Setup
We will setup an Issuer service inside of a tenant. If you don't have a tenant yet, you can learn how to create one here.
CURL
Endpoint: /v1/{target}/resource-api/services/create | API Reference
Example Request
curl -X 'POST' \
'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/resource-api/services/create' \
-H 'accept: */*' \
-H 'Authorization: Bearer {yourToken}' \
-H 'Content-Type: application/json' \
-d '{
"type": "issuer",
"baseUrl": "http://waltid.enterprise.localhost:3000",
"kms": "waltid.tenant1.kms1",
"tokenKeyId": "waltid.tenant1.kms1.key1",
"supportedCredentialTypes": {
"identity_credential_vc+sd-jwt": {
"format": "vc+sd-jwt",
"vct": "{vctBaseURL}/identity_credential",
"cryptographic_binding_methods_supported": [
"jwk"
],
"credential_signing_alg_values_supported": [
"ES256"
],
"sdJwtVcTypeMetadata": {
"name": "Identity Credential",
"description": "The Identity Verifiable Credential",
"vct": "{vctBaseURL}/identity_credential"
}
},
"OpenBadgeCredential_jwt_vc_json": {
"format": "jwt_vc_json",
"cryptographic_binding_methods_supported": [
"did"
],
"credential_signing_alg_values_supported": [
"ES256"
],
"credential_definition": {
"type": [
"VerifiableCredential",
"OpenBadgeCredential"
]
}
}
},
"displayConfigurations": [
{
"name": "walt.id Enterprise Issuer Service",
"locale": "en-US",
"logo": {
"uri": "http://cdn.walt.id/issuer/logo.png",
"alt_text": "logo specific text goes here"
}
}
]
}'
Body
{
"type": "issuer",
"baseUrl": "http://waltid.enterprise.localhost:3000",
"kms": "waltid.tenant1.kms1",
"tokenKeyId": "waltid.tenant1.kms1.key1",
"supportedCredentialTypes": {
"identity_credential_vc+sd-jwt": {
"format": "vc+sd-jwt",
"vct": "{vctBaseURL}/identity_credential",
"cryptographic_binding_methods_supported": [
"jwk"
],
"credential_signing_alg_values_supported": [
"ES256"
],
"sdJwtVcTypeMetadata": {
"name": "Identity Credential",
"description": "The Identity Verifiable Credential",
"vct": "{vctBaseURL}/identity_credential"
}
},
"OpenBadgeCredential_jwt_vc_json": {
"format": "jwt_vc_json",
"cryptographic_binding_methods_supported": [
"did"
],
"credential_signing_alg_values_supported": [
"ES256"
],
"credential_definition": {
"type": [
"VerifiableCredential",
"OpenBadgeCredential"
]
}
}
},
"displayConfigurations": [
{
"name": "walt.id Enterprise Issuer Service",
"locale": "en-US",
"logo": {
"uri": "http://cdn.walt.id/issuer/logo.png",
"alt_text": "logo specific text goes here"
}
}
]
}
Path Parameters
orgID: - When performing operations within an organization, it is essential to use the organization's Base URL or another valid host alias. For example, if your organization is namedtest, your default Base URL will betest.enterprise-sandbox.walt.devwhen using the sandbox environment.target: resourceIdentifier - The target indicates the organization + tenant in which to create the new Issuer service and the service's ID ({organizationID}.{tenantID}.[NewIssuerServiceID]), e.g.waltid.tenant1.issuer1
Body Parameters
type: serviceType - Specifies the type of service to create. In our caseissuerbaseUrl: String - This URL will be included in the generated OIDC4VC offer, allowing the wallet to know how to reach the issuer. It should reflect your organization's base URL. The general format for this URL ishttps://{orgID}.yourEnterpriseStackUrl.com. For example, if your organization is named myorg and the Enterprise Stack is hosted at the domain enterprise-stack.com, your base URL would be: https://myorg.enterprise-stack.com.kms: - resourceIdentifier - A KMS service you want to connect with the to be created Issuer service. It should be setup under the same tenant.tokenKeyId: - resourceIdentifier - A key in the connected KMS service used to sign the access token, which is used to get the credential from the credential endpointsupportedCredentialTypes: Object - A map of credentials the issuer supports. This list will be used to generate the issuer metadata. This list of supported credentials can be updated also after the initial setup.Expand For W3C JWT & SD-JWT Credentials
To specify the support of a W3C credential the object will look as follows:
"OpenBadgeCredential_jwt_vc_json": {
"format": "jwt_vc_json",
"cryptographic_binding_methods_supported": [
"did"
],
"credential_signing_alg_values_supported": [
"ES256"
],
"credential_definition": {
"type": [
"VerifiableCredential",
"OpenBadgeCredential"
]
}
}
The key will have the following structure: [CustomCredentialType]_jwt_vc_json,
e.g. OpenBadgeCredential_jwt_vc_json
Inside the object:
- `format` - will be `jwt_vc_json` for W3C JWT & SD-JWT credentials
- `cryptographic_binding_methods_supported` - will be `did`
- `credential_signing_alg_values_supported` - will be `ES256`
- `credential_definition`
- `type` - specifies a list of credential types. E.g. `[VerifiableCredential, MyCustomCredential]`
1. First Entry: Your list must always start with `VerifiableCredential`.
2. Subsequent Entries: After `VerifiableCredential`, you have two options:
- You can add your custom type, such as `CustomCredential`.
- If your credential is based on another credential (for example, `VerifiableAttestation`), first list all
the
credentials it builds upon, and then add your custom type at the end.
</details>
<br/>
<br/>
<details><summary>Expand For SD-JWT VC Credentials</summary>
<br/>
To specify the support of a SD-JWT VC credential the object will look as follows:
"identity_credential_vc+sd-jwt": {
"format": "vc+sd-jwt",
"vct": "{vctBaseURL}/identity_credential",
"cryptographic_binding_methods_supported": [
"jwk"
],
"credential_signing_alg_values_supported": [
"ES256"
],
"sdJwtVcTypeMetadata": {
"name": "Identity Credential",
"description": "The Identity Verifiable Credential",
"vct": "{vctBaseURL}/identity_credential"
}
}
The key will have the following structure: [custom_credential_type]_vc+sd-jwt,
e.g. identity_credential_vc+sd-jwt
Inside the object:
- `format` - will be `vc+sd-jwt` for SD-JWT VC credentials.
- `vct` - will follow the structure `{vctBaseURL}/[custom_credential_type]`,
e.g. `{vctBaseURL}/custom_credential_type`.
The vctBaseURL will be replaced during issuance by the issuer API.
- `cryptographic_binding_methods_supported` - will be `jwk`
- `credential_signing_alg_values_supported` - will be `ES256`
- `sdJwtVcTypeMetadata`
- `name` - Name of the credential
- `description` - Description of the credential
- `vct` - Holding the same value as the `vct` above.
</details>
displayConfigurations(optional) - an optional list of objects, where each object contains specific display information for different languages. Including the local option is not mandatory; you can simply provide one object if localization is not required. To learn more about the display config in general go here, for object property details expand below.
Expand to learn more about the display config object properties
Display Config Object
{
"name": "walt.id Enterprise Issuer Service",
"locale": "en-US",
"logo": {
"uri": "http://cdn.walt.id/issuer/logo.png",
"alt_text": "Logo of walt.id Enterprise Issuer Service"
}
}
```
- `name` (optional) _String_: String value of a display name for the Credential Issuer.
- `locale` (optional) _String_: String value that identifies the language of this object represented as a
language tag
taken from values defined in
BCP47 [RFC5646](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#RFC5646). There MUST
be only
one object for each language identifier. Example values are: `en-US`, `de-DE`, or `fr-FR`.
- `logo` (optional) _Object_: Object with information about the logo of the Credential Issuer.
- `uri` _String_: String value that contains a URI where the Wallet can obtain the logo of the Credential
Issuer.
- `alt_text` (optional) _String_: String value of the alternative text for the logo image.
</details>
---
**Response Codes**
201- Service created successfully.
Last updated on November 4, 2025