Issuer Service

The issuer-service.conf file controls the core runtime settings of the walt.id Issuer API.

Please make sure to restart the issuer API service for changes to take effect.

Example Configurations

Local Development

issuer-service.conf
baseUrl = "http://localhost:7002"

Docker / Docker Compose

issuer-service.conf
baseUrl = "http://${SERVICE_HOST}:${ISSUER_API_PORT}"

Production (with pinned token key)

issuer-service.conf
baseUrl = "https://issuer.yourdomain.com"

ciTokenKey = "{\"type\":\"jwk\",\"jwk\":\"{\\\"kty\\\":\\\"EC\\\",\\\"crv\\\":\\\"P-256\\\",\\\"d\\\":\\\"Tys3-CNQkQxRlZ6yMvH1n7k6o_xFBxzRMVGJNamRLdY\\\",\\\"x\\\":\\\"WqGl0DlGFfH9KRsLZW0v2RDWGXQT_JsMyW3A7L5Bq0A\\\",\\\"y\\\":\\\"1lzq3OO0PB9X_3Zs4c5GNd6eRxjXfLGP5YvMkZQ8V1Y\\\"}\"}"

Parameters

baseUrl

Required. The public base URL at which the Issuer API is reachable.

The baseUrl is embedded into the OID4VCI artifacts the service produces at runtime, including the credential issuer metadata, credential offer URIs, the vct claim in SD-JWT VCs, and the iss claim when no issuer DID is configured. Make sure the URL is reachable by the wallet.

Environment | Example value
Local development (browser-based wallet on same machine) | http://localhost:7002
Local development (mobile wallet on the same network) | http://192.168.x.x:7002 (use your machine's LAN IP)
Docker / Docker Compose | http://${SERVICE_HOST}:${ISSUER_API_PORT}
Production | https://issuer.yourdomain.com

The port in baseUrl must match webPort in web.conf.


ciTokenKey

Optional. A serialized EC key used to sign internal credential issuance session tokens (the short-lived tokens exchanged between the issuer and wallet during the OID4VCI flow).

When ciTokenKey is not set, the service auto-generates a fresh P-256 key on every startup. This has two important consequences:

  • All active issuance sessions are invalidated on every service restart. Any wallet that received a credential offer before the restart will no longer be able to claim it.
  • In multi-instance or rolling deployments, each instance generates its own key. A session token issued by one instance cannot be validated by another, causing random claim failures depending on which instance the wallet reaches.

For any production or staging environment, you should configure a fixed, persistent key.

The value is a JSON object — serialized as a string — where the inner jwk field is itself a JSON-encoded string. Generate a P-256 key pair using any standard tool (openssl, an online JWK generator, etc.), then substitute your own d, x, and y values into the production example above.

Replace the example key before deploying. The value in the production example above is provided for illustration only. Using it in production means anyone with access to these docs could forge session tokens for your issuer.
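
The nested serialization described above is easy to get wrong by hand. The following Node.js script is an added example, not part of the walt.id documentation or code base: it generates a P-256 key, emits the escaped ciTokenKey line, and checks a line for structural mistakes and for the published example key. All function names are illustrative.

```javascript
// Added example, not walt.id code: build and sanity-check a ciTokenKey line.
const crypto = require("node:crypto");

// "x" coordinate of the key published in the production example on this page.
const DOCS_EXAMPLE_X = "WqGl0DlGFfH9KRsLZW0v2RDWGXQT_JsMyW3A7L5Bq0A";

// Generate a fresh P-256 private key as a JWK object (kty, crv, d, x, y).
function generateP256Jwk() {
  const { privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return privateKey.export({ format: "jwk" });
}

// The inner "jwk" field is a JSON string inside the outer JSON object, and the
// outer object is itself a quoted string in the .conf file: three quoting layers.
function toConfLine(jwk) {
  const outer = JSON.stringify({ type: "jwk", jwk: JSON.stringify(jwk) });
  return `ciTokenKey = ${JSON.stringify(outer)}`;
}

// Decode a ciTokenKey line and return a list of problems (empty list = OK).
function checkConfLine(line) {
  const m = /^\s*ciTokenKey\s*=\s*(".*")\s*$/.exec(line);
  if (!m) return ["not a quoted ciTokenKey assignment"];
  let jwk;
  try {
    const outer = JSON.parse(JSON.parse(m[1]));
    if (outer.type !== "jwk" || typeof outer.jwk !== "string")
      return ["outer object needs type \"jwk\" and a string-valued jwk field"];
    jwk = JSON.parse(outer.jwk) ?? {};
  } catch (err) {
    return ["value does not decode as doubly serialized JSON"];
  }
  const problems = [];
  if (jwk.kty !== "EC" || jwk.crv !== "P-256") problems.push("key is not EC P-256");
  for (const field of ["d", "x", "y"]) {
    const raw = typeof jwk[field] === "string" ? Buffer.from(jwk[field], "base64url") : null;
    if (!raw || raw.length !== 32) problems.push(`${field} is not a 32-byte base64url value`);
  }
  if (jwk.x === DOCS_EXAMPLE_X) problems.push("this is the published example key");
  return problems;
}

// Prints the line to paste into issuer-service.conf, then the check result.
const generatedLine = toConfLine(generateP256Jwk());
console.log(generatedLine);
console.log(checkConfLine(generatedLine));
```

The printed line contains the private scalar d, so handle it like any other secret.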

Last updated on May 6, 2026