Oliu™ exposes a REST API for credential issuance, lifecycle management, and verification activity. This page describes the architecture at a level your technical team can evaluate — not the full specification. For implementation detail, Oliu™ delivers complete technical documentation during integration onboarding.
Five components work together in the Oliu™ network. Your integration connects to the first of them — the Oliu™ API.
The system at your organization that originates credentials — a learning management system, credential management system, registration system, or custom platform. Your system calls the Oliu™ API when it needs a credential issued, updated, or revoked.
A REST API, JSON over HTTPS, OAuth 2.0 authenticated. Your organization's system integrates here. Every operation — issue, revoke, query, receive lifecycle events — runs through the API.
Oliu™'s public trust layer. Holds the public keys of accredited issuers and the revocation status of credentials. Verifiers check against the registry; it does not store the content of credentials.
The holder's device. Credentials are delivered here at issuance and presented from here at verification. Your system does not communicate with the wallet directly — delivery and presentation are orchestrated through the Oliu™ API and the trust registry.
The party confirming a credential — an employer's hiring platform, a regulator's inspection tool, a site-access system. Verifiers interact with the holder's wallet (to receive the presentation) and with the trust registry (to confirm the cryptographic signature). Your organization does not communicate with verifiers once credentials are issued.
Credentials on Oliu™ follow the W3C Verifiable Credentials Data Model v2.0, as JSON-LD documents. Your organization is identified by a did:web Decentralized Identifier resolvable through a standard web address under your own domain. Each credential is cryptographically signed by your organization's key, following standard cryptographic suites aligned to the W3C specification.
A typical issued credential, simplified:
{
  "@context": [
    "https://www.w3.org/ns/credentials/v2",
    "https://schemas.oliu.ca/v1/workplace-safety"
  ],
  "type": ["VerifiableCredential", "WorkplaceSafetyTicket"],
  "issuer": "did:web:example-regulator.ca",
  "validFrom": "2026-04-15T00:00:00Z",
  "validUntil": "2029-04-15T00:00:00Z",
  "credentialSubject": {
    "id": "did:key:z6Mk...",
    "qualificationType": "Workplace Safety",
    "qualificationLevel": "Level 2",
    "completedOn": "2026-04-12"
  },
  "proof": {
    "type": "DataIntegrityProof",
    "cryptosuite": "eddsa-rdfc-2022",
    "verificationMethod": "did:web:example-regulator.ca#key-1",
    "proofValue": "..."
  }
}
Credentials validate against the schema your organization registered during Stage 2 of onboarding. The schema is its own JSON-LD document, published under a stable URL; credentials reference the schema via @context, so any verifier can interpret the credential's fields consistently.
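The checks a verifier can run on a credential of this shape before it verifies the proof, as an added example that is not Oliu™ code or part of its API: where the issuer's did:web document lives, whether the signing key sits under the issuer's DID, and whether the validity window holds. The function names and the cryptosuite allow-list are assumptions, and the signature itself is not verified here.

```python
from datetime import datetime, timezone

ALLOWED_CRYPTOSUITES = {"eddsa-rdfc-2022"}  # assumed verifier policy; suite from the page's sample

def did_web_to_url(did):
    """Map a did:web identifier to its DID document URL (did:web method rules)."""
    if not did.startswith("did:web:"):
        raise ValueError("not a did:web identifier")
    host, *segments = did[len("did:web:"):].split(":")
    host = host.replace("%3A", ":").replace("%3a", ":")  # a port is percent-encoded
    if not host or "/" in host or any(s in ("", ".", "..") or "/" in s for s in segments):
        raise ValueError("malformed did:web identifier")
    if segments:
        return "https://" + host + "/" + "/".join(segments) + "/did.json"
    return "https://" + host + "/.well-known/did.json"

def _ts(value):
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError("timestamp lacks a time zone")
    return ts

def precheck(cred, now):
    """Return a list of problems; an empty list means 'go on to verify the proof'."""
    issuer = cred.get("issuer")
    issuer = issuer.get("id") if isinstance(issuer, dict) else issuer
    proof = cred.get("proof")
    if not isinstance(issuer, str) or not isinstance(proof, dict):
        return ["issuer or proof missing or in a form this example does not handle"]
    problems = []
    if "VerifiableCredential" not in cred.get("type", []):
        problems.append("type lacks VerifiableCredential")
    if proof.get("cryptosuite") not in ALLOWED_CRYPTOSUITES:
        problems.append("cryptosuite not allowed")
    # A key under some other DID must never be accepted for this issuer.
    if str(proof.get("verificationMethod", "")).split("#")[0] != issuer:
        problems.append("verificationMethod is not under the issuer DID")
    try:
        if "validFrom" in cred and now < _ts(cred["validFrom"]):
            problems.append("not yet valid")
        if "validUntil" in cred and now > _ts(cred["validUntil"]):
            problems.append("expired")
    except (ValueError, AttributeError, TypeError):
        problems.append("unparseable validity timestamp")
    return problems

# Constructed sample: the fields of the page's simplified credential that the checks read.
SAMPLE = {"type": ["VerifiableCredential", "WorkplaceSafetyTicket"],
          "issuer": "did:web:example-regulator.ca",
          "validFrom": "2026-04-15T00:00:00Z", "validUntil": "2029-04-15T00:00:00Z",
          "proof": {"type": "DataIntegrityProof", "cryptosuite": "eddsa-rdfc-2022",
                    "verificationMethod": "did:web:example-regulator.ca#key-1"}}
```

A credential that passes still needs its proof verified against the issuer's public key and its revocation status checked, which this page places with the trust registry.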
The Oliu™ API uses OAuth 2.0 client credentials. Your organization receives a client ID and client secret at onboarding, scoped to your organization's issuer account. Every API request carries a bearer token obtained through standard OAuth 2.0 client-credentials flow. Tokens expire and refresh on a conventional schedule.
For credential signing, your organization's private signing key can be managed in one of two ways:
Oliu™ generates and manages your organization's signing keys in a hardened key management service. Your team does not handle the key directly. Rotation and recovery are handled by Oliu™ under documented procedures.
Your organization generates and manages its own signing keys, following Oliu™'s documented requirements. This option suits organizations with existing key management infrastructure and security policies that require it. Oliu™ provides tooling and procedures for key rotation, recovery, and retirement.
Both options are supported at launch. The choice is made during accreditation, based on your organization's security posture and preference.
The API covers four categories of operation. Each is documented fully in the technical reference delivered with onboarding.
Your system sends credential data to the API, referencing the schema you've registered. The API signs the credential with your organization's key, registers it on the network, and delivers it to the holder's wallet.
Credentials can be renewed, updated, or revoked through the API. Revocation takes effect immediately and is visible to any verifier running a check from that point forward.
Your system can query the status of any credential your organization has issued — active, renewed, revoked, expired — and retrieve issuance metadata for audit and reporting purposes.
Oliu™ delivers lifecycle and operational events to your organization's webhook endpoints. See the next section for the categories.
Oliu™ sends webhook events to your organization so your systems stay in sync with the network. Three categories are delivered.
When a credential your organization issued is successfully delivered to the holder's wallet, your system receives a confirmation event. This closes the loop between your issuance request and the credential landing in the holder's possession.
When a credential your organization issued is updated, renewed, revoked, expires, or the holder takes an action affecting its state (e.g., wallet recovery), your system receives a corresponding event.
Oliu™ delivers aggregate data about how credentials your organization issued are being verified — volume, timing, geographic distribution. Not who verified what specific credential, but the patterns of how your credentials are being used across the network. Privacy is preserved at the holder level; operational visibility is preserved at the issuer level.
The Oliu™ platform is built and hosted 100% in Canada. Data residency, jurisdictional alignment, and operational presence are all Canadian. The platform aligns with W3C Verifiable Credentials, the DIACC Pan-Canadian Trust Framework, and Digital Governance Standards Institute guidance, and is DIACC PCTF certified.
Every API request is encrypted in transit over TLS. Credentials are signed at the moment of issuance with cryptographic keys that only your organization (or Oliu™ on your organization's behalf) controls. The integrity of every credential is mathematically verifiable without contact with your organization's systems after issuance.
Full detail on the security model — including authentication, key management, encryption at rest, operational security posture, and audit procedures — is delivered with onboarding documentation and reviewed during accreditation.
API access is provided to accredited issuers. Your organization becomes an accredited issuer through Oliu™'s accreditation review — the first stage of onboarding. Technical documentation, API credentials, and the integration path are provided to your team once accreditation is complete.
Development environments — for testing integration against the API before issuing live credentials — are part of the onboarding package.