When are they used? Optional key:value pairs known only by the PDC instance [2.1]. Used for resource access when constraints are not handled by the PTX Control Plane [5.1] or ODRL policies [4.2].
Credentials are defined as optional key–value pairs that are known by the Dataspace Connector (PDC) instance [2.1]. They are local and are never exposed, exchanged, or validated through the mechanisms of the core services or the Control Plane. You can click here to learn how to generate and manage credentials.

Credentials are used to control access to resources, as described in the Resource Representation [3.0] model of the connector. Each resource managed by the PDC may require additional constraints that cannot be enforced through the PTX Control Plane [5.1] or expressed using ODRL policies [4.2]. In these cases, credentials provide a connector-level mechanism to apply such constraints.
When a resource access request is evaluated, the PDC first applies the standard Control Plane and policy-based checks. If additional conditions are required, the PDC evaluates the locally defined credentials as part of its internal authorization logic. Once these local credential requirements are satisfied, access to the resources is granted.
Because credentials are only evaluated within the PDC, they remain hidden from the dataspace and do not affect the connections between participants. This allows participants to maintain full sovereignty over sensitive access conditions while still being able to adhere to the shared dataspace and Control Plane rules.
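
The evaluation order described above, as an added Python model (not the PDC's own code): standard checks run first, local credentials second, and any mismatch fails closed. The names `Resource`, `Decision`, `authorize` and `presented` are hypothetical, and because the page does not describe how the values being compared reach the connector, they are modelled here as a plain dict.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str
    # Local key-value requirements; an empty dict means no extra constraint.
    required: dict = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    stage: str  # stage that decided; meant for the connector's own audit log


def credentials_match(required: dict, presented: dict) -> bool:
    """Check every required pair without stopping at the first mismatch."""
    ok = True
    for key, expected in required.items():
        supplied = presented.get(key)
        if supplied is None:
            ok = False
            supplied = ""  # still compare, so a missing key costs the same
        # Constant-time comparison avoids leaking how much of a value matched.
        ok &= hmac.compare_digest(expected.encode(), supplied.encode())
    return ok


def authorize(resource, control_plane_ok, policy_ok, presented=None) -> Decision:
    # Stage 1: Control Plane and policy results, modelled here as booleans.
    if not (control_plane_ok and policy_ok):
        return Decision(False, "control-plane/policy")
    # Stage 2: local credentials, only when the resource declares any.
    if not resource.required:
        return Decision(True, "control-plane/policy")
    if credentials_match(resource.required, presented or {}):
        return Decision(True, "local-credentials")
    return Decision(False, "local-credentials")  # fail closed


# Constructed sample data (not from the page).
OPEN = Resource("catalog")
GATED = Resource("lab-results", {"tenant": "acme", "tier": "gold"})
```

Valid local credentials never override a failed Control Plane or policy check, and the `stage` field stays inside the connector rather than being returned to the requester.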