Credential Management
The HID Origo Credential Management API enables issuance and lifecycle management of digital credentials for access control.
A Pass concept is used to represent these digital credentials. A Pass can be thought of as a digital copy of a physical access badge, complete with credentials and visual elements such as artwork. Every Pass is based on a Pass Template that specifies the type of credential(s) to include, along with card artwork, support contact details, platform-specific settings and other metadata.
Support limited to Apple Wallet, Google Wallet and Identity Positioning
This API currently only supports Seos credentials in Apple Wallet, Google Wallet and Identity Positioning credentials. Support for other platforms, such as the HID Origo and Seos SDK, may be added in future releases.
User Records
The Credential Management API does not provide any ability to create or manage user records. User resources referenced by userId are created and managed using the User Management API.
Release Notes
3.3.1
Version 3.3.1 includes the following changes:
- HID has enhanced its support for high-resolution user photo uploads (e.g., 1242×1242 px) on wallet passes by introducing platform-specific dynamic downscaling and extended validation workflows for wallet customers. This enhancement ensures that images are automatically resized to meet each platform’s requirements, delivering optimal resolution rendering across both Apple Wallet and Google Wallet.
- Note: Common image formats, such as PNG, JPEG, JPG can be uploaded; however, the preferred format for the wallet is PNG. If a user uploads a JPEG or JPG, the system will accept it and automatically convert it to PNG format. For all GET operations, the photo will consistently be returned in PNG format.
3.3.0
Version 3.3.0 includes the following changes:
- HID now supports the display of declining balances for credentials provisioned via Google Wallet. This enhancement allows authorized integration partners to push real-time balance updates directly to HID, which are then reflected in the user’s Wallet pass. Currently supported for Google university customers only.
- Note: HID does not process transactions or calculate balances; it only displays the latest balance value. This functionality is only supported on mobile phones; it is not available on wearables such as smartwatches. To enable this functionality, please reach out to your Technology Partner Team for assistance and integration guidance.
3.2.9
Version 3.2.9 includes the following changes:
- We are pleased to announce that support for CampusID customers with Google Wallet is now available.
3.2.8
Version 3.2.8 includes the following changes:
- We are excited to announce the availability of the new Web Push Provisioning API for Apple Wallet and Google Wallet.
- This functionality enables administrator-initiated provisioning for Apple Wallet and Google Wallet, without the need to download and install a provisioning application on the user's device.
Please note: For implementation guidance or to enable this feature for your organization, please contact your integration partner team.
3.2.7
Version 3.2.7 includes the following changes:
- Pass Design: We are excited to introduce support for pass design functionality, enabling seamless integration of SEOS credentials with:
  - Google Wallet
  - Apple Wallet
    - Note: Seamless Pass design integrations from HID Origo to Apple's Business Registry are not supported yet. Further updates will follow as support for this is extended. Please contact your HID representative to assist with manual updates required.
- User Photo ID: User photo uploads are now supported on wallet passes. Only images with exact dimensions of 1242 X 1242 px will be accepted. The supported format for the photo is PNG.
3.2.6
Version 3.2.6 includes the following changes:
- Google Wallet now supports storing multiple credentials in a single pass.
3.2.5
Version 3.2.5 includes the following changes:
- Documentation fix: Scope attribute excluded from the header for PASS Delete and Update API.
3.2.4
Version 3.2.4 includes the following changes:
- The device-limit configuration is being moved from the pass-template configuration level to the organization-level configuration. As a result, the pushProvisioningPolicy attribute is being removed from the pass-template API request and response.
3.2.3
Version 3.2.3 includes the following changes:
- Introducing optional boolean attribute primary in the User Management API email section, indicating the user's primary email address.
- Introduces a new API for deleting a credential once it has been issued. More information can be found in the Credentials section under the Delete endpoint request.
3.2.2
Version 3.2.2 includes the following changes:
- Introduces search user API with limited search options. Only supports externalId search.
- For more information, see the ../.search endpoint in the User Management API.
- Introducing the pushProvisioningPolicy attribute for creating and modifying pass-template requests, which enables support for device limit features. For more information, see the Pass Template with Device Limits section under create and patch pass-template.
- Introducing the new field $.deviceType in Pass resources, indicating the provisioned device type for the pass.
- Introducing $.Name fields in pass-template create and update requests, and in credential template requests.
- Added IDENTITY_POSITIONING application profile in $.profile for credential template requests.
3.2.1
Version 3.2.1 includes the following changes:
- Added support for issuing a single Identity Positioning Credential in a Pass. Refer to the Pass Template with Identity Positioning Credentials example under the create Pass Template section.
- Added an application profile POSITIONING_BEACON in $.profile.
3.2.0
Version 3.2.0 includes the following changes:
- Added support for Google Wallet. Usage of this feature requires adding the mandatory googleWalletConfiguration fields to an existing or new Pass Template. For more information, see all the methods of the ../pass-template endpoint. Provisioning and lifecycle management APIs are unaffected by this change.
- Initial launch supports only one set of credentials to be stored in a Google Wallet pass.
- Added support for displaying role on Passes in Google Wallet. This value is sourced from the roles property of the user record in the User Management API.
3.1.1
Version 3.1.1 includes the following changes:
- Added support for configuring a default Pass Template. For more information, see the POST and PATCH methods of the ../pass-templates endpoint.
3.1.0
Version 3.1.0 includes the following changes:
- Introduces a new set of extension APIs to support updating credential data and metadata associated with a Pass after it has been issued. Refer to the PATCH method for the ../pass/{pass_id} endpoint for details.
- Introduces a new field $.updateStatus to Pass resources to indicate that the pass is being updated when its value is other than NONE.
- Introduces a new field $.platformType to Credential resources to indicate the platform the credential was provisioned to. For example, APPLE_WALLET.
- Introduces two new fields $.platform.type and $.platform.storageType to CredentialContainer resources to indicate provisioning platform and storage type.
- For CredentialContainer resources, the attribute $.id format was changed from string($uuid) to string.
3.0.6
Version 3.0.6 introduces two new fields to Credential resources:
- $.credentialIdentifiers[*].keyset: indicates which keyset was used for the Secure Object
- $.profile: indicates which application profile was used for the Credential
3.0.5
Version 3.0.5 includes the following changes:
- Added support for issuing multiple Credentials in a single Pass. Refer to the Pass Template with Multiple Credentials example under the create Pass Template section.
- Added support for displaying an abbreviated name on Passes in Apple Wallet. This value is sourced from the displayName property of the user record in the User Management API.
- Added ISSUED status for Credential resources.
3.0.4
Version 3.0.4 of the API includes the following changes:
- Added CANCELLED status for Pass resources which is used when a Pass is deleted without reaching an ACTIVE state.
- Added boundary conditions and updated required items for several schemas.
- Corrected pagination default values.
3.0.3
Version 3.0.3 of the API includes the following changes:
- Removed explicit Accept HTTP header parameters, since only a single version is supported.
- Updated sample for updating Pass Template: it is now possible to update the organizationName.
- Updated Credential Template definition to match the implementation. A metaData field is now included.
- Removed the ../credential-container/{credential_container_id}/credential endpoint, as the same information is available on the Credential Container.
Glossary
Term | Definition |
---|---|
Application-ID | The Application Identifier is used to identify an application calling HID Origo APIs. This value is provided by HID Partner Services. Please refer to Authentication for additional details. |
Credential | Represents an access control credential. |
Credential Container | A device capable of holding one or more credentials. Includes mobile phones, smart watches, wearables and cards. The passInstances and credentials are mutually exclusive. |
Issuance Token | A one-time password used to retrieve provisioning instructions and data using the HID Origo SDK. The format/structure of the token is subject to change (but will remain a string). |
Pass | Represents a digital access card, which may contain one or more credentials. |
Pass Template | Defines a template for digital access cards. Controls credential types, artwork and other metadata. |