SDK

This implementation utilizes AWS SDK's default credential provider chain for authentication, automatically detecting credentials from multiple sources including:

  • Environment variables
  • AWS credentials file
  • IAM roles for EC2
  • Container credentials
  • SSO credentials

Key generation

To create the key you can use the onboard endpoint provided by the issuer API and provide the necessary parameters to create the key in the AWS KMS service.

Creation via Issuer API

Request
Response

Endpoint:/onboard/issuer | API Reference

Example Request

curl -X 'POST' \
  'https://issuer.demo.walt.id/onboard/issuer' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "key": {
    "backend": "aws",
    "keyType": "secp256r1",
    "config": {
      "auth": {
        "region": "eu-central-1",
      },
      "tags": {
        "key": "value"
      }
    }
  },
  "did": {
    "method": "jwk"
  }
}'

Body

{
  "key": {
    "backend": "aws",
    "keyType": "secp256r1",
    "config": {
      "auth": {
        "region": "eu-central-1",
      },
      "tags": {
        "key": "value"
      }
    }
  },
  "did": {
    "method": "jwk"
  }
}

Body Parameters

  • key
    • backend: String - Specifies the storage type of key. It can be jwk (managed by you), aws (managed by AWS KMS using their kotlin SDK ) and others. Learn more about different types here.
    • keyType: String - the algorithm used to generate the key. Supported AWS KMS values are secp256r1, secp384r1, secp521r1, secp256k1, RSA, RSA3072, and RSA4096. Ed25519 is not supported by AWS KMS signing keys.
    • config
      • auth
        • region: String - The region where the AWS KMS service is located.
      • tags: Object - The metadata tags to add to the key for AWS
  • did:
    • method: String - Specifies the DID method. It can be key, jwk, web, cheqd.
Last updated on July 3, 2026