You want to start developing with Hyperledger Aries and Aries Cloud Agent Python (ACA-py), but you think the documentation is scattered, and the examples are unclear. Then this guide is for you. We are getting started from step 0. In this step-by-step guide I will explain how to set up your local development environment, run two ACA-py instances that create a connection between them, and issue a credential from one to the other.
VON-network
Before we can issue a credential, we need to create a credential definition, and before we can create a credential definition we need a schema. Both the schema and the credential definition are recorded on a Hyperledger Indy ledger. You can connect ACA-py to an existing hosted ledger, but in this guide we are going to connect to a locally running ledger. The locally running ledger has the advantage that you have full control over what is happening, which makes debugging a lot easier.
The von-network repository makes running a Hyperledger Indy network on your machine a breeze. To run a VON-network on your machine, you need to have the docker and docker-compose command available on your machine.
Make a checkout of VON-network:
1
$ git clone https://github.com/bcgov/von-network
Run the VON-network:
1
2
$ cd von-network
$ ./manage start --logs
This will start 4 Indy nodes and one webserver. It will show the log output of all of them. You can stop watching the logs by pressing Ctrl-C, but it will not stop the nodes and webserver. You can see they are still running by running docker ps. To stop the VON-network, you can run:
There are two important things to know about the Indy ledger. First, to connect to a ledger, you need to get its genesis file/transaction. With VON-network you can use the URL to the genesis file directly localhost:9000/genesis. With other ledgers it might work differently. The second thing to know is that to create a schema and credential definition, you need to have a DID registered on the ledger. This is where you can use the “Authenticate a New DID” part for.
With the VON-network running, it is time to set up ACA-py.
ACA-py
There are different ways of running ACA-py. You can run it as a stand-alone application, and you can run it in a docker container.
Stand-alone
ACA-py is a Python application (duh!) that can be run as a command-line application. It is available as a Python package:
1
$ pip3 install aries-cloudagent
Or you can install the latest version from the repository:
Either way, both of them depend on the python3-indy dependency. python3-indy is a client library to communicate with libindy. libindy is an Ubuntu package (written in Rust) which can create and manage a wallet. The wallet will store information like connection records, credential exchange records and the credentials themselves.
If the installation of both ACA-py and libindy succeeded, you should be able to run:
1
2
3
4
5
6
7
8
9
10
11
$ aca-py --help
usage: aca-py [-h][-v]{provision,start} ...
positional arguments:
{provision,start} provision Provision an agent
start Start a new agent process
optional arguments:
-h, --help show this help message and exit -v, --version print application version and exit
Docker
If you don’t want to install all of this on your machine, you can also run ACA-py in a docker container. There are ready-made images available at hub.docker.com/r/bcgovimages/aries-cloudagent which contain ACA-py and all the necessary dependencies. You can run it like:
1
2
3
4
5
6
7
8
9
10
11
$ docker run --net=host bcgovimages/aries-cloudagent:py36-1.16-0_0.6.0 --help
usage: aca-py [-h][-v]{provision,start} ...
positional arguments:
{provision,start} provision Provision an agent
start Start a new agent process
optional arguments:
-h, --help show this help message and exit -v, --version print application version and exit
As you can see the commands added to the end are passed directly to ACA-py. The examples I give below assume that you have the aca-py command available, but you can substitute them with docker run --net=host bcgovimages/aries-cloudagent:py36-1.16-0_0.6.0 as well.
Starting two ACA-py instances
In this example I’m going to start two ACA-py instances, one called Alice, the other called Bob. Alice will be acting as an issuer. You can imagine Alice to be a party that will issue you a credential, like a drivers license, a padi certificate, or the credential for your use-case. Bob will be the receiver and holder of the credential. As an end-user you will probably not be running an ACA-py instance to hold the credentials for you, instead you will be using a Wallet App, for example the Trinsic.id app. However, when you are developing locally, it is easier to use an ACA-py instance to do that for you.
What about the demo?
The aries-cloudagent-python repository contains a folder called demo. You can run the demo which demonstrates how two instances can connect, issue a credential, and more. What is the difference between the demo, and the examples I’m showing here?
In the demo, you start a thing they call a “runner”. The runner consists of an “agent” and a “controller”. These terms are all really confusing and don’t help you with understanding what it is. The “agent” in this case, is an instance of ACA-py. The “controller” in this case, it the code that interacts with the HTTP Admin Endpoints of ACA-py. If you take a look at the code you can see that ACA-py is started here:
Instead of running ACA-py in the terminal like we are doing here, they use python -m ... to do exactly the same.
The “controller” part is the part that interacts with the Admin Endpoints of ACA-py. For example, you can find the code that calls the endpoint to create an invitation right here:
asyncdefget_invite(self,use_did_exchange:bool,auto_accept:bool=True):self.connection_id=Noneifuse_did_exchange:# TODO can mediation be used with DID exchange connections?invi_rec=awaitself.admin_POST("/out-of-band/create-invitation",{"handshake_protocols":["rfc23"]},params={"auto_accept":json.dumps(auto_accept)},)else:ifself.mediation:invi_rec=awaitself.admin_POST("/connections/create-invitation",{"mediation_id":self.mediator_request_id},params={"auto_accept":json.dumps(auto_accept)},)else:invi_rec=awaitself.admin_POST("/connections/create-invitation")returninvi_rec
To make your life easier, the demo combines the starting of an ACA-py instance, and the controller part and calls it a “runner”. So, whenever you start a runner, ACA-py will be started for you.
In the examples I’m giving below, we are not going to use the demo runners, as that is something you probably want don’t want to run for your application. Instead, we are going to start ACA-py ourselves. The “controller” parts are going to be done using curl commands. That is basically the same as using the Swagger/OpenAPI documentation that comes shipped with ACA-py.
The application you develop, the one that talks to the ACA-py Admin Endpoints, is called a controller. In these examples the controller is just curl commands, but of course you can develop your controller in any language, like Python, JavaScript or Go.
The demo runners make sure that the right command-line parameters are created when ACA-py is started. This means that if you want to run ACA-py yourself, you need to understand which command-line parameters are required, and what they mean.
Starting Alice
Alice is our issuer. The issuer will create a schema, and a credential definition which will be registered in the ledger. For the issuer to be able to register these on the ledger, a public DID is required. A public DID is a DID which is registered on the ledger. ACA-py doesn’t register a DID by itself on the ledger, you need to do that yourself. On the production ledgers, it costs money to register a DID on the ledger. As a holder, you don’t need a public DID.
A DID is derived from a public key. A public key is part of a public-private key pair. The key pair is generated based on a seed value. First, we are going to register a DID on the ledger using a seed.
An example of a seed is: Alice000000000000000000000000001. On a production ledger, a DID will be registered for you, and you will receive the seed value.
You can register the DID based on the seed value using the von-network webserver at localhost:9000 using the “Authenticate a New DID” section. Enter a seed, leave DID empty, and for “Alias” you can use “Alice”.
To start ACA-py, you need to provide command-line arguments. Remember that genesis URL [localhost:9000/genesis] mentioned before? This is where we need it. Try to run this command to see if you can get Alice to start:
Let’s go over the command-line parameters to see what they mean:
--label Alice This is the label or name that you give to your instance. It is the name that for example a Wallet App will see when you try to make a connection, or when you receive a credential.
-it http 0.0.0.0 8000 and -ot http are the inbound and outbound transport methods that ACA-py uses to communicate to other ACA-py instances. Remember port 8000 here, you need it for endpoint.
--admin 0.0.0.0 11000 and --admin-insecure-mode are the parameters that configure how your controller application can communicate with ACA-py. In this case, the Admin Endpoints are available on port 11000, and insecure, meaning there is no authentication required. Go ahead, open localhost:11000. You should see the Swagger docs, and you should see the provided label, in this case Alice. These are the endpoints your controller application will interact with
--genesis-url http://localhost:9000/genesis This is the URL to the genesis file. When you create a schema and credential definition, you create transactions in the Indy ledger. To be able to create these transactions, ACA-py needs to know about the genesis transaction, this is common in blockchains and distributed ledgers.
--seed Alice000000000000000000000000001 This is the seed value we used to register the DID. This seed value proves that you are the owner of the public DID.
--endpoint http://localhost:8000/ This is the URL that ACA-py will send to ledger, to register where the ACA-py instance for your DID can be reached. If you have started aca-py without errors, you should be able to find this endpoint in your von-network webserver. Check localhost:9000/browse/domain, you should see something like:
--debug-connections This parameter makes sure that more information about connections is being printed when we start making a connection between Alice and Bob in the next section.
--auto-provision This parameter makes sure that ACA-py is going to create a wallet for you when it doesn’t exist. Usually you should create a wallet only once using the aca-py provision command, but that is out of scope for this blog post.
--wallet-type indy, --wallet-name Alice and --wallet-key secret are the parameters that are used to create the wallet. In this setup, the wallet is stored in files on your system. You can find the wallets in ~/.indy_client/wallet/. The key is required to write and read to the wallet.
If you start Alice successfully, you can stop it, start it again with the same parameters, and it will just continue where it left off. If you start Alice with a different wallet-name, a new wallet will be created, so you won’t have access to all the previous data stored in the wallet. If you change the seed value here without registering it in the ledger first, you will be greeted with and error like:
1
Ledger rejected transaction request: client request invalid: could not authenticate, verkey for xxxx cannot be found
Starting Bob
We can start Bob the same way we did with Alice. However, Bob is going to be our holder. Bob is not going to create a schema or a credential definition, so he does not require a public DID. In fact, if you use a wallet app, you will not have a public DID at all. Remember it costs money to register a DID? This means only the issuer is paying for the registration of its DID, not the holder.
Bob does not need a public DID, so we are not going to register a DID on the ledger. This means our command-parameters change a bit. Open another terminal and run:
There is one new parameter: --wallet-local-did. Bob doesn’t have a public DID, but he does need a local DID. The local DID will be used for Alice to create a credential for, more on that later.
The Bob ACA-py instance also has an Admin API, you access it localhost:11001.
You should now have two ACA-py instances running next to each other. One for Alice (the issuer), and one for Bob (the holder). With the two agents running, it is time to play the controller for both of them!
Connecting
Let’s go through the steps of connecting Alice and Bob.
The field use_public_did signifies that the public DID will be used in invites, more on that in the tip below.
Public vs non-public invites
A public invites contains a DID for other agents to connect with. For a public invite, the ledger needs to know at which endpoint an agent can be reached. This means that it requires a lookup in the ledger by the invited agent. A non-public invite does not use a public DID, instead it contains a service endpoint url, so the invited agent can connect to inviter directly.
The invitation that Bob needs to receive, is the invitation object in the response of the call to /out-of-band/create-invitation that Alice made. Bob can receive this invitation like:
If you run two ACA-py instances next to each other you can just copy and paste the invitation. In the real world the invitation of Alice will usually go to Bob either as a QR-code or as link. The wallet app of Bob will scan the QR-code, thereby receiving the invitation.
When Bob receives the invitation, the ACA-py instance will log it:
Now that Bob as received the invitation, he can accept the invitation. For that, he needs the connection_id from the response of /out-of-band/receive-invitation which in this case is 6c770a37-64ad-43f4-99c6-12c467c58dba, but it will be different for you.
By accepting the invitation, Bob sends a connection request to Alice. This happens automatically when Bob accepts the invitation. The request will directly go from Bob’s ACA-py instance to Alice’s ACA-py instance.
Even though Alice started this interaction by creating an invitation, it is actually Bob that sends a connection request to Alice, therefore Bob is called the requester. Alice is called the responder.
Alice automatically receives the connection request.
4
Alice accepts the connection request
Alice can now accept Bob’s connection request. For this she needs the connection_id for the connection for her side. In this case that is 9ebac177-a3d4-4a74-be42-82f4e0cafefa. Note that the connection_id is different for both Alice and Bob. They both create their own unique identifier for the connection.
Congratulations! A connection has been made between Alice and Bob. You can now take a break, don’t forget to hydrate.
Automatic accepting
ACA-py support command line options to automatically accept invites and requests when they come in. This allows you to skip step 3 and 4. The command line flags are --auto-accept-invites and --auto-accept-requests.
Creating a schema and credential definition
Alice will be issuing a credential to Bob. Before she can do that she needs to create a schema and a credential definition.
Creating a schema is straight-forward by posting to the /schemas endpoint:
Just as with a tango, there are two parties involved when issuing a credential. There is the issuer (Alice) and the holder (Bob.
There are three flows for issuing credentials, based on which party (issuer, holder) initiates the dance and with what. When you, as a holder, start the dance, you start with sending a proposal to the issuer (step 1). The proposal contains what you would like to receive from the issuer. Based on that the issuer can send an offer to the holder. When the issuer starts the dance, it starts with sending an offer to the holder (step 2). The holder can also start by directly sending a request to the issuer, thereby skipping the proposal and offer steps.
The flow for issuing credentials is:
Holder sends a proposal to the issuer (issuer receives proposal)
Issuer sends an offer to the holder based on the proposal (holder receives offer)
Holder sends a request to the issuer (issuer receives request)
Issuer sends credential to holder (holder receives credentials)
Holder stores credential (holder sends acknowledge to issuer)
Issuer receives acknowledge
Issuing a credential
1
Bob starts with sending a proposal
When Bob starts with sending a proposal, he can use the /issue-credential-2.0/send-proposal endpoint. Note here that Bob uses the connection_id of his connection with Alice. The proposal is sent over the connection that has just been established.
The result you get back is a Credential Exchange Record. It is a record that contains the state of the credential dance. These records are stored in ACA-py and can be retrieved using the /issue-credentials-2.0/records/{id} endpoint where the id is the cred_ex_id in the result.
2
Alice responds with an offer
Alice receives the proposal and can respond with an offer using the /issue-credential-2.0/records/{id}/send-offer endpoint. Note here that the id that the issuer uses is different from the cred_ex_id that the holder got. Each ACA-py instance creates its own identifiers.
There is one last endpoint that we haven’t discussed, which is /issue-credential-2.0/send. Which is the same as /issue-credential-2.0/send-offer from the issuer viewpoint, but which sets the flag auto_offer and auto_issue to true. If the holder automatically accepts offers and turns them into requests, then this would completely automate the issuing of credentials.
Development and debugging
For development purposes you can automate a large part of the flow. To make debugging easier, you can provide --debug-credentials to ACA-py which will log information in the console.
The flow of issuing credentials can be automated using:
--auto-respond-credential-proposal
--auto-respond-credential-offer
--auto-respond-credential-request
--auto-store-credential
If you have read this blog post so far, then these command line options should speak for themselves. Of course these are for development and debugging, so never enable these for production usage.
When you create a credential proposal or a credential offer, the credential exchange record will be automatically removed after the issuing of the credential has completed. The automatic removal can be disabled by providing --preserve-exchange-records to ACA-py.
Conclusion
These steps should get you through the process of starting instances, creating a connection between them, and issuing a credential. You can find more details about creating a connection in here, and more details about issuing credentials here.
Please let me know if this guide was useful and if you have any questions!