Overview
The issuer API supports Azure Key Vault as a key management solution, which lets you store your cryptographic keys in a secure and scalable way. The API is designed to be stateless and does not store cryptographic key material, so every API call must carry the key it needs. When signing and issuing a credential (e.g. via OID4VC), you supply either the complete key in JWK format or a reference to a key stored in Azure Key Vault. In production systems, the recommended approach is to use Azure Key Vault, so that the private key used to sign a credential never leaves the secure environment.
We support the following key types offered by Azure Key Vault:
- RSA
- SECP256R1
- SECP256K1
The platform offers two integration options for Azure Key Vault:
- A native Azure SDK-based backend registered as `azure`
- A REST-based backend registered as `azure-rest-api`
Both backends allow you to generate keys, sign credentials using keys stored in Azure, and retrieve public keys, while keeping private key material inside Azure Key Vault.
Key Features
- Native Azure SDK integration for optimal performance (`azure` backend)
- REST-based integration for environments where direct SDK usage is not possible (`azure-rest-api` backend)
- Seamless key management through Azure Key Vault
- Support for attaching metadata tags to keys managed via the issuer API
Authentication
Depending on which backend you use, authentication towards Azure Key Vault can rely on:
- Client credentials (client ID, client secret, tenant ID)
- Managed identities (for SDK-based integrations, recommended for production)
In all cases, the issuer API only stores references and configuration required to access keys; the keys themselves are created and held by Azure Key Vault.
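As an added example (not part of this documentation or the issuer API's own code), the following Python helper applies the rules from the overview and the authentication section before a key descriptor reaches a signing backend: it tells an inline JWK apart from a Key Vault reference, refuses inline private keys in production as recommended above, limits references to the listed key types and backends, and accepts managed identity only for the SDK backend. The descriptor field names (`type`, `jwk`, `config`, `keyVaultUrl`, `keyName`, `keyType`, `auth`) are assumed for illustration and are not the real request schema.

```python
from typing import Any, Dict

# Key types the page lists as supported through Azure Key Vault.
SUPPORTED_KEY_TYPES = {"RSA", "SECP256R1", "SECP256K1"}
# Backend identifiers the page lists.
AZURE_BACKENDS = {"azure", "azure-rest-api"}
# JWK members that carry private material (RFC 7518, section 6).
PRIVATE_JWK_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}

class KeyDescriptorError(ValueError):
    """Raised when a key descriptor must not reach a signing backend."""

def jwk_has_private_part(jwk: Dict[str, Any]) -> bool:
    return any(member in jwk for member in PRIVATE_JWK_MEMBERS)

def validate_key_descriptor(descriptor: Dict[str, Any], production: bool) -> str:
    """Return the backend that will sign: "local", "azure" or "azure-rest-api".
    The descriptor layout (type/jwk/config/auth) is assumed for this example."""
    kind = descriptor.get("type")
    if kind == "jwk":
        jwk = descriptor.get("jwk")
        if not isinstance(jwk, dict) or "kty" not in jwk:
            raise KeyDescriptorError("inline key must be a JWK with 'kty'")
        if not jwk_has_private_part(jwk):
            raise KeyDescriptorError("inline JWK carries no private part, cannot sign")
        if production:
            # The page recommends Key Vault in production; enforce it as policy.
            raise KeyDescriptorError("inline private keys are refused in production")
        return "local"
    if kind in AZURE_BACKENDS:
        cfg = descriptor.get("config") or {}
        for field in ("keyVaultUrl", "keyName", "keyType"):
            if not cfg.get(field):
                raise KeyDescriptorError(f"missing Key Vault config field {field!r}")
        if not cfg["keyVaultUrl"].startswith("https://"):
            raise KeyDescriptorError("Key Vault URL must use https")
        if cfg["keyType"] not in SUPPORTED_KEY_TYPES:
            raise KeyDescriptorError(f"unsupported key type {cfg['keyType']!r}")
        auth = cfg.get("auth") or {}
        method = auth.get("method")
        if method == "clientCredentials":
            if not all(auth.get(f) for f in ("clientId", "clientSecret", "tenantId")):
                raise KeyDescriptorError("client credentials need clientId, clientSecret and tenantId")
        elif method == "managedIdentity":
            if kind != "azure":
                raise KeyDescriptorError("managed identity is only available with the SDK backend")
        else:
            raise KeyDescriptorError(f"unknown auth method {method!r}")
        return kind
    raise KeyDescriptorError(f"unknown key descriptor type {kind!r}")
```

The sample descriptors used to exercise it (constructed values, not real keys or vault URLs) show that a private JWK is accepted only outside production, while a Key Vault reference is accepted on either backend as long as its auth method matches.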
Get Started
- Azure Key Vault SDK - Use keys from Azure Key Vault to sign credentials.
- Azure Key Vault REST API - Use keys from Azure Key Vault via REST API.
