Enterprise Stack Features
The complete feature list for Issuer, Verifier, and Wallet capabilities in the Enterprise Stack.
Issuer
Core
| Feature | Highlights | Details |
|---|---|---|
| Stateful API | • Enterprise Issuer keeps issuance state • Shared DB (e.g., MongoDB) • Works in clustered deployments • Tenancy-aware sessions | The Enterprise Issuer is stateful (unlike the stateless Community Stack), persisting offers, sessions, configs and status operations to a shared DB for reliability and horizontal scaling in multi-instance setups. |
| Event Webhooks / Callbacks | • Subscribe to issuance state changes • Deliver to your backend • Retry/back-off | Optional webhooks notify external systems about offer creation, claim, issuance completion, and failures, enabling event-driven orchestration and audit pipelines. |
| Key Management (KMS-agnostic) | • External KMS (AWS, Azure, HashiCorp, OCI, …) • Asymmetric keys: ed25519, secp256r1/k1, RSA • Rotation & versioning via KMS • HSM boundary retained | Delegates signing to an external KMS so private keys never leave the HSM; supports mainstream curves and RSA, rotation, versioning and provider auth patterns (IAM, API keys). Raw keys are possible for dev/PoC. |
| DIDs & Identifiers | • did:web hosting & registry • did:key / did:jwk / did:ebsi support • x509 certificates • DID store service integration | Create/host issuer DIDs (incl. did:web) and resolve via DID services. Use appropriate methods per format and trust model; manage DID docs in-stack via enterprise DID store service. |
| Credential Templates / Types | • Flexible data models (incl. custom types) • No rigid “template” required | You can sign arbitrary JSON structures. Just register a credential type (name + optional display props) in issuer metadata; no rigid template DSL is required. |
| Credential Issuance Trigger | • Issuer-initiated • Wallet-initiated (coming soon) | Initiate issuance from your backend API or the Admin UI (Issuer-initiated), or let a user start the flow from their wallet (Wallet-initiated). |
| Credential Delivery | • QR code / deep link • Digital Credentials API (coming soon) | The Issuer generates OID4VCI credential offers which can either be rendered as QR codes for the wallet to scan or be provided as embedded links. |
| User (Credential Receiver) Authentication | • Pre-Auth (PIN optional) • Auth Code via external IdP | Choose Pre-Auth (optionally with PIN) or Auth Code against an external IdP, and optionally map verified claims to credential fields at issuance time. |
| Issuance modes | • Single credential issuance • Batch or deferred (coming soon) | Issue one or many credentials in a single session (immediately or deferred), simplifying onboarding flows that need a “bundle” (e.g., ID + entitlements). |
Standards
| Feature | Highlights | Details |
|---|---|---|
| Credentials: Support for all major credential standards | • ISO 18013-5 mDL • ISO/IEC 23220 • SD-JWT VC IETF • W3C VC v1.1+ • W3C VC v2.0 (coming soon) | Issue standard-compliant credentials based on popular formats (incl. custom attribute structures, types and schemas). |
| Protocols: Support for all major exchange protocol standards | • OID4VCI Draft 11/13 • OID4VCI v1 (coming in Q4 25) • Pre-Auth Code (PIN optional) flow • Auth Code flow | OID4VCI flows are supported for SD-JWT VC/W3C VC issuance; ISO 18013-7 for mDL/mdoc issuance. The Auth Code flow works with any custom OIDC-compliant IdP. |
| Status: Support for various approaches to manage the lifecycle of credentials | • Bitstring Status List v1.0 • StatusList2021 • RevocationList2020 • TokenStatusList (only JWT format with draft 8) | Issue standard-compliant status credentials based on popular formats for various purposes (incl. revocation, suspension or custom statuses). |
| Digital Credentials API (2026) | • Standard browser/agent API for issuance • Wraps OID4VCI/ISO-18013-7 flows under the hood • Enables 1-click web integrations, native UX prompts | Provide a standardized browser interface for wallets/agents so web apps can request issuance with minimal glue code. Improves DX/UX while relying on existing protocols behind the scenes. |
Data & Identity Sourcing
| Feature | Highlights | Details |
|---|---|---|
| Pre-offer data collection | • Gather attributes from DB/CRM/registries before creating the credential offer • Best when data is known/stable • Can combine later with post-offer data functions (timestamps/IDs/webhooks) | Provide all credential and subject data upfront and pass it to the Issuer when creating the offer. This minimizes runtime lookups and user interaction. If needed, you can still enrich the credential later with post-offer data functions before signing. |
| Data functions for dynamic attributes | • Run after offer creation, before signing • Timestamps/UUIDs/DID injection • Webhooks to fetch external data | Inject time-sensitive or externally sourced values just-in-time (e.g., timestamps, subject DID, booking numbers) using built-in data functions and webhooks. |
| External IdP | • Map IdP claims to credential fields via the Auth Code flow | With the OID4VCI Auth Code flow, authenticate users at your IdP and map verified claims into credential attributes in real time during issuance. |
Lifecycle
| Feature | Highlights | Details |
|---|---|---|
| Revocation & suspension (via status lists) — Managed | • Add status at issuance (new bitstring entry + hosted Status Credential) • Auto-host to configured registry (S3, Azure Blob, GCS) • One API to update/re-sign/publish (revoke/suspend). | Create a status entry at issuance and auto-host the Status Credential in your chosen registry. Use a single API to update, re-sign, and publish changes. |
| Expiration and validity controls | • Valid-from / expiry • Generated via data functions | Set explicit or dynamically generated validity windows to match real-world lifecycle (passes, IDs, tickets). |
Integrations
| Feature | Highlights | Details |
|---|---|---|
| External KMS and diverse key types | • Store private key material in an external KMS provider (e.g., AWS, Azure, HashiCorp, Oracle) • Use different key types (e.g., ed25519, secp256r1/k1, RSA) | Delegate signing to your KMS so private keys never leave the HSM boundary; supports multiple curves and RSA with key rotation/monitoring via the KMS provider. |
| Trust Registries | • eIDAS2 • EBSI | Integrates with various trust registries of different ID ecosystems (e.g., eIDAS2). |
| QTSPs (2026) | • Create qualified signatures | Integrations with various QTSPs for qualified signatures. |
DID & Trust Anchors
| Feature | Highlights | Details |
|---|---|---|
| Host did:web documents | • Serve did:web • Automate doc updates | Publish/serve did:web documents for issuer identification using a DID. |
| DID Document Storage | • Persist DID documents for later reference | Persist DIDs and their documents via the Enterprise Stack DID store service. |
Branding
| Feature | Highlights | Details |
|---|---|---|
| Issuer Metadata | • Per-type styling (colors, logo, description) • Wallets can fetch/cache display metadata | Define reusable branding per credential type so wallets render consistent visuals without embedding styling in each credential. |
| Embedded in Credential | • Per-instance display data for fine-grained differentiation | Embed display attributes directly in a credential instance when variants of the same type need distinct visuals (e.g., ticket tiers). |
ID Ecosystems
| Feature | Highlights | Details |
|---|---|---|
| EMEA | • EU (eIDAS2, EBSI), Switzerland (SWIYU) | Issuance aligned with (emerging) regional trust frameworks. |
| APAC | • New Zealand (DISTF), Australia, Thailand, Japan, … | Issuance aligned with (emerging) regional trust frameworks. |
| Americas | • US, Canada, Brazil, … | Issuance aligned with (emerging) regional trust frameworks. |
| Custom | • Bring your own ID ecosystem | The issuer can be modified to comply with other ID ecosystems. |
Auth & Permissions
| Feature | Highlights | Details |
|---|---|---|
| Protected APIs (AuthN/Z) | • Fine-grained RBAC • Scoped access tokens • Tenant/service scoping | Enterprise Stack uses role-based access control and scoped identifiers to protect APIs at org/tenant/service boundaries. |
| Roles & Permissions (RBAC) | • Roles per org/tenant/service • Principle of least privilege | Assign granular roles for admins, integrators and operators. |
| API Keys (Server-to-Server) | • For M2M access • Assign roles for fine-grained RBAC | Provision API credentials for backend integrations, scoped to services/tenants. |
| User Accounts | • Admin GUI login • Assign roles for fine-grained RBAC | Operator accounts manage the Enterprise Stack via the GUI (e.g., edit service configs, check analytics, revoke credentials). |
Logs & Analytics
| Feature | Highlights | Details |
|---|---|---|
| Metrics | • Issuance KPIs • Status updates • Tenant/service breakdowns | Observe issuance volumes and success rates across tenants/services for ops and reporting. |
| Logs | • Structured events / system logs • Audit trails • Export to SIEM • OpenTelemetry support | Emit structured logs/events for debugging and audit; export to an external SIEM as needed. |
Platform & Ops.
| Feature | Highlights | Details |
|---|---|---|
| Stateful API + Persistence | • DB-backed sessions/configs • Multi-instance safe | Persistence enables HA/scale-out; instances share state cleanly for reliable issuance at scale. |
| Clustering & horizontal scaling | • Multi-instance behind LB • Stateless exchange layer + stateful DB | Run multiple Issuer instances concurrently behind a load balancer for throughput and resilience. |
| Data persistence layer | • MongoDB (document DB) • Durable storage of configs/events | Durable storage for offers, configs and events; fits high-volume issuance patterns. |
| Encryption | • DB-level encryption | Set up encryption on the MongoDB database. |
| Enterprise CLI / Quickstart | • CLI to explore features • Docker-compose stack | Use the Enterprise Quickstart repo and CLI to bring the stack up locally (requires enterprise images). |
Verifier
Core
| Feature | Highlights | Details |
|---|---|---|
| Stateful API | • Enterprise Verifier keeps verification state • Shared DB (e.g., MongoDB) • Works in clustered deployments • Tenancy-aware sessions | The Enterprise Verifier is stateful (unlike the stateless Community Stack), persisting authorization requests, sessions, configs and status operations to a shared DB for reliability and horizontal scaling in multi-instance setups. |
| Event Webhooks / Callbacks | • Subscribe to verification state changes • Deliver to your backend • Retry/back-off | Optional webhooks notify external systems about verification session state changes, successes and failures, enabling event-driven orchestration and audit pipelines. |
Request
| Feature | Highlights | Details |
|---|---|---|
| Delivery (QR codes & links) | • QR code / deep link • Digital Credentials API (coming soon) | The Verifier generates OID4VP authorization requests which can either be rendered as QR codes for the wallet to scan or be provided as embedded links. |
| Query | • Simple type/format request • Presentation Definition filters/constraints • DCQL queries (in beta) | Define required credentials using simple params or Presentation Definition; the API generates an OID4VP authorization URL. |
| Bundles/Batch | • Request multiple credentials • Mixed standards/types (e.g., SD-JWT VC, W3C VC, mDL) • Single session, unified validation | Request several credentials in a single flow; the Verifier can validate heterogeneous sets within one VP/session. |
Verification & Policies
| Feature | Highlights | Details |
|---|---|---|
| Policy engine: static & parameterized | • Pre-built: signatures, validity, schema, Presentation Definition match • Parameterized: allow-issuer, webhook • Webhook delegates checks externally • Custom OPA/Rego policies | Apply predefined and parameterized policies, and optionally custom OPA/Rego rules, to enforce business logic. Webhooks can offload any check to external systems. |
Lifecycle & Trust
| Feature | Highlights | Details |
|---|---|---|
| Lifecycle: expiration & revocation | • Not-before/expiry checks • Revocation/status checks | Enforce validity windows (e.g. valid until) and revocation/status based on various standards (e.g. Bitstring Status List v1.0) on presented credentials. |
| Trust chain validation | • DID/key trust evaluation • Certificate chain (IACA/DSC/VICAL) • External trust sources supported (e.g., eIDAS2, EBSI) | Validate issuer trust via DIDs/keys or via the relevant PKI chains; keys/certs can be resolved dynamically or taken from trusted sources (e.g., eIDAS2 trusted lists). |
Auth & Permissions
| Feature | Highlights | Details |
|---|---|---|
| Protected APIs (AuthN/Z) | • Fine-grained RBAC • Scoped access tokens • Tenant/service scoping | Enterprise Stack uses role-based access control and scoped identifiers to protect APIs at org/tenant/service boundaries. |
| Roles & Permissions (RBAC) | • Roles per org/tenant/service • Principle of least privilege | Assign granular roles for admins, integrators and operators. |
| API Keys (Server-to-Server) | • For M2M access • Assign roles for fine-grained RBAC | Provision API credentials for backend integrations, scoped to services/tenants. |
| User Accounts | • Admin GUI login • Assign roles for fine-grained RBAC | Operator accounts manage the Enterprise Stack via the GUI (e.g., edit service configs, check analytics, revoke credentials). |
Standards
| Feature | Highlights | Details |
|---|---|---|
| Credentials: Support for all major credential standards | • ISO 18013-5 mDL • ISO/IEC 23220 • SD-JWT VC IETF • W3C VC v1.1+ • W3C VC v2.0 (coming soon) | Verify standard-compliant credentials based on popular formats (incl. custom attribute structures, types and schemas). |
| Protocols: OID4VP flows and ISO 18013-7 | • OID4VP drafts 14/20 • OID4VP v1 | Interoperable OID4VP exchange across the supported drafts using Presentation Definition; DCQL request syntax with OID4VP v1. |
| Digital Credentials API (coming soon) | • Standard browser/agent API for verification • Wraps OID4VP/ISO-18013-7 flows under the hood • Enables 1-click web integrations, native UX prompts | Provide a standardized browser interface for wallets/agents so web apps can request credentials from users with minimal glue code. Improves DX/UX while relying on existing protocols behind the scenes. |
ID Ecosystems
| Feature | Highlights | Details |
|---|---|---|
| EMEA | • EU (eIDAS2, EBSI), Switzerland (SWIYU) | Verification aligned with (emerging) regional trust frameworks. |
| APAC | • New Zealand (DISTF), Australia, Thailand, Japan, … | Verification aligned with (emerging) regional trust frameworks. |
| Americas | • US, Canada, Brazil, … | Verification aligned with (emerging) regional trust frameworks. |
| Custom | • Bring your own ID ecosystem | The verifier can be modified to comply with other ID ecosystems. |
Integrations
| Feature | Highlights | Details |
|---|---|---|
| Trust Registries | • eIDAS2 • EBSI | Integrates with various trust registries of different ID ecosystems (e.g., eIDAS2). |
| QTSPs (coming soon) | • Signature/seal validation | Integrate with external QTSPs for qualified signature/seal validation. |
Admin UI
| Feature | Highlights | Details |
|---|---|---|
| Enterprise Console (Admin GUI) | • Configure different tenants/sub-tenants • View metrics • Manage your team / API keys | Use the Enterprise GUI to spin up tenants, sub-tenants (B2B, B2B2C setups) and services. Set configs and track metrics per tenant and service. |
| Enterprise Console (Verifier GUI) | • Configure different verifier services • Monitor sessions and verification results | Use the Enterprise GUI to spin up verifier services, set configs, track verifications and their results (success or failure). |
Logs & Analytics
| Feature | Highlights | Details |
|---|---|---|
| Metrics | • Verification KPIs • Tenant/service breakdowns | Observe verification volumes and success rates across tenants/services for ops and reporting. |
| Logs | • Structured events / system logs • Audit trails • Export to SIEM • OpenTelemetry support | Emit structured logs/events for debugging and audit; export to an external SIEM as needed. |
Platform & Ops.
| Feature | Highlights | Details |
|---|---|---|
| Stateful API & Persistence | • DB-backed sessions/configs • Multi-instance safe | Persistence enables HA/scale-out; instances share state cleanly for reliable verification at scale. |
| Clustering & horizontal scaling | • Multi-instance behind LB • Stateless exchange layer + stateful DB | Run multiple Verifier instances concurrently behind a load balancer for throughput and resilience. |
| Data persistence layer | • MongoDB (document DB) • Durable storage of configs/events | Durable storage for requests, configs and events; fits high-volume verification patterns. |
| Encryption | • DB-level encryption | Set up encryption on the MongoDB database. |
| Enterprise CLI / Quickstart | • CLI to explore features • Docker-compose stack | Use the Enterprise Quickstart repo and CLI to bring the stack up locally (requires enterprise images). |
Tenant & Configuration Model
| Feature | Highlights | Details |
|---|---|---|
| Hierarchical Multi-Tenancy | • Orgs → tenants → sub-tenants • Per-tenant services & isolation • RBAC per scope | Model B2B/B2G/B2B2C at scale; keep data/services virtually separated and permissioned under one roof. |
| Multi-Config Verifier Services | • Many verifier instances per tenant • Types, formats per service | Configure multiple verifier services with distinct capabilities and exposure; ideal for separating regulated profiles or customers. |
Wallet
Core
| Feature | Highlights | Details |
|---|---|---|
| Automatic holder binding and proof-of-key | • PoP during issuance & presentation (OID4VCI/VP) • DID/key ownership checks • Protocol-compliant signing of VP / holder-binding JWTs • Works across supported credential formats | Wallet performs proof-of-possession and holder binding automatically during receive/present flows, signing the right artefacts per OID4VCI/VP so Issuers/Verifiers can trust key control. |
| One-user-multi-wallet model | • Flexible user↔wallet relationships • Supports multi-party wallet access, enabling parent/child or organizational wallets • Works across B2C/B2B/B2B2C setups via multi-tenancy • App-level auth & fine-grained permissions (no built-in end-user auth) | In the Enterprise Stack, the wallet doesn’t enforce a fixed user-to-wallet mapping. Applications can let a single user run multiple wallets or share wallets (e.g., parent-child), governed by app-level authentication/permissions and multi-tenant controls, with an admin UI for management. |
| Key Management (KMS-agnostic) | • External KMS (AWS, Azure, HashiCorp, OCI, …) • Asymmetric keys: ed25519, secp256r1/k1, RSA • Rotation & versioning via KMS • HSM boundary retained • For PoCs, keys can also be stored locally in the Enterprise Stack DB | Delegates signing to an external KMS so private keys never leave the HSM; supports mainstream curves and RSA, rotation, versioning and provider auth patterns (IAM, API keys). Raw keys are possible for dev/PoC. |
| DIDs & Identifiers | • did:web hosting & registry • did:key / did:jwk / did:ebsi support • DID store service integration | Create/host user DIDs (incl. did:web) and resolve via DID services. Use appropriate methods per format and trust model; manage DID docs in-stack via enterprise DID store service. |
Credential Exchange
| Feature | Highlights | Details |
|---|---|---|
| Receiving credentials | • Supports pre-authorized code (with optional TX-PIN) • Full authorization code flow | Receive credentials via the pre-authorized code or full authorization code OID4VCI flows; the pre-auth TX-PIN is supported. |
| Presenting credentials | • Parse Presentation Definition • Match credentials to constraints • DCQL support | The wallet parses Presentation Definition and DCQL requests, matches stored credentials, and signs the presentations sent via OID4VP. |
Auth & Permissions
| Feature | Highlights | Details |
|---|---|---|
| Protected APIs (AuthN/Z) | • Fine-grained RBAC • Scoped access tokens • Tenant/service scoping | Enterprise Stack uses role-based access control and scoped identifiers to protect APIs at org/tenant/service boundaries. |
| Roles & Permissions (RBAC) | • Roles per org/tenant/service • Principle of least privilege | Assign granular roles for admins, integrators and operators. |
| API Keys (Server-to-Server) | • For M2M access • Assign roles for fine-grained RBAC | Provision API credentials for backend integrations, scoped to services/tenants. |
| User Accounts | • Admin GUI login • Assign roles for fine-grained RBAC | Operator accounts manage the Enterprise Stack via the GUI (e.g., edit service configs, check analytics, revoke credentials). |
Standards
| Feature | Highlights | Details |
|---|---|---|
| Credentials: Support for all major credential standards | • ISO 18013-5 mDL • ISO/IEC 23220 • SD-JWT VC IETF • W3C VC v1.1+ • W3C VC v2.0 (coming soon) | Receive & present standard-compliant credentials based on popular formats (incl. custom attribute structures, types and schemas). |
| Protocols: Support for all major exchange protocol standards | • OID4VP drafts 14/20 • OID4VP v1 • OID4VCI Draft 11/13 • OID4VCI v1 (coming in Q4 25) • ISO 18013-7 | Interoperable OID4VCI/VP exchange across the supported drafts using Presentation Definition. DCQL request syntax is coming soon with OID4VP v1 support. |
ID Ecosystems
| Feature | Highlights | Details |
|---|---|---|
| EMEA | • EU (eIDAS2, EBSI), Switzerland (SWIYU) | Wallets aligned with (emerging) regional trust frameworks. |
| APAC | • New Zealand (DISTF), Australia, Thailand, Japan, … | Wallets aligned with (emerging) regional trust frameworks. |
| Americas | • US, Canada, Brazil, … | Wallets aligned with (emerging) regional trust frameworks. |
| Custom | • Bring your own ID ecosystem | The wallet can be modified to comply with other ID ecosystems. |
Integrations
| Feature | Highlights | Details |
|---|---|---|
| External KMS and diverse key types | • Store private key material in an external KMS provider (e.g., AWS, Azure, HashiCorp, Oracle) • Use different key types (e.g., ed25519, secp256r1/k1, RSA) | Use an external KMS for key custody and signing where desired. |
| Trust Registries | • eIDAS2 • EBSI | Integrates with various trust registries of different ID ecosystems (e.g., eIDAS2). |
| QTSPs (coming soon) | • Signature/seal creation | Integrate with external QTSPs for qualified signature/seal creation. |
DID & Trust Anchors
| Feature | Highlights | Details |
|---|---|---|
| Host did:web documents | • Serve did:web • Automate doc updates | Publish/serve did:web documents for holder identification using a DID. |
| DID Document Storage | • Persist DID documents for later reference | Persist DIDs and their documents via the Enterprise Stack DID store service. |
Admin UI
| Feature | Highlights | Details |
|---|---|---|
| Enterprise Console (Admin GUI) | • Configure different tenants/sub-tenants • View metrics • Manage your team / API keys | Use the Enterprise GUI to spin up tenants, sub-tenants (B2B, B2B2C setups) and services. Set configs and track metrics per tenant and service. |
| Enterprise Console (Wallet GUI) | • Configure different wallet services • View wallet contents | Use the Enterprise GUI to spin up wallet services and set configs. |
Logs & Analytics
| Feature | Highlights | Details |
|---|---|---|
| Logs | • Structured events / system logs • Audit trails • Export to SIEM • OpenTelemetry support | Emit structured logs/events for debugging and audit; export to an external SIEM as needed. |
Platform & Ops.
| Feature | Highlights | Details |
|---|---|---|
| Stateful API + Persistence | • DB-backed wallets • Multi-instance safe | Persistence enables HA/scale-out; instances share state cleanly for reliable wallet operations at scale. |
| Clustering & horizontal scaling | • Multi-instance behind LB • Stateless exchange layer + stateful DB | Run multiple Wallet instances concurrently behind a load balancer for throughput and resilience. |
| Data persistence layer | • MongoDB (document DB) • Durable storage of configs/events | Durable storage for wallet contents, configs and events; fits high-volume wallet exchange patterns. |
| Encryption | • DB-level encryption | Set up encryption on the MongoDB database. |
| Enterprise CLI / Quickstart | • CLI to explore features • Docker-compose stack | Use the Enterprise Quickstart repo and CLI to bring the stack up locally (requires enterprise images). |
Tenant & Configuration Model
| Feature | Highlights | Details |
|---|---|---|
| Hierarchical Multi-Tenancy | • Orgs → tenants → sub-tenants • Per-tenant services & isolation • RBAC per scope | Model B2B/B2G/B2B2C at scale; keep data/services virtually separated and permissioned under one roof. |
Last updated on November 4, 2025
