Data Retention and Auto-Purge (PII)

The Enterprise API can automatically purge old issuer and verifier session data to reduce PII retention. This is disabled by default and can be enabled via feature flags and configuration.

Enabling the feature

  1. Ensure the optional feature data-retention is enabled (defaults to disabled). You can enable it by either:
    • Setting the feature flag at runtime (if supported in your deployment), or
    • Using configuration: add the following to your run configuration or environment to keep default enabled state false and set enabled: true inside the config file below.
  2. Provide the data retention configuration file at waltid-enterprise-api/config/data-retention.conf (mounted into the container or placed in working directory).

Configuration file

File: config/data-retention.conf

Example:

{
  enabled: true,
  maxIssuerSessionAge: "30d",
  maxVerifierSessionAge: "30d",
  schedule: "0 0 * * *",
  dryRun: true,
  maxDeletePerRun: 500,
  logging: {
    enabled: true,
    level: "INFO"
  }
}

Option reference:

  • enabled: Toggles the purge job on/off. When false, nothing is scheduled.
  • maxIssuerSessionAge: Retention window (e.g. 1h, 1d, 1w, 1m) for issuer sessions. Entries older than this cutoff are considered expired.
  • maxVerifierSessionAge: Retention window (e.g. 1h, 1d, 1w, 1m) for verifier sessions (presentation sessions).
  • schedule: Cron-like string.
  • dryRun: When true, the job only logs which entries would be deleted without deleting them.
  • maxDeletePerRun: Safety limit for how many root session entries are deleted per run. Deletion is recursive per session path.
  • logging.enabled: Enables/disables logging for the job.
  • logging.level: Log level for job messages (TRACE, DEBUG, INFO, WARN, ERROR).

How it works

  • The job scans the organization_trees MongoDB collection for expired session entries:
    • Issuer sessions: documents with _t = "stored-issuance-session" and timestamp older than the cutoff.
    • Verifier sessions: documents with _t = "stored-presentation-session" and timestamp older than the cutoff.
  • For each selected session (up to maxDeletePerRun), the job deletes the session document and all child documents under its hierarchical _id path.
  • If MongoDB is not configured/available, the job logs a warning and skips the run.

Timestamps

Issuer and verifier session records include a timestamp set at creation time, which the purge job uses to determine expiry.

Last updated on December 2, 2025
WebOverview