diff --git a/x/credential/client/cli/cli_test.go b/x/credential/client/cli/cli_test.go
index a590f048..34b0c5d1 100644
--- a/x/credential/client/cli/cli_test.go
+++ b/x/credential/client/cli/cli_test.go
@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"os"
 	"runtime"
-	"strconv"
 	"testing"
 	"time"
 
@@ -133,12 +132,11 @@ func name(others ...string) string {
 	return fmt.Sprintln(f.Name(), others)
 }
 
-func publishCredentialDefinition(s *IntegrationTestSuite, identifier, name, schemaFile, vocabFile string, isPublic bool, val *network.Validator, code uint32) {
+func publishCredentialDefinition(s *IntegrationTestSuite, identifier, name, schemaFile, vocabFile string, val *network.Validator, code uint32) {
 
 	clientCtx := val.ClientCtx
 	args := []string{
 		identifier, name, schemaFile, vocabFile,
-		fmt.Sprintf("--%s=%s", "public", strconv.FormatBool(isPublic)),
 		fmt.Sprintf("--%s=%s", flags.FlagFrom, val.Address.String()),
 		fmt.Sprintf("--%s=true", flags.FlagSkipConfirmation),
 		fmt.Sprintf("--%s=%s", flags.FlagBroadcastMode, flags.BroadcastBlock),
@@ -247,7 +245,7 @@ func (s *IntegrationTestSuite) TestGetCmdQueryCredentialDefinition() {
 					schemaFile = "testdata/schema.json"
 					vocabFile  = "testdata/vocab.json"
 				)
-				publishCredentialDefinition(s, identifier, label, schemaFile, vocabFile, false, val, 0)
+				publishCredentialDefinition(s, identifier, label, schemaFile, vocabFile, val, 0)
 			},
 			"test-11234",
 		},
@@ -351,7 +349,7 @@ func (s *IntegrationTestSuite) TestNewPublishCredentialDefinitionCmd() {
 			val1.ClientCtx,
 		},
 		{
-			"PASS: update creddef name, visibility and active status",
+			"PASS: update creddef name, and active status",
 			codes.OK,
 			&sdk.TxResponse{},
 			[]string{
@@ -359,7 +357,6 @@ func (s *IntegrationTestSuite) TestNewPublishCredentialDefinitionCmd() {
 				"ValidDefName2",
 				"testdata/schema.json",
 				"testdata/vocab.json",
-				"--public=true",
 				"--inactive=true",
 				fmt.Sprintf("--%s=%s", flags.FlagFrom, val1.Address.String()),
 				fmt.Sprintf("--%s=true", flags.FlagSkipConfirmation),
diff --git a/x/credential/client/cli/tx.go b/x/credential/client/cli/tx.go
index 43eca46c..630e47db 100644
--- a/x/credential/client/cli/tx.go
+++ b/x/credential/client/cli/tx.go
@@ -300,7 +300,6 @@ func NewPublishCredentialDefinitionCmd() *cobra.Command {
 
 	var (
 		command        = "publish-credential-definition"
-		isPublic       bool
 		inactive       bool
 		publisherID    string
 		descr          string
@@ -329,7 +328,7 @@ func NewPublishCredentialDefinitionCmd() *cobra.Command {
 			}
 
 			// initialize the definition
-			def, err := credential.NewCredentialDefinitionFromFile(cdID, publisherDID, name, descr, isPublic, !inactive, schemaFile, vocabFIle)
+			def, err := credential.NewCredentialDefinitionFromFile(cdID, publisherDID, name, descr, !inactive, schemaFile, vocabFIle)
 			if err != nil {
 				println("error building credential definition", err)
 				return err
@@ -346,7 +345,6 @@ func NewPublishCredentialDefinitionCmd() *cobra.Command {
 	// add flags to set did relationships
 	cmd.Flags().StringVar(&descr, "description", "", "a human-readable description about the credential usage")
 	cmd.Flags().StringVarP(&publisherID, "publisher", "p", "", "the publisher DID. If not set, the DID key of the signer account will be used instead")
-	cmd.Flags().BoolVar(&isPublic, "public", false, "if is set, the credential is a public one and can be issued on chain")
 	cmd.Flags().BoolVar(&inactive, "inactive", false, "if is set, the credential definition will be flagged as inactive, client may refuse to issue credentials based on an inactive definition")
 	cmd.Flags().IntVar(&expirationDays, "expiration", 365, "number of days that the definition can be ")
 	// add flags to set did relationships
diff --git a/x/credential/credential.go b/x/credential/credential.go
index ef506322..b2aeac7f 100644
--- a/x/credential/credential.go
+++ b/x/credential/credential.go
@@ -33,7 +33,7 @@ func init() {
 // NewCredentialDefinitionFromFile create a credential definition by reading the data from a file
 func NewCredentialDefinitionFromFile(id string, publisherDID did.DID,
 	name, description string,
-	isPublic, isActive bool,
+	isActive bool,
 	schemaFile, vocabFile string) (*CredentialDefinition, error) {
 
 	def := &CredentialDefinition{
diff --git a/x/credential/credential_test.go b/x/credential/credential_test.go
index 6954c843..0fd9d39f 100644
--- a/x/credential/credential_test.go
+++ b/x/credential/credential_test.go
@@ -29,7 +29,6 @@ func TestNewCredentialDefinitionFromFile(t *testing.T) {
 		publisherDID did.DID
 		name         string
 		description  string
-		isPublic     bool
 		isActive     bool
 		schemaFile   string
 		vocabFile    string
@@ -48,7 +47,6 @@ func TestNewCredentialDefinitionFromFile(t *testing.T) {
 				"Credential Definition 1",
 				"This is a sample credential",
 				true,
-				true,
 				"keeper/testdata/schema.json",
 				"keeper/testdata/vocab.json",
 			},
@@ -72,7 +70,6 @@ func TestNewCredentialDefinitionFromFile(t *testing.T) {
 				"Credential Definition 1",
 				"This is a sample credential",
 				true,
-				true,
 				"keeper/testdata/schema.invalid.json",
 				"keeper/testdata/vocab.json",
 			},
@@ -95,7 +92,6 @@ func TestNewCredentialDefinitionFromFile(t *testing.T) {
 				"Credential Definition 1",
 				"This is a sample credential",
 				true,
-				true,
 				"keeper/testdata/schema.json",
 				"keeper/testdata/vocab.invalid.json",
 			},
@@ -118,7 +114,6 @@ func TestNewCredentialDefinitionFromFile(t *testing.T) {
 				"Credential Definition 1",
 				"This is a sample credential",
 				true,
-				true,
 				"keeper/testdata/non-exising.json",
 				"keeper/testdata/vocab.json",
 			},
@@ -138,7 +133,7 @@ func TestNewCredentialDefinitionFromFile(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			w, _ := os.Getwd()
 			t.Logf("cwd is %s", w)
-			got, err := NewCredentialDefinitionFromFile(tt.args.cdID, tt.args.publisherDID, tt.args.name, tt.args.description, tt.args.isPublic, tt.args.isActive, tt.args.schemaFile, tt.args.vocabFile)
+			got, err := NewCredentialDefinitionFromFile(tt.args.cdID, tt.args.publisherDID, tt.args.name, tt.args.description, tt.args.isActive, tt.args.schemaFile, tt.args.vocabFile)
 			if tt.wantErr == nil {
 				assert.NoError(t, err)
 				assert.Equal(t, tt.want, got)
diff --git a/x/credential/keeper/credential.go b/x/credential/keeper/credential.go
index 0702286b..474d8d86 100644
--- a/x/credential/keeper/credential.go
+++ b/x/credential/keeper/credential.go
@@ -1,6 +1,8 @@
 package keeper
 
 import (
+	"fmt"
+
 	"github.com/cosmos/cosmos-sdk/codec"
 	"github.com/cosmos/cosmos-sdk/store/prefix"
 	sdk "github.com/cosmos/cosmos-sdk/types"
@@ -118,12 +120,11 @@ func (k Keeper) GetAllowedCredentialDefinitions(ctx sdk.Context, req *query.Page
 	pageRes, err = query.Paginate(cdStore, req, func(key []byte, value []byte) error {
 		id := string(value)
 		cd, found := k.GetCredentialDefinition(ctx, id)
-		//if !found {
-		//	panic("credential definition with allowed id not found")
-		//}
-		if found {
-			cds = append(cds, &cd)
+		if !found {
+			panic(fmt.Sprintf("credential definition with allowed id %s not found", id))
 		}
+		cds = append(cds, &cd)
+
 		return nil
 	})
 	return
diff --git a/x/credential/keeper/grpc_query_test.go b/x/credential/keeper/grpc_query_test.go
index 5ece68ea..4e1e5564 100644
--- a/x/credential/keeper/grpc_query_test.go
+++ b/x/credential/keeper/grpc_query_test.go
@@ -546,6 +546,7 @@ func (suite *KeeperTestSuite) TestKeeper_AllowedPublicCredentials() {
 		msg     string
 		reqFn   func() (*credential.QueryAllowedPublicCredentialsRequest, *credential.QueryAllowedPublicCredentialsResponse)
 		wantErr error
+		panic   bool
 	}{
 		{
 			"PASS: no credentials",
@@ -553,6 +554,7 @@ func (suite *KeeperTestSuite) TestKeeper_AllowedPublicCredentials() {
 				return &credential.QueryAllowedPublicCredentialsRequest{}, &credential.QueryAllowedPublicCredentialsResponse{Credentials: nil, Pagination: &query.PageResponse{}}
 			},
 			nil,
+			false,
 		},
 		{
 			"PASS: no credentials in allow list",
@@ -561,7 +563,6 @@ func (suite *KeeperTestSuite) TestKeeper_AllowedPublicCredentials() {
 					id  = "001"
 					err error
 				)
-				//
 
 				// publish the definition
 				pcdr := credential.MsgPublishCredentialDefinitionRequest{
@@ -585,6 +586,7 @@ func (suite *KeeperTestSuite) TestKeeper_AllowedPublicCredentials() {
 				return &credential.QueryAllowedPublicCredentialsRequest{}, &credential.QueryAllowedPublicCredentialsResponse{Pagination: &query.PageResponse{Total: 0}}
 			},
 			nil,
+			false,
 		},
 		{
 			"PASS: can get the credential",
@@ -593,7 +595,6 @@ func (suite *KeeperTestSuite) TestKeeper_AllowedPublicCredentials() {
 					id  = "002"
 					err error
 				)
-				//
 
 				// publish the definition
 				pcdr := credential.MsgPublishCredentialDefinitionRequest{
@@ -617,18 +618,37 @@ func (suite *KeeperTestSuite) TestKeeper_AllowedPublicCredentials() {
 				return &credential.QueryAllowedPublicCredentialsRequest{}, &credential.QueryAllowedPublicCredentialsResponse{Credentials: []*credential.CredentialDefinition{pcdr.CredentialDefinition}, Pagination: &query.PageResponse{Total: 1}}
 			},
 			nil,
+			false,
+		},
+		{
+			"PANIC: id allowed but credential not found",
+			func() (*credential.QueryAllowedPublicCredentialsRequest, *credential.QueryAllowedPublicCredentialsResponse) {
+				var (
+					id = "did:cosmos:elesto:ipcq-003"
+				)
+				suite.keeper.AllowPublicCredential(suite.ctx, id)
+
+				return &credential.QueryAllowedPublicCredentialsRequest{}, nil
+			},
+			nil,
+			true,
 		},
 	}
 	for _, tc := range testCases {
 		suite.Run(fmt.Sprintf("Case %s", tc.msg), func() {
 			req, expectedResp := tc.reqFn()
-			gotResp, err := queryClient.AllowedPublicCredentials(context.Background(), req)
-			if tc.wantErr == nil {
-				suite.Require().NoError(err)
-				suite.Require().Equal(expectedResp, gotResp)
+			if tc.panic {
+				suite.Require().Panics(func() { queryClient.AllowedPublicCredentials(context.Background(), req) })
 			} else {
-				suite.Require().Error(err)
-				suite.Require().Equal(tc.wantErr.Error(), err.Error())
+				gotResp, err := queryClient.AllowedPublicCredentials(context.Background(), req)
+
+				if tc.wantErr == nil {
+					suite.Require().NoError(err)
+					suite.Require().Equal(expectedResp, gotResp)
+				} else {
+					suite.Require().Error(err)
+					suite.Require().Equal(tc.wantErr.Error(), err.Error())
+				}
 			}
 		})
 	}
diff --git a/x/credential/spec/02_state.md b/x/credential/spec/02_state.md
index 91a315f3..f18dd69b 100644
--- a/x/credential/spec/02_state.md
+++ b/x/credential/spec/02_state.md
@@ -30,9 +30,6 @@ type CredentialDefinition struct {
 	Name string
 	// the description of the credential, such as it's purpose
 	Description string 
-	// wherever the credential is intended for public use (on-chain) or not (off-chain)
-	// if the value is false then the module will forbid the issuance of the credential on chain
-	IsPublic bool
 	// did of the credential should not be used anymore in favour of something else
 	SupersededBy string `protobuf:"bytes,8,opt,name=supersededBy,proto3" json:"supersededBy,omitempty"`
 	// the credential can be de-activated