#General Config

The issuer, similar to other services in the Enterprise Stack, maintains a collection of configurations. These configurations include internal configs such as signing keys for access tokens and the base URL, which are used solely within the Enterprise Stack. Additionally, the issuer holds configurations that is both internally used and externally shared, such as supported credential types and issuer display information. This external information is made available through the OpenID issuer metadata endpoint, which can be accessed by wallets and other external applications involved in the credential exchange process.

#Get Issuer Config

CURL

Endpoint: /v1/{target}/issuer-service-api/configuration/view | API Reference

Example Request

curl -X 'GET' \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/issuer-service-api/configuration/view' \
  -H 'Authorization: Bearer {yourToken}' \
  -H 'Content-Type: application/json'

Path Parameters

orgID: - When performing operations within an organization, it is essential to use the organization's Base URL or another valid host alias. For example, if your organization is named test, your default Base URL will be test.enterprise-sandbox.walt.dev when using the sandbox environment.
target: resourceIdentifier - The target indicates the organization + tenant + issuer service from which to receive the configuration({organizationID}.{tenantID}.{issuerServiceID}), e.g. waltid.tenant1.issuer1

Response

201 - Service created successfully.

{
  "dependencies": [],
  "traversable": true,
  "_id": "waltid.tenant1.issuer1",
  "baseUrl": "http://waltid.enterprise.localhost:3000",
  "kms": "waltid.tenant1.kms1",
  "tokenKeyId": "waltid.tenant1.kms1.key1",
  "parent": "waltid.tenant1",
  "supportedCredentialTypes": {
    "identity_credential_vc+sd-jwt": {
      "format": "vc+sd-jwt",
      "vct": "{vctBaseURL}/identity_credential",
      "cryptographic_binding_methods_supported": [
        "jwk"
      ],
      "credential_signing_alg_values_supported": [
        "ES256"
      ],
      "sdJwtVcTypeMetadata": {
        "name": "Identity Credential",
        "description": "The Identity Verifiable Credential",
        "vct": "{vctBaseURL}/identity_credential"
      }
    },
    "OpenBadgeCredential_jwt_vc_json": {
      "format": "jwt_vc_json",
      "cryptographic_binding_methods_supported": [
        "did"
      ],
      "credential_signing_alg_values_supported": [
        "ES256"
      ],
      "credential_definition": {
        "type": [
          "VerifiableCredential",
          "OpenBadgeCredential"
        ]
      }
    }
  },
  "displayConfigurations": [
    {
      "name": "walt.id Enterprise Issuer Service",
      "locale": "en-US",
      "logo": {
        "uri": "http://cdn.walt.id/issuer/logo.png",
        "alt_text": "logo specific text goes here"
      }
    }
  ]
}

dependencies: List - List of service dependencies.
id: ID - Unique ID of this service.
baseUrl: String - This URL will be included in the generated OIDC4VC offer, allowing the wallet to know how to reach the issuer. It should reflect your organization's base URL. The general format for this URL is https://{orgID}.yourEnterpriseStackUrl.com. For example, if your organization is named myorg and the Enterprise Stack is hosted at the domain enterprise-stack.com, your base URL would be: https://myorg.enterprise-stack.com.
kms: - resourceIdentifier - The KMS service used for signing access tokens. The exact key is specified in via the tokenKeyId field.
tokenKeyId: - resourceIdentifier - A key in the connected KMS service used to sign the access token, which is used by the wallet to get the credential from the credential endpoint
supportedCredentialTypes: Object - A map of credentials the issuer supports. This list will be used to generate the issuer metadata.
displayConfigurations - issuer display metadata configs. Each object contains specific display information for different languages. To learn more about the display config in general go here

#Update Issuer Config

CURL

Endpoint: /v1/{target}/issuer-service-api/configuration/update | API Reference

Example Request

curl -X 'POST' \
  'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/issuer-service-api/configuration/update' \
  -H 'accept: */*' \  
  -H 'Authorization: Bearer {yourToken}' \
  -H 'Content-Type: application/json' \
  -d '{
  "dependencies": [],
  "traversable": true,
  "_id": "waltid.tenant1.issuer1",
  "supportedCredentialTypes": {
    "identity_credential_vc+sd-jwt": {
      "format": "vc+sd-jwt",
      "vct": "{vctBaseURL}/identity_credential",
      "cryptographic_binding_methods_supported": [
        "jwk"
      ],
      "credential_signing_alg_values_supported": [
        "ES256"
      ],
      "sdJwtVcTypeMetadata": {
        "name": "Identity Credential",
        "description": "The Identity Verifiable Credential",
        "vct": "{vctBaseURL}/identity_credential"
      }
    },
    "OpenBadgeCredential_jwt_vc_json": {
      "format": "jwt_vc_json",
      "cryptographic_binding_methods_supported": [
        "did"
      ],
      "credential_signing_alg_values_supported": [
        "ES256"
      ],
      "credential_definition": {
        "type": [
          "VerifiableCredential",
          "OpenBadgeCredential"
        ]
      }
    }
  },
  "tokenKeyId": "waltid.tenant1.kms1.key1",
  "kms": "waltid.tenant1.kms1",
  "baseUrl": "http://waltid.enterprise.localhost:3000",
  "parent": "waltid.tenant1",
  "displayConfigurations": [
    {
      "name": "walt.id Enterprise Issuer Service",
      "locale": "en-US",
      "logo": {
        "uri": "http://cdn.walt.id/issuer/logo.png",
        "alt_text": "logo specific text goes here"
      }
    }
  ]
}'

Path Parameters

orgID: - When performing operations within an organization, it is essential to use the organization's Base URL or another valid host alias. For example, if your organization is named test, your default Base URL will be test.enterprise-sandbox.walt.dev when using the sandbox environment.
target: resourceIdentifier - The target indicates the organization + tenant + issuer service in which to update the configuration({organizationID}.{tenantID}.{issuerServiceID}), e.g. waltid.tenant1.issuer1

Body Parameters

dependencies: List - List of service dependencies.
traversable: Boolean - Must be true.
id: ID - Unique ID of this service.
supportedCredentialTypes: Object - A map of credentials the issuer supports. This list will be used to generate the issuer metadata.
Expand For W3C JWT & SD-JWT Credentials

To specify the support of a W3C credential the object will look as follows:
```
"OpenBadgeCredential_jwt_vc_json": {
    "format": "jwt_vc_json",
    "cryptographic_binding_methods_supported": [
      "did"
    ],
    "credential_signing_alg_values_supported": [
      "ES256"
    ],
    "credential_definition": {
      "type": [
        "VerifiableCredential",
        "OpenBadgeCredential"
      ]
    }
  }
```
The key will have the following structure: [CustomCredentialType]_jwt_vc_json, e.g. OpenBadgeCredential_jwt_vc_json
Inside the object:
- format - will be jwt_vc_json for W3C JWT & SD-JWT credentials
- cryptographic_binding_methods_supported - will be did
- credential_signing_alg_values_supported - will be ES256
- credential_definition
  - type - specifies a list of credential types. E.g. [VerifiableCredential, MyCustomCredential]
    1. First Entry: Your list must always start with VerifiableCredential.
    2. Subsequent Entries: After VerifiableCredential, you have two options:
    - You can add your custom type, such as CustomCredential.
    - If your credential is based on another credential (for example, VerifiableAttestation), first list all the credentials it builds upon, and then add your custom type at the end.
Expand For SD-JWT VC Credentials

To specify the support of a SD-JWT VC credential the object will look as follows:
```
"identity_credential_vc+sd-jwt": {
   "format": "vc+sd-jwt",
   "vct": "{vctBaseURL}/identity_credential",
   "cryptographic_binding_methods_supported": [
     "jwk"
   ],
   "credential_signing_alg_values_supported": [
     "ES256"
   ],
   "sdJwtVcTypeMetadata": {
     "name": "Identity Credential",
     "description": "The Identity Verifiable Credential",
     "vct": "{vctBaseURL}/identity_credential"
   }
 }
```
The key will have the following structure: [custom_credential_type]_vc+sd-jwt, e.g. identity_credential_vc+sd-jwt
Inside the object:
- format - will be vc+sd-jwt for SD-JWT VC credentials.
- vct - The Verifiable Credential Type URL. You can either:
  - Use the auto-generated format: {vctBaseURL}/[custom_credential_type] (e.g. {vctBaseURL}/identity_credential). The vctBaseURL will be replaced during issuance by the issuer API. Or you may choose to use your own external VCT URL: Provide a fully qualified URL pointing to your own VCT metadata document (e.g. https://schema.example.com/vct/identity_credential). This enables you to use shared VCTs in ecosystem setups, where multiple issuers reference the same schema repository. The credential data will be validated against the schema defined in your VCT during issuance.
- cryptographic_binding_methods_supported - will be jwk
- credential_signing_alg_values_supported - will be ES256
- sdJwtVcTypeMetadata (optional) - Metadata for the credential type. If omitted, the issuer API will synthesize metadata from your configuration. The document may contain either the schema or schema_uri properties:
  - name - Name of the credential
  - description - Description of the credential
  - vct - Holding the same value as the vct above.
Using External VCT URLs: When configuring your own VCT URL, ensure it points to a valid VCT metadata document that conforms to the SD-JWT VC specification. The document must be accessible and contain a valid JSON schema. During credential issuance, the credential data will be validated against this schema.

baseUrl: String - This URL will be included in the generated OIDC4VC offer, allowing the wallet to know how to reach the issuer. It should reflect your organization's base URL. The general format for this URL is https://{orgID}.yourEnterpriseStackUrl.com. For example, if your organization is named myorg and the Enterprise Stack is hosted at the domain enterprise-stack.com, your base URL would be: https://myorg.enterprise-stack.com.

kms: - resourceIdentifier - A KMS service connect with the Issuer service. It should be setup under the same tenant.

tokenKeyId: - resourceIdentifier - A key in the connected KMS service used to sign the access token, which is used to get the credential from the credential endpoint

displayConfigurations (optional) - an optional list of objects, where each object contains specific display information for the issuer for different languages. Including the local option is not mandatory; you can simply provide one object if localization is not required. To learn more about the display config in general go here, for object property details expand below.

Expand to learn more about the display config object properties

Display Config Object

{
  "name": "walt.id Enterprise Issuer Service",
  "locale": "en-US",
  "logo": {
    "uri": "http://cdn.walt.id/issuer/logo.png",
    "alt_text": "Logo of walt.id Enterprise Issuer Service"
  }
}

name (optional) String: String value of a display name for the Credential Issuer.
- locale (optional) String: String value that identifies the language of this object represented as a language tag taken from values defined in BCP47 RFC5646. There MUST be only one object for each language identifier. Example values are: en-US, de-DE, or fr-FR.
- logo (optional) Object: Object with information about the logo of the Credential Issuer.
  - uri String: String value that contains a URI where the Wallet can obtain the logo of the Credential Issuer.
  - alt_text (optional) String: String value of the alternative text for the logo image.

Response Codes

200 - Config updated successfully.

Last updated on November 18, 2025

Overview Verifying Verifiable Credentials via OID4VC