#Azure Key Vault (Azure SDK)

Azure Key Vault is a managed cloud service for securely storing and using cryptographic keys, secrets, and certificates. This document describes the native Azure SDK–based integration in the walt.id platform, which enables key generation, signing, verification, and deletion directly via the Azure SDK instead of raw REST calls.

This backend is registered as azure in the key manager.
The legacy REST-based implementation is now explicitly named azure-rest-api.

#Prerequisites

• An Azure account with an active subscription
  https://azure.microsoft.com/free/
• An Azure Key Vault instance
  https://learn.microsoft.com/azure/key-vault/general/quick-create-portal
• An Azure AD application (service principal)
• One of the following authentication methods:
  • Client Secret
  • Managed Identity (recommended for production)

#Supported Features

• Key generation in Azure Key Vault
• Signing using Azure-managed private keys
• Public key retrieval
• Key deletion

#Key Generation

Key creation is done using the standard onboarding endpoint. The only difference is the backend type and configuration structure.

#Creation via Issuer API (Azure SDK)

curl -X POST \
  'https://issuer.demo.walt.id/onboard/issuer' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
    "key": {
      "backend": "azure",
      "keyType": "secp256r1",
      "config": {
        "auth": {
          "keyVaultUrl": "url to the vault"
        },
        "tags": {
          "key": "value"
        }
      }
    },
    "did": {
      "method": "jwk"
    }
  }'

#Key Usage

Once created, Azure SDK–backed keys are used exactly like any other key backend. The issuer API will transparently delegate cryptographic operations to Azure Key Vault.

The key reference is passed via the issuerKey object.

Example IssuerKey Object (Azure SDK) :

{
  "issuerKey": {
  "type": "azure",
  "id": "https://<key-vault-name>.vault.azure.net/keys/issuer-key/1234567890abcdef"
  },
  "issuerDid": "did:jwk:..."
}