OpenID Metadata
Via the openid-metadata config, the verifier service can be configured to expose details such as verifier name and logo in a standardized way with other services such as digital wallets. These services can then use this information to display a human-readable verifier name and logo to the end-user during credential exchange.
Learn more about the client_name and logo_uri info exposure in the OAuth 2.0 standard here.
The configured info will be exposed via the public endpoint /.well-known/openid-configuration.
The new OpenID4VP 1.0 specification introduces additional objects to the client metadata object. These are:
jwks: OPTIONAL. A JSON Web Key Set, as defined in RFC7591, that contains one or more public keys, such as those used by the Wallet as an input to a key agreement that may be used for encryption of the Authorization Response (see Section 8.3), or where the Wallet will require the public key of the Verifier to generate a Verifiable Presentation. This allows the Verifier to pass ephemeral keys specific to this Authorization Request. Public keys included in this parameter MUST NOT be used to verify the signature of signed Authorization Requests. Each JWK in the set MUST have a kid (Key ID) parameter that uniquely identifies the key within the context of the request.
encrypted_response_enc_values_supported: OPTIONAL. Non-empty array of strings, where each string is a JWE RFC7516 enc algorithm that can be used as the content encryption algorithm for encrypting the Response. When a response_mode requiring encryption of the Response (such as dc_api.jwt or direct_post.jwt) is specified, this MUST be present for anything other than the default single value of A128GCM. Otherwise, this SHOULD be absent.
vp_formats_supported: REQUIRED when not available to the Wallet via another mechanism. As defined in Section 11.1.
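The rules above can be checked on a client metadata object before it is sent to the update endpoint. The following is an added example, not walt.id code: validate_client_metadata, the constant names and SAMPLE are constructed for illustration, and the check assumes the Wallet has no other source for vp_formats_supported.

```python
# Added example, not walt.id code: pre-flight check of a clientMetadata object.

# Private or secret JWK members (RFC 7518, RFC 8037); never publish these.
PRIVATE_JWK_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}
# JWE content encryption ("enc") algorithms registered by RFC 7518.
JWE_ENC = {"A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512",
           "A128GCM", "A192GCM", "A256GCM"}


def validate_client_metadata(meta):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    jwks = meta.get("jwks")
    if jwks is not None:  # OPTIONAL, but if present it holds >= 1 public key
        keys = jwks.get("keys") if isinstance(jwks, dict) else None
        if not isinstance(keys, list) or not keys:
            problems.append("jwks.keys: must be a non-empty array")
            keys = []
        seen = set()
        for i, jwk in enumerate(keys):
            jwk = jwk if isinstance(jwk, dict) else {}
            kid = jwk.get("kid")
            if not isinstance(kid, str) or not kid:
                problems.append(f"jwks.keys[{i}]: missing kid")
            elif kid in seen:
                problems.append(f"jwks.keys[{i}]: duplicate kid")
            else:
                seen.add(kid)
            leaked = sorted(PRIVATE_JWK_MEMBERS.intersection(jwk))
            if leaked:
                problems.append(f"jwks.keys[{i}]: private members {leaked}")
    enc = meta.get("encrypted_response_enc_values_supported")
    if enc is not None:  # OPTIONAL, but never an empty or non-string array
        if not (isinstance(enc, list) and enc and all(isinstance(e, str) for e in enc)):
            problems.append("enc values: must be a non-empty array of strings")
        elif set(enc) - JWE_ENC:
            problems.append(f"enc values: unknown {sorted(set(enc) - JWE_ENC)}")
    # Assumption: the Wallet has no other source for the supported VP formats.
    if not meta.get("vp_formats_supported"):
        problems.append("vp_formats_supported: missing or empty")
    return problems


# Constructed sample: repeated kid, a leaked private member, empty enc array.
SAMPLE = {"client_name": "Example Verifier",
          "jwks": {"keys": [{"kid": "k1", "kty": "EC", "crv": "P-256"},
                            {"kid": "k1", "kty": "OKP", "crv": "Ed25519", "d": "AAAA"}]},
          "encrypted_response_enc_values_supported": []}
print("\n".join(validate_client_metadata(SAMPLE)))
```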
Get OpenID Metadata
Endpoint: /v1/{target}/verifier-service-api/configuration/openid-metadata/view | API Reference
Example Request
curl -X 'GET' \
'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/verifier-service-api/configuration/view' \
-H 'Authorization: Bearer {yourToken}' \
-H 'Content-Type: application/json'
Path Parameters
orgID: When performing operations within an organization, it is essential to use the organization's Base URL or another valid host alias. For example, if your organization is named test, your default Base URL will be test.enterprise-sandbox.walt.dev when using the sandbox environment.
target: resourceIdentifier - The target indicates the organization + tenant + verifier service from which to receive the configuration ({organizationID}.{tenantID}.{verifierServiceID}), e.g. waltid.tenant1.verifier1
Example Response
200 - metadata retrieved successfully.
{
"baseUrl": "http://org.enterprise.localhost:3000",
"clientId": "did:jwk:eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5Iiwia2lkIjoiU05JZ1ItTHZzSEUtNkhUUGxYYUpQVDVubHRZMFpqZlA0VkpTWEwzQ2ZkMCIsIngiOiJIVWM1ZHY1eFREV3VMVmZQcFdvVXBWTjZ1QTNJNzBsVzVnNEhoMG5VaDQ0In0",
"clientMetadata": {
"client_name": "walt.id Enterprise Verifier",
"logo_uri": "https://cdn.walt.id/verifier/logo.png",
"jwks": {
"keys": [
{
"kid": "did:jwk:eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5Iiwia2lkIjoiU05JZ1ItTHZzSEUtNkhUUGxYYUpQVDVubHRZMFpqZlA0VkpTWEwzQ2ZkMCIsIngiOiJIVWM1ZHY1eFREV3VMVmZQcFdvVXBWTjZ1QTNJNzBsVzVnNEhoMG5VaDQ0In0",
"kty": "EC",
"crv": "P-256",
"x": "IVc5dv5xEDWtUFVfpPowUoVn6uASJ70lW5g3Hh0nUh44"
}
]
},
"encrypted_response_enc_values_supported": [
"A128GCM"
],
"vp_formats_supported": [
"vp_jwt"
]
}
}
baseUrl String: The base URL of the verifier.
clientId String: The client ID of the verifier.
clientMetadata Object: The client metadata of the verifier.
client_name String: Human-readable string name of the verifier.
logo_uri String: URL string that references a logo for the verifier.
jwks Object: The JSON Web Key Set of the verifier.
encrypted_response_enc_values_supported Array: The encrypted response enc values supported by the verifier.
vp_formats_supported Array: The VP formats supported by the verifier.
401 - Invalid authentication
Update OpenID Metadata
Endpoint: /v1/{target}/verifier-service-api/configuration/update | API Reference
Example Request
curl -X 'PUT' \
'https://{orgID}.enterprise-sandbox.waltid.dev/v1/{target}/verifier-service-api/configuration/openid-metadata/update' \
-H 'Authorization: Bearer {yourToken}' \
-H 'Content-Type: application/json' \
-d '{
"baseUrl": "http://org.enterprise.localhost:3000",
"clientId": "did:jwk:eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5Iiwia2lkIjoiU05JZ1ItTHZzSEUtNkhUUGxYYUpQVDVubHRZMFpqZlA0VkpTWEwzQ2ZkMCIsIngiOiJIVWM1ZHY1eFREV3VMVmZQcFdvVXBWTjZ1QTNJNzBsVzVnNEhoMG5VaDQ0In0",
"clientMetadata": {
"client_name": "walt.id Enterprise Verifier",
"logo_uri": "https://cdn.walt.id/verifier/logo.png",
"jwks": {
"keys": [
{
"kid": "did:jwk:eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5Iiwia2lkIjoiU05JZ1ItTHZzSEUtNkhUUGxYYUpQVDVubHRZMFpqZlA0VkpTWEwzQ2ZkMCIsIngiOiJIVWM1ZHY1eFREV3VMVmZQcFdvVXBWTjZ1QTNJNzBsVzVnNEhoMG5VaDQ0In0",
"kty": "EC",
"crv": "P-256",
"x": "IVc5dv5xEDWtUFVfpPowUoVn6uASJ70lW5g3Hh0nUh44"
}
]
},
"encrypted_response_enc_values_supported": [
"A128GCM"
],
"vp_formats_supported": [
"vp_jwt"
]
}
}'
Path Parameters
orgID: When performing operations within an organization, it is essential to use the organization's Base URL or another valid host alias. For example, if your organization is named test, your default Base URL will be test.enterprise-sandbox.walt.dev when using the sandbox environment.
target: resourceIdentifier - The target indicates the organization + tenant + verifier service in which to update the configuration ({organizationID}.{tenantID}.{verifierServiceID}), e.g. waltid.tenant1.verifier1
Body
{
"client_name": "walt.id Enterprise Verifier",
"logo_uri": "http://cdn.walt.id/verifier/logo.png",
"jwks": {
"keys": [
{
"kid": "did:jwk:eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5Iiwia2lkIjoiU05JZ1ItTHZzSEUtNkhUUGxYYUpQVDVubHRZMFpqZlA0VkpTWEwzQ2ZkMCIsIngiOiJIVWM1ZHY1eFREV3VMVmZQcFdvVXBWTjZ1QTNJNzBsVzVnNEhoMG5VaDQ0In0",
"kty": "EC",
"crv": "P-256",
"x": "IVc5dv5xEDWtUFVfpPowUoVn6uASJ70lW5g3Hh0nUh44"
}
]
},
"encrypted_response_enc_values_supported": [
"A128GCM"
],
"vp_formats_supported": [
"vp_jwt"
]
}
Body Parameters
name (optional) String: Human-readable string client_name of the verifier.
logo_uri (optional) String: URL string that references a logo for the verifier.
jwks (optional) Object: The JSON Web Key Set of the verifier.
encrypted_response_enc_values_supported (optional) Array: The encrypted response enc values supported by the verifier.
vp_formats_supported (optional) Array: The VP formats supported by the verifier.
Example Response
200 - metadata updated successfully.
{
"baseUrl": "http://org.enterprise.localhost:3000",
"clientId": "did:jwk:eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5Iiwia2lkIjoiU05JZ1ItTHZzSEUtNkhUUGxYYUpQVDVubHRZMFpqZlA0VkpTWEwzQ2ZkMCIsIngiOiJIVWM1ZHY1eFREV3VMVmZQcFdvVXBWTjZ1QTNJNzBsVzVnNEhoMG5VaDQ0In0",
"clientMetadata": {
"client_name": "walt.id Enterprise Verifier",
"logo_uri": "https://cdn.walt.id/verifier/logo.png",
"jwks": {
"keys": [
{
"kid": "did:jwk:eyJrdHkiOiJPS1AiLCJjcnYiOiJFZDI1NTE5Iiwia2lkIjoiU05JZ1ItTHZzSEUtNkhUUGxYYUpQVDVubHRZMFpqZlA0VkpTWEwzQ2ZkMCIsIngiOiJIVWM1ZHY1eFREV3VMVmZQcFdvVXBWTjZ1QTNJNzBsVzVnNEhoMG5VaDQ0In0",
"kty": "EC",
"crv": "P-256",
"x": "IVc5dv5xEDWtUFVfpPowUoVn6uASJ70lW5g3Hh0nUh44"
}
]
},
"encrypted_response_enc_values_supported": [
"A128GCM"
],
"vp_formats_supported": [
"vp_jwt"
]
}
}
401 - Invalid authentication
