Should Content-Type & Accept headers be normative when verifying or issuing credentials?

[aljones15]

Obviously the request to issue a credential should have the following headers (these come from the examples in the spec):

Content-Type: application/json
Accept: application/json, /

But nothing in the specification makes these headers normative. This means an issuer endpoint can accept requests with:

Content-Type: text/plain; charset=utf-8
Accept: text/plain

And that request could have a json request body.

It also means an issuer can return a response with incorrect Content-Type headers such as Content-Type: text/plain and then a json response body.

Therefore I propose we make Content-Type and Accept normative for POST /credentials/issue
& POST /credentials/verify. The headers would need to match the type of the request or response body. In almost all cases those values would be application/json or application/ld+json. I'm not sure on the Content-Type if an issuer accepts or returns cbor-ld or possibly linked data in xml formats, but for all cases in the current version of this specification it strongly appears we are expecting json of some form in the request body and possibly json in the response body too.

[msporny]

The group discussed this on the 2023-05-23 call. @dlongley noted that the requests/responses are JSON requests/responses, so we don't send/receive application/vc+ld+json, so the content type for all requests/responses should be application/json because we wrap all the content types in the VCDM.

The content type for all requests/responses to the VC API is application/json and that content type should be normative.