradym into a thin orchestration layer on top of your existing infrastructure. You keep your identity system, your data models, and your business logic.
Paradym adds:
- Standards-based issuance (OpenID4VC, SD-JWT, etc.)
- Wallet interoperability
- A clean API and dashboard for orchestration
The result is an integrated architecture where you can join the EUDI ecosystem with the system you already have.
Continue building 🚀
We’ve connected OAuth2 authentication and external attribute providers to our issuance flow, integrated everything into our application, and turned our existing systems into a fully dynamic credential engine. Now you can continue building the rest of your solution!
Don’t forget to join the Paradym Community Slack and show us all of the awesome things you’re building (or ask us any questions).

