# /status Endpoint ESS supports an [authorization mechanism based on Access Requests and Grants](https://docs.inrupt.com/security/authorization/access-requests-grants). ESS serializes the Access Requests and Grants as [Verifiable Credentials (VCs)](https://docs.inrupt.com/reference/glossary#verifiable-credential). The Access Requests and Grants VCs include the **`credentialStatus`** object with the following fields that provide information on their revocation status: ```json { // ... "credentialStatus": { "id": "https://vc./status/umZS#801", "revocationListCredential": "https://vc./status/umZS", "revocationListIndex": "801", "type": "RevocationList2020Status" }, // ... } ```

Field	Value
`"id"`	`"https://vc.<ESS Domain>/status/<credential>#<idx>"` The URL of the revocation status for this VC.
`"revocationListCredential"`	`"https://vc./status/"` The URL identifying the VC in the revocation list.
`"revocationListIndex"`	`"<idx>"` The bit position (i.e., the index) of the VC’s revocation status.
`"type"`	`"RevocationList2020Status"`

The ESS [Access Grant Service](https://docs.inrupt.com/ess/latest/services/service-access-grant) provides an endpoint where users may revoke an Access Requests/Grants. For more information, see [RevocationList2020Status](https://w3c-ccg.github.io/vc-status-rl-2020/#revocationlist2020status) ## `/status` Endpoint The ESS [Access Grant Service](https://docs.inrupt.com/ess/latest/services/service-access-grant) provides the following endpoint for updating the revocation status of issued Access Requests/Grants: ```json https://vc./status ``` Specifically, the endpoint allows for the revocation of the Access Requests/Grants. To revoke an Access Requests/Grants VC, clients can send a **`POST`** request to the endpoint: {% hint style="warning" %} **Important** * Users must be authenticated. The endpoint supports the use of either [Solid-OpenID Connect (OIDC) access token](https://docs.inrupt.com/ess/latest/services/service-oidc) or [UMA token](https://docs.inrupt.com/ess/latest/services/service-uma). * Only the agent whose WebID matches the Access Request/Grant VC’s **`credentialSubject.id`** can update the status. * For Access Requests, users must use an application whose Client ID is allowed by the [**`INRUPT_VC_CLIENT_ID_ALLOW_LIST_SOLIDACCESSREQUEST`**](https://docs.inrupt.com/ess/latest/services/service-access-grant/..#inrupt_vc_client_id_allow_list_solidaccessrequest) setting. * For Access Grants, users must use an application whose Client ID is allowed by the [**`INRUPT_VC_CLIENT_ID_ALLOW_LIST_SOLIDACCESSGRANT`**](https://docs.inrupt.com/ess/latest/services/service-access-grant/..#inrupt_vc_client_id_allow_list_solidaccessgrant) setting. {% endhint %}


Method	`POST`
Content-Type	`application/json`
Endpoint	`https://vc.<ESS Domain>/status`
Payload	Status update request object. See Payload for details.

Upon successful update, the endpoint returns a status of **`204`** . {% hint style="info" %} The **`/status`** endpoint no longer allows the reactivation of revoked Access Requests/Grants. Once revoked, initiate a new Access Request/Grant flow to regain access after revocation. {% endhint %} ## Payload The ESS Access Grant service’s **`/status`** endpoint accepts a document of the form: ```json { "credentialId": , "credentialStatus": [ { "type": "RevocationList2020Status", "status": 1 } ] } ```

Field Description

credentialId The id value (URL) of the access request/grant VC to update; e.g., a string of the form:
"https://vc.<ESS DOMAIN>/vc/<value>"

Field	Description
`credentialId`	The id value (URL) of the access request/grant VC to update; e.g., a string of the form: `"https://vc.<ESS DOMAIN>/vc/<value>"`
`credentialStatus`	Specify an array of status documents. To revoke ESS-issued Access Requests/Grants, specify a document of the form: `{ "type": "RevocationList2020Status", "status": 1 }` The status of Access Requests/Grants issued by ESS is indicated through the RevocationList2020Status. The `status` value of `1` indicates that the Access Request/Grant is to be revoked. Note The `/status` endpoint no longer allows the reactivation of revoked Access Requests/Grants. That is, you can no longer specify `"credentialStatus.status": 0` in the payload. Instead, once an Access Request/Grant is revoked, initiate a new Access Request/Grant flow to regain access.

credentialStatus

Specify an array of status documents. To revoke ESS-issued Access Requests/Grants, specify a document of the form:
{ "type": "RevocationList2020Status", "status": 1 }

The status of Access Requests/Grants issued by ESS is indicated through the RevocationList2020Status.

The status value of 1 indicates that the Access Request/Grant is to be revoked.

Note

The /status endpoint no longer allows the reactivation of revoked Access Requests/Grants. That is, you can no longer specify "credentialStatus.status": 0 in the payload.

Instead, once an Access Request/Grant is revoked, initiate a new Access Request/Grant flow to regain access.

## Example {% hint style="warning" %} **Important**\ Only the agent whose WebID matches the VC’s **`credentialSubject.id`** can update the status of an Access Request/Grant. {% endhint %} For example, assume that **`owliverowner`** has the following access grant as a record of the access granted to **`requestingrabbit`** :

{
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://schema.inrupt.com/credentials/v2.jsonld",
    "https://w3id.org/security/data-integrity/v1",
    "https://w3id.org/vc-revocation-list-2020/v1",
    "https://w3id.org/vc/status-list/2021/v1",
    "https://w3id.org/security/suites/ed25519-2020/v1"
  ],
  "id": "https://vc.<ESS DOMAIN>/vc/xxxxxx-1234-ffff-5678-abcd99999999",
  "type": [
    "VerifiableCredential",
    "SolidAccessGrant"
  ],
  "proof": {
    // ... Omitted for brevity
  },
  "credentialStatus": {
    "id": "https://vc.<ESS DOMAIN>/status/umZS#801",
    "revocationListCredential": "https://vc.<ESS DOMAIN>/status/umZS",
    "revocationListIndex": "801",
    "type": "RevocationList2020Status"
  },
  "credentialSubject": {
    "id": "https://id.<ESS DOMAIN>/owliverowner",
    "providedConsent": {
      "mode": "Read",
      "forPersonalData": "https://storage.<ESS DOMAIN>/<owliversRootContainer>/getting-started/readingList/myList",
      "hasStatus": "ConsentStatusExplicitlyGiven",
      "isProvidedTo": "https://id.<ESS Domain>/requestingrabbit"
    }
  },
  "issuer": "https://vc.<ESS DOMAIN>",
  "issuanceDate": "2023-02-10T23:41:39.731Z",
  "expirationDate": "2023-02-10T23:51:43.285Z"
}

In the example Access Grant, * **`id`** is **`"https://vc./vc/xxxxxx-1234-ffff-5678-abcd99999999"`** . When changing the revocation status of this Access Grant, use this value in the **`credentialId`** . * **`credentialStatus.type`** is **`"RevocationList2020Status"`** . When revoking this Access Grant, use this value in the **`credentialStatus.type`** field. * **`crendentialSubject.id`** is **`"https://id./owliverowner"`** . This indicates that **`"https://id./owliverowner"`** can modify the revocation status of this Access Grant. Then to revoke this Access Grant, the **`owliverowner`** can post the following payload to **`/status`** endpoint: ```json { "credentialId": "https://vc./vc/xxxxxx-1234-ffff-5678-abcd99999999", "credentialStatus": [ { "type": "RevocationList2020Status", "status": "1" } ] } ``` Upon successful update, the endpoint returns a status of **`204`** . After the Access Grant has been revoked, if you [verify the revoked access grant](https://docs.inrupt.com/ess/latest/services/service-access-grant/service-access-grant-verifier), you get the following result:

{
  "checks": [
    "issuanceDate",
    "proof",
    "expirationDate",
    "credentialStatus"
  ],
  "errors": [
    "credentialStatus validation has failed: credential has been revoked"
  ],
  "warnings": []
}

If **`requestingrabbit`** needs to access the resource, **`requestingrabbit`** must create a new request access to **`owliverowner`** .